1. ---
  2. apiVersion: v1
  3. kind: ServiceAccount
  4. metadata:
  5.   name: hivesec-central-sa
  6.   labels:
  7.     name: hivesec-central-sa
  8.     role: security
  9.   namespace: hivesec
  11. ---
  12. apiVersion: rbac.authorization.k8s.io/v1
  13. kind: ClusterRole
  14. metadata:
  15.   name: hivesec-central-cr
  16.   labels:
  17.     name: hivesec-central-cr
  18.     role: security
  19. rules:
  20.   - apiGroups: ["", "extensions", "apps", "batch"]  #支持api组的列表," ":表示核心api群
  21.     resources: ["namespaces", "nodes", "pods", "services", "endpoints", "daemonsets", "configmaps", "deployments", "replicationcontrollers", "replicasets", "statefulsets", "jobs", "cronjobs"]  #支持的资源对象列表
  22.     verbs: ["get", "list", "watch"]  # 允许对资源对象操作方法列表
  23.     【上面的意思结合起来就是,security用户对apiGroupsresourcesverbs的操作权限】
  24.   - apiGroups: [""]
  25.     resources: ["services/proxy"]
  26.     resourceNames: ["heapster", "http:heapster", "https:heapster"]
  27.     verbs: ["get"]
  28.   - apiGroups: ["metrics.k8s.io"]
  29.     resources: ["pods", "nodes", "configmaps", "nodes/stats"]
  30.     verbs: ["get", "list"]
  32. ---
  33. apiVersion: rbac.authorization.k8s.io/v1
  34. kind: ClusterRoleBinding
  35. metadata:
  36.   name: hivesec-central-crb
  37.   labels:
  38.     name: hivesec-central-crb
  39.     role: security
  40. roleRef:
  41.   apiGroup: rbac.authorization.k8s.io
  42.   kind: ClusterRole
  43.   name: hivesec-central-cr
  44. subjects:
  45. - kind: ServiceAccount
  46.   name: hivesec-central-sa
  47.   namespace: hivesec
  49. ---
  51. apiVersion: rbac.authorization.k8s.io/v1
  52. kind: Role
  53. metadata:
  54.   namespace: hivesec
  55.   name: hivesec-central-role
  56.   labels:
  57.     name: hivesec-central-role
  58. rules:
  59.   - apiGroups: ["", "extensions", "apps"]
  60.     resources: ["pods", "services", "endpoints", "daemonsets", "configmaps", "deployments"]
  61.     verbs: ["get", "list", "create", "delete", "update"]
  63. ---
  64. apiVersion: rbac.authorization.k8s.io/v1
  65. kind: RoleBinding  #角色绑定,将同一个namespace中的subject绑定到某个Role下
  66. metadata:
  67.   namespace: hivesec
  68.   name: hivesec-central-rob
  69.   labels:
  70.     name: hivesec-central-rob
  71. roleRef: #指向的角色
  72.   apiGroup: rbac.authorization.k8s.io
  73.   kind: Role
  74.   name: hivesec-central-role
  75. subjects: #定义用户
  76. - kind: ServiceAccount
  77.   name: hivesec-central-sa  
  78.   namespace: hivesec
  79.  【将hivesec-central-role角色绑定到ServiceAccount用户上,用户就拥有了角色的权限。】

https://zhuanlan.zhihu.com/p/121736064

ServiceAccount

kubernetes管理的账号,用于为Pod中的服务进程在访问Kubernetes时提供身份标识。

ClusterRole:在集群中的角色
Role:在命名空间中的角色

kubectl create secret docker-registry hivesec-secret --namespace=hivesec \
    --docker-server=192.168.222.140/hivesec \
    --docker-username='admin' \
    --docker-password='Harbor12345'

k8s secrets用于存储和管理一些敏感数据,比如密码,token,密钥等敏感信息。它把 Pod 想要访问的加密数据存放到 Etcd 中。然后用户就可以通过在 Pod 的容器里挂载 Volume 的方式或者环境变量的方式访问到这些 Secret 里保存的信息了。