RBAC Authorization(K8S)

Role

  • Defines permission rules; a Role is scoped to a single namespace

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["pods"]
      verbs: ["get", "watch", "list"]

  • Verb kinds:

    ["get", "post", "list", "watch", "create", "update", "patch", "delete"]

  • Other Role examples

    • Subresources, such as the log of a pod (pods/log)

      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: default
        name: pod-and-pod-logs-reader
      rules:
      - apiGroups: [""]
        resources: ["pods", "pods/log"]
        verbs: ["get", "list"]

    • Restricting resources by name; when resourceNames is specified, the verb may not be list, watch, create, or deletecollection

      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: default
        name: configmap-updater
      rules:
      - apiGroups: [""]
        resources: ["configmaps"]
        resourceNames: ["my-configmap"]
        verbs: ["update", "get"]

ClusterRole

Defines permission rules at cluster scope; a ClusterRole has no namespace

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding and ClusterRoleBinding

  • Grants the permissions of a role to a subject, such as a serviceAccount

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-pods
      namespace: default
    subjects:
    - kind: User
      name: jane
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

  • ClusterRoleBinding is similar

    # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-secrets-global
    subjects:
    - kind: Group
      name: manager
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: secret-reader
      apiGroup: rbac.authorization.k8s.io

  • The subjects of a binding can be groups, users or service accounts.
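To make concrete how the pieces above combine, here is an added Python model (not Kubernetes code, and not from the original post) that evaluates a request against Role/ClusterRole rules and their bindings the way the RBAC authorizer does: grants are purely additive, a RoleBinding is confined to its namespace even when it references a ClusterRole, a ClusterRoleBinding applies in every namespace, and a resourceNames rule can never satisfy list, watch or create because those requests carry no object name. The manifests are the page's pod-reader, configmap-updater and secret-reader, transcribed into dicts; the bindings for the user `ops` and the service account `app` are constructed for the example.

```python
# Added illustration of how the RBAC authorizer combines rules and bindings.
# Not kube-apiserver code; manifests from the page are transcribed into dicts
# and the bindings marked "constructed" are invented for this example.

ROLES = {  # keyed by (namespace, name): Roles are namespaced
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
    ("default", "configmap-updater"): [
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["my-configmap"], "verbs": ["update", "get"]},
    ],
}

CLUSTER_ROLES = {  # keyed by name: ClusterRoles are not namespaced
    "secret-reader": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
    ],
}

ROLE_BINDINGS = [
    # from the page: user jane -> Role pod-reader in "default"
    {"namespace": "default",
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # constructed: user ops -> Role configmap-updater in "default"
    {"namespace": "default",
     "subjects": [{"kind": "User", "name": "ops"}],
     "roleRef": {"kind": "Role", "name": "configmap-updater"}},
    # constructed: a RoleBinding may reference a ClusterRole; the grant is then
    # limited to the binding's namespace, a common way to reuse ClusterRoles.
    {"namespace": "default",
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]

CLUSTER_ROLE_BINDINGS = [
    # from the page: group manager -> ClusterRole secret-reader, all namespaces
    {"subjects": [{"kind": "Group", "name": "manager"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]


def _matches(values, wanted):
    """A rule field matches if it lists the value or the '*' wildcard."""
    return wanted in values or "*" in values


def _rule_allows(rule, group, resource, name, verb):
    if not (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)):
        return False
    names = rule.get("resourceNames")
    if names:
        # A name-restricted rule only matches requests that carry an object name.
        # list, watch, create and deletecollection have none, so they never match.
        return name is not None and name in names
    return True


def _rules_for(role_ref, binding_namespace):
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_namespace, role_ref["name"]), [])


def _subject_matches(subject, who):
    if subject["kind"] == "Group":
        return subject["name"] in who.get("groups", [])
    if subject["kind"] == "ServiceAccount":
        return (who["kind"] == "ServiceAccount" and who["name"] == subject["name"]
                and who.get("namespace") == subject["namespace"])
    return who["kind"] == subject["kind"] and who["name"] == subject["name"]


def can_i(who, verb, resource, namespace, group="", name=None):
    """True if some binding grants the request. RBAC is additive: there is no
    deny rule, so one matching rule in one matching binding is enough."""
    bindings = [(rb, rb["namespace"]) for rb in ROLE_BINDINGS if rb["namespace"] == namespace]
    bindings += [(crb, None) for crb in CLUSTER_ROLE_BINDINGS]  # apply in every namespace
    for binding, binding_ns in bindings:
        if not any(_subject_matches(s, who) for s in binding["subjects"]):
            continue
        if any(_rule_allows(r, group, resource, name, verb)
               for r in _rules_for(binding["roleRef"], binding_ns)):
            return True
    return False


if __name__ == "__main__":
    jane = {"kind": "User", "name": "jane"}
    print(can_i(jane, "get", "pods", "default"))      # True
    print(can_i(jane, "get", "pods", "kube-system"))  # False: the Role is namespaced
```

The model deliberately omits the implicit identities a real cluster adds (for example, a service account is also the user `system:serviceaccount:<ns>:<name>` and a member of `system:serviceaccounts`), but the matching order is the one that matters when reviewing a binding: first find the bindings whose subjects include the caller, then check whether any rule of the referenced role covers the verb, group, resource and, if restricted, the object name.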

Worked example: a service account granted admin permissions

apiVersion: v1
kind: ServiceAccount
metadata:
  name: hitsm-admin
  namespace: hitsm
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hitsm-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hitsm-admin
subjects:
- kind: ServiceAccount
  name: hitsm-admin
  namespace: hitsm
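A defender's counterpart to the manifest above, added here and not part of the original post: a small Python check that scans RBAC manifests (the page's hitsm-admin ClusterRole and its ClusterRoleBinding, transcribed into dicts, plus the secret-reader pair for contrast) and reports every subject that ends up bound to a rule with '*' on apiGroups, resources and verbs, i.e. cluster-admin-equivalent access. Note that the binding is named cluster-reader while the role it references grants everything; a review that goes by names alone would miss that, which is why the check resolves roleRef to the rules.

```python
# Added check for wildcard ('*' on apiGroups, resources and verbs) RBAC grants.
# Not a Kubernetes project tool. MANIFESTS transcribes the page's hitsm-admin
# ClusterRole/ClusterRoleBinding and the secret-reader pair into Python dicts.

MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "hitsm-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "hitsm-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "hitsm-admin",
                   "namespace": "hitsm"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "manager"}]},
]


def is_unrestricted(rule):
    """True when a single rule matches every API group, resource and verb."""
    return all("*" in rule.get(field, []) for field in ("apiGroups", "resources", "verbs"))


def wildcard_roles(manifests):
    """(kind, name) of every Role/ClusterRole carrying an unrestricted rule."""
    return {
        (m["kind"], m["metadata"]["name"])
        for m in manifests
        if m["kind"] in ("Role", "ClusterRole")
        and any(is_unrestricted(r) for r in m.get("rules", []))
    }


def subject_id(subject):
    """Render a subject the way the API server names it in audit logs."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def wildcard_grants(manifests):
    """(binding name, subject id, role name) for each subject bound to an
    unrestricted role. A RoleBinding to such a ClusterRole is reported too:
    the grant is then confined to one namespace, but unrestricted inside it."""
    unrestricted = wildcard_roles(manifests)
    findings = []
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = m["roleRef"]
        if (ref["kind"], ref["name"]) not in unrestricted:
            continue
        for s in m.get("subjects", []):
            findings.append((m["metadata"]["name"], subject_id(s), ref["name"]))
    return findings


if __name__ == "__main__":
    for binding, subject, role in wildcard_grants(MANIFESTS):
        print(f"{binding}: {subject} -> {role} (unrestricted)")
```

On a live cluster the same question can be asked of the API server directly with `kubectl auth can-i '*' '*' --as=system:serviceaccount:hitsm:hitsm-admin`, which answers yes for the binding above; the static check is useful earlier, when the manifests are still in review.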
