Shulou(Shulou.com)06/01 Report--

Editor to share with you how to achieve RBAC role access control in kubernetes. I hope you will get something after reading this article. Let's discuss it together.

One: RBAC architecture

Second: RBAC role binding process

Three: explanation

Advantages of 1.RBAC

a. Full coverage of both resource and non-resource permissions in the cluster

B.RBAC is done by API object and can be operated with Kubectl or API

c. Can be adjusted when allowed without having to restart API Server

2.Role

A role is a set of permissions, in a namespace, you can use Role to define a role, if it is at the cluster level, you can use ClusterRole.

3.ClusterRole

In addition to having the same ability to manage resources in a namespace as Role, it can also be used for authorization of special elements. Such as:

a. Cluster-wide resources, node, etc.

b. Non-resource-based paths, such as "/ healthz"

c. Resources that cover all namespaces

4.RoleBinding and ClusterRoleBinding

Both are used to bind a role to a target, such as User,Group or Service Account. RoleBinding can refer to Role and ClusterRole, and ClusterRoleBinding can only refer to ClusterRole.

5. The way resources are referenced

a. Use "/" to separate resources from subordinate resources such as: resources: ["pods", "pods/log"]

b. Quote by name, such as: resourceNames: ["my-configmap"]

6. Examples of common roles

a. Run to read POD resources in the core API group

Click (here) to collapse or open

Rules:

-apiGroups: ["]

Resources: ["pods"]

Verbs: ["get", "list", "watch"]

b. Run to read and write deployment resources in the API groups "extensions" and "apps"

Click (here) to collapse or open

Rules:

-apiGroups: ["extensions", "apps"]

Resources: ["deployments"]

Verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

7. Example of commonly used role binding

a. Bind the default service-account in the Kube-system namespace

Click (here) to collapse or open

Subjects:

-kind: ServiceAccount

Name: default

Namespace: kube-system

All service account in the b.qa namespace

Click (here) to collapse or open

Subjects:

-kind: Group

Name: system:serviceaccounts:qa

ApiGroup: rbac.authorization.k8s.io

c. All authenticated users

Click (here) to collapse or open

Subjects:

-kind: Group

Name: system:authenticated

ApiGroup: rbac.authorization.k8s.io

8. Authorization Management of Service Account

Service account outside of kube-system does not have any permissions, which requires the user to give service account the required permissions. Such as:

Click (here) to collapse or open

Kubectl create rolebinding default-view\

-- clusterrole=view\

-- serviceaccount=my-namespace:default\

-- namespace=my-namespace

After reading this article, I believe you have a certain understanding of "how to achieve RBAC role access control in kubernetes". If you want to know more about it, you are welcome to follow the industry information channel. Thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.