
Detailed explanation of K8S RBAC

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

1. Introduction to RBAC

RBAC is the authentication and access authorization mechanism of Kubernetes; it is enabled by starting the API server with --authorization-mode=RBAC. Authorization with RBAC consists of two steps:

1) Define a role: when the role is defined, the access-control rules for the resources it covers are specified.

2) Bind the role: bind the principal (the subject) to the role, which grants that user the access defined by the role.

The official documentation illustrates this as follows (the figure is not reproduced here):

2. Role and ClusterRole

A role is a definition of permissions. Kubernetes has two kinds of roles: a Role, which is scoped to one specific namespace, and a ClusterRole, which is valid across the whole cluster.

Examples are as follows:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]   # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

An example of a ClusterRole is as follows:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]   # specify the resource type
  verbs: ["get", "watch", "list"]

3. ServiceAccount

A ServiceAccount exists so that processes running in a Pod can call the Kubernetes API or other external services; it can simply be understood as a service account. ServiceAccounts are the most common subjects used with RBAC, because Kubernetes has no user resource managed inside the cluster and using external users is too cumbersome, whereas a ServiceAccount provides authentication and authorization simply and directly.

4. RoleBinding and ClusterRoleBinding

A role defines a collection of permissions; a ServiceAccount, that is, a service account, is created as the subject; binding the two together is the authorization step.

Examples are as follows:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:   # principal
- kind: ServiceAccount
  name: jane
  namespace: default   # ServiceAccount subjects take a namespace and an empty apiGroup; if omitted in a RoleBinding, the binding's namespace is used
roleRef:   # referenced role
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

A ClusterRoleBinding follows the same pattern:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: ServiceAccount
  name: manager
  namespace: default   # a ClusterRoleBinding subject must state the ServiceAccount's namespace; "default" is assumed here
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

This completes the authorization.
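To check what these bindings actually grant before applying them, here is an added example (not code from the article or from the Kubernetes project) that models RBAC evaluation in Python; the manifests are embedded as dicts mirroring the YAML above, and the namespace of the manager service account is assumed to be default.

```python
# Added example (not from the original article): a stand-alone model of how Kubernetes
# RBAC evaluates Role/ClusterRole rules through RoleBindings and ClusterRoleBindings.
# Manifests are constructed dicts mirroring the article's YAML; the "default" namespace
# of the "manager" ServiceAccount is an assumption.
POD_READER = {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
SECRET_READER = {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
                 "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]}
ROLES = {("Role", "default", "pod-reader"): POD_READER, ("ClusterRole", "", "secret-reader"): SECRET_READER}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "jane"}],  # namespace omitted on purpose
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "subjects": [{"kind": "ServiceAccount", "name": "manager", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]

def rule_allows(rule, api_group, resource, verb):
    # "*" in any list is a wildcard, as in a real PolicyRule
    match = lambda allowed, value: "*" in allowed or value in allowed
    return (match(rule["apiGroups"], api_group) and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def subject_is(subject, binding_ns, sa_ns, sa_name):
    if subject["kind"] != "ServiceAccount":
        return False
    # A RoleBinding subject may omit namespace; the binding's own namespace is then used.
    # A ClusterRoleBinding has no namespace, so there the subject must state it.
    return (subject.get("namespace") or binding_ns) == sa_ns and subject["name"] == sa_name

def can_i(sa, verb, resource, namespace, api_group="", bindings=BINDINGS, roles=ROLES):
    """sa is '<namespace>:<name>', as in the username system:serviceaccount:<ns>:<name>."""
    sa_ns, sa_name = sa.split(":")
    for b in bindings:
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        b_ns = "" if cluster_wide else b["metadata"]["namespace"]
        if not cluster_wide and b_ns != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if not any(subject_is(s, b_ns, sa_ns, sa_name) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        role_ns = b_ns if ref["kind"] == "Role" else ""  # a RoleBinding may also reference a ClusterRole
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access
```

On a live cluster the same questions are answered by the API server itself, for example kubectl auth can-i list pods --as=system:serviceaccount:default:jane.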
