kubernetes-guide/appendix/yaml.md

# 实用 YAML

## RBAC 相关

### 给 roc 授权 test 命名空间所有权限，istio-system 命名空间的只读权限

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: test
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-to-roc
  namespace: test
subjects:
  - kind: User
    name: roc
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin
  apiGroup: rbac.authorization.k8s.io

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
  namespace: istio-system
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly-to-roc
  namespace: istio-system
subjects:
  - kind: User
    name: roc
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: readonly
  apiGroup: rbac.authorization.k8s.io
```

### 给 roc 授权整个集群的只读权限

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly-to-roc
subjects:
  - kind: User
    name: roc
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io
```

### 给 manager 用户组里所有用户授权 secret 读权限

``` yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

### 给 roc 授权集群只读权限 (secret读权限除外)

secret 读权限比较敏感，不要轻易放开，k8s 的 Role/ClusterRole 没有提供类似 "某资源除外" 的能力，secret 在 core group 下，所以只排除 secret 读权限的话需要列举其它所有 core 下面的资源，另外加上其它所有可能的 group 所有资源(包括CRD):

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
- apiGroups: [""]
  resources:
  - bindings
  - componentstatuses
  - configmaps
  - endpoints
  - events
  - limitranges
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs: ["get", "list"]
- apiGroups:
  - cert-manager.io
  - admissionregistration.k8s.io
  - apiextensions.k8s.io
  - apiregistration.k8s.io
  - apps
  - authentication.k8s.io
  - autoscaling
  - batch
  - certificaterequests.cert-manager.io
  - certificates.cert-manager.io
  - certificates.k8s.io
  - cloud.tencent.com
  - coordination.k8s.io
  - discovery.k8s.io
  - events.k8s.io
  - extensions
  - install.istio.io
  - metrics.k8s.io
  - monitoring.coreos.com
  - networking.istio.io
  - node.k8s.io
  - policy
  - rbac.authorization.k8s.io
  - scheduling.k8s.io
  - security.istio.io
  - storage.k8s.io
  resources: ["*"]
  verbs: [ "get", "list" ]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: roc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: roc
```

> 可以借助 `kubectl api-resources -o name` 来列举。

### 限制 ServiceAccount 权限

授权 `build-robot` 这个 ServiceAccount 读取 build 命名空间中 Pod 的信息和 log 的权限:

``` yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: build

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: build
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: build
subjects:
- kind: ServiceAccount
  name: build-robot
  namespace: build
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

### ServiceAccount 最高权限

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-admin
  namespace: kube-system

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: cluster-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```