5.0 KiB
5.0 KiB
实用 YAML
RBAC 相关
给 roc 授权 test 命名空间所有权限,istio-system 命名空间的只读权限
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admin
namespace: test
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admin-to-roc
namespace: test
subjects:
- kind: User
name: roc
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: admin
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: readonly
namespace: istio-system
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: readonly-to-roc
namespace: istio-system
subjects:
- kind: User
name: roc
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: readonly
apiGroup: rbac.authorization.k8s.io
给 roc 授权整个集群的只读权限
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: readonly
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: readonly-to-roc
subjects:
- kind: User
name: roc
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: readonly
apiGroup: rbac.authorization.k8s.io
给 manager 用户组里所有用户授权 secret 读权限
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-secrets-global
subjects:
- kind: Group
name: manager
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
给 roc 授权集群只读权限 (secret读权限除外)
secret 读权限比较敏感,不要轻易放开,k8s 的 Role/ClusterRole 没有提供类似 "某资源除外" 的能力,secret 在 core group 下,所以只排除 secret 读权限的话需要列举其它所有 core 下面的资源,另外加上其它所有可能的 group 所有资源(包括CRD):
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: readonly
rules:
- apiGroups: [""]
resources:
- bindings
- componentstatuses
- configmaps
- endpoints
- events
- limitranges
- namespaces
- nodes
- persistentvolumeclaims
- persistentvolumes
- pods
- podtemplates
- replicationcontrollers
- resourcequotas
- serviceaccounts
- services
verbs: ["get", "list"]
- apiGroups:
- cert-manager.io
- admissionregistration.k8s.io
- apiextensions.k8s.io
- apiregistration.k8s.io
- apps
- authentication.k8s.io
- autoscaling
- batch
- certificaterequests.cert-manager.io
- certificates.cert-manager.io
- certificates.k8s.io
- cloud.tencent.com
- coordination.k8s.io
- discovery.k8s.io
- events.k8s.io
- extensions
- install.istio.io
- metrics.k8s.io
- monitoring.coreos.com
- networking.istio.io
- node.k8s.io
- policy
- rbac.authorization.k8s.io
- scheduling.k8s.io
- security.istio.io
- storage.k8s.io
resources: ["*"]
verbs: [ "get", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: roc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: roc
可以借助
kubectl api-resources -o name来列举。
限制 ServiceAccount 权限
授权 build-robot 这个 ServiceAccount 读取 build 命名空间中 Pod 的信息和 log 的权限:
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
namespace: build
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: build
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: build
subjects:
- kind: ServiceAccount
name: build-robot
namespace: build
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
ServiceAccount 最高权限
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cluster-admin
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io