kubernetes-guide/content/appendix/yaml.md

# Useful YAML
## RBAC
### Grant roc all permissions in the test namespace and read-only permissions in the istio-system namespace
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: test
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-to-roc
  namespace: test
subjects:
- kind: User
  name: roc
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
  namespace: istio-system
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly-to-roc
  namespace: istio-system
subjects:
- kind: User
  name: roc
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: readonly
  apiGroup: rbac.authorization.k8s.io
```
### Grant roc read-only permissions on the whole cluster
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly-to-roc
subjects:
- kind: User
  name: roc
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: readonly
  apiGroup: rbac.authorization.k8s.io
```
### Grant all users in the manager group read permissions on Secrets
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
### Grant roc cluster-wide read-only permissions (except reading Secrets)
Read access to Secrets is sensitive and should not be granted lightly. Kubernetes Role/ClusterRole rules cannot express "all resources except X". Secrets live in the core API group, so to exclude only Secret read access you have to enumerate every other resource in the core group, and then add all resources of every other group that may exist (including CRDs):
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
- apiGroups: [""]
  resources:
  - bindings
  - componentstatuses
  - configmaps
  - endpoints
  - events
  - limitranges
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs: ["get", "list"]
- apiGroups:
  # cert-manager.io is the API group; its resources (certificaterequests,
  # certificates) are listed by `kubectl api-resources -o name` as
  # <resource>.<group> and are not groups themselves, so they belong here
  # only through this group entry.
  - cert-manager.io
  - admissionregistration.k8s.io
  - apiextensions.k8s.io
  - apiregistration.k8s.io
  - apps
  - authentication.k8s.io
  - autoscaling
  - batch
  - certificates.k8s.io
  - cloud.tencent.com
  - coordination.k8s.io
  - discovery.k8s.io
  - events.k8s.io
  - extensions
  - install.istio.io
  - metrics.k8s.io
  - monitoring.coreos.com
  - networking.istio.io
  - node.k8s.io
  - policy
  - rbac.authorization.k8s.io
  - scheduling.k8s.io
  - security.istio.io
  - storage.k8s.io
  resources: ["*"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: roc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: roc
```
> You can use `kubectl api-resources -o name` to enumerate them.
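The enumeration above can be generated instead of typed by hand. The following script is an added example, not part of the original page: it takes the text produced by `kubectl api-resources -o name` (a constructed sample is embedded so it runs offline), drops every resource in an exclusion set (`secrets` by default), and emits a read-only ClusterRole. It goes beyond the page's manifest in one respect: each non-core group gets an explicit resource list rather than `"*"`, so a CRD installed later is not granted implicitly and the generator has to be re-run to pick it up. A small `allowed()` matcher, written here to mirror how RBAC evaluates PolicyRules (allow-only, `"*"` matches anything), then confirms that `get pods` is permitted while `get secrets` is not. The `render_clusterrole` emitter is hand-rolled to avoid a YAML library dependency.

```python
"""Generate an 'everything except Secrets' read-only ClusterRole from the
output of `kubectl api-resources -o name`, then check the result with a
minimal RBAC rule matcher.  Added example; the sample input is constructed."""

from collections import defaultdict

# Constructed stand-in for `kubectl api-resources -o name`.  Core-group
# resources have no suffix; every other resource is printed as
# "<resource>.<group>".
SAMPLE_API_RESOURCES = """\
configmaps
endpoints
events
namespaces
nodes
pods
secrets
serviceaccounts
services
deployments.apps
statefulsets.apps
jobs.batch
roles.rbac.authorization.k8s.io
rolebindings.rbac.authorization.k8s.io
certificaterequests.cert-manager.io
certificates.cert-manager.io
virtualservices.networking.istio.io
"""

READ_VERBS = ["get", "list"]


def parse_api_resources(text):
    """Map each API group ('' = core) to its resource names.  A resource name
    never contains '.', so everything after the first '.' is the group."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        resource, _, group = line.partition(".")
        groups[group].append(resource)
    return groups


def build_readonly_rules(api_resources_text, exclude=frozenset({"secrets"})):
    """Build PolicyRules granting READ_VERBS on every listed resource except
    those in `exclude`.  Each group gets an explicit resource list, so nothing
    not present in the input is granted."""
    rules = []
    for group, resources in sorted(parse_api_resources(api_resources_text).items()):
        kept = sorted(r for r in resources if r not in exclude)
        if kept:
            rules.append({"apiGroups": [group], "resources": kept, "verbs": READ_VERBS})
    return rules


def render_clusterrole(name, rules):
    """Emit the ClusterRole as YAML text using flow-style lists."""
    def flow(items):
        return "[" + ", ".join('"%s"' % i for i in items) + "]"
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", "  name: %s" % name, "rules:"]
    for rule in rules:
        out.append("- apiGroups: %s" % flow(rule["apiGroups"]))
        out.append("  resources: %s" % flow(rule["resources"]))
        out.append("  verbs: %s" % flow(rule["verbs"]))
    return "\n".join(out) + "\n"


def allowed(rules, group, resource, verb):
    """Minimal RBAC matcher: allowed if any rule matches group, resource and
    verb, with '*' matching anything.  RBAC is allow-only, which is why
    'everything except secrets' can only be expressed by enumeration."""
    def match(values, want):
        return "*" in values or want in values
    return any(match(r["apiGroups"], group) and match(r["resources"], resource)
               and match(r["verbs"], verb) for r in rules)


if __name__ == "__main__":
    rules = build_readonly_rules(SAMPLE_API_RESOURCES)
    print(render_clusterrole("readonly", rules))
    print("get pods allowed:   ", allowed(rules, "", "pods", "get"))
    print("get secrets allowed:", allowed(rules, "", "secrets", "get"))
```

To use it against a real cluster, pipe `kubectl api-resources -o name` into `build_readonly_rules` in place of the constructed sample, and review the rendered ClusterRole before applying it. The matcher is deliberately narrow (no subresources, resourceNames or nonResourceURLs); for the authoritative answer on a live cluster use `kubectl auth can-i`.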
### Restricting ServiceAccount permissions
Grant the `build-robot` ServiceAccount permission to read Pod information and logs in the build namespace:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: build
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: build
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: build
subjects:
- kind: ServiceAccount
  name: build-robot
  namespace: build
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
### ServiceAccount with the highest permissions
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-admin
  namespace: kube-system
---
# Bind the ServiceAccount to the built-in `cluster-admin` ClusterRole instead of
# redefining it: every cluster already ships a ClusterRole named cluster-admin
# (apiGroups, resources and verbs all "*", plus nonResourceURLs "*") and a
# ClusterRoleBinding named cluster-admin that grants it to the system:masters
# group. Reusing either name would overwrite the built-in object, so the binding
# below gets its own name (cluster-admin-sa, chosen here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-sa
subjects:
- kind: ServiceAccount
  name: cluster-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```