1. RBAC: Role-Based Access Control
Example 1: aggregated permissions (Aggregate)
Create a ClusterRole:
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: c-role
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"
rules: []
```
Create a ServiceAccount:
kubectl create sa c-role
Look up the token that belongs to this ServiceAccount:
kubectl describe secret c-role-token-98ztq
At the same time, create a ClusterRoleBinding that binds the ServiceAccount we just created to c-role:
kubectl create clusterrolebinding test-c-role --clusterrole=c-role --serviceaccount=default:c-role
At this point, logging in to the dashboard with the c-role ServiceAccount shows that it has no permissions at all: c-role's own rules list is empty, and no ClusterRole carrying the selected label exists yet, so there is nothing to aggregate.
Create a labeled ClusterRole whose rules get aggregated into c-role:
cat cluster-role-aggregate.yaml
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: c-role-endpoint
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"
# These rules are picked up by every ClusterRole whose aggregationRule
# selects this label (c-role in this example).
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods", "namespaces"]
  verbs: ["get", "list", "watch"]
```
After creating it, check the permissions again:
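To make the "no permissions, then permissions appear" behaviour concrete without a cluster, here is an added example (not code from the original post) that simulates offline what kube-controller-manager does for aggregated ClusterRoles: it rebuilds c-role's rules from every ClusterRole matching its selector and then answers `can-i`-style questions. The two dicts are constructed to mirror the page's c-role and c-role-endpoint manifests; `aggregate` and `can_i` are helpers written for this illustration.

```python
# Added example (not from the original post): an offline simulation of what
# kube-controller-manager does for aggregated ClusterRoles, using dicts that
# mirror the page's c-role and c-role-endpoint manifests (constructed data).
from copy import deepcopy

C_ROLE = {
    "metadata": {"name": "c-role"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.example.com/aggregate-to-monitoring": "true"}}]},
    "rules": [],
}
C_ROLE_ENDPOINT = {
    "metadata": {"name": "c-role-endpoint",
                 "labels": {"rbac.example.com/aggregate-to-monitoring": "true"}},
    "rules": [{"apiGroups": [""],
               "resources": ["services", "endpoints", "pods", "namespaces"],
               "verbs": ["get", "list", "watch"]}],
}

def selector_matches(selector, labels):
    # matchLabels: every key/value pair in the selector must appear in labels
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def aggregate(role, all_roles):
    """Rebuild `role.rules` from every other ClusterRole whose labels match one
    of its clusterRoleSelectors. The controller overwrites the aggregated role's
    own rules, which is why the page's c-role is created with `rules: []`."""
    selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    out = deepcopy(role)
    if not selectors:
        return out                      # not an aggregated role: leave as-is
    out["rules"] = []
    for other in all_roles:
        if other["metadata"]["name"] == role["metadata"]["name"]:
            continue                    # a role never aggregates itself
        if any(selector_matches(s, other["metadata"].get("labels", {})) for s in selectors):
            out["rules"].extend(deepcopy(other.get("rules", [])))
    return out

def can_i(role, verb, resource, api_group=""):
    # True if any rule grants verb on resource in api_group ("*" is a wildcard)
    def hit(field, want):
        return want in field or "*" in field
    return any(hit(r.get("apiGroups", []), api_group) and hit(r.get("resources", []), resource)
               and hit(r.get("verbs", []), verb) for r in role.get("rules", []))

if __name__ == "__main__":
    before = aggregate(C_ROLE, [C_ROLE])                  # before c-role-endpoint exists
    after = aggregate(C_ROLE, [C_ROLE, C_ROLE_ENDPOINT])  # after applying the labeled role
    print(can_i(before, "list", "pods"), can_i(after, "list", "pods"), can_i(after, "delete", "pods"))
```

On a real cluster the same before/after check is `kubectl auth can-i list pods --as=system:serviceaccount:default:c-role`, which is a quicker way to verify the binding than logging in to the dashboard.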
Source: https://www.cnblogs.com/skyflask/p/16840868.html