江小南
2022/10/23
[CKA / CKS] CKA exam question walkthrough: RBAC access control, extended notes
Extended notes
Here I add some further explanation of the knowledge points involved in this question.
1. The RBAC authorization model:
RBAC stands for Role Based Access Control.
It involves the following concepts:
- Subjects: User, Group, ServiceAccount
- Roles: a set of operations (permissions) that are defined on resources
- Bindings: attach a defined role to a subject

With the RBAC authorization model we can implement operations such as the following:

Anyone working in IT will understand what this picture means as soon as they see it; I only mention it here as an extension and do not go into detail. Interested readers can study it on their own.
2. Role types:
There are two kinds of roles in a cluster: Role and ClusterRole. A Role is namespace-scoped and only takes effect in its own namespace. A ClusterRole is cluster-scoped and applies to every namespace in the cluster.
3. Subject types:
A cluster has three kinds of subjects: User, Group, and ServiceAccount.
4. Role binding types:
There are two kinds of role bindings in a cluster: RoleBinding and ClusterRoleBinding. A RoleBinding is namespace-scoped and only takes effect in its own namespace. A ClusterRoleBinding is cluster-scoped and applies to every namespace in the cluster.
Note: a ClusterRoleBinding cannot bind a Role, only a ClusterRole. A RoleBinding can bind either a Role or a ClusterRole, and when a RoleBinding references a ClusterRole the ClusterRole is effectively downgraded: its permissions are granted only within the RoleBinding's namespace.
5. YAML explained
ClusterRole
candidate@node01:~$ kubectl get clusterrole deployment-clusterrole -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2022-08-12T13:29:58Z"
  name: deployment-clusterrole
  resourceVersion: "80642"
  uid: abfc1af7-bd5a-492b-97e1-211d0fd4ffbe
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
candidate@node01:~$
Explanation of the fields under rules:
- apiGroups: the list of API groups the rule covers, for example:
"", "apps", "autoscaling", "batch"
- resources: the list of resource objects the rule covers, for example:
"services", "endpoints", "pods", "secrets", "configmaps", "crontabs", "deployments", "jobs", "nodes", "rolebindings", "clusterroles", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"
- verbs: the list of operations allowed on those resource objects, for example:
"get", "list", "watch", "create", "update", "patch", "delete", "exec"
6. Creating a ClusterRole and a Role from YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-role
  namespace: app-team1
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
Note: a ClusterRole and a Role are created in essentially the same way. The difference is that a Role must specify a namespace, because it is namespace-scoped, while a ClusterRole does not, because it is cluster-scoped.
7. Binding the different kinds of subjects
We mentioned three kinds of subjects above. The binding method is essentially the same for each; the only real difference is the subjects field, as shown below:
# Bind a User
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-user
  namespace: app-team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployment-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sams

# Bind a Group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-group
  namespace: app-team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployment-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: edsp

# Bind a ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-serviceaccount
  namespace: app-team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployment-clusterrole
subjects:
- kind: ServiceAccount
  name: cicd-token
  namespace: app-team1
Note: when creating a binding, make sure there is both a role (the rules, via roleRef) and a subject (subjects); only then does the binding grant anything.
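To make the scoping rules of sections 4 to 7 concrete, here is an added example in Python (not from the original post and not Kubernetes' own code) that models how the API server decides a request against the page's ClusterRole and RoleBindings, including the "downgrade" of a ClusterRole bound by a RoleBinding. The user cluster-deployer and its ClusterRoleBinding are assumed for contrast and are not on the page.

```python
# Added example, not from the original post: a simplified re-implementation
# of the API server's RBAC decision for the objects in sections 5 to 7.
# Role, rules and subject names mirror the page's YAML; the logic is mine.

CLUSTER_ROLES = {
    "deployment-clusterrole": [
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["create"]}],
}
ROLES = {}  # keyed by (namespace, name); the page binds no plain Role

# Subjects are (kind, name); "ns/name" stands in for system:serviceaccount:ns:name.
BINDINGS = [
    # The page's three RoleBindings merged: the ClusterRole applies in app-team1 only.
    {"kind": "RoleBinding", "namespace": "app-team1",
     "roleRef": ("ClusterRole", "deployment-clusterrole"),
     "subjects": [("User", "sams"), ("Group", "edsp"),
                  ("ServiceAccount", "app-team1/cicd-token")]},
    # Hypothetical ClusterRoleBinding (not on the page): same ClusterRole, all namespaces.
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "deployment-clusterrole"),
     "subjects": [("User", "cluster-deployer")]},
]

def rule_matches(rule, group, resource, verb):
    # A rule matches only when group, resource and verb are all listed (or "*").
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def rules_for(role_ref, binding_ns):
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((binding_ns, name), [])  # a Role lives in the binding's ns

def can_i(subjects, verb, resource, namespace, group="apps"):
    """subjects: set of (kind, name) the caller carries (user plus its groups)."""
    for b in BINDINGS:
        if not any(s in subjects for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding grants inside its own namespace only
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"][0] != "ClusterRole":
            continue  # the API server rejects this combination at creation
        if any(rule_matches(r, group, resource, verb)
               for r in rules_for(b["roleRef"], b["namespace"])):
            return True
    return False  # deny by default: no matching rule means no access
```

On a real cluster the same checks are answered by kubectl auth can-i, for example with --as=system:serviceaccount:app-team1:cicd-token -n app-team1.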