网站关键词优化怎么弄,广东seo价格是多少钱,郑州一建董事长,doooor国外设计网站RBAC引入了4个顶级资源对象#xff1a;Role、ClusterRole#xff1a;角色#xff0c;用于指定一组权限#xff1b;RoleBinding、ClusterRoleBinding#xff1a;角色绑定#xff0c;用于将角色#xff08;权限#xff09;赋予给对象
咱们通过Role可以配置命名空间下资源…RBAC引入了4个顶级资源对象Role、ClusterRole角色用于指定一组权限RoleBinding、ClusterRoleBinding角色绑定用于将角色权限赋予给对象
咱们通过Role可以配置命名空间下资源的访问权限例如podservicedeployment等资源是否可以修改删除等权限Role只能对命名空间内的资源进行授权需要指定nameapce
ClusterRole是整个kubernetes下的资源的访问权限的控制跨namespaces的范围资源、非资源类型进行授权
我当前app整个命名空间下有一些pod我们以app这个命名空间创建一个xiaom的用户这个用户只能app这个命名空间下的PodDeployment的资源其他的资源没权限更改
[rootk8s-master1 RBAC]# kubectl get pods -n app -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dsf-67b6bd65c9-44rl4 2/2 Running 16 (3h15m ago) 25d 10.10.135.218 k8s-master3 none none
ingress-nginx-controller-74974c55bd-2bw2r 1/1 Running 6 (20h ago) 2d1h 192.168.21.100 k8s-node1 none none
ingress-nginx-controller-74974c55bd-j24mf 1/1 Running 10 (3h15m ago) 31d 192.168.21.122 k8s-master3 none none
nginx-55c7d65db4-z4rcc 1/1 Running 4 (20h ago) 2d1h 10.10.36.96 k8s-node1 none none
postgres-sonar-5b9d94cd6b-965tk 1/1 Running 2 (3h15m ago) 2d1h 10.10.135.221 k8s-master3 none none
tomcat-657677ffb5-2nrfc 1/1 Running 8 (3h15m ago) 26d 10.10.135.222 k8s-master3 none noneRole的配置示例
[rootk8s-master1 app]# kubectl apply -f app-Role.yaml
role.rbac.authorization.k8s.io/app-authorization-Role created[rootk8s-master1 app]# cat app-Role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: app #指定命名空间name: app-authorization-Role
rules:- apiGroups: [ ] #支持的API组列表, 空字符串表示核心API群resources: [ pod ] #支持的资源对象列表verbs: [ get,delete,create,delete,exec ] #允许的对资源对象的操作方法列表apiGroups表示支持的API组列表“”,“apps”, “autoscaling”, “batch”; resources: 支持的资源对象列表 “services”, “endpoints”, “pods”,“secrets”,“configmaps”,“crontabs”,“deployments”,“jobs”, “nodes”,“rolebindings”,“clusterroles”,“daemonsets”,“replicasets”,“statefulsets”, “horizontalpodautoscalers”,“replicationcontrollers”,“cronjobs” verbs: 对资源对象的操作方法列表 “get”, “list”, “watch”, “create”, “update”, “patch”, “delete”, “exec”
RoleBinding可以将同一namespace中的subject(用户、用户组)绑定到某个Role(规则)下则此subject即具有该Role定义的权限.
[rootk8s-master1 app]# cat app-RoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: app-authorization-role-bindingnamespace: app
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: app-authorization-RoleapiGroup: rbac.authorization.k8s.io
[rootk8s-master1 app]# kubectl apply -f app-RoleBinding.yaml创建一个xiaom的集群用户验证一下
[rootk8s-master1 user]# pwd
/opt/certs/user
(umask 077;openssl genrsa -out xiaom.key 2048)
[rootk8s-master1 user]# openssl req -new -key xiaom.key -out xiaom.csr -subj /CNxiaom/Oxiaomgroup
[rootk8s-master1 user]# openssl x509 -req -in xiaom.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out xiaom.crt -days 3650
[rootk8s-master1 app]# kubectl config set-cluster kubernetes --embed-certstrue --certificate-authority/opt/kubernetes/certs/ca.pem --serverhttps://192.168.21.120:6443
[rootk8s-master1 app]# kubectl config set-credentials xiaom --embed-certstrue --client-certificate/opt/certs/user/xiaom.crt --client-key/opt/certs/user/xiaom.key
User xiaom set.
[rootk8s-master1 app]# kubectl config set-context xiaomkubernetes --clusterkubernetes --userxiaom
Context xiaomkubernetes modified.
[rootk8s-master1 app]# kubectl config use-context xiaomkubernetes
Switched to context xiaomkubernetes.
[rootk8s-master1 ~]# kubectl get pods -n app
NAME READY STATUS RESTARTS AGE
dsf-67b6bd65c9-44rl4 2/2 Running 18 (17h ago) 26d
host-path-nginx 2/2 Running 2 (17h ago) 17h
ingress-nginx-controller-74974c55bd-2bw2r 1/1 Running 7 (17h ago) 2d22h
ingress-nginx-controller-74974c55bd-j24mf 1/1 Running 11 (17h ago) 32d
nginx-55c7d65db4-t6mgz 1/1 Running 0 79m
postgres-sonar-5b9d94cd6b-965tk 1/1 Running 3 (141m ago) 2d22h
tomcat-657677ffb5-2nrfc 1/1 Running 9 (17h ago) 26d
[rootk8s-master1 ~]# kubectl get deployment -n app
Error from server (Forbidden): deployments.apps is forbidden: User xiaom cannot list resource deployments in API group apps in the namespace app
咱们创建一个集群权限将这个权限赋予给xiaom这个用户当前xiaom这个用户没有操作deployment的权限咱们创建一个deployment的集群权限赋予给xiaom这个用户这样xiaom这个用户可以操作所有命名空间下的deployment
ClusterRole可以对集群范围内资源、跨namespaces的范围资源、非资源类型进行授权
[rootk8s-master1 app]# kubectl apply -f app-ClusterRole.yaml
clusterrole.rbac.authorization.k8s.io/app-authorization-clusterrole created
[rootk8s-master1 app]# cat app-ClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: app-authorization-clusterrole
rules:- apiGroups: [ apps ]resources: [ deployments ]verbs: [ get,delete,create,delete ]ClusterRoleBinding在整个集群级别和所有namespaces将不同namespace中的subject(用户、用户组)与ClusterRole(集群范围内资源)绑定授予权限
[rootk8s-master1 app]# kubectl apply -f app-ClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/app-authorization-clusterrole-binding created
[rootk8s-master1 app]# cat app-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: app-authorization-clusterrole-binding
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io
RoleBinding可以引用ClusterRole对属于同一命名空间内ClusterRole定义的资源主体进行授权
[rootk8s-master1 app]# cat app-RoleClusterBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: app-ClusterRoleBindingnamespace: app
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io
[rootk8s-master1 app]# kubectl config use-context xiaomkubernetes
[rootk8s-master1 app]# kubectl get deployment -A
NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
app busybox 0/0 0 0 35d
app dsf 1/1 1 1 26d
app hostpath 0/0 0 0 35d
app ingress-nginx-controller 2/2 2 2 32d
app nginx 1/1 1 1 26d
app postgres-sonar 1/1 1 1 3d
app tomcat 1/1 1 1 32d
kube-devops jenkins 1/1 1 1 2d4h
kube-devops nexus-sonatype-nexus 1/1 1 1 2d4h
kube-system calico-kube-controllers 1/1 1 1 2d23h
kube-system coredns 1/1 1 1 2d22h
kubernetes-dashboard dashboard-metrics-scraper 1/1 1 1 70d
kubernetes-dashboard kubernetes-dashboard 1/1 1 1 70d
nfs-provisioner nfs-subdir-external-provisioner 2/2 2 2 50d
test tomcat-deploy 1/1 1 1 13d
[rootk8s-master1 app]# kubectl delete deployment hostpath -n app
deployment.apps hostpath deleted这样xiaom这个用户就有操作所有命名空间下的deployment的权限 文章转载自: http://www.morning.ytfr.cn.gov.cn.ytfr.cn http://www.morning.fpkpz.cn.gov.cn.fpkpz.cn http://www.morning.xmnlc.cn.gov.cn.xmnlc.cn http://www.morning.hlzpb.cn.gov.cn.hlzpb.cn http://www.morning.qkgwx.cn.gov.cn.qkgwx.cn http://www.morning.dysgr.cn.gov.cn.dysgr.cn http://www.morning.ykswq.cn.gov.cn.ykswq.cn http://www.morning.zpyh.cn.gov.cn.zpyh.cn http://www.morning.ffgbq.cn.gov.cn.ffgbq.cn http://www.morning.bdqpl.cn.gov.cn.bdqpl.cn http://www.morning.krgjc.cn.gov.cn.krgjc.cn http://www.morning.srbmc.cn.gov.cn.srbmc.cn http://www.morning.dzqyn.cn.gov.cn.dzqyn.cn http://www.morning.yhjrc.cn.gov.cn.yhjrc.cn http://www.morning.xqjrg.cn.gov.cn.xqjrg.cn http://www.morning.qtqk.cn.gov.cn.qtqk.cn http://www.morning.tpps.cn.gov.cn.tpps.cn http://www.morning.ldwxj.cn.gov.cn.ldwxj.cn http://www.morning.ywgrr.cn.gov.cn.ywgrr.cn http://www.morning.ztmkg.cn.gov.cn.ztmkg.cn http://www.morning.hyfrd.cn.gov.cn.hyfrd.cn http://www.morning.pzpj.cn.gov.cn.pzpj.cn http://www.morning.ftmp.cn.gov.cn.ftmp.cn http://www.morning.mlnby.cn.gov.cn.mlnby.cn http://www.morning.ssqwr.cn.gov.cn.ssqwr.cn http://www.morning.fnrkh.cn.gov.cn.fnrkh.cn http://www.morning.pqqhl.cn.gov.cn.pqqhl.cn http://www.morning.bqxxq.cn.gov.cn.bqxxq.cn http://www.morning.kmjbs.cn.gov.cn.kmjbs.cn http://www.morning.srcth.cn.gov.cn.srcth.cn http://www.morning.xqndf.cn.gov.cn.xqndf.cn http://www.morning.qlrwf.cn.gov.cn.qlrwf.cn http://www.morning.fbccx.cn.gov.cn.fbccx.cn http://www.morning.lpzqd.cn.gov.cn.lpzqd.cn http://www.morning.clccg.cn.gov.cn.clccg.cn http://www.morning.xbnkm.cn.gov.cn.xbnkm.cn http://www.morning.krfpj.cn.gov.cn.krfpj.cn http://www.morning.wtyqs.cn.gov.cn.wtyqs.cn http://www.morning.glnfn.cn.gov.cn.glnfn.cn http://www.morning.xkjrs.cn.gov.cn.xkjrs.cn http://www.morning.rbbyd.cn.gov.cn.rbbyd.cn http://www.morning.khtjn.cn.gov.cn.khtjn.cn http://www.morning.zrmxp.cn.gov.cn.zrmxp.cn http://www.morning.zdmlt.cn.gov.cn.zdmlt.cn http://www.morning.ymmjx.cn.gov.cn.ymmjx.cn http://www.morning.znsyn.cn.gov.cn.znsyn.cn http://www.morning.gwdkg.cn.gov.cn.gwdkg.cn http://www.morning.hbpjb.cn.gov.cn.hbpjb.cn http://www.morning.pjtnk.cn.gov.cn.pjtnk.cn http://www.morning.lwcqh.cn.gov.cn.lwcqh.cn http://www.morning.qfbzj.cn.gov.cn.qfbzj.cn http://www.morning.xhftj.cn.gov.cn.xhftj.cn http://www.morning.tlzbt.cn.gov.cn.tlzbt.cn http://www.morning.kpbq.cn.gov.cn.kpbq.cn http://www.morning.lqgtx.cn.gov.cn.lqgtx.cn http://www.morning.sxfmg.cn.gov.cn.sxfmg.cn http://www.morning.pznnt.cn.gov.cn.pznnt.cn http://www.morning.nfpkx.cn.gov.cn.nfpkx.cn http://www.morning.nynpf.cn.gov.cn.nynpf.cn http://www.morning.thlzt.cn.gov.cn.thlzt.cn http://www.morning.pxwjp.cn.gov.cn.pxwjp.cn http://www.morning.qwfq.cn.gov.cn.qwfq.cn http://www.morning.bhdyr.cn.gov.cn.bhdyr.cn http://www.morning.xzrbd.cn.gov.cn.xzrbd.cn http://www.morning.rxrw.cn.gov.cn.rxrw.cn http://www.morning.txtgy.cn.gov.cn.txtgy.cn http://www.morning.lblsx.cn.gov.cn.lblsx.cn http://www.morning.muzishu.com.gov.cn.muzishu.com http://www.morning.bncrx.cn.gov.cn.bncrx.cn http://www.morning.ksqzd.cn.gov.cn.ksqzd.cn http://www.morning.ycpnm.cn.gov.cn.ycpnm.cn http://www.morning.mbprq.cn.gov.cn.mbprq.cn http://www.morning.nypgb.cn.gov.cn.nypgb.cn http://www.morning.xrwbc.cn.gov.cn.xrwbc.cn http://www.morning.xppj.cn.gov.cn.xppj.cn http://www.morning.yrbhf.cn.gov.cn.yrbhf.cn http://www.morning.sfdsn.cn.gov.cn.sfdsn.cn http://www.morning.yjfmj.cn.gov.cn.yjfmj.cn http://www.morning.bhdyr.cn.gov.cn.bhdyr.cn http://www.morning.eviap.com.gov.cn.eviap.com
