一、User --> Rolebinding --> Role

一个Role对象只能用于授予对某一单一命名空间中资源的访问权限

1.创建命名空间

# cat namespace-dev.yaml 
# Namespace that scopes the Role and RoleBinding used in section 1.
apiVersion: v1
kind: Namespace
metadata:
  name: development
# kubectl get ns
development       Active   56s

2.在该命名空间中创建一个实例

kubectl create -f nginx-deployment.yaml -n development
kubectl get pod -n development
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          20s
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          20s
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          20s

3.使用集群 CA 为用户签发一张客户端证书。注意：kube-apiserver 把证书的 CN 当作用户名、O 当作组；下面签的是 3650 天（10 年），而 apiserver 不支持客户端证书吊销（无 CRL/OCSP），证书一旦泄露只能换 CA 才能作废，实际环境应大幅缩短 -days 或改用 CertificateSigningRequest API 签发，并且不要把用户私钥 dev.key 留在 /etc/kubernetes/pki 这种与 ca.key 同目录的位置

# cd /etc/kubernetes/pki/
# openssl genrsa -out dev.key 2048
# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
# openssl x509 -req -in dev.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out dev.crt -days 3650
# openssl x509 -noout -text -in ./dev.crt

4.使用生成的证书在 kubeconfig 中添加一个用户凭据（Kubernetes 没有 User 对象，用户名就是证书里的 CN=dev）。--embed-certs=true 会把私钥明文写进 kubeconfig，该文件要按私钥同等级别保护

# kubectl config set-credentials dev --client-certificate=./dev.crt --client-key=./dev.key --embed-certs=true
User "dev" set.

5.定义一个context

# kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev --namespace=development
Context "dev@kubernetes" created.

6.创建 Role（kubectl 1.18 及以后 --dry-run 需写成 --dry-run=client，下同）

一个Role对象只能用于授予对某一单一命名空间中资源的访问权限，此处 Role 所在的命名空间是 development，它授予的权限也只在 development 内有效

kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
# cat role-demo.yaml
# Role: namespaced permissions only. Read-only access to pods in "development";
# no write verbs (create/update/delete) are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: development  # the Role is only effective inside this namespace
rules:
- apiGroups:
  - ""  # core API group (pods live here)
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl apply -f role-demo.yaml

7.创建 RoleBinding 把角色绑定到用户（subjects 里的 User 名必须与证书 CN 一致）

kubectl create rolebinding dev-read-pods --role=pods-reader --user=dev --dry-run -o yaml > rolebinding-demo.yaml
# cat rolebinding-demo.yaml 
# RoleBinding: grants Role "pods-reader" to user "dev". Because both the Role
# and the binding live in "development", "dev" gets nothing in other namespaces
# (step 8 below shows the Forbidden error for "default").
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pods
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev  # matches the client certificate CN=dev from step 3
# kubectl apply -f rolebinding-demo.yaml

8.切换 context 验证（不切换 context 也可以用 kubectl auth can-i list pods --as=dev -n development 直接校验授权结果）

# kubectl config use-context dev@kubernetes
Switched to context "dev@kubernetes".
# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          22m
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          22m
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          22m
# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

二、User --> Clusterrolebinding --> Clusterrole

1.创建clusterrole

# kubectl create clusterrole cluster-read --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-demo.yaml
# cat clusterrole-demo.yaml 
# ClusterRole: not namespaced. Read-only on pods and on nodes; nodes are a
# cluster-scoped resource, so this role is only fully usable through a
# ClusterRoleBinding (section 2 below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-read
rules:
- apiGroups:
  - ""  # core API group
  resources:
  - pods
  - nodes  # kubectl expanded the singular "node" given on the command line
  verbs:
  - get
  - list
  - watch

2.定义 ClusterRoleBinding（绑定后 dev 对所有命名空间的 pods 以及集群级的 nodes 都有读权限，授权范围远大于前面的 RoleBinding，发放前要确认确实需要跨命名空间的权限）

# kubectl create clusterrolebinding dev-read-all-pods --clusterrole=cluster-read --user=dev --dry-run -o yaml > clusterrolebinding-demo.yaml
# cat clusterrolebinding-demo.yaml
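# ClusterRoleBinding: grants ClusterRole "cluster-read" to user "dev" across
# ALL namespaces (pods) and on cluster-scoped nodes.
# apiVersion was rbac.authorization.k8s.io/v1beta1 here while every other
# manifest on this page uses v1; v1 has been served since 1.8 and v1beta1 was
# removed in 1.22, so use v1 for consistency and forward compatibility.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev  # matches the client certificate CN=dev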

3.删除前面的 RoleBinding，再创建 ClusterRole 和 ClusterRoleBinding

# kubectl delete rolebinding -n development dev-read-pods
rolebinding.rbac.authorization.k8s.io "dev-read-pods" deleted
# kubectl create -f clusterrole-demo.yaml -f clusterrolebinding-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-read created
clusterrolebinding.rbac.authorization.k8s.io/dev-read-all-pods created

4.定义 context（这个 context 没有设置 namespace，所以不带 -n 的命令默认作用于 default）

# kubectl config set-context devcluster@kubernetes --cluster=kubernetes --user=dev
Context "devcluster@kubernetes" created.

5.切换context测试

# kubectl config use-context devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-5694ccb578-9m8j8   1/1     Running   0          20d
# kubectl get node
NAME    STATUS   ROLES    AGE   VERSION
k8s-1   Ready    master   49d   v1.14.2
k8s-2   Ready    <none>   48d   v1.14.2
k8s-3   Ready    <none>   48d   v1.14.2
k8s-4   Ready    <none>   15d   v1.14.2
k8s-5   Ready    <none>   15d   v1.14.2
# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://20.0.20.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: development
    user: dev
  name: dev@kubernetes
- context:
    cluster: kubernetes
    user: dev
  name: devcluster@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: devcluster@kubernetes
kind: Config
preferences: {}
users:
- name: dev
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# kubectl config use-context  kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes"

三、User --> Rolebinding --> Clusterrole

1.删除前面的 ClusterRoleBinding

# kubectl delete clusterrolebinding dev-read-all-pods
clusterrolebinding.rbac.authorization.k8s.io "dev-read-all-pods" deleted

2.定义 ClusterRole（命令生成的是 pods,node，下面的文件是用 vim 把 node 改成 services 之后的内容）

# kubectl create clusterrole clusterrole-role --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-rolebinding.yaml
# vim clusterrole-rolebinding.yaml 

# ClusterRole reused through a namespaced RoleBinding (section 3). It lists
# only namespaced resources (pods, services); the generated "node" entry was
# replaced by "services" by hand before applying.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: clusterrole-role
rules:
- apiGroups:
  - ""  # core API group
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch

3.定义 RoleBinding。注意生成的文件里没有 namespace 字段，而此时的 context 是 kubernetes-admin@kubernetes 且未设置 namespace，所以这个 RoleBinding 会落在 default 命名空间，dev 也就只能读 default 里的 pods 和 services；实际操作时应显式写 metadata.namespace 或在命令里加 -n，避免把权限授到错误的命名空间

# kubectl create rolebinding dev-read-pn --clusterrole=clusterrole-role --user=dev --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
# vim rolebinding-clusterrole-demo.yaml

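# RoleBinding that references a ClusterRole. The grant is still limited to the
# namespace the binding lives in; the ClusterRole only supplies the rule set.
# Two fixes versus the listing as shown:
#  - name was printed as "dev-read-pod", but the create command and the apply
#    output both use "dev-read-pn"; the manifest now matches them.
#  - namespace was omitted, so kubectl applied it to the current context's
#    namespace (default, which is why "dev" can read default/services but
#    "get pod -A" is Forbidden below). Spell it out so the target namespace
#    does not depend on whichever context happens to be active.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pn
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterrole-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev  # matches the client certificate CN=dev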
# kubectl apply -f clusterrole-rolebinding.yaml -f rolebinding-clusterrole-demo.yaml 
clusterrole.rbac.authorization.k8s.io/clusterrole-role created
rolebinding.rbac.authorization.k8s.io/dev-read-pn created

4.切换context

# kubectl config use-context  devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod
No resources found.
# kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" at the cluster scope
# kubectl get svc
NAME                                                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
glusterfs-dynamic-db9abc87-9e0a-11e9-a2f3-00505694834d   ClusterIP   10.103.125.206   <none>        1/TCP     13d

集群级别的资源（nodes、persistentvolumes、namespaces 等）以及非资源型 URL（如 /healthz、/metrics）不属于任何命名空间，无法通过 RoleBinding 授权。RoleBinding 引用 ClusterRole 时，ClusterRole 只是提供规则集合，权限仍然只在该 RoleBinding 所在的命名空间内生效（上面 kubectl get pod -A 被拒绝、而 default 里的 svc 可读就是这个原因）；所有集群范围的授权都只能通过 ClusterRoleBinding 完成，因此 ClusterRoleBinding 的发放要比 RoleBinding 更谨慎