Certified Kubernetes Administrator (CKA) Certification Series

Question 1: Role-based access control (RBAC)
Question 2: Node maintenance: marking a node unschedulable
Question 3: Kubernetes version upgrade
Question 4: Etcd backup and restore
Question 5: NetworkPolicy
Question 6: Layer 4 load balancing: Service
Question 7: Layer 7 load balancing: Ingress
Question 8: Scaling pods with a Deployment
Question 9: Scheduling a pod to a specific node
Question 10: Checking node health status
Question 11: Multiple containers in one Pod
Question 12: PersistentVolume
Question 13: PersistentVolumeClaim
Question 14: Monitoring Pod logs
Question 15: Sidecar proxy
Question 16: Monitoring Pod metrics
Question 17: Cluster troubleshooting: kubelet failure


Question 1

Source: Killercoda (RBAC ServiceAccount Permissions)

Description:

There are existing Namespaces ns1 and ns2.

  1. Create ServiceAccount pipeline in both Namespaces.
  2. These SAs should be allowed to view almost everything in the whole cluster. You can use the default ClusterRole view for this.
  3. These SAs should be allowed to create and delete Deployments in their Namespace.
  4. Verify everything using kubectl auth can-i.


Tips:

alias k=kubectl

k get clusterrole view # there is a default one

k create clusterrole -h # examples

k create rolebinding -h # examples

k auth can-i delete deployments --as system:serviceaccount:ns1:pipeline -n ns1

Solution:

# 1. Create a ServiceAccount named pipeline in each namespace
kubectl create sa pipeline -n ns1
kubectl create sa pipeline -n ns2

# 2. Bind the default ClusterRole view to both SAs cluster-wide
kubectl create clusterrolebinding pipeline-view --clusterrole view --serviceaccount ns1:pipeline --serviceaccount ns2:pipeline

# 3. Grant both SAs create and delete on Deployments, limited to their own namespace
#    (a RoleBinding that references a ClusterRole only applies inside the RoleBinding's namespace)
kubectl create clusterrole pipeline-deployment-manager --verb=create,delete --resource=deployments
kubectl create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns1:pipeline -n ns1
kubectl create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns2:pipeline -n ns2

# 4. Verify with kubectl auth can-i
# Verify ns1 (the two "update" checks and the check in default should answer "no")
kubectl auth can-i create deployments --as system:serviceaccount:ns1:pipeline -n ns1
kubectl auth can-i delete deployments --as system:serviceaccount:ns1:pipeline -n ns1
kubectl auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n ns1
kubectl auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n default

# Verify ns2
kubectl auth can-i create deployments --as system:serviceaccount:ns2:pipeline -n ns2
kubectl auth can-i delete deployments --as system:serviceaccount:ns2:pipeline -n ns2
kubectl auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n ns2
kubectl auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n default

# Verify the cluster-wide view permission (view does not include secrets, so the last check should answer "no")
kubectl auth can-i list deployments --as system:serviceaccount:ns1:pipeline -n ns1
kubectl auth can-i list deployments --as system:serviceaccount:ns1:pipeline -A
kubectl auth can-i list pods --as system:serviceaccount:ns1:pipeline -A
kubectl auth can-i list pods --as system:serviceaccount:ns2:pipeline -A
kubectl auth can-i list secrets --as system:serviceaccount:ns1:pipeline -A

Question 2

Source: Killercoda (RBAC User Permissions)

Description:

There is an existing Namespace applications.

  1. User smoke should be allowed to create and delete Pods, Deployments and StatefulSets in Namespace applications.
  2. User smoke should have view permissions (like the permissions of the default ClusterRole named view) in all Namespaces but not in kube-system.
  3. Verify everything using kubectl auth can-i.


Tips:

alias k=kubectl

# 1)
k -n applications create role -h
k -n applications create rolebinding -h

# 2)
# as of now it’s not possible to create deny-RBAC in K8s.
# so we allow for all other namespaces

# 3)
k auth can-i -h
k auth can-i create deployments --as smoke -n applications

Solution:

# 1. Create the Role and RoleBinding in the applications namespace
#    (the Role must live in the same namespace as the RoleBinding that references it)
kubectl create role smoke --verb=create,delete --resource=pods,deployments,statefulsets -n applications
kubectl create rolebinding smoke --role=smoke --user=smoke -n applications

# 2. Grant view in every namespace except kube-system
# Kubernetes RBAC has no deny rules, so instead of denying kube-system we bind the
# view ClusterRole in each of the other namespaces
# List all namespaces
kubectl get ns
kubectl create rolebinding smoke-view --clusterrole=view --user=smoke -n kube-node-lease
kubectl create rolebinding smoke-view --clusterrole=view --user=smoke -n default
kubectl create rolebinding smoke-view --clusterrole=view --user=smoke -n kube-public
kubectl create rolebinding smoke-view --clusterrole=view --user=smoke -n applications
kubectl create rolebinding smoke-view --clusterrole=view --user=smoke -n local-path-storage

# 3. Verify with kubectl auth can-i
# Verify applications (view does not include secrets, so the last check should answer "no")
kubectl auth can-i create deployments --as smoke -n applications
kubectl auth can-i delete deployments --as smoke -n applications
kubectl auth can-i create pods --as smoke -n applications
kubectl auth can-i delete pods --as smoke -n applications
kubectl auth can-i list secrets --as smoke -n applications

# Check view permissions across namespaces (only kube-system should answer "no")
kubectl auth can-i list deployments --as smoke -n applications
kubectl auth can-i list deployments --as smoke -n default
kubectl auth can-i list deployments --as smoke -n kube-public
kubectl auth can-i list deployments --as smoke -n local-path-storage
kubectl auth can-i list deployments --as smoke -n kube-node-lease
kubectl auth can-i list deployments --as smoke -n kube-system
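As an added example (not part of the original post or of Killercoda's material), the following Python model reproduces the `kubectl auth can-i` checks from both Question 1 and Question 2 above. It is a deliberately simplified stand-in for the API server's RBAC authorizer: the rule lists, the namespace list and the `user:`/`sa:` subject naming are constructed here, and the `view` rules are only a small subset of the real ClusterRole.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[Tuple[str, ...], Tuple[str, ...]]  # (verbs, resources)

# Constructed subset of the default ClusterRole "view": read verbs on a few
# resources and, like the real role, no access to secrets.
VIEW: List[Rule] = [(("get", "list", "watch"), ("pods", "deployments", "statefulsets"))]
DEPLOY_MANAGER: List[Rule] = [(("create", "delete"), ("deployments",))]
SMOKE_ROLE: List[Rule] = [(("create", "delete"), ("pods", "deployments", "statefulsets"))]
# Namespace list as enumerated by `kubectl get ns` in the solution above.
ALL_NAMESPACES = ["default", "kube-system", "kube-public", "kube-node-lease",
                  "applications", "local-path-storage"]


@dataclass
class Binding:
    """A RoleBinding or ClusterRoleBinding, flattened to the rules it grants."""
    subject: str                     # "user:smoke" or "sa:<namespace>:pipeline"
    rules: List[Rule]
    namespace: Optional[str] = None  # None models a ClusterRoleBinding


def can_i(bindings: List[Binding], subject: str, verb: str,
          resource: str, namespace: str) -> bool:
    """Model of `kubectl auth can-i VERB RESOURCE --as SUBJECT -n NAMESPACE`;
    pass namespace="" for a cluster-wide check (kubectl's -A)."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding grants its rules only inside its own namespace, even when
        # it references a ClusterRole; a ClusterRoleBinding applies everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(verb in vs and resource in rs for vs, rs in b.rules):
            return True
    return False  # allow-only model: no matching rule means "no", never "deny"


def question1_bindings() -> List[Binding]:
    """Question 1: clusterrolebinding pipeline-view plus one rolebinding per namespace."""
    sas = ["sa:ns1:pipeline", "sa:ns2:pipeline"]
    return ([Binding(s, VIEW) for s in sas]
            + [Binding(f"sa:{ns}:pipeline", DEPLOY_MANAGER, namespace=ns) for ns in ("ns1", "ns2")])


def question2_bindings() -> List[Binding]:
    """Question 2: role smoke in applications, view bound in every namespace but kube-system."""
    # There is no deny rule, so kube-system is excluded simply by not binding view there.
    return ([Binding("user:smoke", SMOKE_ROLE, namespace="applications")]
            + [Binding("user:smoke", VIEW, namespace=ns) for ns in ALL_NAMESPACES if ns != "kube-system"])
```

Feeding the same verb/resource/namespace triples as the can-i commands above into `can_i` shows why the `update` and `-n default` checks answer "no" while the `-A` list checks for the SAs answer "yes".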