一、通用权限管理
1.1 Namespace查询权限
创建一个可以查询命名空间的权限
[root@k8s-master01 study]# vim namespace-readonly.yaml
# ClusterRole "namespace-readonly": read-only view of namespaces plus pod
# metrics. Namespaces are cluster-scoped objects, so this has to be a
# ClusterRole rather than a Role. Only read verbs are granted and no rule
# touches secrets or other namespaced data, so the blast radius of a
# cluster-wide binding is limited to disclosure of namespace names and
# pod resource-usage figures.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
  # Core API group (""): enumerate namespaces, e.g. `kubectl get ns`.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  # metrics.k8s.io: pod CPU/memory usage as served by the metrics API
  # (what `kubectl top pod` reads). This is "pods" in the metrics group,
  # not the core "pods" resource, so it does not expose pod specs.
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
[root@k8s-master01 study]# kubectl create -f namespace-readonly.yaml
1.2 Pod删除权限
创建一个可以删除Pod的权限
[root@k8s-master01 study]# vim pod-delete.yaml
# ClusterRole "pod-delete": read and delete pods. The verb list omits
# "watch" (unlike the read-only roles) and grants no create/update/patch,
# so the holder can remove existing pods but not launch or modify them.
# Security: a ClusterRole becomes cluster-wide only through a
# ClusterRoleBinding; binding it with a namespaced RoleBinding confines the
# delete verb to that namespace. Prefer the RoleBinding form — a cluster-wide
# binding also allows deleting system pods in kube-system, which is a
# denial-of-service lever. Pod deletions show up in the API-server audit log
# as DELETE on pods and are worth alerting on for privileged namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-delete
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      # pods/status is read-only here (get/list); delete on the
      # subresource is not meaningful and is not granted.
      - pods/status
    verbs:
      - get
      - list
      - delete
[root@k8s-master01 study]# kubectl create -f pod-delete.yaml
1.3 执行命令权限
创建一个可以执行命令的权限
[root@k8s-master01 study]# vim pod-exec.yaml
# ClusterRole "pod-exec": read pods and open exec sessions into them.
# Security: "create" on pods/exec runs arbitrary commands inside the target
# container, with access to whatever that container can reach — its mounted
# service-account token, mounted secrets and volumes, and its network
# position. Treat this role as equivalent to holding the identity of every
# pod the binding reaches. Mitigations: bind it with a namespaced RoleBinding
# scoped to the namespaces that need it instead of a ClusterRoleBinding,
# keep it off kube-system, and make sure the API-server audit policy records
# pods/exec requests at RequestResponse level so sessions are attributable.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-exec
rules:
  # Read access is needed so `kubectl exec` can resolve the pod; note
  # "watch" is not granted, unlike the pod-log role.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/status
    verbs:
      - get
      - list
  # The exec subresource is only ever "created" (one create per session).
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
[root@k8s-master01 study]# kubectl create -f pod-exec.yaml
1.4 查看日志权限
创建一个可以查看日志的权限
[root@k8s-master01 study]# vim pod-log.yaml
# ClusterRole "pod-log": read-only access to pods, their status and their
# log streams. No write verbs are granted.
# Security: application logs frequently contain tokens, connection strings
# or personal data that developers printed by accident, so "pods/log" is a
# disclosure path even though it is read-only. Bind it with a namespaced
# RoleBinding where the subject only needs one team's logs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      # pods/log is the subresource `kubectl logs` reads.
      - pods/log
      - pods/status
    verbs:
      - get
      - list
      - watch
[root@k8s-master01 study]# kubectl create -f pod-log.yaml
1.5 资源编辑权限
创建一个可以针对指定资源进行编辑的权限
[root@k8s-master01 study]# vim pod-edit.yaml
# ClusterRole "configmap-deployment-manager": create and modify ConfigMaps
# (core group) and Deployments (apps group). "delete" is not granted for
# either resource, and Secrets are not in scope.
# NOTE: the tutorial saves this file as pod-edit.yaml, but the object it
# creates is named configmap-deployment-manager and it grants nothing on pods.
# Security: create/update/patch on Deployments lets the subject run any
# image and set the pod template's serviceAccountName to any service account
# in the namespace, so in a namespace that holds privileged service accounts
# this is a route to those identities. Bind narrowly (RoleBinding per
# namespace) and enforce Pod Security Admission or an equivalent admission
# policy on the namespaces it covers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-deployment-manager
rules:
  # ConfigMaps: full read plus create/update/patch (no delete).
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
  # Deployments live in the "apps" API group, not the core group.
  - apiGroups: ["apps"]
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
[root@k8s-master01 study]# kubectl create -f pod-edit.yaml
1.6 通用权限（以上汇总）
将上面5种方式统一汇总到一个文件中
[root@k8s-master01 study]# vim general_permissions.yaml
# general_permissions.yaml: the five ClusterRoles from sections 1.1–1.5 in
# one multi-document file (documents separated by "---"). Each document is
# the same as its standalone file; nothing here binds the roles to a
# subject — that still requires a RoleBinding or ClusterRoleBinding.
# Security: all five are ClusterRoles, but only namespace-readonly needs to
# be (namespaces are cluster-scoped). Keep the binding for pod-delete,
# pod-exec, pod-log and configmap-deployment-manager namespaced unless
# cluster-wide reach is genuinely required; pod-exec in particular gives
# command execution inside every pod the binding covers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
  # Read-only: namespace names and pod metrics (metrics.k8s.io group).
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-delete
rules:
  # Read plus delete on pods; no watch, no create/update.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/status
    verbs:
      - get
      - list
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-exec
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/status
    verbs:
      - get
      - list
  # pods/exec create = arbitrary command execution inside the container;
  # scope the binding and audit these requests.
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log
rules:
  # Read-only, but logs may carry secrets applications printed.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - pods/status
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-deployment-manager
rules:
  # Create/update/patch (no delete) on ConfigMaps and Deployments. Creating
  # Deployments means choosing images and the pod's serviceAccountName, so
  # bind per namespace and back it with admission policy.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups: ["apps"]
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
[root@k8s-master01 study]# kaf general_permissions.yaml