Kubernetes RBAC Operations: Difference between revisions
Latest revision as of 02:03, 2 October 2020
Internal
List Cluster Roles
kubectl get clusterroles
Get Details about a Specific Cluster Role
kubectl -o yaml get clusterroles cluster-admin
List Cluster Role Bindings
kubectl get clusterrolebindings
Get Details about a Specific Cluster Role Binding
kubectl get clusterrolebindings cluster-admin -o yaml
Create a Role
With Metadata
With CLI
kubectl -n <namespace-name> create role <role-name> --verb=use --resource=podsecuritypolicy --resource-name=example
Create a Role Binding
With Metadata
With CLI
kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --serviceaccount=<namespace-name>:<service-account-name>
kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --user=<user-name>
It is sometimes convenient to use the same name for the role and the role binding.
Create a Cluster Role Binding
With Metadata
With CLI
kubectl create clusterrolebinding some-clusterrole-binding --clusterrole=some-clusterrole --serviceaccount=some-namespace:some-sa
Assigning a Cluster Role to a Service Account
Using Metadata
Use kubectl apply -f with the following manifest:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: blue-default-service-account-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: blue
With CLI
kubectl create rolebinding -n <namespace> <role-binding-name> --clusterrole=<clusterrole-name> --serviceaccount=<namespace>:<serviceaccount-name>
kubectl create rolebinding -n blue edit-blue-serviceaccount-binding --clusterrole=edit --serviceaccount=blue:blue-serviceaccount
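An added example (not part of the original page): a Python audit of the two grant styles shown above, reading the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json` and reporting service accounts bound to high-privilege ClusterRoles with their effective scope, since a ClusterRoleBinding applies cluster-wide while a RoleBinding that references a ClusterRole applies only in its own namespace. The `RISKY` role set, the `pod-reader` binding and the helper names are assumptions made for illustration, and the sample data is constructed.

```python
import json
import sys

# Roles treated as high-privilege (assumption; adjust to local policy).
RISKY = {"cluster-admin", "admin", "edit"}

def binding(kind, name, ref_kind, ref_name, subjects, namespace=None):
    """Hypothetical helper: build an object shaped like kubectl's JSON output."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": subjects}

# Constructed sample: the page's two bindings plus one harmless Role binding.
SAMPLE = {"kind": "List", "items": [
    binding("ClusterRoleBinding", "blue-default-service-account-cluster-admin",
            "ClusterRole", "cluster-admin",
            [{"kind": "ServiceAccount", "name": "default", "namespace": "blue"}]),
    binding("RoleBinding", "edit-blue-serviceaccount-binding", "ClusterRole", "edit",
            [{"kind": "ServiceAccount", "name": "blue-serviceaccount",
              "namespace": "blue"}], namespace="blue"),
    binding("RoleBinding", "pod-reader", "Role", "pod-reader",
            [{"kind": "User", "name": "alice"}], namespace="blue"),
]}

def audit(binding_list):
    """Return service accounts bound to risky ClusterRoles, with effective scope."""
    findings = []
    for b in binding_list.get("items", []):
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in RISKY:
            continue
        # A RoleBinding limits even a ClusterRole to the binding's own namespace.
        scope = ("cluster-wide" if b["kind"] == "ClusterRoleBinding"
                 else "namespace:" + b["metadata"]["namespace"])
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s.get("kind") == "ServiceAccount":
                findings.append({
                    "binding": b["metadata"]["name"], "role": ref["name"],
                    "scope": scope,
                    "subject": f'{s.get("namespace", "?")}:{s["name"]}',
                    "default_sa": s["name"] == "default"})
    return findings

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run with no argument for SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(json.dumps(f))
```

A finding with `"scope": "cluster-wide"` and `"default_sa": true` means every pod in that namespace that does not name its own service account inherits the role across the whole cluster.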