Kubernetes RBAC Operations: Difference between revisions

From NovaOrdis Knowledge Base

(14 intermediate revisions by the same user not shown)

Line 19 (old revision) / Line 19 (new revision). Unchanged context:

  kubectl get clusterrolebindings cluster-admin -o yaml

Removed by this revision (old text):

<syntaxhighlight lang='yaml'>
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-08-23T00:23:50Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "97"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 47d578f3-c53c-11e9-9b4b-06fd25eb2db2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
</syntaxhighlight>

Added by this revision (new text):

=Create a Role=
==With Metadata==
==With CLI==
<syntaxhighlight lang='bash'>
kubectl -n <namespace-name> create role <role-name> --verb=use --resource=podsecuritypolicy --resource-name=example
</syntaxhighlight>

=Create a Role Binding=
==With Metadata==
==With CLI==
<syntaxhighlight lang='bash'>
kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --serviceaccount=<namespace-name:service-account-name>
kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --user=<user-name>
</syntaxhighlight>
It is some times convenient to use the same name for role and role binding.

=Create a Cluster Role Binding=
==With Metadata==
==With CLI==
<syntaxhighlight lang='bash'>
kubectl create clusterrolebinding some-clusterrole-binding --clusterrole=some-clusterrole --serviceaccount=some-namespace:some-sa
</syntaxhighlight>

Unchanged context:

=Assigning a Cluster Role to a Service Account=

Added by this revision:

==Using Metadata==

Unchanged context:

  kubectl apply -f  
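Review bot: the three new ==With Metadata== subsections (under Create a Role, Create a Role Binding and Create a Cluster Role Binding) are empty headings; either add the Role, RoleBinding or ClusterRoleBinding manifest each one promises or drop the heading until it exists. The `create role` example only grants `use` on the single PodSecurityPolicy named `example`, which is a narrow PSP-specific case rather than a general recipe, so the section should say what the resulting role allows. Minor: "some times" should read "sometimes".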
Line 60 (old revision) / Line 62 (new revision). Unchanged context:

     name: default
     namespace: blue

Added by this revision:

==With CLI==
<syntaxhighlight lang='bash'>
kubectl create rolebinding -n <namespace> <role-binding-name> --clusterrole=<clusterrole-name> --serviceaccount=<namespace>:<serviceaccount-name>
kubectl create rolebinding -n blue edit-blue-serviceaccount-binding --clusterrole=edit --serviceaccount=blue:blue-serviceaccount
</syntaxhighlight>
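Review bot: the new ==With CLI== form and the manifest it sits under are not equivalent, and the section should say so. `kubectl create rolebinding -n blue ... --clusterrole=edit` creates a namespace-scoped RoleBinding that merely references a ClusterRole, so the grant stops at the `blue` namespace; the manifest above (subject `default` in `namespace: blue`) is a ClusterRoleBinding to `cluster-admin`, which is cluster-wide and lands on the `default` service account that every pod in `blue` without an explicit serviceAccountName runs as. Suggest noting the scope difference next to the two commands and flagging the manifest as a maximum-privilege example, not a template.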

Latest revision as of 02:03, 2 October 2020

Internal

List Cluster Roles

kubectl get clusterroles

Get Details about a Specific Cluster Role

kubectl -o yaml get clusterroles cluster-admin

List Cluster Role Bindings

kubectl get clusterrolebindings

Get Details about a Specific Cluster Role Binding

kubectl get clusterrolebindings cluster-admin -o yaml

Create a Role

With Metadata

With CLI

kubectl -n <namespace-name> create role <role-name> --verb=use --resource=podsecuritypolicy --resource-name=example

Create a Role Binding

With Metadata

With CLI

kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --serviceaccount=<namespace-name:service-account-name>
kubectl -n <namespace-name> create rolebinding <role-binding-name> --role=<role-name> --user=<user-name>

It is sometimes convenient to use the same name for the role and the role binding.

Create a Cluster Role Binding

With Metadata

With CLI

kubectl create clusterrolebinding some-clusterrole-binding --clusterrole=some-clusterrole --serviceaccount=some-namespace:some-sa

Assigning a Cluster Role to a Service Account

Using Metadata

kubectl apply -f 

the following manifest:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: blue-default-service-account-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: blue

With CLI

kubectl create rolebinding -n <namespace> <role-binding-name> --clusterrole=<clusterrole-name> --serviceaccount=<namespace>:<serviceaccount-name>
kubectl create rolebinding -n blue edit-blue-serviceaccount-binding --clusterrole=edit --serviceaccount=blue:blue-serviceaccount
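The bindings this page creates differ sharply in scope: the manifest above is a cluster-wide ClusterRoleBinding of cluster-admin to the default service account, while the CLI form is a namespace-scoped RoleBinding that only references the edit ClusterRole. The following audit script is an added example, not part of the original page: it reads the kind of JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` emits (a constructed, trimmed sample is embedded inline), computes the effective scope of each grant, and flags the two patterns a reviewer would want surfaced. The role set and the finding labels are the example's own assumptions.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`,
# trimmed to the fields the audit reads. Items 1 and 2 mirror the bindings this page creates.
SAMPLE_BINDINGS = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "blue-default-service-account-cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "blue"}]},
 {"kind": "RoleBinding",
  "metadata": {"name": "edit-blue-serviceaccount-binding", "namespace": "blue"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "ServiceAccount", "name": "blue-serviceaccount", "namespace": "blue"}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}""")

PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}  # assumption: roles worth flagging


def effective_grants(bindings):
    """Flatten bindings into (binding name, subject, role, scope) tuples.
    Scope is "*" for a ClusterRoleBinding; a RoleBinding that references a
    ClusterRole (the --clusterrole=edit case) only grants it in its own namespace."""
    grants = []
    for b in bindings["items"]:
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        for s in b.get("subjects") or []:  # subjects may be absent on a binding
            subject = s["kind"] + ":" + s["name"]
            if s["kind"] == "ServiceAccount":
                subject = "ServiceAccount:" + s["namespace"] + "/" + s["name"]
            grants.append((b["metadata"]["name"], subject, b["roleRef"]["name"], scope))
    return grants


def risky_grants(bindings):
    """Flag a privileged role bound cluster-wide to a ServiceAccount, and any grant
    to a namespace's default ServiceAccount (every pod without serviceAccountName uses it)."""
    findings = []
    for name, subject, role, scope in effective_grants(bindings):
        is_sa = subject.startswith("ServiceAccount:")
        if is_sa and scope == "*" and role in PRIVILEGED_ROLES:
            findings.append((name, subject, role, "cluster-wide privileged role on a service account"))
        elif is_sa and subject.endswith("/default"):
            findings.append((name, subject, role, "grant to the default service account"))
    return findings
```

Run against a real export, the `edit` RoleBinding for `blue-serviceaccount` produces no finding because its scope is confined to `blue`, while the cluster-admin binding to `blue/default` is reported.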