Kubernetes Role Based Access Control Concepts: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 104: | Line 104: | ||
name: some-role | name: some-role | ||
subjects: | subjects: | ||
- apiGroup: rbac.authorization.k8s.io | |||
kind: ServiceAccount | |||
name: system:serviceaccount:blue:blue-sa | |||
- apiGroup: rbac.authorization.k8s.io | - apiGroup: rbac.authorization.k8s.io | ||
kind: User | kind: User |
Revision as of 01:00, 5 September 2020
Internal
Overview
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified scope.
TODO:
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
- https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: edit
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-admin: "true"
resourceVersion: "316"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
Cluster Role Binding
A ClusterRoleBinding can be bound to only one role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: some-role
namespace: some-namespace
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- ""
resourceNames:
- some-specific-resourcename
resources:
- configmaps
verbs:
- get
- update
- patch
Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
name: some-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: some-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: ServiceAccount
name: system:serviceaccount:blue:blue-sa
- apiGroup: rbac.authorization.k8s.io
kind: User
name: some-user