Kubernetes Role Based Access Control Concepts: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 40: | Line 40: | ||
- list | - list | ||
- watch | - watch | ||
</syntaxhighlight> | |||
=Cluster Role Binding= | |||
A ClusterRoleBinding can be bound to only one role. | |||
<syntaxhighlight lang='yaml'> | |||
apiVersion: rbac.authorization.k8s.io/v1 | |||
kind: ClusterRoleBinding | |||
metadata: | |||
annotations: | |||
rbac.authorization.kubernetes.io/autoupdate: "true" | |||
labels: | |||
kubernetes.io/bootstrapping: rbac-defaults | |||
name: cluster-admin | |||
roleRef: | |||
apiGroup: rbac.authorization.k8s.io | |||
kind: ClusterRole | |||
name: cluster-admin | |||
subjects: | |||
- apiGroup: rbac.authorization.k8s.io | |||
kind: Group | |||
name: system:masters | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 69: | Line 92: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
= | =Role Binding= | ||
<syntaxhighlight lang='yaml'> | <syntaxhighlight lang='yaml'> | ||
apiVersion: rbac.authorization.k8s.io/v1 | apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: | kind: RoleBinding | ||
metadata: | metadata: | ||
annotations: | annotations: | ||
name: some-role-binding | |||
roleRef: | roleRef: | ||
apiGroup: rbac.authorization.k8s.io | apiGroup: rbac.authorization.k8s.io | ||
kind: | kind: Role | ||
name: | name: some-role | ||
subjects: | subjects: | ||
- apiGroup: rbac.authorization.k8s.io | - apiGroup: rbac.authorization.k8s.io | ||
kind: | kind: User | ||
name: | name: some-user | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 01:00, 5 September 2020
Internal
Overview
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that the application is operated in a specified scope.
TODO:
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
- https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: edit
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-admin: "true"
resourceVersion: "316"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
Cluster Role Binding
A ClusterRoleBinding can be bound to only one role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: some-role
namespace: some-namespace
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- ""
resourceNames:
- some-specific-resourcename
resources:
- configmaps
verbs:
- get
- update
- patch
Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
name: some-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: some-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: some-user