kubectl auth can-i [verb] [resource]
ex) kubectl auth can-i create pods
ex) kubectl auth can-i create deployments --as dev-user
ex) kubectl auth can-i create deployments --as dev-user --namespace test
Check the configured authorization mode
To check it, first inspect the kube-apiserver manifest:
cat /etc/kubernetes/manifests/kube-apiserver.yaml
Under spec.containers.command, confirm
- --authorization-mode=Node,RBAC
How many roles exist in the default namespace?
kubectl get roles
How many roles exist across all namespaces?
kubectl get roles -A | wc -l minus 1 (for the header line), or kubectl get roles -A --no-headers | wc -l
What can the kube-proxy role access?
Since the role lives in the kube-system namespace:
kubectl describe roles kube-proxy --namespace=kube-system
Which accounts are included in the kube-proxy role?
kubectl describe rolebindings kube-proxy -n kube-system
Check whether the newly added dev-user can list pods in the default namespace
kubectl auth can-i get pods --as dev-user
Define access so that dev-user can access pods in the default namespace
Role: developer
Role Resources: pods
Role Actions: list
Role Actions: create
Role Actions: delete
RoleBinding: dev-user-binding
RoleBinding: Bound to dev-user
vim dev-user.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "cretate"]
kubectl create -f dev-user.yaml
vim dev-user-bind.yaml
apiVersion: rbac.authorization.k8s.io/v1
# This role binding grants "dev-user" the "developer" Role in the "default" namespace.
# You need to already have a Role named "developer" in that namespace.
kind: RoleBinding
metadata:
  name: dev-user-binding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: dev-user # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: developer # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Verify with kubectl auth can-i get pods --as dev-user
create was not permitted, so some on-the-spot troubleshooting followed
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  #verbs: ["get", "watch", "list", "delete", "cretate"]
  verbs: ["get", "watch", "list", "delete", "create"]
The verb create was misspelled; fix the typo, then
kubectl apply -f dev-user.yaml
kubectl auth can-i get pods --as dev-user
The developer role in the blue namespace cannot access the dark-blue-app pod. Fix the problem
kubectl edit role developer -n blue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2024-12-11T14:26:29Z"
  name: developer
  namespace: blue
  resourceVersion: "626"
  uid: 2e7f19c0-ad36-447d-b277-cc03cde924f4
rules:
- apiGroups:
  - ""
  resourceNames:
  # was "- blue-app"; prefixed with dark
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
Additionally, add permission to create deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - ""
  resourceNames:
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - watch
  - create
  - delete
kubectl auth can-i create deployments --as developer -n blue
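As an added example (not part of the original post), the Python below models the rule match that `kubectl auth can-i` performs, using dicts constructed from the Roles on this page. It reproduces both failures worked through above (the `cretate` typo and the `blue-app`/`dark-blue-app` resourceNames mismatch) and shows that `--as` is evaluated against RoleBinding subjects, so the user passed to it must be one the binding names.

```python
# Added example, not from the original post: an offline model of the RBAC rule
# match behind `kubectl auth can-i`, fed with dicts constructed from this page's YAML.

def rule_allows(rule, verb, resource, group="", name=None):
    """A rules[] entry matches only if apiGroup, resource and verb all match
    ('*' is the wildcard); a non-empty resourceNames list further restricts
    the rule to exactly those object names."""
    def hit(field, value, default):
        allowed = rule.get(field, default)
        return value in allowed or "*" in allowed
    if not (hit("apiGroups", group, [""]) and hit("resources", resource, [])
            and hit("verbs", verb, [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names

def can_i(user, verb, resource, namespace, roles, bindings, group="", name=None):
    """Mirror `kubectl auth can-i VERB RESOURCE --as USER -n NS`: follow each
    RoleBinding in NS listing USER as a subject and grant if any rule of the
    referenced Role matches. --as names a user or group, never a Role."""
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        for r in roles:
            if (r["metadata"]["name"], r["metadata"]["namespace"]) == (b["roleRef"]["name"], namespace):
                if any(rule_allows(x, verb, resource, group, name) for x in r["rules"]):
                    return True
    return False

def role(name, ns, rules):
    return {"kind": "Role", "metadata": {"name": name, "namespace": ns}, "rules": rules}

def binding(name, ns, user, role_name):
    return {"metadata": {"name": name, "namespace": ns},
            "subjects": [{"kind": "User", "name": user}],
            "roleRef": {"kind": "Role", "name": role_name}}

# Constructed from the page: the first developer Role carries the typo "cretate",
# the corrected one spells "create"; dev-user-binding grants it to dev-user.
POD_VERBS_TYPO = ["get", "watch", "list", "delete", "cretate"]
POD_VERBS_FIXED = ["get", "watch", "list", "delete", "create"]
DEV_TYPO = role("developer", "default", [{"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS_TYPO}])
DEV_FIXED = role("developer", "default", [{"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS_FIXED}])
BIND = binding("dev-user-binding", "default", "dev-user", "developer")
# The blue-namespace rule before the fix pointed resourceNames at "blue-app".
BLUE_RULE_WRONG = {"apiGroups": [""], "resources": ["pods"], "resourceNames": ["blue-app"], "verbs": ["get"]}
```

Deployments live in the `apps` API group, which is why the second rule on this page needs `apiGroups: [apps]` rather than the core group `""`.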