DevOps

CKA Practice Reminder - 23. Cluster Roles

Vince_rf 2024. 12. 12. 01:22

How many clusterroles currently exist?

kubectl get clusterrole --no-headers | wc -l


How many clusterrolebindings currently exist?

kubectl get clusterrolebindings --no-headers | wc -l


Which namespace is the cluster-admin clusterrole in?

None. ClusterRoles (and ClusterRoleBindings) are cluster-scoped objects, so they have no namespace at all. Inspect it with:

kubectl describe clusterrole cluster-admin

The full manifest can also be read with kubectl get clusterrole cluster-admin -o yaml. Prefer that over kubectl edit clusterrole cluster-admin, which opens the object for modification; note the rbac.authorization.kubernetes.io/autoupdate: "true" annotation below, which tells the API server to restore the bootstrap roles' permissions on restart, so hand edits to them would not be durable anyway:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-12-11T15:51:14Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "71"
  uid: 38d1ed19-51d5-4dca-b503-37c131c987d1
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

The two rules are what makes this role total: the first grants every verb on every resource in every API group, the second every verb on every non-resource URL (/healthz, /metrics, /api, ...). Bind it sparingly.


Which user is bound to the cluster-admin clusterrole?

kubectl describe clusterrolebindings cluster-admin

The default binding (created at bootstrap, like the role) has no User subject at all: its single subject is the Group system:masters. Any credential carrying that group, such as the kubeadm admin.conf client certificate, is therefore a full cluster admin. The API server also treats system:masters as a privileged group that bypasses the RBAC check entirely, so removing this binding does not demote it.


A new user, michelle, has joined the team. Define a clusterrole and clusterrolebinding that give her access to nodes.

vim michelle.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: michelle
rules:
- apiGroups: [""]        # nodes live in the core API group
  resources: ["nodes"]
  verbs: ["*"]           # every verb, including patch and delete; narrow this (e.g. get, list, watch) when the task allows




vim michelle-bind.yaml

apiVersion: rbac.authorization.k8s.io/v1
# This must be a ClusterRoleBinding, not a RoleBinding: nodes are cluster-scoped,
# and a RoleBinding grants permissions only inside its own namespace even when its
# roleRef points at a ClusterRole, so a RoleBinding would not let michelle read nodes.
kind: ClusterRoleBinding
metadata:
  name: michelle
  # no namespace: ClusterRoleBindings are cluster-scoped, like the role they reference
subjects:
- kind: User
  name: michelle # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: michelle
  apiGroup: rbac.authorization.k8s.io



After applying both files, verify as the user (the --as impersonation works because the caller is cluster-admin):

kubectl auth can-i get nodes --as michelle

Expected answer: yes. Checking a resource the role does not cover, such as secrets, should answer no; a "no" on nodes usually means the binding was created as a RoleBinding or the subject name does not match exactly.



Give michelle access to storage. Requirements:

ClusterRole: storage-admin

Resource: persistentvolumes

Resource: storageclasses

ClusterRoleBinding: michelle-storage-admin

ClusterRoleBinding Subject: michelle

ClusterRoleBinding Role: storage-admin


vim michelle.yaml

(The post reuses michelle.yaml, which overwrites the node-role manifest on disk. The ClusterRole already applied is unaffected, but a separate file such as storage-admin.yaml is cleaner.)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: storage-admin
rules:
# persistentvolumes are in the core API group (""). "nodes" does not belong here:
# the task only asks for storage, and michelle already has node access through her
# own ClusterRole, so repeating it would only widen this role's blast radius.
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["*"]
# storageclasses are in the storage.k8s.io API group, not the core group, so they need their own rule
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["*"]



vim michelle-bind.yaml

(Again overwriting the earlier file; storage-admin-bind.yaml would be clearer.)

apiVersion: rbac.authorization.k8s.io/v1
# ClusterRoleBinding again: persistentvolumes and storageclasses are cluster-scoped,
# so a namespaced RoleBinding could not grant them.
kind: ClusterRoleBinding
metadata:
  name: michelle-storage-admin
  # no namespace: cluster-scoped, like the ClusterRole it references
subjects:
- kind: User
  name: michelle # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io

Apply and verify as before with kubectl auth can-i, this time for verbs on persistentvolumes and storageclasses (expect yes) and for something outside both roles (expect no). A user can hold any number of bindings: michelle's effective permissions are the union of every role bound to her, which is exactly why each role should stay minimal.
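The decision rules behind both tasks (why nodes, persistentvolumes and storageclasses need a ClusterRoleBinding, why a RoleBinding that references a ClusterRole still grants only inside its own namespace, and how cluster-admin's nonResourceURLs rule differs from a resource rule) can be exercised without a cluster. The following is an added example, not code from the post and not kubectl's or the API server's implementation: a simplified model of the RBAC authorizer's matching logic with the post's manifests transcribed into it. The pod-reader ClusterRole, the dev namespace and the kubernetes-admin user carrying the system:masters group are assumptions introduced here.

```python
"""Offline model of the RBAC decision for the roles and bindings in this post.

Added example, not the post's code nor the API server's. It re-implements the
core of RBAC rule matching in simplified form (no resourceNames, subresources,
role aggregation or ServiceAccount subjects). pod-reader, the "dev" namespace
and the kubernetes-admin user are assumptions; the rest mirrors the post.
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: a fixed scope table standing in for API discovery. The API server
# resolves requests for cluster-scoped resources with an empty namespace, which
# is why a RoleBinding (always namespaced) can never match them.
CLUSTER_SCOPED = {("", "nodes"), ("", "persistentvolumes"), ("storage.k8s.io", "storageclasses")}

# ClusterRole name -> rules, as in the manifests above (plus the assumed pod-reader).
CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    "michelle": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]}],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["*"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["*"]},
    ],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}


@dataclass(frozen=True)
class Binding:
    role_ref: str                    # name of a ClusterRole (roleRef.kind: ClusterRole)
    subjects: tuple                  # ((kind, name), ...) with kind User or Group
    namespace: Optional[str] = None  # None: ClusterRoleBinding; str: RoleBinding in that namespace


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str = ""
    api_group: str = ""   # "" is the core group
    namespace: str = ""
    groups: tuple = ()
    path: str = ""        # set instead of resource for non-resource URLs such as /healthz


MICHELLE = ("User", "michelle")

# The post's first attempt: a RoleBinding, which lands in the "default" namespace.
ROLEBINDING_ONLY = (Binding("michelle", (MICHELLE,), namespace="default"),)

# What the exercise needs, plus the bootstrap cluster-admin binding and one
# assumed namespaced binding to show where a RoleBinding does work.
EXERCISE_BINDINGS = (
    Binding("cluster-admin", (("Group", "system:masters"),)),
    Binding("michelle", (MICHELLE,)),                     # ClusterRoleBinding "michelle"
    Binding("storage-admin", (MICHELLE,)),                # ClusterRoleBinding "michelle-storage-admin"
    Binding("pod-reader", (MICHELLE,), namespace="dev"),  # assumed RoleBinding in namespace "dev"
)


def _matches(wanted: str, allowed) -> bool:
    """RBAC rule fields match exactly or via the literal "*"."""
    return "*" in allowed or wanted in allowed


def subject_matches(subject, req: Request) -> bool:
    kind, name = subject
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    return False


def rule_allows(rule: dict, req: Request) -> bool:
    if not _matches(req.verb, rule.get("verbs", [])):
        return False
    if req.path:  # nonResourceURLs: exact match, or a trailing "*" as prefix wildcard
        return any(p == "*" or p == req.path or (p.endswith("*") and req.path.startswith(p[:-1]))
                   for p in rule.get("nonResourceURLs", []))
    return (_matches(req.api_group, rule.get("apiGroups", []))
            and _matches(req.resource, rule.get("resources", [])))


def effective_namespace(req: Request) -> str:
    """Cluster-scoped resources and non-resource URLs carry no namespace in the request."""
    if req.path or (req.api_group, req.resource) in CLUSTER_SCOPED:
        return ""
    return req.namespace


def authorize(req: Request, bindings, cluster_roles=CLUSTER_ROLES) -> bool:
    ns = effective_namespace(req)
    for b in bindings:
        # A RoleBinding applies only to requests inside its own namespace.
        if b.namespace is not None and (ns == "" or b.namespace != ns):
            continue
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        if any(rule_allows(r, req) for r in cluster_roles.get(b.role_ref, [])):
            return True
    return False  # RBAC is allow-only: no matching rule means deny


def can_i(user, verb, resource, api_group="", namespace="default",
          bindings=EXERCISE_BINDINGS, groups=()) -> bool:
    """Offline stand-in for `kubectl auth can-i <verb> <resource> --as <user>`."""
    return authorize(Request(user, verb, resource, api_group, namespace, tuple(groups)), bindings)


if __name__ == "__main__":
    for label, ok in [
        ("get nodes via RoleBinding", can_i("michelle", "get", "nodes", bindings=ROLEBINDING_ONLY)),
        ("get nodes via ClusterRoleBinding", can_i("michelle", "get", "nodes")),
        ("list storageclasses", can_i("michelle", "list", "storageclasses", "storage.k8s.io")),
        ("get secrets in default", can_i("michelle", "get", "secrets")),
        ("get pods in dev / default", (can_i("michelle", "get", "pods", namespace="dev"),
                                       can_i("michelle", "get", "pods"))),
    ]:
        print(f"{label:34} {ok}")
```

Running it prints one line per check, mirroring what kubectl auth can-i would answer. The RoleBinding case answers False for nodes because the real request to /api/v1/nodes carries no namespace, so only ClusterRoleBindings are consulted; the same RoleBinding mechanism does work for pods in dev and nothing else. The model deliberately omits the API server's built-in system:masters bypass, which sits in front of RBAC rather than inside it.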