[CKA] ServiceAccount Role Binding

ServiceAccount

- Every running container is assigned a ServiceAccount.

- By default, the default account is used.

- Used to grant restricted permissions to monitoring or management containers.

 

[Problem]

Create the ServiceAccount named pod-access in a new namespace called apps.
Create a Role with the name pod-role, and the RoleBinding named pod-rolebinding.
Map the Service Account from the previous step to the API resources Pods with the operations watch, list, get.

 

[Solution]

Search keywords: Role, ServiceAccount

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-clusterrole

 


https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

 


https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-serviceaccount-em-

 

Create the ServiceAccount

# kubectl create namespace apps
namespace/apps created

# kubectl create serviceaccount pod-access -n apps
serviceaccount/pod-access created

# kubectl get serviceaccounts -n apps
NAME         SECRETS   AGE
default      0         26s
pod-access   0         16s

 

Create the Pod Role

# kubectl create role pod-role --verb=get --verb=list --verb=watch --resource=pods -n apps
role.rbac.authorization.k8s.io/pod-role created

# kubectl get role -n apps
NAME       CREATED AT
pod-role   2023-05-01T14:18:21Z

# kubectl describe role -n apps
Name:         pod-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

 

Configure the Pod Role Binding

# kubectl create rolebinding pod-rolebinding --role=pod-role --serviceaccount=apps:pod-access --namespace=apps
rolebinding.rbac.authorization.k8s.io/pod-rolebinding created

# kubectl get rolebindings -n apps
NAME              ROLE            AGE
pod-rolebinding   Role/pod-role   19s

# kubectl describe rolebindings -n apps
Name:         pod-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-role
Subjects:
  Kind            Name        Namespace
  ----            ----        ---------
  ServiceAccount  pod-access  apps
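
The describe output shows what was bound, not what the API server will actually allow. The following added example (not part of the original post) uses kubectl auth can-i with impersonation to confirm that pod-access has the three requested verbs on pods and nothing else. The function names can_i, expect and verify_pod_access are hypothetical helpers, and the denied checks (write verbs, secrets, configmaps, the default namespace) are assumptions about what a least-privilege result should look like.

```shell
#!/bin/sh
# Added example: check that pod-access in namespace apps has exactly the
# access the task asks for. Function names are hypothetical helpers.
SA_NS="apps"
SA_USER="system:serviceaccount:apps:pod-access"

# can_i VERB RESOURCE [NAMESPACE]: prints "yes" or "no" for the ServiceAccount.
# --as impersonates the ServiceAccount, so the caller needs impersonation
# rights (for example a cluster admin context).
can_i() {
    if [ "$(kubectl auth can-i "$1" "$2" --as="$SA_USER" -n "${3:-$SA_NS}" 2>/dev/null)" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# expect WANT VERB RESOURCE [NAMESPACE]: report and count any mismatch.
expect() {
    got=$(can_i "$2" "$3" "$4")
    if [ "$got" != "$1" ]; then
        echo "UNEXPECTED: $2 $3 in ${4:-$SA_NS}: got $got, want $1"
        failures=$((failures + 1))
    fi
}

# verify_pod_access: returns 0 only if grants and denials both match.
verify_pod_access() {
    failures=0
    # Granted by pod-role through pod-rolebinding
    for verb in get list watch; do expect yes "$verb" pods; done
    # Write verbs on pods were never granted
    for verb in create update patch delete; do expect no "$verb" pods; done
    # Other resources in the same namespace
    expect no get secrets
    expect no list configmaps
    # A Role is namespaced: no access to pods outside apps
    expect no list pods default
    [ "$failures" -eq 0 ]
}
```

Source the file and run verify_pod_access; a non-zero exit status together with an UNEXPECTED line points to a missing grant or to another binding that gives the ServiceAccount more than the task requires.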

 

 

[References]

- YouTube: 따배씨
