Authorization (permission management)
- Sets access permissions on the APIs that a particular user or ServiceAccount tries to reach
- Only users holding the permission are allowed access
- Access control
- Role
1. Defines which APIs may be used
2. Defines the usage permissions within Kubernetes
3. Valid only in the specified namespace
- RoleBinding
1. Connects a user/group or ServiceAccount to a Role
The example below follows the link
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
role.rbac.authorization.k8s.io/developer created
kubectl get role
NAME CREATED AT
developer 2023-01-29T08:33:21Z
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods --dry-run -o yaml
W0129 17:34:22.928088 7278 helpers.go:663] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: developer
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - get
  - list
  - update
  - delete
kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
rolebinding.rbac.authorization.k8s.io/developer-binding-myuser created
kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser --dry-run -o yaml
W0129 17:35:40.909843 7302 helpers.go:663] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: developer-binding-myuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: myuser
Register the user in the kubeconfig
// existing
kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
// after adding
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
User "myuser" set.
kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: myuser
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
kubectl config set-context myuser --cluster=kubernetes --user=myuser
Context "myuser" created.
kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: myuser
  name: myuser
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: myuser
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Switch the context to myuser
kubectl config current-context
kubernetes-admin@kubernetes
kubectl config use-context myuser
Switched to context "myuser".
kubectl config current-context
myuser
myuser can only perform the operations that were granted on pods
kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 60m
kubectl get services
Error from server (Forbidden): services is forbidden: User "myuser" cannot list resource "services" in API group "" in the namespace "default"
"The minimum permissions each user needs can be configured per user"
- ClusterRole
1. Defines which APIs may be used. Valid across the whole cluster (all namespaces)
- ClusterRoleBinding
1. Connects a Role to a user/group or ServiceAccount
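The least-privilege principle quoted above is easiest to keep when a manifest is reviewed mechanically before it is applied. The following is an added Python example (not code from this post or from Kubernetes) that reviews a Role/ClusterRole manifest for the usual over-grants: wildcard apiGroups, resources or verbs, verbs that let a subject escalate (`bind`, `escalate`, `impersonate`), and resources whose read access exposes credentials or policy (`secrets`, roles and bindings). The lists of escalating verbs and sensitive resources are hand-picked assumptions, not an official list, and the `developer` manifest is the post's `--dry-run` output written as a dict so the check runs without a cluster or a YAML parser.

```python
"""Least-privilege review of an RBAC Role manifest (added example)."""
from typing import Dict, List

# Assumption: hand-picked lists used by this review, not an official Kubernetes set.
ESCALATING_VERBS = {"bind", "escalate", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "roles", "rolebindings",
                       "clusterroles", "clusterrolebindings"}

# The post's `developer` Role, transcribed from its `--dry-run` YAML (constructed).
DEVELOPER_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "developer"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["create", "get", "list", "update", "delete"]}],
}

# A constructed counter-example: an admin-like rule that grants everything.
ADMIN_LIKE_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "too-broad"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def review_role(manifest: Dict) -> List[str]:
    """Return one finding per over-grant; an empty list means nothing was flagged."""
    findings: List[str] = []
    for i, rule in enumerate(manifest.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # Wildcards silently grow as the cluster gains new resources or API groups.
        if "*" in groups:
            findings.append(f"rule {i}: apiGroups contains '*'")
        if "*" in resources:
            findings.append(f"rule {i}: resources contains '*'")
        if "*" in verbs:
            findings.append(f"rule {i}: verbs contains '*'")
        # Verbs that let a subject grant itself or others more than it holds.
        hit = ESCALATING_VERBS & verbs
        if hit:
            findings.append(f"rule {i}: privilege-escalating verbs {sorted(hit)}")
        # Resources whose read/write access exposes credentials or the RBAC policy itself.
        hit = SENSITIVE_RESOURCES & resources
        if hit:
            findings.append(f"rule {i}: sensitive resources {sorted(hit)}")
    return findings


if __name__ == "__main__":
    for name, manifest in (("developer", DEVELOPER_ROLE), ("too-broad", ADMIN_LIKE_ROLE)):
        print(name, "->", review_role(manifest) or "OK (nothing flagged)")
```

The post's `developer` Role comes back clean: it names one API group, one resource and five explicit verbs, which is exactly what the "minimum permissions per user" idea asks for. The wildcard role produces three findings, one per `*`.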
Delete the existing Role and RoleBinding so that a ClusterRole can be created instead
kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
kubectl config current-context
kubernetes-admin@kubernetes
kubectl get role
NAME CREATED AT
developer 2023-01-29T08:33:21Z
kubectl get rolebindings.rbac.authorization.k8s.io
NAME ROLE AGE
developer-binding-myuser Role/developer 16m
kubectl delete rolebindings.rbac.authorization.k8s.io developer-binding-myuser
rolebinding.rbac.authorization.k8s.io "developer-binding-myuser" deleted
kubectl delete role developer
role.rbac.authorization.k8s.io "developer" deleted
Create the ClusterRole & ClusterRoleBinding
kubectl create clusterrole developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
clusterrole.rbac.authorization.k8s.io/developer created
kubectl create clusterrolebinding developer-binding-myuser --clusterrole=developer --user=myuser
clusterrolebinding.rbac.authorization.k8s.io/developer-binding-myuser created
Because a ClusterRole and ClusterRoleBinding were configured, pods in other namespaces can now be viewed.
myuser only has permissions on pods, so other resources still cannot be viewed.
kubectl config use-context myuser
Switched to context "myuser".
kubectl get pods
No resources found in default namespace.
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-565d847f94-k9kvr 1/1 Running 20 (149m ago) 66d
coredns-565d847f94-tdhmn 1/1 Running 20 (149m ago) 66d
etcd-master.example.com 1/1 Running 22 (149m ago) 66d
kube-apiserver-master.example.com 1/1 Running 22 (149m ago) 66d
kube-controller-manager-master.example.com 1/1 Running 22 (149m ago) 66d
kube-proxy-6529g 1/1 Running 21 (149m ago) 66d
kube-proxy-skhgb 1/1 Running 20 (148m ago) 66d
kube-proxy-x5gsk 1/1 Running 21 (147m ago) 66d
kube-scheduler-master.example.com 1/1 Running 22 (149m ago) 66d
weave-net-bwqrp 2/2 Running 42 (149m ago) 66d
weave-net-r8v7n 2/2 Running 45 (147m ago) 66d
weave-net-t92nl 2/2 Running 42 (148m ago) 66d
kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "myuser" cannot list resource "nodes" in API group "" at the cluster scope
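The two transcripts above (the Role experiment, where myuser could list pods in `default` but not services, and the ClusterRole experiment, where pods in `kube-system` became visible but nodes stayed forbidden) follow from how the RBAC authorizer scopes bindings. The following is an added Python model (not code from this post or from Kubernetes) that reproduces those four outcomes: a RoleBinding only grants requests inside its own namespace, a ClusterRoleBinding grants in every namespace and for cluster-scoped resources, and a rule must match apiGroup, resource and verb. It is deliberately simplified (no resourceNames, subresources, group membership or aggregated ClusterRoles), and the set of cluster-scoped resources is a hand-picked assumption rather than the API server's discovery data.

```python
"""Simplified model of Kubernetes RBAC binding scope (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: a hand-picked subset; the real list comes from API discovery.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles"}


@dataclass(frozen=True)
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Binding:
    """namespace=None models a ClusterRoleBinding; a string models a RoleBinding."""
    rules: List[Rule]
    subjects: Set[str]
    namespace: Optional[str]


def can_i(bindings: List[Binding], user: str, verb: str, resource: str,
          api_group: str = "", namespace: Optional[str] = None) -> bool:
    """Return True if any binding for `user` allows the request.

    namespace=None is a cluster-scoped request such as `list nodes`.
    """
    if resource in CLUSTER_SCOPED:
        namespace = None  # cluster-scoped resources ignore any namespace flag
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding never reaches cluster-scoped resources or other namespaces.
        if b.namespace is not None and namespace != b.namespace:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.rules):
            return True
    return False


# The post's `developer` rule set (core API group "", pods, five verbs).
DEVELOPER_RULES = [Rule({""}, {"pods"}, {"create", "get", "list", "update", "delete"})]


def page_scenarios() -> Dict[str, bool]:
    """Replay the post's kubectl checks; `kubectl get pods` is the `list` verb."""
    role_binding = [Binding(DEVELOPER_RULES, {"myuser"}, namespace="default")]
    cluster_binding = [Binding(DEVELOPER_RULES, {"myuser"}, namespace=None)]
    return {
        "Role: list pods in default": can_i(role_binding, "myuser", "list", "pods", namespace="default"),
        "Role: list services in default": can_i(role_binding, "myuser", "list", "services", namespace="default"),
        "Role: list pods in kube-system": can_i(role_binding, "myuser", "list", "pods", namespace="kube-system"),
        "ClusterRole: list pods in kube-system": can_i(cluster_binding, "myuser", "list", "pods", namespace="kube-system"),
        "ClusterRole: list nodes": can_i(cluster_binding, "myuser", "list", "nodes"),
    }


if __name__ == "__main__":
    for check, allowed in page_scenarios().items():
        print(f"{check}: {'allowed' if allowed else 'Forbidden'}")
```

On a live cluster the same questions are answered by `kubectl auth can-i list pods -n kube-system --as myuser`, which asks the API server's authorizer instead of this model; the model is only there to make the namespace-versus-cluster scoping visible in a few lines.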
Delete all the resources that were created
kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
kubectl delete clusterrolebindings.rbac.authorization.k8s.io developer-binding-myuser
clusterrolebinding.rbac.authorization.k8s.io "developer-binding-myuser" deleted
kubectl delete clusterrole developer
clusterrole.rbac.authorization.k8s.io "developer" deleted
kubectl config delete-context myuser
deleted context myuser from /root/.kube/config
kubectl config delete-user myuser
deleted user myuser from /root/.kube/config
kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
kubectl delete serviceaccounts pod-viewer
serviceaccount "pod-viewer" deleted
[Reference]
- The 따배쿠 lecture series on YouTube