[CKA] User Cluster Role Binding
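Difference between Role and ClusterRole
Role
- Grants permissions restricted to working within a specific namespace only
ClusterRole
- When a Role is set at cluster scope, it applies to the namespaces within the cluster and grants permissions there
[Problem]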
- Create a new ClusterRole named app-clusterrole which only allows to get,watch,list the following resource types: deployment, service.
- Bind the new ClusterRole app-clusterrole to the new user ckauser.
- User ckauser and ckauser clusters are already configured
- To check the results, run the following command: kubectl config use-context ckauser
[Solution]
Search keyword: ClusterRole
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Create the ClusterRole
Refer to the kubectl create clusterrole description
# kubectl create clusterrole app-clusterrole --verb=get,list,watch --resource=deployment,service
clusterrole.rbac.authorization.k8s.io/app-clusterrole created
# kubectl get clusterrole app-clusterrole
NAME              CREATED AT
app-clusterrole   2023-05-01T13:39:21Z
# kubectl describe clusterrole app-clusterrole
Name:         app-clusterrole
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  services          []                 []              [get list watch]
  deployments.apps  []                 []              [get list watch]
Create the ClusterRoleBinding
Refer to the kubectl create clusterrolebinding description
The ClusterRoleBinding name is not given in the problem, so choose one arbitrarily
# kubectl create clusterrolebinding app-clusterrole-binding --clusterrole=app-clusterrole --user=ckauser
clusterrolebinding.rbac.authorization.k8s.io/app-clusterrole-binding created
# kubectl get clusterrolebindings app-clusterrole-binding
NAME                      ROLE                          AGE
app-clusterrole-binding   ClusterRole/app-clusterrole   30s
# kubectl describe clusterrolebindings app-clusterrole-binding
Name:         app-clusterrole-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  app-clusterrole
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  ckauser
Verify the User Cluster Role Binding result
# kubectl config use-context ckauser
# kubectl get deployment -A
# kubectl get service -A
# kubectl get pod -A
# kubectl config use-context kubernetes-admin@kubernetes
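Added example (not part of the original post): the same verification run from the admin context with kubectl auth can-i and impersonation (--as), including negative checks that the binding grants nothing beyond get, list, watch on deployments and services. The helper name audit_rbac and the expected matrix are assumptions derived from the task text.

```shell
#!/bin/sh
# audit_rbac USER
# Compares what USER is allowed to do cluster-wide against an expected
# allow/deny matrix. Must be run from a context that may impersonate users
# (for example kubernetes-admin@kubernetes).
audit_rbac() (
  user=$1
  failures=0
  while read -r want verb resource; do
    # "kubectl auth can-i" prints yes/no and exits non-zero on "no",
    # so keep the output and ignore the exit status. stdin is redirected
    # so kubectl cannot consume the matrix being read by the loop.
    got=$(kubectl auth can-i "$verb" "$resource" \
            --as "$user" --all-namespaces 2>/dev/null </dev/null || true)
    # Anything other than yes/no (e.g. API server unreachable) is an error.
    case $got in yes|no) ;; *) got=error ;; esac
    if [ "$got" = "$want" ]; then
      printf 'ok    %-6s %-17s -> %s\n' "$verb" "$resource" "$got"
    else
      printf 'FAIL  %-6s %-17s -> %s (expected %s)\n' \
        "$verb" "$resource" "$got" "$want"
      failures=$((failures + 1))
    fi
  done <<'EOF'
yes get deployments.apps
yes list deployments.apps
yes watch deployments.apps
yes get services
yes list services
yes watch services
no list pods
no get secrets
no create deployments.apps
no delete services
EOF
  # Exit status 0 only when every row matched the expectation.
  [ "$failures" -eq 0 ]
)

# Run the audit only when a user name is passed, e.g.: sh audit.sh ckauser
if [ "$#" -gt 0 ]; then
  audit_rbac "$1"
fi
```

A FAIL on one of the "no" rows means the user holds more than the task intended, usually through an additional RoleBinding or ClusterRoleBinding for the same subject.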
[Reference]
- YouTube: 따배씨