728x90
반응형
Practice Test - Role-based-access-controls
bash
## kube-apiserver rbac 모드 확인 (Node,RBAC)
$ ps -ef | grep api
root 3363 2825 0 08:21 ? 00:00:24 kube-apiserver --advertise-address=192.22.228.9 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
## role 확인
$ k get role -A
NAMESPACE NAME CREATED AT
blue developer 2023-05-11T12:24:52Z
kube-public kubeadm:bootstrap-signer-clusterinfo 2023-05-11T12:21:50Z
kube-public system:controller:bootstrap-signer 2023-05-11T12:21:49Z
kube-system extension-apiserver-authentication-reader 2023-05-11T12:21:48Z
kube-system kube-proxy 2023-05-11T12:21:52Z
kube-system kubeadm:kubelet-config 2023-05-11T12:21:49Z
kube-system kubeadm:nodes-kubeadm-config 2023-05-11T12:21:49Z
kube-system system::leader-locking-kube-controller-manager 2023-05-11T12:21:48Z
kube-system system::leader-locking-kube-scheduler 2023-05-11T12:21:48Z
kube-system system:controller:bootstrap-signer 2023-05-11T12:21:48Z
kube-system system:controller:cloud-provider 2023-05-11T12:21:48Z
kube-system system:controller:token-cleaner 2023-05-11T12:21:48Z
$ k describe role kube-proxy -n kube-system
Name: kube-proxy
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [kube-proxy] [get]
## kube-proxy role이 할당된 account 확인
$ k get rolebinding -n kube-system
NAME ROLE AGE
kube-proxy Role/kube-proxy 9m31s
kubeadm:kubelet-config Role/kubeadm:kubelet-config 9m34s
kubeadm:nodes-kubeadm-config Role/kubeadm:nodes-kubeadm-config 9m34s
system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 9m34s
system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 9m34s
system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 9m34s
system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 9m34s
system:controller:cloud-provider Role/system:controller:cloud-provider 9m34s
system:controller:token-cleaner Role/system:controller:token-cleaner 9m34s
$ k describe rolebinding kube-proxy -n kube-system
Name: kube-proxy
Labels: <none>
Annotations: <none>
Role:
Kind: Role
Name: kube-proxy
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:bootstrappers:kubeadm:default-node-token
## dev-user 권한 확인
$ kubectl auth can-i get po -n default --as dev-user
no
role 및 rolebinding 생성
bash
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: developer
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dev-user-binding
namespace: default
subjects:
- kind: User
name: dev-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
권한 확인
bash$ k auth can-i create po -n default --as dev-user yes $ k get role -n blue NAME CREATED AT developer 2023-05-11T12:24:52Z $ k describe role developer -n blue Name: developer Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [blue-app] [get watch create delete]
role 수정 (dark-blue-app 추가)
bash
$ k edit role developer -n blue
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2023-05-11T12:24:52Z"
name: developer
namespace: blue
resourceVersion: "684"
uid: 42f67521-51a9-449a-8081-34bdbf556db0
rules:
- apiGroups:
- ""
resourceNames:
- blue-app
- dark-blue-app
resources:
- pods
verbs:
- get
- watch
- create
- delete
$ k auth can-i get po/dark-blue-app -n blue --as dev-user
yes
## deployment create 권한 추가
$ k edit role developer -n blue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2023-05-11T12:24:52Z"
name: developer
namespace: blue
resourceVersion: "2142"
uid: 42f67521-51a9-449a-8081-34bdbf556db0
rules:
- apiGroups:
- ""
resourceNames:
- blue-app
- dark-blue-app
resources:
- pods
verbs:
- get
- watch
- create
- delete
- apiGroups:
- "apps"
resources:
- deployments
verbs:
- create
Practice Test - Cluster Roles
bash
$ k get clusterroles -A | tail -n +2 | wc -l
69
$ k get clusterrolebinding -A | tail -n +2 | wc -l
54
$ k get clusterrolebinding | grep admin
cluster-admin ClusterRole/cluster-admin 61m
kube-apiserver-kubelet-admin ClusterRole/system:kubelet-api-admin 61m
helm-kube-system-traefik ClusterRole/cluster-admin 61m
helm-kube-system-traefik-crd ClusterRole/cluster-admin 61m
controlplane ~ ➜ k describe clusterrolebinding cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
$ k describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
clusterrole, clusterrolebinding 생성
bash
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-role
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-role
subjects:
- kind: User
name: michelle
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: node-role
apiGroup: rbac.authorization.k8s.io
storage 관련 권한 추가
bash
## api 정보 확인
$ kubectl api-resources | grep sc
horizontalpodautoscalers hpa autoscaling/v2 true HorizontalPodAutoscaler
endpointslices discovery.k8s.io/v1 true EndpointSlice
flowschemas flowcontrol.apiserver.k8s.io/v1beta3 false FlowSchema
ingressclasses networking.k8s.io/v1 false IngressClass
priorityclasses pc scheduling.k8s.io/v1 false PriorityClass
storageclasses sc storage.k8s.io/v1 false StorageClass
$ kubectl api-resources | grep pv
persistentvolumeclaims pvc v1 true PersistentVolumeClaim
persistentvolumes pv v1 false PersistentVolume
bash
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: storage-admin
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get","list"]
- apiGroups: ["storage.k8s.io/v1"]
resources: ["storageclasses"]
verbs: ["get","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: michelle-storage-admin
subjects:
- kind: User
name: michelle
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: storage-admin
apiGroup: rbac.authorization.k8s.io728x90
'기타 > 자격증' 카테고리의 다른 글
| [CKA][실습] 7. Storage (0) | 2023.06.12 |
|---|---|
| [CKA][실습] 6. Security (4) (2) | 2023.05.14 |
| [CKA][실습] 6. Security (0) | 2023.03.06 |
| [CKA][실습] 5. Cluster Maintenance (2) | 2023.02.26 |
| [CKA][실습] 4. Application Lifecycle Management (2) (0) | 2023.02.19 |