RBAC
Create a Role
developer-role.yaml
1
2
3
4
5
6
7
8
9
10
11
| apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
rules:
- apiGroups: [ "" ]
resources: [ "pods" ]
verbs: [ "list", "get", "create", "update", "delete" ]
- apiGroups: [ "" ]
resources: [ "ConfigMap" ]
verbs: [ "create" ]
|
1
| kubectl create -f developer-role.yaml
|
Role Binding
dev-user-developer-binding.yaml
1
2
3
4
5
6
7
8
9
10
11
12
| apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: devuser-developer-binding
subjects:
- kind: User
name: dev-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
|
1
| kubectl create -f dev-user-developer-binding.yaml
|
View RBAC
View Roles
View Role Bindings
1
| kubectl get rolebindings
|
Role Detail
1
| kubectl describe role developer
|
Role Binding Detail
1
| kubectl describe rolebinding dev-user-developer-binding
|
Check Access
Current User
1
2
| kubectl auth can-i create deployments
kubectl auth can-i delete nodes
|
Specific User
1
2
| kubectl auth can-i create deployments --as dev-user
kubectl auth can-i create pods --as dev-user
|
Specific User and Namespace
1
| kubectl auth can-i create pods --as dev-user --namespace test
|
Resource Names
developer-role.yaml
1
2
3
4
5
6
7
8
9
| apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
rules:
- apiGroups: [ "" ]
resources: [ "pods" ]
verbs: [ "get", "create", "update" ]
resourceNames: [ "blue", "orange" ]
|
CozyFex