什麼是RBAC
RBAC全稱Role-Based Access Control,是Kubernetes叢集基于角色的通路控制,實作授權決策,允許通過Kubernetes API動态配置政策。
什麼是Role
Role是一組權限的集合,例如Role可以包含列出Pod權限及列出Deployment權限,Role用于給某個NameSpace中的資源進行鑒權。
通過YAML資源定義清單建立Role
kubectl apply -f pod-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"] 
什麼是ClusterRole
ClusterRole是一組權限的集合,但與Role不同的是,ClusterRole可以在包括所有NameSpce和叢集級别的資源或非資源類型進行鑒權。
通過YAML資源定義清單建立ClusterRole
kubectl apply -f pod-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-clusterrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"] 
相關參數
Role、ClsuterRole Verbs可配置參數
"get", "list", "watch", "create", "update", "patch", "delete", "exec"
Role、ClsuterRole Resource可配置參數
"services", "endpoints", "pods","secrets","configmaps","crontabs","deployments","jobs","nodes","rolebindings","clusterroles","daemonsets","replicasets","statefulsets","horizontalpodautoscalers","replicationcontrollers","cronjobs"
Role、ClsuterRole APIGroup可配置參數
"","apps", "autoscaling", "batch"