Three modes:
- Kubernetes' own RBAC
- Azure RBAC
- Azure RBAC with Kubernetes RBAC integrated with Azure AD (AKS-managed Azure AD integration)
VS Code walkthrough:
Requires: Azure CLI + Rolebinding.yaml + Role.yaml:
Note: switch the terminal to Azure Cloud Shell first.
rbac-aks-aad.azcli:
az aks get-credentials --resource-group Daisyaks --name Daisyaks --admin
kubectl apply -f role.yaml
kubectl get roles
kubectl apply -f role-binding.yaml
kubectl get rolebindings
kubectl get nodes
kubectl get pods
Enable AKS-managed Azure AD integration on an existing cluster:
az aks update -g Daisyaks -n Daisyaks --enable-aad --aad-admin-group-object-ids 42de7d80-3209-494d-9c7f-1f15c86b8829 --aad-tenant-id 4f165557-1ad2-4f81-953c-cbc3ca9781ed
Rolebinding.yaml:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default  # defaults to the namespace of the current kubectl context if omitted
subjects:
- kind: User
  name: "5a2f5744-e520-4d9d-a70e-c281441bd468"  # Azure AD object ID of the user
  apiGroup: rbac.authorization.k8s.io  # group only, no "/v1" version suffix
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-pods  # must match metadata.name of the Role in Role.yaml
Role.yaml:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default  # defaults to the namespace of the current kubectl context if omitted
rules:
- apiGroups: [""]  # the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
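A small pre-apply check for the Role/RoleBinding pair above, added here as an example (not from these notes or from the AKS documentation). It takes the parsed manifests as dicts (for instance from yaml.safe_load) and flags the mistakes that are easy to make by hand: roleRef fields rotated, a subject apiGroup carrying the "/v1" suffix, a roleRef that does not name the Role being applied, and a namespace mismatch; the sample manifests and the object ID in them are constructed placeholders.

```python
# Added example, not from the notes above. Inputs are parsed manifests (dicts,
# e.g. from yaml.safe_load); the two sample manifests are constructed here.
RBAC_GROUP = "rbac.authorization.k8s.io"


def lint_rbac_pair(binding: dict, role: dict) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    ref = binding.get("roleRef", {})
    role_name = role["metadata"]["name"]
    if ref.get("apiGroup") != RBAC_GROUP:
        problems.append("roleRef.apiGroup must be %r, got %r" % (RBAC_GROUP, ref.get("apiGroup")))
    if ref.get("kind") not in ("Role", "ClusterRole"):
        problems.append("roleRef.kind must be Role or ClusterRole, got %r" % ref.get("kind"))
    if ref.get("name") != role_name:
        problems.append("roleRef.name %r does not match Role %r" % (ref.get("name"), role_name))
    # A RoleBinding may only reference a Role in its own namespace.
    b_ns = binding["metadata"].get("namespace", "default")
    r_ns = role["metadata"].get("namespace", "default")
    if ref.get("kind") == "Role" and b_ns != r_ns:
        problems.append("RoleBinding namespace %r != Role namespace %r" % (b_ns, r_ns))
    for i, subj in enumerate(binding.get("subjects", [])):
        # User/Group subjects belong to the RBAC API group; ServiceAccount uses "".
        if subj.get("kind") in ("User", "Group") and subj.get("apiGroup") != RBAC_GROUP:
            problems.append("subjects[%d].apiGroup must be %r (group only, no /v1), got %r"
                            % (i, RBAC_GROUP, subj.get("apiGroup")))
    return problems


# Constructed sample: a Role granting read access to pods (same shape as Role.yaml).
ROLE = {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "read-pods", "namespace": "default"},
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}

# Constructed sample with the roleRef fields rotated and "/v1" on the subject apiGroup.
BROKEN_BINDING = {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
                  "metadata": {"name": "read-pods", "namespace": "default"},
                  "subjects": [{"kind": "User", "name": "00000000-0000-0000-0000-000000000000",  # placeholder ID
                                "apiGroup": "rbac.authorization.k8s.io/v1"}],
                  "roleRef": {"apiGroup": "Role", "kind": "pod-reader", "name": "rbac.authorization.k8s.io/v1"}}

# The corrected binding: every field in its place, referencing the Role by name.
FIXED_BINDING = {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
                 "metadata": {"name": "read-pods", "namespace": "default"},
                 "subjects": [{"kind": "User", "name": "00000000-0000-0000-0000-000000000000",
                               "apiGroup": RBAC_GROUP}],
                 "roleRef": {"apiGroup": RBAC_GROUP, "kind": "Role", "name": "read-pods"}}

if __name__ == "__main__":
    for label, b in (("broken", BROKEN_BINDING), ("fixed", FIXED_BINDING)):
        print(label, lint_rbac_pair(b, ROLE) or "OK")
```

Running it on the broken binding reports four problems; the corrected binding passes cleanly, which is the state to reach before kubectl apply.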
Results: