Three modes:
- Kubernetes' own RBAC
- Azure RBAC
- Azure RBAC with Kubernetes RBAC integrated with Azure AD (AAD)
VS Code implementation:
Requires: Azure CLI + role-binding.yaml + role.yaml:
Note: switch the terminal to Azure Cloud Shell.
rbac-aks-aad.azcli:
```bash
# Admin credentials bypass AAD; they are used here only to create the RBAC objects
az aks get-credentials --resource-group Daisyaks --name Daisyaks --admin
# Create the namespaced Role and confirm it exists
kubectl apply -f role.yaml
kubectl get roles
# Bind the Role to the AAD user and confirm the binding
kubectl apply -f role-binding.yaml
kubectl get rolebindings
# Sanity check that the cluster is reachable
kubectl get nodes
kubectl get pods
```
Enable AKS-managed Azure AD integration on an existing cluster:
```bash
az aks update -g Daisyaks -n Daisyaks --enable-aad --aad-admin-group-object-ids 42de7d80-3209-494d-9c7f-1f15c86b8829 --aad-tenant-id 4f165557-1ad2-4f81-953c-cbc3ca9781ed
```
role-binding.yaml:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default # optional; must be the namespace of the Role
subjects:
- kind: User
  name: "5a2f5744-e520-4d9d-a70e-c281441bd468" # AAD user object id
  apiGroup: rbac.authorization.k8s.io # group only, no "/v1" suffix
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-pods # must match metadata.name in role.yaml
```
role.yaml:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default # optional
rules:
- apiGroups: [""] # the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"] # read-only; no create/update/delete
```
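The roleRef and subject fields are easy to get wrong (a wrong apiGroup or a roleRef that names no existing Role silently grants nothing). The following added example, which is not part of the original notes, is an offline consistency check for a Role/RoleBinding pair like the two manifests above; the manifests are embedded as Python dicts (the structure kubectl builds from the YAML) with a placeholder object id, so no cluster or YAML library is needed.

```python
# Added example: offline linter for a Role/RoleBinding pair. Manifests are
# embedded as dicts (constructed, mirroring role.yaml and role-binding.yaml);
# a real run would load them with a YAML parser instead.
RBAC_GROUP = "rbac.authorization.k8s.io"  # roleRef/subject apiGroup, no "/v1"


def check_rbac_pair(role: dict, binding: dict) -> list:
    """Return findings for a RoleBinding meant to bind `role`; [] means OK."""
    findings = []
    ref = binding.get("roleRef", {})
    role_name = role["metadata"]["name"]
    if ref.get("apiGroup") != RBAC_GROUP:
        findings.append(f"roleRef.apiGroup should be {RBAC_GROUP}, got {ref.get('apiGroup')!r}")
    if ref.get("kind") not in ("Role", "ClusterRole"):
        findings.append(f"roleRef.kind should be Role or ClusterRole, got {ref.get('kind')!r}")
    if ref.get("name") != role_name:
        findings.append(f"roleRef.name {ref.get('name')!r} does not match Role {role_name!r}")
    # A namespaced Role can only be bound from the same namespace.
    if ref.get("kind") == "Role" and (binding["metadata"].get("namespace", "default")
                                      != role["metadata"].get("namespace", "default")):
        findings.append("RoleBinding and Role are in different namespaces")
    for subj in binding.get("subjects", []):
        if subj.get("kind") in ("User", "Group") and subj.get("apiGroup") != RBAC_GROUP:
            findings.append(f"subject {subj.get('name')!r}: apiGroup should be {RBAC_GROUP}")
    # Least privilege: a pod-reader role should carry no wildcards.
    for rule in role.get("rules", []):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule grants wildcard in {field}; list the values explicitly")
    return findings


# Constructed manifests: ROLE mirrors role.yaml; BROKEN_BINDING has its roleRef
# values shifted by one field and a "/v1" subject apiGroup; FIXED_BINDING is correct.
ROLE = {"kind": "Role", "metadata": {"name": "read-pods", "namespace": "default"},
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
SUBJECT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder AAD object id
BROKEN_BINDING = {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
                  "subjects": [{"kind": "User", "name": SUBJECT_ID, "apiGroup": RBAC_GROUP + "/v1"}],
                  "roleRef": {"apiGroup": "Role", "kind": "pod-reader", "name": RBAC_GROUP + "/v1"}}
FIXED_BINDING = {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
                 "subjects": [{"kind": "User", "name": SUBJECT_ID, "apiGroup": RBAC_GROUP}],
                 "roleRef": {"apiGroup": RBAC_GROUP, "kind": "Role", "name": "read-pods"}}

if __name__ == "__main__":
    for label, b in (("broken", BROKEN_BINDING), ("fixed", FIXED_BINDING)):
        print(label, check_rbac_pair(ROLE, b) or "OK")
```

Once the pair passes, confirm the effective permissions on the cluster with `kubectl auth can-i list pods --as=<object-id> -n default` (expected: yes) and `kubectl auth can-i delete pods --as=<object-id> -n default` (expected: no).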
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnL5Q2NhdTZzAjY2ITZ3YzY4gjM1QDMyUGN2cTZzMTZlVzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Result: