\u4e4b\u524d\u5b66\u4e60kubernetes api\u7684\u65f6\u5019\uff0c\u5bf9\u6743\u9650\u7684\u83b7\u53d6\u76f4\u63a5\u8fdb\u884c\u4e86\u4e00\u4e2a\u7167\u732b\u753b\u864e\u7684\u5bfc\u5165kubeconfig\uff0c\u6240\u4ee5\u8c03\u5ea6\u7a0b\u5e8f\u4e00\u76f4\u83b7\u53d6\u7684\u662fadmin\u7684\u6743\u9650\uff0c\u8fd9\u662f\u663e\u7136\u662f\u4e0d\u5b89\u5168\u7684\u505a\u6cd5\uff0c\u5f53\u7136\u5728\u5b9e\u9a8c\u5ba4\u91cd\u5efa\u96c6\u7fa4\u65f6\u5019\uff0c\u539f\u6765\u7684\u914d\u7f6e\u6587\u4ef6\u5df2\u7ecf\u4e0d\u751f\u6548\u4e86\uff0c\u51b3\u5b9a\u8d81\u6b21\u673a\u4f1a\u8fdb\u884c\u4e00\u4e2a\u6743\u9650\u7684\u6539\u8fdb<\/p>\n
\u5728\u6b64\u4e4b\u524d\uff0c\u6211\u4eec\u9700\u8981\u4e86\u89e3RBAC\u9274\u6743\uff0c\u5b83\u4e00\u5171\u6d89\u53ca\u56db\u79cdkubernetes \u5bf9\u8c61\uff1a<\/p>\n
\u7b80\u5355\u6765\u8bf4\uff0cRole\u5efa\u7acb\u4e8enamespace\uff0c\u800cClusterRole\u5efa\u7acb\u4e8e\u96c6\u7fa4\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0cRole\u53ea\u80fd\u8bbe\u5b9a\u672cnamespace\u7684\u6743\u9650\uff0cClusterRole\u53ef\u4ee5\u8bbe\u7f6e\u5176\u4ed6namespace\u7684\u6743\u9650<\/p>\n \u793a\u4f8b\uff08\u5b98\u65b9\u6587\u6863\uff09\uff1a\u5bf9\u4e8esecret\u6388\u4e88\u8bfb\u7684\u8bbf\u95ee\u6743\u9650\uff1a<\/p>\n \u7b80\u5355\u6765\u8bf4\uff0cRoleBinding \u5728\u6307\u5b9a\u7684\u540d\u5b57\u7a7a\u95f4\u4e2d\u6267\u884c\u6388\u6743\uff0c\u800c ClusterRoleBinding \u5728\u96c6\u7fa4\u8303\u56f4\u6267\u884c\u6388\u6743\u3002<\/p>\n \u5b98\u65b9\u793a\u4f8b\uff1a<\/p>\n \u5c06Role\u540d\u79f0\u4e3a\"pod-reader\"\u7684Role \u6388\u4e88\u5728'default'namespace\u4e2d\u7684\u7528\u6237'jane'<\/p>\n \u8fd9\u662fK8S\u7ed9pod\u76f4\u63a5\u5206\u914d\u7684\u89d2\u8272\uff0c\u53ef\u4ee5\u901a\u8fc7\u6307\u5b9a\u5bf9\u5e94\u7684serviceaccount\u6765\u6307\u5b9a\u5177\u4f53\u7684\u89d2\u8272\u3002<\/p>\n \u9996\u5148\u6211\u4eec\u521b\u5efa\u4e00\u4e2aserviceaccount<\/p>\n \u8fd9\u4e4b\u540e\uff0c\u6211\u4eec\u8d4b\u4e88\u8fd9\u4e2asa\u5bf9\u5e94\u7684\u6743\u9650<\/p>\n \u6211\u4eec\u5148\u521b\u5efa\u4e00\u4e2a\u6743\u9650Role<\/p>\n \u8fd9\u4e4b\u540e\uff0c\u4e0eservice accout\u8fdb\u884c\u7ed1\u5b9a<\/p>\n \u5728\u7ed1\u5b9a\u5b8c\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u8bbe\u7f6e\u597d\u4e86\u5177\u6709\u5bf9\u5e94\u6743\u9650\u7684sa<\/p>\n \u73b0\u5728\uff0c\u53ea\u9700\u8981\u5c06\u8fd9\u4e2asa\u7ed1\u5b9a\u5230\u5bf9\u5e94\u7684\u5e94\u7528\u4e2d\u5373\u53ef<\/p>\n \u6b64\u65f6\u7684sa\u662f\u6ca1\u6709\u62c9\u53d6\u955c\u50cf\u7684\u6743\u9650\u7684\uff0c\u6211\u4eec\u9700\u8981\u7ed9\u5f53\u524d\u8d26\u6237\u6dfb\u52a0sa<\/p>\n \u6302\u8f7d\u5f53\u524d<\/p>\n \u5728spec.template.spec \u6dfb\u52a0\uff1a<\/p>\n \u6b64\u65f6token\u548c\u8bc1\u4e66\uff08\u4ee5\u53canamespace\u4fe1\u606f\uff09\u5c06\u4f1a\u6302\u8f7d\u5728 \u8c03\u7528\uff0cpython \u4f8b\uff1a<\/p>\n \u5176\u5b9e\u4e3b\u8981\u548crolebinding\u6709\u5173\uff0crolebinding\u548crole\u5904\u4e8e\u76f8\u540c\u4f4d\u7f6e\uff0c\u8d26\u6237 \u7f18\u7531 \u4e4b\u524d\u5b66\u4e60kubernetes api\u7684\u65f6\u5019\uff0c\u5bf9\u6743\u9650\u7684\u83b7\u53d6\u76f4\u63a5\u8fdb\u884c\u4e86\u4e00\u4e2a\u7167\u732b\u753b\u864e\u7684\u5bfc\u5165kubeconfig\uff0c\u6240\u4ee5\u8c03\u5ea6\u7a0b\u5e8f\u4e00\u76f4\u83b7 …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-65","post","type-post","status-publish","format-standard","hentry","category-4"],"_links":{"self":[{"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=65"}],"version-history":[{"count":1,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":66,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions\/66"}],"wp:attachment":[{"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.maoyulong.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Role<\/code>, ClusterRole<\/code>,RoleBingding<\/code>,ClusterRoleBinding<\/code><\/p>\nRole \u548c ClusterRole<\/h3>\n
apiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n # \"namespace\" \u88ab\u5ffd\u7565\uff0c\u56e0\u4e3a ClusterRoles \u4e0d\u53d7\u540d\u5b57\u7a7a\u95f4\u9650\u5236\n name: secret-reader\nrules:\n- apiGroups: [\"\"]\n # \u5728 HTTP \u5c42\u9762\uff0c\u7528\u6765\u8bbf\u95ee Secret \u8d44\u6e90\u7684\u540d\u79f0\u4e3a \"secrets\"\n resources: [\"secrets\"]\n verbs: [\"get\", \"watch\", \"list\"]\n<\/code><\/pre>\nRoleBinding \u548c ClusterRoleBinding<\/h3>\n
apiVersion: rbac.authorization.k8s.io\/v1\n# \u6b64\u89d2\u8272\u7ed1\u5b9a\u5141\u8bb8 \"jane\" \u8bfb\u53d6 \"default\" \u540d\u5b57\u7a7a\u95f4\u4e2d\u7684 Pod\n# \u4f60\u9700\u8981\u5728\u8be5\u547d\u540d\u7a7a\u95f4\u4e2d\u6709\u4e00\u4e2a\u540d\u4e3a \u201cpod-reader\u201d \u7684 Role\nkind: RoleBinding\nmetadata:\n name: read-pods\n namespace: default\nsubjects:\n# \u4f60\u53ef\u4ee5\u6307\u5b9a\u4e0d\u6b62\u4e00\u4e2a\u201csubject\uff08\u4e3b\u4f53\uff09\u201d\n- kind: User\n name: jane # \"name\" \u662f\u533a\u5206\u5927\u5c0f\u5199\u7684\n apiGroup: rbac.authorization.k8s.io\nroleRef:\n # \"roleRef\" \u6307\u5b9a\u4e0e\u67d0 Role \u6216 ClusterRole \u7684\u7ed1\u5b9a\u5173\u7cfb\n kind: Role # \u6b64\u5b57\u6bb5\u5fc5\u987b\u662f Role \u6216 ClusterRole\n name: pod-reader # \u6b64\u5b57\u6bb5\u5fc5\u987b\u4e0e\u4f60\u8981\u7ed1\u5b9a\u7684 Role \u6216 ClusterRole \u7684\u540d\u79f0\u5339\u914d\n apiGroup: rbac.authorization.k8s.io\n<\/code><\/pre>\n\u521b\u5efa\u7528\u6237\u5e76\u8bbe\u7f6e\u6743\u9650<\/h2>\n
ServiceAccount<\/h3>\n
kubectl create sa xxxx-sa -n xxxx-ns\n<\/code><\/pre>\n\u521b\u5efaRole\u5e76\u4e3asa\u8bbe\u7f6e\u6743\u9650<\/h3>\n
apiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n namespace: yyyy-ns\n name: xxxx-control\nrules:\n- apiGroups: [\"*\"]\n resources: [\"pods\",\"services\",\"ingresses\",\"configmaps\"]\n verbs: [\"*\"]\n<\/code><\/pre>\nkubectl create rolebinding my-sa-view \\\n --role=xxxx-control \\\n --serviceaccount=xxxx-ns:xxxx-sa \\\n --namespace=yyyy-ns\n<\/code><\/pre>\n\u914d\u7f6eimagepullsecret<\/h3>\n
kubectl patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"\"}]}'\n<\/code><\/pre>\n\u4e3a\u5e94\u7528\u914d\u7f6esa<\/h2>\n
serviceAccountName: ctf-ctpod\n<\/code><\/pre>\n\/var\/run\/secrets\/kubernetes.io\/serviceaccount<\/code>\u76ee\u5f55\u4e0b<\/p>\nconfiguration = client.Configuration()\nconfiguration.host = \"https:\/\/x.x.x.x:443\"\nconfiguration.verify_ssl = True\/False\nconfiguration.api_key = {\"authorization\": 'Bearer ' + token}\nclient.Configuration.set_default(configuration)\n<\/code><\/pre>\n\u5173\u4e8e\u8de8namespace\u8d4b\u4e88\u7684\u6743\u9650<\/h2>\n
sa<\/code>\u5904\u4e8e\u53e6\u5916\u7684\u540d\u79f0\u7a7a\u95f4\uff0c\u5373\u5c06\u5f53\u524d\u540d\u79f0\u7a7a\u95f4\u7684\u6743\u9650\u8d4b\u4e88\u7ed9sa<\/p>\n","protected":false},"excerpt":{"rendered":"