[26] User Cluster Role Binding
❓Configuring User API Authentication
- Create a new ClusterRole named
app-clusterrole, which only allows to get, watch, list the following resource types: Deployment, Service - Bind the new ClusterRole
app-clusterroleto the new userckcuser - User ckauser and ckauser clusters are ready configured.
- To check the results, run the following command:
- kubectl config use-context ckauser
- 작업 클러스터: k8s
Role vs Cluster Role
일반적인 role은 namespace단위로 적용되는 거지만 cluster role은 namespace상관없이 특정 cluster 단위로 적용 된다. (role < cluster role)
Reference
docs에서 cluster role 검색 → 페이지에서 오른쪽에 Command-line utilities에서 kubectl create clusterrole
실습
# Cluster Role 생성
[user@k8s-master ~]$ kubectl create clusterrole app-clusterrole --verb=get,list,watch --resource=deployment,service
[user@k8s-master ~]$ kubectl get clusterrole app-clusterrole
[user@k8s-master ~]$ kubectl describe clusterrole app-clusterrole
# Cluster RoleBinding 설정
[user@k8s-master ~]$ kubectl create clusterrolebinding app-clusterrolebinding --clusterrole=app-clusterrole --user=ckauser
[user@k8s-master ~]$ kubectl get clusterrolebinding app-clusterrolebinding
[user@k8s-master ~]$ kubectl describe clusterrolebinding app-clusterrolebinding
# 확인해보기
[user@k8s-master ~]$ kubectl config use-context ckauser
[user@k8s-master ~]$ kubectl get deployment
--> 권한 있음
[user@k8s-master ~]$ kubectl get services
--> 권한 있음
[user@k8s-master ~]$ kubectl get secret
--> 권한 없음
기출문제 (37번)
Context You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace. Task Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types:
-
Deployment
-
StatefulSet
-
DaemonSet Create a new ServiceAccount named cicd-token in the existing namespace app-team1. Bind the new ClusterRole deployment-clusterrole lo the new ServiceAccount cicd-token , limited to the namespace app-team1.
-
답안
kubectl create clusterrole deployment-clusterrole --resource=deployment,statefulset,daemonset --verb=createkubectl create serviceaccount cicd-token -n app-team1kubectl create rolebinding deployment-rolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1