[CKA] KodeKloud - Cluster Roles
Hello, this is 쯀리.
Today we will look at Cluster Roles.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Cluster Role and Cluster Role Binding
Continuing from the last post, we will set up a Cluster Role.
https://funlife-julie.tistory.com/63
ClusterRole and ClusterRoleBinding are key concepts in the Kubernetes RBAC (Role-Based Access Control) system.
A ClusterRole defines permissions on resources across the whole cluster. It is not limited to a namespace: it can grant permissions on cluster-scoped resources (for example nodes or cluster configuration) or on resources in every namespace.
A ClusterRoleBinding binds a ClusterRole to a specific user, group, or service account. Through it, the permissions defined in the ClusterRole are granted cluster-wide (or, when the ClusterRole is referenced from a RoleBinding instead, only within a specific namespace).
Quiz
1. For the first few questions of this lab, you would have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster.
2. How many Cluster Roles do you see defined in the cluster?
controlplane ~ ➜ k get clusterroles | wc -l
73
### 72 excluding the header line!
3. How many ClusterRoleBindings exist on the cluster?
controlplane ~ ➜ k get clusterrolebinding | wc -l
58
### 57 excluding the header line
4. What namespace is the cluster-admin cluster role part of?
controlplane ~ ➜ k describe clusterroles cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
No namespace is set; the role is usable across the whole cluster.
5. What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for the role is with the same name.
controlplane ~ ➜ k describe clusterrolebindings cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters
system:masters
6. What level of permission does the cluster-admin role grant?
Inspect the cluster-admin role's privileges.
controlplane ~ ➜ k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
This role can perform every action on every resource.
Perform any action on any resources in the cluster
7. A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
Grant permission to access nodes
controlplane ~ ➜ vi michelleClusterRole.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-access
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
controlplane ~ ➜ vi michelleClusterRoleBinding.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-access-binding
subjects:
- kind: User
  name: michelle
roleRef:
  kind: ClusterRole
  name: node-access
  apiGroup: rbac.authorization.k8s.io
controlplane ~ ➜ k apply -f michelleClusterRole.yaml
clusterrole.rbac.authorization.k8s.io/node-access created
controlplane ~ ➜ k apply -f michelleClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/node-access-binding created
8. michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from command kubectl api-resources. Use the given spec:
ClusterRole: storage-admin
Resource: persistentvolumes
Resource: storageclasses
ClusterRoleBinding: michelle-storage-admin
ClusterRoleBinding Subject: michelle
ClusterRoleBinding Role: storage-admin
controlplane ~ ➜ vi michelleStorageRole.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
controlplane ~ ➜ vi michelleStorageRoleBinding.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
controlplane ~ ➜ k apply -f michelleStorageRole.yaml
clusterrole.rbac.authorization.k8s.io/storage-admin created
controlplane ~ ➜ k apply -f michelleStorageRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/michelle-storage-admin created
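To see why the storageclasses rule needs the storage.k8s.io apiGroup while nodes and persistentvolumes use the core group (""), here is an added Python example (not part of the lab, and not kubectl's code) that models how the RBAC authorizer matches a request against the rules of the ClusterRoles bound to a subject. The role and binding objects are constructed copies of the ones created in questions 7 and 8 plus the resource rule shown by describe clusterrole cluster-admin; the michelle_report helper, the literal subject comparison (no group-membership expansion) and the omission of nonResourceURLs/resourceNames are this example's own simplifications.

```python
"""Offline model of how RBAC rules are matched against a request.

Added example for this post; it is not code from the KodeKloud lab or from
kubectl. The roles and bindings below are constructed copies of the lab's
node-access / storage-admin objects plus the resource rule shown by
`k describe clusterrole cluster-admin`. Assumptions: subjects are compared
literally (no group membership expansion) and nonResourceURLs /
resourceNames are not modelled.
"""
from dataclasses import dataclass
from typing import List, Tuple

Subject = Tuple[str, str]  # (kind, name), e.g. ("User", "michelle")


@dataclass
class PolicyRule:
    api_groups: List[str]  # "" is the core group (nodes, persistentvolumes, pods)
    resources: List[str]
    verbs: List[str]


@dataclass
class ClusterRole:
    name: str
    rules: List[PolicyRule]


@dataclass
class ClusterRoleBinding:
    name: str
    role_ref: str            # roleRef.name; always a ClusterRole in this model
    subjects: List[Subject]


def _matches(allowed: List[str], wanted: str) -> bool:
    """A rule entry matches when it lists the exact value or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: PolicyRule, verb: str, resource: str, api_group: str) -> bool:
    """All three dimensions must match; a rule in the wrong apiGroup grants nothing."""
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def can_i(subject: Subject, verb: str, resource: str, api_group: str,
          roles: List[ClusterRole], bindings: List[ClusterRoleBinding]) -> bool:
    """True if any binding naming `subject` points at a role with a matching rule.

    RBAC is purely additive (no deny rules), so the first match decides.
    """
    roles_by_name = {r.name: r for r in roles}
    for binding in bindings:
        if subject not in binding.subjects:
            continue
        role = roles_by_name.get(binding.role_ref)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, verb, resource, api_group) for rule in role.rules):
            return True
    return False


# Constructed data mirroring the objects created in the lab.
ALL = ["get", "watch", "list", "create", "delete"]
CLUSTER_ROLES = [
    ClusterRole("node-access", [PolicyRule([""], ["nodes"], ["get", "list", "watch"])]),
    ClusterRole("storage-admin", [
        PolicyRule([""], ["persistentvolumes"], ALL),
        PolicyRule(["storage.k8s.io"], ["storageclasses"], ALL),
    ]),
    # The "*.*  []  []  [*]" row from `describe clusterrole cluster-admin`.
    ClusterRole("cluster-admin", [PolicyRule(["*"], ["*"], ["*"])]),
]
BINDINGS = [
    ClusterRoleBinding("node-access-binding", "node-access", [("User", "michelle")]),
    ClusterRoleBinding("michelle-storage-admin", "storage-admin", [("User", "michelle")]),
    ClusterRoleBinding("cluster-admin", "cluster-admin", [("Group", "system:masters")]),
]

MICHELLE: Subject = ("User", "michelle")
MASTERS: Subject = ("Group", "system:masters")


def michelle_report() -> dict:
    """Hypothetical helper: the checks one would run with `kubectl auth can-i`."""
    checks = {
        "get nodes": ("get", "nodes", ""),
        "delete nodes": ("delete", "nodes", ""),
        "create persistentvolumes": ("create", "persistentvolumes", ""),
        "create storageclasses (storage.k8s.io)": ("create", "storageclasses", "storage.k8s.io"),
        # Wrong API group: this is why the lab points at `kubectl api-resources`.
        "create storageclasses (core group)": ("create", "storageclasses", ""),
        "list pods": ("list", "pods", ""),
    }
    return {label: can_i(MICHELLE, *args, CLUSTER_ROLES, BINDINGS)
            for label, args in checks.items()}


if __name__ == "__main__":
    for label, allowed in michelle_report().items():
        print(f"{'yes' if allowed else 'no':>3}  michelle can {label}")
    print("yes" if can_i(MASTERS, "delete", "secrets", "", CLUSTER_ROLES, BINDINGS) else "no",
          " system:masters can delete secrets")
```

On a live cluster the same questions are answered by the API server itself, for example kubectl auth can-i create storageclasses --as michelle, which is the quickest way to confirm that a new binding grants exactly what was intended and nothing more.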
Today we looked at Cluster Roles.
Next time we will look at the Service Account section.
References
※ Udemy Labs - Certified Kubernetes Administrator with Practice Tests