
[CKA] KodeKloud - Cluster Roles

쯀리♥️ 2024. 7. 20. 00:27

Hello, this is 쯀리.

Today we will look at Cluster Roles.

https://kubernetes.io/docs/reference/access-authn-authz/rbac/


Cluster Role and Cluster Role Binding

Continuing from last time, we will set up a Cluster Role.
https://funlife-julie.tistory.com/63


ClusterRole and ClusterRoleBinding are key concepts in the Kubernetes RBAC (Role-Based Access Control) system.

A ClusterRole defines permissions on resources across the whole cluster. It is not limited to a namespace, so it can grant permissions on cluster-scoped resources (for example nodes or cluster settings) or on resources in every namespace.

A ClusterRoleBinding binds a ClusterRole to a specific user, group, or service account. This grants the permissions defined in the ClusterRole across the whole cluster; the same ClusterRole can also be referenced from a RoleBinding to grant its permissions only within a specific namespace.


Quiz

1. For the first few questions of this lab, you would have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster.

2. How many Cluster Roles do you see defined in the cluster?

controlplane ~ ➜  k get clusterroles | wc -l
73

### 72 excluding the header line!

3. How many ClusterRoleBindings exist on the cluster?

controlplane ~ ➜  k get clusterrolebinding | wc -l
58

### 57 excluding the header line

4. What namespace is the cluster-admin cluster role part of?

controlplane ~ ➜  k describe clusterroles cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

No namespace is set; the role is usable cluster-wide.

 

5. What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for the role has the same name.

controlplane ~ ➜  k describe clusterrolebindings cluster-admin 
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

system:masters

6. What level of permission does the cluster-admin role grant?
Inspect the cluster-admin role's privileges.

controlplane ~ ➜  k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

It grants every permission: any verb on any resource in any API group, and any non-resource URL.

Perform any action on any resources in the cluster

7. A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.

Grant permission to access nodes
controlplane ~ ➜  vi michelleClusterRole.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-access
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
controlplane ~ ➜  vi michelleClusterRoleBinding.yaml 
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-access-binding
subjects:
- kind: User
  name: michelle
roleRef:
  kind: ClusterRole
  name: node-access
  apiGroup: rbac.authorization.k8s.io

controlplane ~ ➜  k apply -f michelleClusterRole.yaml 
clusterrole.rbac.authorization.k8s.io/node-access created

controlplane ~ ➜  k apply -f michelleClusterRoleBinding.yaml 
clusterrolebinding.rbac.authorization.k8s.io/node-access-binding created

 

8. michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage. 
Get the API groups and resource names from command kubectl api-resources. Use the given spec:

ClusterRole: storage-admin
Resource: persistentvolumes
Resource: storageclasses
ClusterRoleBinding: michelle-storage-admin
ClusterRoleBinding Subject: michelle
ClusterRoleBinding Role: storage-admin
controlplane ~ ➜ vi michelleStorageRole.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]

controlplane ~ ➜  vi michelleStorageRoleBinding.yaml
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io


controlplane ~ ➜  k apply -f michelleStorageRole.yaml 
clusterrole.rbac.authorization.k8s.io/storage-admin created

controlplane ~ ➜  k apply -f michelleStorageRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/michelle-storage-admin created
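To see what the ClusterRole/ClusterRoleBinding concepts above and the node-access and storage-admin objects created in questions 7 and 8 actually permit, here is an added example (not from the original post or the KodeKloud lab): a small offline model of how the API server matches a request against RBAC rules. The manifests are embedded as constructed dicts mirroring the YAML on this page (cluster-admin reduced to its wildcard rule), and only ClusterRoleBindings, apiGroups, resources and verbs are modelled; RoleBindings, resourceNames and non-resource URLs are left out.

```python
# Added example, not the page's own code: an offline RBAC evaluator over the
# objects shown above. Manifests are constructed dicts mirroring the YAML.
CLUSTER_ROLES = {
    # cluster-admin: "*" in apiGroups, resources and verbs (shown as *.* above)
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "node-access": [{"apiGroups": [""], "resources": ["nodes"],
                     "verbs": ["get", "list", "watch"]}],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
}
# Each binding: the ClusterRole it references and its (kind, name) subjects.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin", "subjects": [("Group", "system:masters")]},
    {"roleRef": "node-access", "subjects": [("User", "michelle")]},
    {"roleRef": "storage-admin", "subjects": [("User", "michelle")]},
]


def _matches(allowed, value):
    # "*" in a rule field matches anything, as the API server treats wildcards.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource):
    # A rule grants a request only if verb, apiGroup and resource all match.
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource))


def can_i(user, groups, verb, resource, group=""):
    """True if a ClusterRoleBinding for this user or one of their groups
    references a ClusterRole with a rule permitting verb on resource in
    apiGroup (group="" is the core API group, e.g. nodes, persistentvolumes)."""
    principal = {("User", user)} | {("Group", g) for g in groups}
    for binding in CLUSTER_ROLE_BINDINGS:
        if not principal & set(binding["subjects"]):
            continue  # binding does not apply to this principal
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            if rule_allows(rule, verb, group, resource):
                return True
    return False  # RBAC is deny-by-default: no matching rule means denied


if __name__ == "__main__":
    print(can_i("michelle", [], "list", "nodes"))    # True
    print(can_i("michelle", [], "delete", "nodes"))  # False
```

On the real cluster the equivalent check is `kubectl auth can-i list nodes --as michelle`, which is worth running after each apply to confirm the binding grants exactly the intended verbs and nothing more.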

 


Today we looked at Cluster Roles.

Next time we will look at Service Accounts.


References

Udemy Labs - Certified Kubernetes Administrator with Practice Tests