RBAC引入了4个顶级资源对象：Role、ClusterRole：角色，用于指定一组权限；RoleBinding、ClusterRoleBinding：角色绑定，用于将角色（权限）赋予给对象

咱们通过Role可以配置命名空间下资源的访问权限，例如，pod，service，deployment等资源是否可以修改，删除等权限；Role只能对命名空间内的资源进行授权，需要指定nameapce

ClusterRole是整个kubernetes下的资源的访问权限的控制，跨namespaces的范围资源、非资源类型进行授权

我当前app整个命名空间下有一些pod，我们以app这个命名空间，创建一个xiaom的用户，这个用户只能app这个命名空间下的Pod，Deployment的资源，其他的资源没权限更改

[root@k8s-master1 RBAC]# kubectl get pods -n app -o wide
NAME                                        READY   STATUS    RESTARTS         AGE    IP               NODE          NOMINATED NODE   READINESS GATES
dsf-67b6bd65c9-44rl4                        2/2     Running   16 (3h15m ago)   25d    10.10.135.218    k8s-master3   <none>           <none>
ingress-nginx-controller-74974c55bd-2bw2r   1/1     Running   6 (20h ago)      2d1h   192.168.21.100   k8s-node1     <none>           <none>
ingress-nginx-controller-74974c55bd-j24mf   1/1     Running   10 (3h15m ago)   31d    192.168.21.122   k8s-master3   <none>           <none>
nginx-55c7d65db4-z4rcc                      1/1     Running   4 (20h ago)      2d1h   10.10.36.96      k8s-node1     <none>           <none>
postgres-sonar-5b9d94cd6b-965tk             1/1     Running   2 (3h15m ago)    2d1h   10.10.135.221    k8s-master3   <none>           <none>
tomcat-657677ffb5-2nrfc                     1/1     Running   8 (3h15m ago)    26d    10.10.135.222    k8s-master3   <none>           <none>

Role的配置示例：

[root@k8s-master1 app]# kubectl apply -f app-Role.yaml
role.rbac.authorization.k8s.io/app-authorization-Role created[root@k8s-master1 app]# cat app-Role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: app                                         #指定命名空间name: app-authorization-Role
rules:- apiGroups: [ "" ]                                    #支持的API组列表,"" 空字符串，表示核心API群resources: [ "pod" ]                   #支持的资源对象列表verbs: [ "get","delete","create","delete","exec" ]   #允许的对资源对象的操作方法列表

apiGroups表示支持的API组列表：“”,“apps”, “autoscaling”, “batch”;
resources: 支持的资源对象列表
“services”, “endpoints”, “pods”,“secrets”,“configmaps”,“crontabs”,“deployments”,“jobs”,
“nodes”,“rolebindings”,“clusterroles”,“daemonsets”,“replicasets”,“statefulsets”,
“horizontalpodautoscalers”,“replicationcontrollers”,“cronjobs”
verbs: 对资源对象的操作方法列表
“get”, “list”, “watch”, “create”, “update”, “patch”, “delete”, “exec”

RoleBinding可以将同一namespace中的subject(用户、用户组)绑定到某个Role(规则)下，则此subject即具有该Role定义的权限.

[root@k8s-master1 app]# cat app-RoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: app-authorization-role-bindingnamespace: app
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: app-authorization-RoleapiGroup: rbac.authorization.k8s.io
[root@k8s-master1 app]# kubectl apply -f app-RoleBinding.yaml

创建一个xiaom的集群用户验证一下

[root@k8s-master1 user]# pwd
/opt/certs/user
(umask 077;openssl genrsa -out xiaom.key 2048)
[root@k8s-master1 user]# openssl req -new -key xiaom.key -out xiaom.csr -subj "/CN=xiaom/O=xiaomgroup"
[root@k8s-master1 user]# openssl x509 -req -in xiaom.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out xiaom.crt -days 3650
[root@k8s-master1 app]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/opt/kubernetes/certs/ca.pem --server=https://192.168.21.120:6443
[root@k8s-master1 app]# kubectl config set-credentials xiaom --embed-certs=true --client-certificate=/opt/certs/user/xiaom.crt --client-key=/opt/certs/user/xiaom.key
User "xiaom" set.
[root@k8s-master1 app]# kubectl config set-context xiaom@kubernetes --cluster=kubernetes --user=xiaom
Context "xiaom@kubernetes" modified.
[root@k8s-master1 app]# kubectl config use-context xiaom@kubernetes
Switched to context "xiaom@kubernetes".
[root@k8s-master1 ~]# kubectl get pods -n app
NAME                                        READY   STATUS    RESTARTS       AGE
dsf-67b6bd65c9-44rl4                        2/2     Running   18 (17h ago)   26d
host-path-nginx                             2/2     Running   2 (17h ago)    17h
ingress-nginx-controller-74974c55bd-2bw2r   1/1     Running   7 (17h ago)    2d22h
ingress-nginx-controller-74974c55bd-j24mf   1/1     Running   11 (17h ago)   32d
nginx-55c7d65db4-t6mgz                      1/1     Running   0              79m
postgres-sonar-5b9d94cd6b-965tk             1/1     Running   3 (141m ago)   2d22h
tomcat-657677ffb5-2nrfc                     1/1     Running   9 (17h ago)    26d
[root@k8s-master1 ~]# kubectl get deployment -n app
Error from server (Forbidden): deployments.apps is forbidden: User "xiaom" cannot list resource "deployments" in API group "apps" in the namespace "app"

咱们创建一个集群权限，将这个权限赋予给xiaom这个用户，当前xiaom这个用户没有操作deployment的权限，咱们创建一个deployment的集群权限赋予给xiaom这个用户，这样xiaom这个用户可以操作所有命名空间下的deployment

ClusterRole可以对集群范围内资源、跨namespaces的范围资源、非资源类型进行授权

[root@k8s-master1 app]# kubectl apply -f app-ClusterRole.yaml
clusterrole.rbac.authorization.k8s.io/app-authorization-clusterrole created
[root@k8s-master1 app]# cat app-ClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: app-authorization-clusterrole
rules:- apiGroups: [ "apps" ]resources: [ "deployments" ]verbs: [ "get","delete","create","delete" ]

ClusterRoleBinding在整个集群级别和所有namespaces，将不同namespace中的subject(用户、用户组)与ClusterRole(集群范围内资源)绑定，授予权限

[root@k8s-master1 app]# kubectl apply -f app-ClusterRoleBinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/app-authorization-clusterrole-binding created
[root@k8s-master1 app]# cat app-ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: app-authorization-clusterrole-binding
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io

RoleBinding可以引用ClusterRole，对属于同一命名空间内ClusterRole定义的资源主体进行授权

[root@k8s-master1 app]# cat app-RoleClusterBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: app-ClusterRoleBindingnamespace: app
subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io
[root@k8s-master1 app]# kubectl config use-context xiaom@kubernetes
[root@k8s-master1 app]# kubectl get deployment -A
NAMESPACE              NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
app                    busybox                           0/0     0            0           35d
app                    dsf                               1/1     1            1           26d
app                    hostpath                          0/0     0            0           35d
app                    ingress-nginx-controller          2/2     2            2           32d
app                    nginx                             1/1     1            1           26d
app                    postgres-sonar                    1/1     1            1           3d
app                    tomcat                            1/1     1            1           32d
kube-devops            jenkins                           1/1     1            1           2d4h
kube-devops            nexus-sonatype-nexus              1/1     1            1           2d4h
kube-system            calico-kube-controllers           1/1     1            1           2d23h
kube-system            coredns                           1/1     1            1           2d22h
kubernetes-dashboard   dashboard-metrics-scraper         1/1     1            1           70d
kubernetes-dashboard   kubernetes-dashboard              1/1     1            1           70d
nfs-provisioner        nfs-subdir-external-provisioner   2/2     2            2           50d
test                   tomcat-deploy                     1/1     1            1           13d
[root@k8s-master1 app]# kubectl delete deployment hostpath -n app
deployment.apps "hostpath" deleted

这样xiaom这个用户就有操作所有命名空间下的deployment的权限