# Types of RBAC permissions
- The RBAC permission types are as follows.
- cluster-admin : system:masters group
- admin : None
- edit : None
- view : None
As above, a total of 4 permissions can be granted.
Permissions can also be created as shown below.
(These are items that can be applied to a specific namespace. Granting "*" grants all permissions.)
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-was
  namespace: dev-was
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
Role bindings can then be made per namespace.
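As an added example (not part of the original post), the following Python script evaluates API requests against the dev-was Role above using the Kubernetes RBAC rule model (a request is allowed if any rule covers its apiGroup, resource and verb; "*" in a field matches everything) and flags rules that use the wildcard. The Role is embedded as a dict so it runs offline without a cluster; the `WILDCARD_ROLE` manifest and the request list are constructed here for illustration.

```python
"""Added example: minimal evaluator for Kubernetes Role rules plus an audit
helper that flags wildcard ("*") rules. Not code from the original post."""

# The dev-was Role from the post, embedded as a dict (no cluster or PyYAML needed).
DEV_WAS_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "dev-was", "namespace": "dev-was"},
    "rules": [
        {
            "apiGroups": ["", "extensions", "apps"],
            "resources": ["deployments", "replicasets", "pods"],
            "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
        }
    ],
}

# Constructed for illustration: a Role granting "*" everywhere, the shortcut the
# post notes gives full permissions in the namespace.
WILDCARD_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "dev-was-wide", "namespace": "dev-was"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def _field_matches(allowed, value):
    """A rule field matches if it lists the value or contains the wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule covers the (apiGroup, resource, verb) request."""
    return (
        _field_matches(rule.get("apiGroups", []), api_group)
        and _field_matches(rule.get("resources", []), resource)
        and _field_matches(rule.get("verbs", []), verb)
    )


def role_allows(role, api_group, resource, verb):
    """RBAC is purely additive: there are no deny rules, so any matching rule allows."""
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])


def wildcard_findings(role):
    """Audit helper: (rule index, field) pairs where "*" is used."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append((i, field))
    return findings


if __name__ == "__main__":
    # Constructed requests: (apiGroup, resource, verb); "" is the core API group.
    checks = [
        ("apps", "deployments", "delete"),
        ("", "pods", "list"),
        ("", "secrets", "get"),
        ("rbac.authorization.k8s.io", "rolebindings", "create"),
    ]
    for req in checks:
        print(req, "->", role_allows(DEV_WAS_ROLE, *req))
    print("wildcard findings:", wildcard_findings(WILDCARD_ROLE))
```

The two denied requests show why the dev-was Role is narrower than the built-in edit role: it cannot read Secrets or create RoleBindings, so it cannot be used to reach another ServiceAccount's credentials or widen its own permissions. `wildcard_findings` is the check to run over Role manifests before applying them, since a "*" in any field silently collapses that distinction.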
| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| cluster-admin | system:masters group | Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself. |
| admin | None | Allows admin access, intended to be granted within a namespace using a RoleBinding. If used in a RoleBinding, allows read/write access to most resources in a namespace, including the ability to create roles and role bindings within the namespace. This role does not allow write access to resource quota or to the namespace itself. This role also does not allow write access to EndpointSlices (or Endpoints) in clusters created using Kubernetes v1.22+. More information is available in the "Write Access for EndpointSlices and Endpoints" section. |
| edit | None | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. This role also does not allow write access to EndpointSlices (or Endpoints) in clusters created using Kubernetes v1.22+. More information is available in the "Write Access for EndpointSlices and Endpoints" section. |
| view | None | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). |
- A role binding example is available here:
https://may9noy.tistory.com/1033
- Official Kubernetes site
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- End -