
# Types of RBAC Permissions

- The types of RBAC permissions (the default ClusterRoles, each listed with its default ClusterRoleBinding subject) are as follows:

- cluster-admin : system:masters group

- admin : None

- edit : None

- view : None

As shown above, there are four default ClusterRoles that can be granted.

You can also define your own permissions, as in the example below.

(These rules apply to a specific namespace. Granting "*" grants every permission for the listed resources.)

```yaml
# A namespaced Role: it only grants permissions inside metadata.namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-was
  namespace: dev-was
rules:
  # "" is the core API group (pods); "apps" holds deployments and replicasets;
  # "extensions" is the legacy group for these workload resources.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    # Full read/write on the resources above, but nothing else in the namespace
    # (no secrets, no roles/rolebindings), and no access outside dev-was.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Role bindings can then be created per namespace.

| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|---|---|
| cluster-admin | system:masters group | Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself. |
| admin | None | Allows admin access, intended to be granted within a namespace using a RoleBinding. If used in a RoleBinding, allows read/write access to most resources in a namespace, including the ability to create roles and role bindings within the namespace. This role does not allow write access to resource quota or to the namespace itself. This role also does not allow write access to EndpointSlices (or Endpoints) in clusters created using Kubernetes v1.22+. More information is available in the "Write Access for EndpointSlices and Endpoints" section. |
| edit | None | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. This role also does not allow write access to EndpointSlices (or Endpoints) in clusters created using Kubernetes v1.22+. More information is available in the "Write Access for EndpointSlices and Endpoints" section. |
| view | None | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). |
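The post says bindings are created per namespace but does not show one. The manifests below are an added example, not from the original post: the first binds the post's custom `dev-was` Role to a ServiceAccount, the second scopes the built-in `view` ClusterRole from the table to the `dev-was` namespace by referencing it from a RoleBinding rather than a ClusterRoleBinding. The ServiceAccount name `dev-was-deployer`, the group name `dev-was-readers` and the binding names are assumptions chosen for illustration.

```yaml
# Added example (not from the original post). Names below are assumed.
#
# 1) Bind the custom Role "dev-was" to a ServiceAccount so that, for example,
#    a CI/CD job can manage Deployments/ReplicaSets/Pods in dev-was only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-was-deployer        # assumed name
  namespace: dev-was
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-was-deployer-binding
  namespace: dev-was            # a RoleBinding grants only inside its own namespace
subjects:
  - kind: ServiceAccount
    name: dev-was-deployer
    namespace: dev-was
roleRef:
  kind: Role                    # the namespaced Role defined in the post
  name: dev-was
  apiGroup: rbac.authorization.k8s.io
---
# 2) Reuse the built-in "view" ClusterRole but limit it to dev-was: because the
#    reference comes from a RoleBinding, the group is read-only here and has no
#    access in other namespaces. "view" also cannot read Secrets (see the table).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-was-readers-binding
  namespace: dev-was
subjects:
  - kind: Group
    name: dev-was-readers       # assumed group; on EKS the group comes from the aws-auth mapping
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole             # a ClusterRole may be referenced from a RoleBinding
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f` and confirm the scope with `kubectl auth can-i delete pods -n dev-was --as=system:serviceaccount:dev-was:dev-was-deployer` (expected `yes`, since the Role lists pods) and `kubectl auth can-i get secrets -n dev-was --as=system:serviceaccount:dev-was:dev-was-deployer` (expected `no`, since the Role never lists secrets). Note that `roleRef` is immutable: changing which Role or ClusterRole a binding points to requires deleting and recreating the binding.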

- A role binding example is in this post: [Allowing other users access to EKS](https://may9noy.tistory.com/1033)

> How to allow other IAM users access to EKS - By default only the creator of an EKS cluster can see its internal resources. For anyone other than the person who created the EKS resources to access the EKS cluster, aws-auth.yml …

- Official Kubernetes documentation: [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

> Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decis…

 

- End -