一、简述

RBAC即Role-Base Access Control的简称，是目前kubernetes上常用的权限授权方式。此种授权方式主要通过用户user、角色role/集群角色clusterrole和许可Permission三种对象关联进行工作。可以对访问api请求给予不同的权限，如get、list、create、update、patch、watch、proxy、redirect、delete、deletecollection等。

二、授权演示实例

1.创建role

role官方解释和实例：

[root@master1 ~]# kubectl create role --help
Create a role with single rule.

Examples:
  # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
  
  # Create a Role named "pod-reader" with ResourceName specified
  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod
--resource-name=anotherpod
  
  # Create a Role named "foo" with API Group specified
  kubectl create role foo --verb=get,list,watch --resource=rs.extensions
  
  # Create a Role named "foo" with SubResource specified
  kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or
map key is missing in the template. Only applies to golang and jsonpath output formats.
      --dry-run='none': Must be "none", "server", or "client". If client strategy, only print the
object that would be sent, without sending it. If server strategy, submit server-side request
without persisting the resource.
  -o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
      --resource=[]: Resource that the rule applies to
      --resource-name=[]: Resource in the white list that the rule applies to, repeat this flag for
multiple items
      --save-config=false: If true, the configuration of current object will be saved in its
annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to
perform kubectl apply on this object in the future.
      --template='': Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates
[http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it
      --verb=[]: Verb that applies to the resources contained in the rule

Usage:
  kubectl create role NAME --verb=verb --resource=resource.group/subresource
[--resource-name=resourcename] [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

实例：

[root@master1 ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml
W0529 10:01:07.330069    5715 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

2.创建rolebinding

官方解释和实例

[root@master1 ~]# kubectl create rolebinding --help
Create a RoleBinding for a particular Role or ClusterRole.

Examples:
  # Create a RoleBinding for user1, user2, and group1 using the admin ClusterRole
  kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1

Options:
      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or
map key is missing in the template. Only applies to golang and jsonpath output formats.
      --clusterrole='': ClusterRole this RoleBinding should reference
      --dry-run='none': Must be "none", "server", or "client". If client strategy, only print the
object that would be sent, without sending it. If server strategy, submit server-side request
without persisting the resource.
      --group=[]: Groups to bind to the role
  -o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
      --role='': Role this RoleBinding should reference
      --save-config=false: If true, the configuration of current object will be saved in its
annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to
perform kubectl apply on this object in the future.
      --serviceaccount=[]: Service accounts to bind to the role, in the format <namespace>:<name>
      --template='': Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates
[http://golang.org/pkg/text/template/#pkg-overview].
      --validate=true: If true, use a schema to validate the input before sending it

Usage:
  kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username]
[--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
[options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

实例

[root@master1 ~]# kubectl create rolebinding jakeli-pods-reader --role=pods-reader --user=jakeli
rolebinding.rbac.authorization.k8s.io/jakeli-pods-reader created
[root@master1 ~]# kubectl get rolebinding
NAME                 ROLE               AGE
jakeli-pods-reader   Role/pods-reader   16s
[root@master1 ~]# kubectl get role
NAME          CREATED AT
pods-reader   2020-05-29T02:02:57Z
[root@master1 ~]# kubectl describe rolebinding jakeli-pods-reader
Name:         jakeli-pods-reader
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  jakeli

yaml配置格式：

[root@master1 ~]# kubectl create rolebinding jakeli-pods-reader --role=pods-reader --user=jakeli --dry-run -o yaml
W0529 10:12:26.821438    9868 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: jakeli-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jakeli

此时切换到jakeli用户后，就有了get,list,watch的权限。

3.创建clusterrole

clusterrole类似于role

实例

[root@master1 ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run
W0529 10:17:32.257743   11668 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

创建并查看clusterrole

[root@master1 ~]# kubectl describe clusterrole cluster-reader
Name:         cluster-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

4.创建clusterrolebinding

创建格式类似于rolebindbing，实例：

[root@master1 ~]# kubectl create clusterrolebinding jakeli-read-all-pods --clusterrole=cluster-reader --user=jakeli --dry-run -o yaml
W0529 10:32:54.329656   17238 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: jakeli-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jakeli

查看clusterrolebinding，此时jakeli用户就被授权了相应的执行权限。

[root@master1 ~]# kubectl describe clusterrolebinding jakeli-read-all-pods
Name:         jakeli-read-all-pods
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-reader
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  jakeli

5.创建rolebinding绑定clusterrole