# Namespace and RBAC: Kubernetes Access Control and Resource Isolation

Categories: Kubernetes Security · Tags: Kubernetes, Namespace, RBAC, Permissions, Authentication
## Namespace

### Creating a Namespace

```bash
# Create namespaces
kubectl create namespace production
kubectl create namespace development
```

```yaml
# Create via YAML
apiVersion: v1
kind: Namespace
metadata:
  name: production
```
### Resource Quota

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: production
spec:
  hard:
    cpu: "20"
    memory: 40Gi
    pods: "50"
    services: "10"
    # Object-count quotas for non-core resources use the count/<resource>.<group> form
    count/deployments.apps: "20"
```
## RBAC Access Control

### ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: default
```

### Role and RoleBinding

```yaml
# Role: defines permissions within one namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
---
# RoleBinding: binds a user to the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: "alice"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
### ClusterRole and ClusterRoleBinding

```yaml
# ClusterRole: cluster-scoped permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
# ClusterRoleBinding: grants the ClusterRole across the whole cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-binding
subjects:
- kind: ServiceAccount
  name: myapp-sa
  namespace: default
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```
### Common Role Examples

```yaml
# Read-only permissions
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
# Note: "*" matches every resource in every API group, Secrets included
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
# Developer permissions (read/write on Pods and Deployments)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["*"]
# Subresources such as pods/log must be listed explicitly
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
```
## Management Commands

```bash
# Check permissions
kubectl auth can-i create pods --as=alice
kubectl auth can-i delete pods -n production --as=alice

# Inspect Roles
kubectl get roles -A
kubectl describe role pod-reader -n default

# Inspect RoleBindings
kubectl get rolebindings -A
kubectl describe rolebinding read-pods -n default

# Inspect ServiceAccounts
kubectl get sa -A
```
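To reason about what these bindings actually grant without a cluster, here is an added Python approximation of `kubectl auth can-i` over the manifests above (example code, not from the original post). The subject `bob` and his binding of the `readonly` Role in `production` are hypothetical; the other rules and bindings are transcribed from the page. It also shows that the `readonly` Role's `resources: ["*"]` covers Secrets, and that a rule granting `pods` does not cover the `pods/log` subresource.

```python
"""Offline approximation of `kubectl auth can-i` (example code, not the original post's)."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: list[str]
    resources: list[str]
    verbs: list[str]

@dataclass
class Binding:
    subject: tuple            # (kind, name, namespace or None)
    rules: list[Rule]
    namespace: str | None     # None means ClusterRoleBinding: every namespace

def _match(values: list[str], wanted: str) -> bool:
    return "*" in values or wanted in values

def rule_allows(rule: Rule, verb: str, group: str, resource: str) -> bool:
    # A subresource such as "pods/log" must be named explicitly (or via "*");
    # a rule granting "pods" does not cover it.
    return (_match(rule.api_groups, group) and _match(rule.resources, resource)
            and _match(rule.verbs, verb))

def can_i(bindings, subject, verb, resource, group="", namespace="default") -> bool:
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue          # a RoleBinding only applies inside its own namespace
        if any(rule_allows(r, verb, group, resource) for r in b.rules):
            return True
    return False              # RBAC is deny-by-default; no rule matched

# Rules transcribed from the page's manifests
POD_READER = [Rule([""], ["pods"], ["get", "list", "watch"]),
              Rule(["apps"], ["deployments"], ["get", "list"])]
NODE_READER = [Rule([""], ["nodes"], ["get", "list", "watch"]),
               Rule([""], ["pods"], ["get", "list"])]
READONLY = [Rule(["*"], ["*"], ["get", "list", "watch"])]

ALICE = ("User", "alice", None)
MYAPP_SA = ("ServiceAccount", "myapp-sa", "default")
BOB = ("User", "bob", None)   # hypothetical subject bound to the wildcard "readonly" Role

BINDINGS = [
    Binding(ALICE, POD_READER, "default"),   # RoleBinding read-pods
    Binding(MYAPP_SA, NODE_READER, None),    # ClusterRoleBinding node-reader-binding
    Binding(BOB, READONLY, "production"),    # hypothetical RoleBinding in production
]
```

Call `can_i(BINDINGS, ALICE, "get", "pods")` for a namespaced check, or pass `namespace="production"` to see that alice's RoleBinding does not carry over while the ServiceAccount's ClusterRoleBinding does.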