devops:kubernetes [2023/11/28 12:00] – [/etc/resolve.conf в подиках] admin | devops:kubernetes [2023/11/30 08:03] (current) – [Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts] admin | ||
Line 661: | Line 661: | ||
====== Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts ====== | ====== Предоставление ограниченного доступа в кластер с помощью RBAC и Service Accounts ====== | ||
# https:// | # https:// | ||
- | Надо дописать именно ограниченный доступ. Сейчас - создается **Cluster Admin** | + | |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
set -e | set -e | ||
- | KUB_CONTEXT=' | + | KUB_CONTEXT=' |
- | KUB_USERNAME=' | + | KUB_USERNAME=' |
+ | KUB_NAMESPACES=(' | ||
###### | ###### | ||
#cluster or ns (namespace) | #cluster or ns (namespace) | ||
# | # | ||
- | #AUTH_SCOPE=' | + | AUTH_SCOPE=' |
# If AUTH_SCOPE = ns then we need namespace name | # If AUTH_SCOPE = ns then we need namespace name | ||
- | #KUB_NAMESPACE=' | + | #KUB_NAMESPACES=(' |
- | ######### | + | |
# Comma separated quoted - '" | # Comma separated quoted - '" | ||
- | #KUB_ROLE_APIGROUPS='" | + | KUB_ROLE_APIGROUPS='" |
- | #KUB_ROLE_RESOURCES='" | + | KUB_ROLE_RESOURCES='" |
# | # | ||
- | #KUB_ROLE_VERBS='" | + | KUB_ROLE_VERBS='" |
echo " | echo " | ||
Line 691: | Line 692: | ||
CLUSTER_CA=`kubectl get secret -n kube-system $KUB_SYSTEM_TOKEN_SECRET -o jsonpath={" | CLUSTER_CA=`kubectl get secret -n kube-system $KUB_SYSTEM_TOKEN_SECRET -o jsonpath={" | ||
- | kubectl create serviceaccount $KUB_USERNAME -n kube-system | + | kubectl create serviceaccount ${KUB_USERNAME}-sa -n kube-system |
- | kubectl create | + | |
+ | echo " | ||
+ | kubectl apply -f - << | ||
+ | kind: ClusterRole | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | name: ${KUB_USERNAME}-ns-cluster-role | ||
+ | rules: | ||
+ | - apiGroups: ["" | ||
+ | resources: [" | ||
+ | verbs: [" | ||
+ | |||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | kubectl apply -f - << | ||
+ | kind: ClusterRoleBinding | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | name: ${KUB_USERNAME}-ns-cluster-rolebinding | ||
+ | subjects: | ||
+ | - kind: ServiceAccount | ||
+ | name: ${KUB_USERNAME}-sa | ||
+ | namespace: kube-system | ||
+ | roleRef: | ||
+ | kind: ClusterRole | ||
+ | name: ${KUB_USERNAME}-ns-cluster-role | ||
+ | apiGroup: rbac.authorization.k8s.io | ||
+ | EOF | ||
+ | |||
+ | if [ " | ||
+ | for KUB_NAMESPACE in ${KUB_NAMESPACES[@]}; | ||
+ | kubectl create | ||
+ | |||
+ | echo " | ||
+ | kubectl replace | ||
+ | kind: Role | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | namespace: ${KUB_NAMESPACE} | ||
+ | name: ${KUB_USERNAME}-role | ||
+ | rules: | ||
+ | - apiGroups: [${KUB_ROLE_APIGROUPS}] | ||
+ | resources: [${KUB_ROLE_RESOURCES}] | ||
+ | verbs: [${KUB_ROLE_VERBS}] | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | kubectl replace -f - << | ||
+ | kind: RoleBinding | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | name: ${KUB_USERNAME} | ||
+ | namespace: ${KUB_NAMESPACE} | ||
+ | subjects: | ||
+ | - kind: ServiceAccount | ||
+ | name: ${KUB_USERNAME}-sa | ||
+ | namespace: kube-system | ||
+ | roleRef: | ||
+ | kind: Role | ||
+ | name: ${KUB_USERNAME}-role | ||
+ | apiGroup: rbac.authorization.k8s.io | ||
+ | EOF | ||
+ | done | ||
+ | fi | ||
+ | |||
+ | if [ " | ||
+ | echo " | ||
+ | kubectl apply -f - << | ||
+ | kind: ClusterRole | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | name: ${KUB_USERNAME}-cluster-role | ||
+ | rules: | ||
+ | - apiGroups: [${KUB_ROLE_APIGROUPS}] | ||
+ | resources: [${KUB_ROLE_RESOURCES}] | ||
+ | verbs: [${KUB_ROLE_VERBS}] | ||
+ | EOF | ||
+ | |||
+ | echo " | ||
+ | kubectl apply -f - << | ||
+ | kind: ClusterRoleBinding | ||
+ | apiVersion: rbac.authorization.k8s.io/ | ||
+ | metadata: | ||
+ | name: ${KUB_USERNAME}-cluster-rolebinding | ||
+ | subjects: | ||
+ | - kind: ServiceAccount | ||
+ | name: ${KUB_USERNAME}-sa | ||
+ | namespace: | ||
+ | roleRef: | ||
+ | kind: ClusterRole | ||
+ | name: ${KUB_USERNAME}-cluster-role | ||
+ | apiGroup: rbac.authorization.k8s.io | ||
+ | fi | ||
+ | EOF | ||
+ | fi | ||
kubectl apply -f - <<EOF | kubectl apply -f - <<EOF | ||
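Review bot: The cluster-scope branch sends a stray `fi` to kubectl, because in the heredoc opened by `kubectl apply -f - <<EOF` under the "cluster" check the `fi` line sits before the closing `EOF`; kubectl rejects the manifest and, with `set -e`, the script aborts before the ClusterRoleBinding exists — swap the two lines so `EOF` closes the heredoc and `fi` follows it. In that same ClusterRoleBinding the subject's `namespace:` appears empty, unlike the `namespace: kube-system` used in the ns-scope binding, so even once applied it would not match the service account created in kube-system. The per-namespace Role and RoleBinding are created with `kubectl replace -f -`, which fails when the object does not yet exist (the first run for a new user); use `kubectl apply -f -` as the other manifests do. On the access side, `${KUB_USERNAME}-ns-cluster-role` is bound cluster-wide regardless of AUTH_SCOPE and the account lives in kube-system; since this section is about limited access, add a comment stating exactly what that extra ClusterRole grants and consider a dedicated namespace for the service account.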
Line 701: | Line 797: | ||
namespace: kube-system | namespace: kube-system | ||
annotations: | annotations: | ||
- | kubernetes.io/ | + | kubernetes.io/ |
type: kubernetes.io/ | type: kubernetes.io/ | ||
EOF | EOF | ||
- | SA_TOKEN=`echo " | + | SA_TOKEN=`echo " |
cat <<EOF > ./ | cat <<EOF > ./ |