29.RoleBasedAccessControles.md

File metadata and controls

84 lines (70 loc) · 1.75 KB
apiserver pod 확인 (the apiserver's authorization mode is set by the `--authorization-mode` flag shown below)

kubectl describe pod kube-apiserver-master -n kube-system

--authorization-mode=Node,RBAC

kubectl get roles

kubectl get role weave-net -n kube-system -o yaml

kubectl get rolebinding -n kube-system
kubectl get rolebinding -n kube-system weave-net -o yaml

kubectl config view
# Excerpt of `kubectl config view` output: the `users` entries and the client
# credentials each one presents to the API server.
users:
# dev-user authenticates with a client certificate and key kept on disk.
- name: dev-user
  user:
    client-certificate: /etc/kubernetes/pki/users/dev-user/dev-user.crt
    client-key: /etc/kubernetes/pki/users/dev-user/dev-user.key
# kubernetes-admin embeds its credentials inline (*-data fields);
# `kubectl config view` prints those as REDACTED unless --raw is given.
# NOTE(review): with x509 client certs the API server takes the username from
# the certificate's CN (and groups from O); the kubeconfig `name` is only a
# local alias, so RBAC subjects must match the CN, not this name.
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

kubectl <command> --as {user}  (`--as` runs the command impersonating that user so you can test what a binding actually grants, e.g. `kubectl auth can-i create pods --as dev-user`)

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

[role]

# Role "developer": namespaced permissions in "default" that allow pods to be
# listed and created. A Role never grants anything outside its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: default
rules:
- apiGroups:
  - ""  # the core API group (pods live here)
  resources:
  - pods
  verbs:
  - list
  - create

[rolebinding]
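apiVersion: rbac.authorization.k8s.io/v1
# Binds the Role "developer" (list/create pods in "default") to the kubeconfig
# user "dev-user". A RoleBinding whose roleRef names a Role that does not exist
# is accepted by the API server but grants nothing, so the roleRef name must
# match the Role actually created (above: "developer", not "pod-reader").
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default  # must be the namespace of the referenced Role
subjects:
# You can specify more than one "subject"
- kind: User
  name: dev-user  # "name" is case sensitive; for x509 auth it is the cert CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole; it is immutable,
  # so to point at a different Role delete and recreate the binding
  kind: Role  # this must be Role or ClusterRole
  name: developer  # must match the name of the Role defined above
  apiGroup: rbac.authorization.k8s.io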


role update — replacing the Role's `rules` with the narrower set below (restricted to named pods via `resourceNames`)

# Updated rules for the Role: the first rule is narrowed with resourceNames to
# two specific pods; the second grants creation of deployments.
rules:
- apiGroups:
  - ""
  # resourceNames restricts this rule to these named pods only.
  resourceNames:
  - blue-app
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  # NOTE(review): watch (and list) restricted by resourceNames only authorize
  # requests that carry a matching metadata.name field selector.
  - watch
  # NOTE(review): create cannot be restricted by resourceNames (the object name
  # is not known at authorization time), so this rule does not authorize pod
  # creation; if creation is intended it needs its own rule without
  # resourceNames, which is a wider grant and should be a deliberate choice.
  - create
  - delete
- apiGroups:
  # "extensions" is the legacy group for Deployments; current clusters serve
  # them from "apps" only, so the extra entry is harmless but dead.
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - create