A ClusterRole is a role that defines permissions on Kubernetes resources.
It can apply cluster-wide, independent of any namespace, or it can define permissions for resources within a particular namespace.
- Specifies the resources, API groups and permitted actions (verbs)
- Grant only the minimum permissions required; if cluster-wide permissions are not needed, use a Role and RoleBinding instead.
- Definition

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
A ClusterRoleBinding attaches (binds) a defined ClusterRole to users, groups or service accounts.
It operates across the whole cluster and has no namespace restriction.
- Specifies the subjects that are granted the permissions
- Listing ClusterRoles
```
controlplane ~ ➜ kubectl get clusterroles
NAME                               CREATED AT
admin                              2025-02-03T05:18:13Z
cluster-admin                      2025-02-03T05:18:13Z
clustercidrs-node                  2025-02-03T05:18:19Z
edit                               2025-02-03T05:18:13Z
k3s-cloud-controller-manager       2025-02-03T05:18:17Z
local-path-provisioner-role        2025-02-03T05:18:17Z
system:aggregate-to-admin          2025-02-03T05:18:13Z
system:aggregate-to-edit           2025-02-03T05:18:13Z
system:aggregate-to-view           2025-02-03T05:18:13Z
system:aggregated-metrics-reader   2025-02-03T05:18:17Z
system:auth-delegator              2025-02-03T05:18:13Z
system:basic-user

controlplane ~ ➜ kubectl describe clusterrolebindings cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

controlplane ~ ➜ kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
# every action on every resource is permitted
```
- Creating a ClusterRole

```
$ kubectl create clusterrole --help
Create a cluster role.

Examples:
  # Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

  # Create a cluster role named "pod-reader" with ResourceName specified
  kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
```

- Creating a ClusterRoleBinding

```
$ kubectl create clusterrolebinding --help
Create a cluster role binding for a particular cluster role.

Examples:
  # Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role
  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1
```
Exercise]

```
controlplane ~ ➜ kubectl get nodes --as michelle
Error from server (Forbidden): nodes is forbidden: User "michelle" cannot list resource "nodes" in API group "" at the cluster scope

# a ClusterRole and a ClusterRoleBinding have to be created
controlplane ~ ➜ kubectl create clusterrole michelle-role --verb=get,list,watch --resource=nodes
clusterrole.rbac.authorization.k8s.io/michelle-role created

controlplane ~ ➜ kubectl create clusterrolebinding michelle-role-binding --clusterrole=michelle-role --user=michelle
clusterrolebinding.rbac.authorization.k8s.io/michelle-role-binding created

# check the role
controlplane ~ ➜ kubectl describe clusterrole michelle-role
Name:         michelle-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  nodes      []                 []              [get list watch]

controlplane ~ ➜ kubectl describe clusterrolebinding michelle-role-binding
Name:         michelle-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  michelle-role
Subjects:
  Kind  Name      Namespace
  ----  ----      ---------
  User  michelle

# verify it works as michell
controlplane ~ ➜ kubectl get nodes --as michell
NAME           STATUS   ROLES                  AGE   VERSION
controlplane   Ready    control-plane,master   40m   v1.31.0+k3s1
```
Exercise 2] Creating storage-admin

```
controlplane ~ ➜ kubectl create clusterrole storage-admin --resource=persistentvolumes,storageclasses --verb=list,create,get,watch
clusterrole.rbac.authorization.k8s.io/storage-admin created

controlplane ~ ➜ kubectl describe clusterrole storage-admin
Name:         storage-admin
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names  Verbs
  ---------                      -----------------  --------------  -----
  persistentvolumes              []                 []              [list create get watch]
  storageclasses.storage.k8s.io  []                 []              [list create get watch]

controlplane ~ ➜ kubectl get clusterrole storage-admin -o yaml
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2025-02-03T06:13:11Z"
  name: storage-admin
  resourceVersion: "1662"
  uid: 50885146-39ed-451c-a75c-b18b665ef738
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes   # check the resource
  verbs:
  - list
  - create
  - get
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses      # check the resource
  verbs:
  - list
  - create
  - get
  - watch
```

```
controlplane ~ ➜ kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
clusterrolebinding.rbac.authorization.k8s.io/michelle-storage-admin created

controlplane ~ ➜ kubectl get clusterrolebinding michelle-role-binding -o yaml
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2025-02-03T05:57:58Z"
  name: michelle-role-binding
  resourceVersion: "1389"
  uid: be616dfa-5495-471d-83dd-e2125ef3643e
roleRef:   # the ClusterRole being bound
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: michelle-role
subjects:  # the subjects granted the permissions
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: michell   # user name
```

```
controlplane ~ ➜ kubectl describe clusterrolebinding michelle-storage-admin
Name:         michelle-storage-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  storage-admin
Subjects:
  Kind  Name      Namespace
  ----  ----      ---------
  User  michelle

controlplane ~ ➜ kubectl get storageclasses --as michelle
NAME                   PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
local-path (default)   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  63m
```
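As an added example (not code from the post), here is a small Python model of how the API server evaluates these ClusterRoles and ClusterRoleBindings for a request such as `kubectl get nodes --as michelle`: it reproduces the rules from both exercises plus the resource-name-restricted pod-reader role from the help text, so you can see why a verb outside the list, a wrong API group, or an unbound user ends in Forbidden. The cluster state and the user `viewer` are constructed for illustration; non-resource URLs and aggregated roles are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One entry of a ClusterRole's `rules:` list."""
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

def _match(allowed, value):
    # "*" in a rule matches anything, otherwise the value must be listed
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb, name=None):
    if not (_match(rule.api_groups, api_group) and _match(rule.resources, resource)
            and _match(rule.verbs, verb)):
        return False
    # resourceNames narrows a rule to named objects; a request without an
    # object name (such as list) is not matched by a name-restricted rule
    return not rule.resource_names or name in rule.resource_names

# Constructed cluster state mirroring the post's exercises and help examples
CLUSTER_ROLES = {
    "michelle-role": [Rule([""], ["nodes"], ["get", "list", "watch"])],
    "storage-admin": [Rule([""], ["persistentvolumes"], ["list", "create", "get", "watch"]),
                      Rule(["storage.k8s.io"], ["storageclasses"], ["list", "create", "get", "watch"])],
    "pod-reader": [Rule([""], ["pods"], ["get"], ["readablepod", "anotherpod"])],
    "cluster-admin": [Rule(["*"], ["*"], ["*"])],
}
BINDINGS = [  # (ClusterRole name, subject kind, subject name)
    ("michelle-role", "User", "michelle"),
    ("storage-admin", "User", "michelle"),
    ("pod-reader", "User", "viewer"),          # hypothetical user
    ("cluster-admin", "Group", "system:masters"),
]

def can(user, groups, verb, resource, api_group="", name=None):
    """True if some ClusterRole bound to the user, or to one of its groups, permits the request."""
    for role, kind, subject in BINDINGS:
        bound = (kind == "User" and subject == user) or (kind == "Group" and subject in groups)
        if bound and any(rule_allows(r, api_group, resource, verb, name)
                         for r in CLUSTER_ROLES.get(role, [])):
            return True
    return False   # no matching binding/rule: the API server answers Forbidden

if __name__ == "__main__":
    print(can("michelle", [], "list", "nodes"))                                       # True
    print(can("michelle", [], "list", "storageclasses", api_group="storage.k8s.io"))  # True
```

Note that `storageclasses` only matches when the request carries the `storage.k8s.io` API group, which is why `kubectl describe` prints it as `storageclasses.storage.k8s.io`.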
|  | ClusterRole | Role |
|---|---|---|
| Scope | cluster-wide or namespaced resources | resources within a specific namespace |
| Target resources | cluster-scoped resources | namespaced resources |
| Binding | ClusterRoleBinding or RoleBinding | RoleBinding only |