2023.06.06
★ How many clusterroles are defined in the cluster?
-> 69
controlplane ~ ➜ kubectl get clusterrole --no-headers | wc -l
69
controlplane ~ ➜
★ How many clusterrolebindings exist in the cluster?
-> 54
controlplane ~ ➜ kubectl get clusterrolebindings --no-headers | wc -l
54
controlplane ~ ➜
★ Which namespace does the cluster-admin clusterrole belong to?
-> A ClusterRole is cluster-wide; it is not part of any namespace.
controlplane ~ ➜ kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
controlplane ~ ➜
★ Which user/group is the cluster-admin role bound to?
-> Group system:masters
controlplane ~ ➜ kubectl describe clusterrolebinding cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
controlplane ~ ➜
★ What level of privilege does the cluster-admin role grant?
-> Every action on every resource in the cluster.
controlplane ~ ➜ kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
controlplane ~ ➜
★ A new user, Michelle, has joined the team. Create the ClusterRole and ClusterRoleBinding she needs in order to access nodes.
-> Copy the existing cluster-admin role to a yaml file
controlplane ~ ➜ kubectl get clusterrole cluster-admin -o yaml > michelle.yaml
controlplane ~ ➜
-> Check the copied yaml file
controlplane ~ ➜ cat michelle.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-06-06T07:08:22Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "68"
  uid: 0d93b435-10ba-475e-ae77-d46510f93d75
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
-> Edit the copied yaml file so it grants only node access
controlplane ~ ➜ cat michelle.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]
controlplane ~ ➜
-> Create the new clusterrole
controlplane ~ ➜ kubectl create -f michelle.yaml
clusterrole.rbac.authorization.k8s.io/node-admin created
controlplane ~ ➜
-> Copy an existing clusterrolebinding as a template
controlplane ~ ➜ kubectl get clusterrolebinding system:basic-user -o yaml > michelle-binding.yaml
controlplane ~ ➜
-> Check the contents
controlplane ~ ➜ cat michelle-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-06-06T07:08:24Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:basic-user
  resourceVersion: "138"
  uid: 8ec82b9d-2758-4347-a0d2-25ac08eb17b6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:basic-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
controlplane ~ ➜
-> Edit the contents
controlplane ~ ➜ cat michelle-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: michelle
controlplane ~ ➜
-> Create the clusterrolebinding
controlplane ~ ➜ kubectl create -f michelle-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/michelle-binding created
controlplane ~ ➜
★ Michelle's responsibilities have grown and she is now in charge of storage as well. Create the ClusterRole and clusterrolebinding she needs in order to access storage.
-> Create the storage-admin role
controlplane ~ ➜ kubectl create clusterrole storage-admin --resource=persistentvolumes,storageclasses --verb=get,list,create,delete,watch
clusterrole.rbac.authorization.k8s.io/storage-admin created
controlplane ~ ➜
-> Check the role
controlplane ~ ➜ kubectl describe clusterrole storage-admin
Name: storage-admin
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
persistentvolumes [] [] [get list create delete watch]
storageclasses.storage.k8s.io [] [] [get list create delete watch]
controlplane ~ ➜
-> Create the michelle-storage-admin binding
controlplane ~ ➜ kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
clusterrolebinding.rbac.authorization.k8s.io/michelle-storage-admin created
controlplane ~ ➜
-> Check the binding
controlplane ~ ➜ kubectl describe clusterrolebindings michelle-storage-admin
Name: michelle-storage-admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: storage-admin
Subjects:
Kind Name Namespace
---- ---- ---------
User michelle
controlplane ~ ➜
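As an added example (not part of the original lab and not kubectl's own code), the following Python models how the RBAC authorizer evaluates a resource request against the ClusterRoles and ClusterRoleBindings created in the two tasks above, so Michelle's effective permissions can be reviewed offline before trusting `kubectl auth can-i`. The roles and bindings are transcribed from the lab output; resourceNames, subresources and nonResourceURLs are deliberately left out since the lab does not use them.

```python
# Added example (not kubectl's code): an offline model of how the RBAC
# authorizer decides a resource request, loaded with the ClusterRoles and
# ClusterRoleBindings created in this lab. Transcribed from the output
# above; resourceNames, subresources and nonResourceURLs are left out.

CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "node-admin": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "watch", "list", "create", "delete"]}],
    # kubectl create clusterrole emits one rule per API group
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "list", "create", "delete", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "create", "delete", "watch"]}],
}

# (binding name, ClusterRole, subjects as (kind, name) pairs)
CLUSTER_ROLE_BINDINGS = [
    ("cluster-admin", "cluster-admin", [("Group", "system:masters")]),
    ("michelle-binding", "node-admin", [("User", "michelle")]),
    ("michelle-storage-admin", "storage-admin", [("User", "michelle")]),
]

def _matches(allowed, value):
    # "*" in a rule list is a wildcard; otherwise the value must be listed
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule grants the request only if verb, apiGroup and resource all match."""
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))

def bound_roles(user, groups):
    """ClusterRoles whose binding subjects name this user or one of its groups."""
    return [role for _, role, subjects in CLUSTER_ROLE_BINDINGS
            if any((kind == "User" and name == user)
                   or (kind == "Group" and name in groups)
                   for kind, name in subjects)]

def can_i(user, groups, verb, api_group, resource):
    """RBAC is additive with no deny rules: one matching rule in any bound role suffices."""
    return any(rule_allows(rule, verb, api_group, resource)
               for role in bound_roles(user, groups)
               for rule in CLUSTER_ROLES[role])
```

Note that `update` and `patch` on nodes were never granted, and nothing outside nodes, persistentvolumes and storageclasses is reachable for michelle; that is the least-privilege outcome the lab is after, in contrast to the copied cluster-admin template.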