
2023.06.06

★ How many ClusterRoles are defined in the cluster?

-> 69

controlplane ~ ➜ kubectl get clusterrole --no-headers | wc -l
69


How many ClusterRoleBindings exist in the cluster?

-> 54

controlplane ~ ➜ kubectl get clusterrolebindings --no-headers | wc -l
54


Which namespace does the cluster-admin ClusterRole belong to?

-> A ClusterRole is cluster-wide; it is not part of any namespace.

controlplane ~ ➜ kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]


Which user/group is the cluster-admin role bound to?

-> Group system:masters

controlplane ~ ➜ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters


What level of permission does the cluster-admin role grant?

-> Any action on any resource in the cluster

controlplane ~ ➜ kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]


A new user, Michelle, has joined the team. Create the ClusterRole and ClusterRoleBinding she needs to access nodes.

-> Copy the existing cluster-admin role to a YAML file

controlplane ~ ➜ kubectl get clusterrole cluster-admin -o yaml > michelle.yaml

-> Check the copied YAML file

controlplane ~ ➜ cat michelle.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-06-06T07:08:22Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "68"
  uid: 0d93b435-10ba-475e-ae77-d46510f93d75
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

-> Edit the copied YAML file (only the nodes resource and the verbs Michelle needs; the wildcards from the template are dropped)

controlplane ~ ➜ cat michelle.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]

-> Create the new ClusterRole

controlplane ~ ➜ kubectl create -f michelle.yaml
clusterrole.rbac.authorization.k8s.io/node-admin created

-> Copy an existing ClusterRoleBinding as a template

controlplane ~ ➜ kubectl get clusterrolebinding system:basic-user -o yaml > michelle-binding.yaml

-> Check the contents

controlplane ~ ➜ cat michelle-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-06-06T07:08:24Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:basic-user
  resourceVersion: "138"
  uid: 8ec82b9d-2758-4347-a0d2-25ac08eb17b6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:basic-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

-> Edit the contents (roleRef points at node-admin, the subject is the User michelle)

controlplane ~ ➜ cat michelle-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: michelle-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: michelle

-> Create the ClusterRoleBinding

controlplane ~ ➜ kubectl create -f michelle-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/michelle-binding created


As Michelle's responsibilities grow, she is now also in charge of storage. Create the ClusterRole and ClusterRoleBinding she needs to access storage.

-> Create the storage-admin role (imperatively this time, with kubectl create clusterrole)

controlplane ~ ➜ kubectl create clusterrole storage-admin --resource=persistentvolumes,storageclasses --verb=get,list,create,delete,watch
clusterrole.rbac.authorization.k8s.io/storage-admin created

-> Check the role (note that storageclasses is resolved to the storage.k8s.io API group)

controlplane ~ ➜ kubectl describe clusterrole storage-admin
Name:         storage-admin
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names  Verbs
  ---------                      -----------------  --------------  -----
  persistentvolumes              []                 []              [get list create delete watch]
  storageclasses.storage.k8s.io  []                 []              [get list create delete watch]

-> Create the michelle-storage-admin binding

controlplane ~ ➜ kubectl create clusterrolebinding michelle-storage-admin --user=michelle --clusterrole=storage-admin
clusterrolebinding.rbac.authorization.k8s.io/michelle-storage-admin created

-> Check the binding

controlplane ~ ➜ kubectl describe clusterrolebindings michelle-storage-admin
Name:         michelle-storage-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  storage-admin
Subjects:
  Kind  Name      Namespace
  ----  ----      ---------
  User  michelle
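As an added example (not part of the lab and not cluster code), a small Python model of how the API server evaluates the ClusterRoles and ClusterRoleBindings created above for Michelle's node and storage access, plus an audit helper that flags wildcard roles like the cluster-admin template the node-admin role was copied from. The manifests are constructed from the `kubectl describe` output on this page; resourceNames, subresources and namespaced RoleBindings are left out.

```python
# Constructed manifests mirroring the lab's ClusterRoles (not the lab's own files).
CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    "node-admin": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "list", "create", "delete", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "create", "delete", "watch"]},
    ],
}

# (subject kind, subject name, bound ClusterRole), one tuple per ClusterRoleBinding.
CLUSTER_ROLE_BINDINGS = [
    ("Group", "system:masters", "cluster-admin"),
    ("User", "michelle", "node-admin"),
    ("User", "michelle", "storage-admin"),
]

def _matches(allowed, value):
    """A '*' entry in a rule field matches anything; otherwise the value must be listed."""
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource):
    """One PolicyRule grants (verb, apiGroup, resource) only if all three fields match."""
    if "resources" not in rule:  # nonResourceURLs rules never cover API resources
        return False
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can_i(user, groups, verb, resource, api_group=""):
    """Deny by default: allowed iff a binding for the user or one of its groups
    references a ClusterRole with a matching rule. The core API group is ''."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    return any((kind, name) in subjects
               and any(rule_allows(r, verb, api_group, resource) for r in CLUSTER_ROLES[role])
               for kind, name, role in CLUSTER_ROLE_BINDINGS)

def wildcard_roles():
    """Audit helper: ClusterRoles carrying '*' in apiGroups, resources or verbs."""
    return sorted(n for n, rules in CLUSTER_ROLES.items() if any(
        "*" in r.get(k, []) for r in rules for k in ("apiGroups", "resources", "verbs")))
```

On a live cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as michelle`, which is worth running after each binding to confirm the grant is no wider than intended.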

 
