Today I Learn - 51

RBAC

SA 계정을 이용한 사용자 인증

1. NS: development

   apiVersion: v1
   kind: Namespace
   metadata:
     name: development

2. SA: devops

   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: devops
     namespace: development

3. Role: dev-fc

   • development NS에 모든 권한

     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       name: dev-fc
       namespace: development
     rules:
     - apiGroups:
       - ""
       resources:
       - "*"
       verbs:
       - "*"

4. RoleBinding: devops-dev-fc

   • devops <-> dev-fc

     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: devops-dev-fc
       namespace: development
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: Role
       name: dev-fc
     subjects:
     - apiGroup: ""
       kind: ServiceAccount
       name: devops
       namespace: development

5. ClusterRole: view

   • 클러스터 전체 읽기

6. ClusterRoleBinding: devops-view

   • devops <-> cluster-read

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       name: devops-view 
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: view
     subjects:
     - apiGroup: ""
       kind: ServiceAccount
       name: devops
       namespace: development

7. kubeconfig(~/.kube/config)

   • 클러스터
   • 계정
   • 컨텍스트(클러스터 - 계정)

SA 계정 토큰 확인

kubectl get sa -n development devops
kubectl describe secret -n development devops-token-rfvwt

kubeconfig 사용자 정의

kubectl config set-credentials devops --token=XXX

kubeconfig 컨텍스트 정의

kubectl config set-context devops@cluster.local --cluster=cluster.local --user=devops --namespace=development

컨텍스트 변경

kubectl config use-context devops@cluster.local

사용자 계정을 이용한 사용자 인증(with x.509)

1. CSR

   x.509 키 생성

   openssl genrsa -out kadmin.key 2048

CSR 생성

openssl req -new -key kadmin.key -out kadmin.csr -subj "/CN=kadmin"

CSR 리소스 생성

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: <NAME>
spec:
  request: <BASE64 ENCODED>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

CSR 리소스 확인

kubectl get csr

• Pending

CSR 승인: 서명된 인증서 발급

kubectl certificate approve kadmin

CSR 리소스 확인

kubectl get csr

• Approved,Issued

발급된 인증서 csr 리소스의 csr.status.certificate 에 있음.

인증서 저장

kubectl get csr kadmin -o jsonpath='{.status.certificate}' | base64 -d > kadmin.crt

2. ClusterRole: admin

3. ClusterRoleBinding: kadmin-admin

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: kadmin-admin 
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: admin
   subjects:
   - apiGroup: ""
     kind: User
     name: kadmin

4. kubeconfig

   kubectl config set-credentials kadmin --client-certificate=kadmin.crt --client-key=kadmin.key --embed-certs

   kubectl config set-context kadmin@cluster.local --cluster=cluster.local --user=kadmin

---

x.509 사용자 생성(kops): 클러스터에 모두 읽기 권한

원격 클라이언트

윈도우

choco install kubernetes-cli --version=1.19.5 [--allowdowngrade]

kubectl version

리눅스(쿠버네티스 클러스터)

cp ~/.kube/config /vagrant

윈도우

c:\Users\playdata\vagrant\k8s\config ----copy---> c:\Users\.kube/config

---

helm repo add stable https://charts.helm.sh/stable

helm completion bash | sudo tee /etc/bash_completion.d/helm
exec bash

helm show <option>

• all = chart + readme + values
• chart: 차트 정보(버전...) - Chart.yaml
• readme: README.md
• values: 추가 설정 값 - values.yaml

예: mariadb 패키지
https://github.com/helm/charts/tree/master/stable/mariadb

차트 구조

Chart.yaml

README.md

values.yaml

/templates

values.yaml

service:
  type: LoadBalancer

helm install happy-panda stable/mariadb -f values.yaml 

helm install <release> <package>

helm uninstall <release>

helm upgrade -f <values> <realease> <package>

helm history <realease>

helm rollback <release>