[Mock3_1] RBAC

유유·2023년 1월 31일


목록 보기

docs > https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-role

Create a new service account with the name pvviewer. Grant this Service account access to list all PersistentVolumes in the cluster by creating an appropriate cluster role called pvviewer-role and ClusterRoleBinding called pvviewer-role-binding.Next, create a pod called pvviewer with the image: redis and serviceAccount: pvviewer in the default namespace.

ServiceAccount: pvviewer

ClusterRole: pvviewer-role

ClusterRoleBinding: pvviewer-role-binding

Pod: pvviewer

Pod configured to use ServiceAccount pvviewer ?

  • create svcaccount
k create serviceaccount pvviewer

Command-line utilities

  • create clusterrole
kubectl create clusterrole pod-reader \
--verb=get,list,watch \


kubectl create clusterrole pvviewer-role \
--verb=list \
  • create clusterrolebinding

    템플릿 가져올때 꼭!! 서비스 어카운트도 있는거 가져오기
    --serviceaccount=네임스페이스:서비스어카운트 이름

kubectl create clusterrolebinding myapp-view-binding \
--clusterrole=view \

kubectl create clusterrolebinding pvviewer-role-binding \
--clusterrole=pvviewer-role \

  • create pod
kubectl run pvviewer --image=redis -o yaml > rbac.yaml
  • 확인
k get clusterrolebindings pvviewer-role-binding
k describe clusterrolebindings pvviewer-role-binding

Name:         pvviewer-role-binding
Labels:       <none>
Annotations:  <none>
  Kind:  ClusterRole
  Name:  pvviewer-role
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  pvviewer  default

>> 마지막 질문 충족함.

유사 문제


Q. Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types Deployment, StatefulSet, DaemonSet

Create a new ServiceAccount named cicd-token in the existing namespace aps.

Bind the new ClusterRole deployment-clusterrole to the new ServcieAccount cicd-token, linited to the namespace aps.

  1. ns 만들기
kubectl create ns aps
kubectl get ns
  1. svc account 만들기
kubectl create serviceaccount cicd-token -n aps
k get serviceaccount -n aps
  1. cluster role 만들기
kubectl create clusterrole pod-reader \
--verb=get,list,watch \

kubectl create clusterrole deployment-clusterrole \
--verb=create \
--resource=Deployment,StatefulSet,DaemonSet -n aps
  1. cluster role binding 하기
kubectl create rolebinding myapp-view-binding \
--clusterrole=view \
--serviceaccount=acme:myapp \

kubectl create rolebinding deployment-clusterrole-binding \
--clusterrole=deployment-clusterrole \
--serviceaccount=aps:cicd-token \

k get clusterrolebindings -n aps deployment-clusterolebinding
k describe clusterrolebindings -n aps deployment-clusterolebinding

0개의 댓글