docs > https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-role
Create a new service account with the name pvviewer. Grant this service account access to list all PersistentVolumes in the cluster by creating an appropriate cluster role called pvviewer-role and a ClusterRoleBinding called pvviewer-role-binding.
Next, create a pod called pvviewer with the image: redis and serviceAccount: pvviewer in the default namespace.
ServiceAccount: pvviewer
ClusterRole: pvviewer-role
ClusterRoleBinding: pvviewer-role-binding
Pod: pvviewer
Pod configured to use ServiceAccount pvviewer ?
k create serviceaccount pvviewer
*template*
kubectl create clusterrole pod-reader \
--verb=get,list,watch \
--resource=pods
*solve*
kubectl create clusterrole pvviewer-role \
--verb=list \
--resource=PersistentVolumes
When copying the template, make sure to take the one that includes a service account!!
--serviceaccount=<namespace>:<service account name>
*template*
kubectl create clusterrolebinding myapp-view-binding \
--clusterrole=view \
--serviceaccount=acme:myapp
*solve*
kubectl create clusterrolebinding pvviewer-role-binding \
--clusterrole=pvviewer-role \
--serviceaccount=default:pvviewer
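kubectl run pvviewer --image=redis --dry-run=client -o yaml > rbac.yaml
# add "serviceAccountName: pvviewer" under spec: in rbac.yaml, then: kubectl apply -f rbac.yaml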
k get clusterrolebindings pvviewer-role-binding
k describe clusterrolebindings pvviewer-role-binding
Name: pvviewer-role-binding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: pvviewer-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount pvviewer default
>> The last check item is satisfied.
Similar question
💡Q. Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types: Deployment, StatefulSet, DaemonSet.
Create a new ServiceAccount named cicd-token in the existing namespace aps.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace aps.
kubectl create ns aps
kubectl get ns
kubectl create serviceaccount cicd-token -n aps
k get serviceaccount -n aps
**template**
kubectl create clusterrole pod-reader \
--verb=get,list,watch \
--resource=pods
**solve**
kubectl create clusterrole deployment-clusterrole \
--verb=create \
--resource=Deployment,StatefulSet,DaemonSet
**template**
kubectl create rolebinding myapp-view-binding \
--clusterrole=view \
--serviceaccount=acme:myapp \
--namespace=acme
**solve**
kubectl create rolebinding deployment-clusterrole-binding \
--clusterrole=deployment-clusterrole \
--serviceaccount=aps:cicd-token \
--namespace=aps
k get rolebindings -n aps deployment-clusterrole-binding
k describe rolebindings -n aps deployment-clusterrole-binding
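A least-privilege check for both exercises, as an added example that is not part of the original notes: it impersonates each ServiceAccount with `kubectl auth can-i --as` and confirms that the requested actions are allowed while neighbouring ones (other verbs, other namespaces) are denied. The `KUBECTL` override and the function names are assumptions of this sketch, and the caller needs permission to impersonate service accounts.

```shell
#!/bin/sh
# Added example: audit the RBAC created in the two exercises above.
# KUBECTL is an assumed override hook (wrapper or stub); defaults to kubectl.
KUBECTL="${KUBECTL:-kubectl}"

# can_i SA_NAMESPACE SA_NAME VERB RESOURCE [NAMESPACE]
# Returns 0 when the API server answers "yes" for the impersonated ServiceAccount.
can_i() {
  ci_sa="system:serviceaccount:$1:$2"
  if [ -n "${5:-}" ]; then
    "$KUBECTL" auth can-i "$3" "$4" --as="$ci_sa" -n "$5" >/dev/null 2>&1
  else
    "$KUBECTL" auth can-i "$3" "$4" --as="$ci_sa" >/dev/null 2>&1
  fi
}

# expect yes|no <can_i arguments>: compare the answer with what the task asked for.
expect() {
  ex_want="$1"; shift
  ex_got=no
  if can_i "$@"; then ex_got=yes; fi
  if [ "$ex_got" = "$ex_want" ]; then
    echo "ok    want=$ex_want  $*"
  else
    echo "FAIL  want=$ex_want got=$ex_got  $*"; return 1
  fi
}

audit_rbac() {
  rc=0
  # Exercise 1: pvviewer may list PersistentVolumes and nothing else.
  expect yes default pvviewer list persistentvolumes || rc=1
  expect no default pvviewer delete persistentvolumes || rc=1
  expect no default pvviewer list secrets default || rc=1
  # Exercise 2: the RoleBinding limits cicd-token to namespace aps,
  # even though the rules live in a ClusterRole.
  for r in deployments statefulsets daemonsets; do
    expect yes aps cicd-token create "$r" aps || rc=1
    expect no aps cicd-token create "$r" default || rc=1
  done
  expect no aps cicd-token delete deployments aps || rc=1
  return "$rc"
}

# Run against the current cluster context only when invoked as: sh audit.sh run
if [ "${1:-}" = "run" ]; then audit_rbac; fi
```

A `FAIL` on one of the `default` namespace lines for cicd-token means the ClusterRole was bound with a ClusterRoleBinding instead of a RoleBinding.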