1. For the first few questions of this lab, you have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster.
2. How many ClusterRoles do you see defined in the cluster?
controlplane ~ ➜ k get clusterrole --no-headers | wc -l
72
answer : 72
3. How many ClusterRoleBindings exist on the cluster?
controlplane ~ ➜ k get clusterrolebindings --no-headers | wc -l
57
answer : 57
4. What namespace is the cluster-admin clusterrole part of?
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
answer : ClusterRoles are cluster-wide and are not part of any namespace
5. What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for this role has the same name as the role, so describe it directly:
controlplane ~ ➜ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters
answer : system:masters
6. What level of permission does the cluster-admin role grant? Inspect the cluster-admin role's privileges.
controlplane ~ ✖ k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
answer : Perform any action (verb *) on any resource in any API group, and on any non-resource URL, across the whole cluster
7. A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]          # nodes live in the core API group
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io
8. michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to storage. Get the API groups and resource names from the command kubectl api-resources (persistentvolumes are in the core group, storageclasses in storage.k8s.io). Use the given spec:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]                  # core group
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]    # from kubectl api-resources
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
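To see why the cluster-admin rules in question 6 grant everything while michelle's roles in questions 7 and 8 grant only specific verbs on specific resources, here is a small model of how the RBAC authorizer matches a request against bound ClusterRoles. It is an added illustration written for this page, not code from the lab or from Kubernetes; the roles and bindings are transcribed from the YAML and describe output above, and the evaluation is simplified (no resourceNames, subresources or Role/RoleBinding namespacing).

```python
"""Simplified model of Kubernetes RBAC evaluation (added example, not
Kubernetes code). RBAC is allow-only: a request is permitted if ANY rule
of ANY ClusterRole bound to the subject matches; otherwise it is denied."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list = field(default_factory=list)
    resources: list = field(default_factory=list)
    verbs: list = field(default_factory=list)


# ClusterRoles transcribed from the lab (constructed data, mirrors the page).
# "*" is the wildcard the describe output shows for cluster-admin as *.* / [*].
CLUSTER_ROLES = {
    "cluster-admin": [Rule(api_groups=["*"], resources=["*"], verbs=["*"])],
    "node-admin": [
        Rule(api_groups=[""], resources=["nodes"],
             verbs=["get", "watch", "list", "create", "delete"]),
    ],
    "storage-admin": [
        Rule(api_groups=[""], resources=["persistentvolumes"],
             verbs=["get", "watch", "list", "create", "delete"]),
        Rule(api_groups=["storage.k8s.io"], resources=["storageclasses"],
             verbs=["get", "watch", "list", "create", "delete"]),
    ],
}

# ClusterRoleBindings: (kind, name) of the subject -> bound ClusterRoles.
BINDINGS = {
    ("Group", "system:masters"): ["cluster-admin"],
    ("User", "michelle"): ["node-admin", "storage-admin"],
}


def _matches(allowed, value):
    """A rule field matches when it lists the value or the wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule.verbs, verb)
            and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def can_i(subject, verb, resource, api_group=""):
    """Answer like `kubectl auth can-i`: True if some bound rule matches.
    api_group defaults to "" (the core group, where nodes and pods live)."""
    for role_name in BINDINGS.get(subject, []):
        for rule in CLUSTER_ROLES.get(role_name, []):
            if rule_allows(rule, verb, api_group, resource):
                return True
    return False


if __name__ == "__main__":
    michelle = ("User", "michelle")
    checks = [
        (michelle, "get", "nodes", ""),
        (michelle, "update", "nodes", ""),             # verb not granted
        (michelle, "get", "pods", ""),                 # resource not granted
        (michelle, "create", "storageclasses", "storage.k8s.io"),
        (michelle, "create", "storageclasses", ""),    # wrong API group
        (("Group", "system:masters"), "delete", "secrets", ""),
    ]
    for subj, verb, res, grp in checks:
        print(f"{subj[1]:15} {verb:7} {res:18} group={grp or 'core':15}"
              f"-> {'yes' if can_i(subj, verb, res, grp) else 'no'}")
```

The failing storageclasses check with the core API group is the mistake question 8 warns about: a rule only matches when the apiGroup is right, which is why the lab tells you to look it up with kubectl api-resources. On a real cluster the equivalent check is kubectl auth can-i get nodes --as michelle (and --as-group for group subjects), which should be run after applying the manifests to confirm the binding grants exactly what was intended and nothing more.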