
[cka] Cluster Roles

by Geunny 2024. 7. 28.

1. For the first few questions of this lab, you would have to inspect the existing ClusterRoles and ClusterRoleBindings that have been created in this cluster.

 

2. How many ClusterRoles do you see defined in the cluster?

controlplane ~ ➜  k get clusterrole --no-headers | wc -l
72

 

answer :  72

 

3. How many ClusterRoleBindings exist on the cluster?

controlplane ~ ➜  k get clusterrolebindings --no-headers | wc -l
57

 

answer : 57

 

4. What namespace is the cluster-admin clusterrole part of?

 

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole


 

 

answer : none. ClusterRoles are cluster-scoped objects and are not part of any namespace (only Roles and RoleBindings are namespaced).

 

5. What user/groups are the cluster-admin role bound to? 

The ClusterRoleBinding for this role has the same name, so describe it and look at the Subjects section:

controlplane ~ ➜  kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters

 

answer : the group system:masters (no individual users are bound directly; any identity whose certificate carries O=system:masters gets cluster-admin)

 

6. What level of permission does the cluster-admin role grant? Inspect the cluster-admin role's privileges.

controlplane ~ ✖ k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

 

answer : Perform any action on any resource in the cluster

 

7. A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io

 

8. michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage. Get the API groups and resource names from command kubectl api-resources. Use the given spec:

 

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
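On the lab cluster the way to confirm these two manifests did what was intended is `kubectl auth can-i delete nodes --as michelle` (and `kubectl auth can-i --list --as michelle` for the full set). The added example below is not part of the lab or of Kubernetes itself: it is a small offline model of how the API server evaluates RBAC, with the page's three ClusterRoles (the cluster-admin rule from question 6, node-admin from question 7 and storage-admin from question 8) and their bindings transcribed as Python dicts so no PyYAML is needed. It follows the documented RBAC semantics: permissions are purely additive (there are no deny rules), a request is allowed when any rule in any role bound to the subject matches its apiGroup, resource and verb, and `*` matches everything. Namespaced RoleBindings, `resourceNames` and `nonResourceURLs` are deliberately left out of the model; the user `alice` and the extra verbs in the checks are constructed inputs.

```python
"""Minimal offline model of Kubernetes RBAC evaluation (added example).

Manifests are the ones shown on this page, transcribed by hand; the
evaluator is a simplification of the API server's RBAC authorizer and
ignores RoleBindings, resourceNames and nonResourceURLs.
"""

# Constructed copies of the page's ClusterRoles: role name -> list of rules.
CLUSTER_ROLES = {
    # `kubectl describe clusterrole cluster-admin` shows `*.*` / `[*]`,
    # i.e. every resource in every API group with every verb.
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    "node-admin": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
    "storage-admin": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "watch", "list", "create", "delete"]},
    ],
}

# Constructed copies of the page's ClusterRoleBindings.
CLUSTER_ROLE_BINDINGS = [
    {"name": "cluster-admin", "roleRef": "cluster-admin",
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"name": "michelle-binding", "roleRef": "node-admin",
     "subjects": [{"kind": "User", "name": "michelle"}]},
    {"name": "michelle-storage-admin", "roleRef": "storage-admin",
     "subjects": [{"kind": "User", "name": "michelle"}]},
]


def _matches(allowed, value):
    """RBAC wildcard semantics: a "*" entry in a rule field matches any value.

    The core API group is the empty string, so apiGroups: [""] matches
    api_group="" and nothing else.
    """
    return "*" in allowed or value in allowed


def rules_for(user, groups=()):
    """Collect every rule granted to `user`, directly or via one of `groups`."""
    rules = []
    for binding in CLUSTER_ROLE_BINDINGS:
        for subj in binding["subjects"]:
            if (subj["kind"] == "User" and subj["name"] == user) or (
                subj["kind"] == "Group" and subj["name"] in groups
            ):
                # A binding to an unknown role grants nothing (same as the API server).
                rules.extend(CLUSTER_ROLES.get(binding["roleRef"], []))
                break  # one matching subject is enough for this binding
    return rules


def can_i(user, verb, resource, api_group="", groups=()):
    """Offline stand-in for `kubectl auth can-i <verb> <resource> --as <user>`.

    Allowed if ANY bound rule matches all three of group, resource and verb;
    there is no way to express a deny, so extra bindings only ever add access.
    """
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules_for(user, groups)
    )


if __name__ == "__main__":
    for args in [("michelle", "delete", "nodes"),
                 ("michelle", "update", "nodes"),
                 ("michelle", "list", "storageclasses", "storage.k8s.io"),
                 ("michelle", "list", "storageclasses"),
                 ("michelle", "get", "pods")]:
        print(args, "->", "yes" if can_i(*args) else "no")
```

Two things the checks make visible that the manifests alone do not: `storageclasses` is only reachable through the `storage.k8s.io` group, so a rule written against the core group (`apiGroups: [""]`) for that resource silently grants nothing, which is why the lab points you at `kubectl api-resources`; and because `nodes` and `persistentvolumes` are cluster-scoped, a namespaced Role could never grant them, so the ClusterRole plus ClusterRoleBinding pair is required rather than a stylistic choice.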
