

RBAC

root@k8s-master-00:~# kubectl api-resources
NAME                              SHORTNAMES                                      APIVERSION                        NAMESPACED   KIND
bindings                                                                          v1                                true         Binding
componentstatuses                 cs                                              v1                                false        ComponentStatus
configmaps                        cm                                              v1                                true         ConfigMap
endpoints                         ep                                              v1                                true         Endpoints
events                            ev                                              v1                                true         Event
limitranges                       limits                                          v1                                true         LimitRange
namespaces                        ns                                              v1                                false        Namespace
nodes                             no                                              v1                                false        Node
persistentvolumeclaims            pvc                                             v1                                true         PersistentVolumeClaim
persistentvolumes                 pv                                              v1                                false        PersistentVolume
pods                              po                                              v1                                true         Pod
podtemplates                                                                      v1                                true         PodTemplate
replicationcontrollers            rc                                              v1                                true         ReplicationController
resourcequotas                    quota                                           v1                                true         ResourceQuota
secrets                                                                           v1                                true         Secret
serviceaccounts                   sa                                              v1                                true         ServiceAccount
services                          svc                                             v1                                true         Service
mutatingwebhookconfigurations                                                     admissionregistration.k8s.io/v1   false        MutatingWebhookConfiguration
validatingwebhookconfigurations                                                   admissionregistration.k8s.io/v1   false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds                                        apiextensions.k8s.io/v1           false        CustomResourceDefinition
apiservices                                                                       apiregistration.k8s.io/v1         false        APIService
controllerrevisions                                                               apps/v1                           true         ControllerRevision
daemonsets                        ds                                              apps/v1                           true         DaemonSet
deployments                       deploy                                          apps/v1                           true         Deployment
replicasets                       rs                                              apps/v1                           true         ReplicaSet
statefulsets                      sts                                             apps/v1                           true         StatefulSet
selfsubjectreviews                                                                authentication.k8s.io/v1          false        SelfSubjectReview
tokenreviews                                                                      authentication.k8s.io/v1          false        TokenReview
localsubjectaccessreviews                                                         authorization.k8s.io/v1           true         LocalSubjectAccessReview
selfsubjectaccessreviews                                                          authorization.k8s.io/v1           false        SelfSubjectAccessReview
selfsubjectrulesreviews                                                           authorization.k8s.io/v1           false        SelfSubjectRulesReview
subjectaccessreviews                                                              authorization.k8s.io/v1           false        SubjectAccessReview
horizontalpodautoscalers          hpa                                             autoscaling/v2                    true         HorizontalPodAutoscaler
cronjobs                          cj                                              batch/v1                          true         CronJob
jobs                                                                              batch/v1                          true         Job
certificatesigningrequests        csr                                             certificates.k8s.io/v1            false        CertificateSigningRequest
leases                                                                            coordination.k8s.io/v1            true         Lease
bgpconfigurations                                                                 crd.projectcalico.org/v1          false        BGPConfiguration
bgpfilters                                                                        crd.projectcalico.org/v1          false        BGPFilter
bgppeers                                                                          crd.projectcalico.org/v1          false        BGPPeer
blockaffinities                                                                   crd.projectcalico.org/v1          false        BlockAffinity
caliconodestatuses                                                                crd.projectcalico.org/v1          false        CalicoNodeStatus
clusterinformations                                                               crd.projectcalico.org/v1          false        ClusterInformation
felixconfigurations                                                               crd.projectcalico.org/v1          false        FelixConfiguration
globalnetworkpolicies                                                             crd.projectcalico.org/v1          false        GlobalNetworkPolicy
globalnetworksets                                                                 crd.projectcalico.org/v1          false        GlobalNetworkSet
hostendpoints                                                                     crd.projectcalico.org/v1          false        HostEndpoint
ipamblocks                                                                        crd.projectcalico.org/v1          false        IPAMBlock
ipamconfigs                                                                       crd.projectcalico.org/v1          false        IPAMConfig
ipamhandles                                                                       crd.projectcalico.org/v1          false        IPAMHandle
ippools                                                                           crd.projectcalico.org/v1          false        IPPool
ipreservations                                                                    crd.projectcalico.org/v1          false        IPReservation
kubecontrollersconfigurations                                                     crd.projectcalico.org/v1          false        KubeControllersConfiguration
networkpolicies                                                                   crd.projectcalico.org/v1          true         NetworkPolicy
networksets                                                                       crd.projectcalico.org/v1          true         NetworkSet
endpointslices                                                                    discovery.k8s.io/v1               true         EndpointSlice
events                            ev                                              events.k8s.io/v1                  true         Event
flowschemas                                                                       flowcontrol.apiserver.k8s.io/v1   false        FlowSchema
prioritylevelconfigurations                                                       flowcontrol.apiserver.k8s.io/v1   false        PriorityLevelConfiguration
ingressclasses                                                                    networking.k8s.io/v1              false        IngressClass
ingresses                         ing                                             networking.k8s.io/v1              true         Ingress
networkpolicies                   netpol                                          networking.k8s.io/v1              true         NetworkPolicy
runtimeclasses                                                                    node.k8s.io/v1                    false        RuntimeClass
apiservers                                                                        operator.tigera.io/v1             false        APIServer
imagesets                                                                         operator.tigera.io/v1             false        ImageSet
installations                                                                     operator.tigera.io/v1             false        Installation
tigerastatuses                                                                    operator.tigera.io/v1             false        TigeraStatus
poddisruptionbudgets              pdb                                             policy/v1                         true         PodDisruptionBudget
bgpconfigurations                 bgpconfig,bgpconfigs                            projectcalico.org/v3              false        BGPConfiguration
bgpfilters                                                                        projectcalico.org/v3              false        BGPFilter
bgppeers                                                                          projectcalico.org/v3              false        BGPPeer
blockaffinities                   blockaffinity,affinity,affinities               projectcalico.org/v3              false        BlockAffinity
caliconodestatuses                caliconodestatus                                projectcalico.org/v3              false        CalicoNodeStatus
clusterinformations               clusterinfo                                     projectcalico.org/v3              false        ClusterInformation
felixconfigurations               felixconfig,felixconfigs                        projectcalico.org/v3              false        FelixConfiguration
globalnetworkpolicies             gnp,cgnp,calicoglobalnetworkpolicies            projectcalico.org/v3              false        GlobalNetworkPolicy
globalnetworksets                                                                 projectcalico.org/v3              false        GlobalNetworkSet
hostendpoints                     hep,heps                                        projectcalico.org/v3              false        HostEndpoint
ipamconfigurations                ipamconfig                                      projectcalico.org/v3              false        IPAMConfiguration
ippools                                                                           projectcalico.org/v3              false        IPPool
ipreservations                                                                    projectcalico.org/v3              false        IPReservation
kubecontrollersconfigurations                                                     projectcalico.org/v3              false        KubeControllersConfiguration
networkpolicies                   cnp,caliconetworkpolicy,caliconetworkpolicies   projectcalico.org/v3              true         NetworkPolicy
networksets                       netsets                                         projectcalico.org/v3              true         NetworkSet
profiles                                                                          projectcalico.org/v3              false        Profile
clusterrolebindings                                                               rbac.authorization.k8s.io/v1      false        ClusterRoleBinding
clusterroles                                                                      rbac.authorization.k8s.io/v1      false        ClusterRole
rolebindings                                                                      rbac.authorization.k8s.io/v1      true         RoleBinding
roles                                                                             rbac.authorization.k8s.io/v1      true         Role
priorityclasses                   pc                                              scheduling.k8s.io/v1              false        PriorityClass
csidrivers                                                                        storage.k8s.io/v1                 false        CSIDriver
csinodes                                                                          storage.k8s.io/v1                 false        CSINode
csistoragecapacities                                                              storage.k8s.io/v1                 true         CSIStorageCapacity
storageclasses                    sc                                              storage.k8s.io/v1                 false        StorageClass
volumeattachments                                                                 storage.k8s.io/v1                 false        VolumeAttachment
root@k8s-master-00:~# kubectl get role -A
NAMESPACE     NAME                                             CREATED AT
kube-public   kubeadm:bootstrap-signer-clusterinfo             2024-05-24T01:02:45Z
kube-public   system:controller:bootstrap-signer               2024-05-24T01:02:43Z
kube-system   extension-apiserver-authentication-reader        2024-05-24T01:02:43Z
kube-system   kube-proxy                                       2024-05-24T01:02:45Z
kube-system   kubeadm:kubelet-config                           2024-05-24T01:02:43Z
kube-system   kubeadm:nodes-kubeadm-config                     2024-05-24T01:02:43Z
kube-system   system::leader-locking-kube-controller-manager   2024-05-24T01:02:43Z
kube-system   system::leader-locking-kube-scheduler            2024-05-24T01:02:43Z
kube-system   system:controller:bootstrap-signer               2024-05-24T01:02:43Z
kube-system   system:controller:cloud-provider                 2024-05-24T01:02:43Z
kube-system   system:controller:token-cleaner                  2024-05-24T01:02:43Z

root@k8s-master-00:~# kubectl get rolebinding -A
NAMESPACE     NAME                                                ROLE                                                  AGE
kube-public   kubeadm:bootstrap-signer-clusterinfo                Role/kubeadm:bootstrap-signer-clusterinfo             6d4h
kube-public   system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               6d4h
kube-system   calico-apiserver-auth-reader                        Role/extension-apiserver-authentication-reader        6d4h
kube-system   kube-proxy                                          Role/kube-proxy                                       6d4h
kube-system   kubeadm:kubelet-config                              Role/kubeadm:kubelet-config                           6d4h
kube-system   kubeadm:nodes-kubeadm-config                        Role/kubeadm:nodes-kubeadm-config                     6d4h
kube-system   system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        6d4h
kube-system   system::leader-locking-kube-controller-manager      Role/system::leader-locking-kube-controller-manager   6d4h
kube-system   system::leader-locking-kube-scheduler               Role/system::leader-locking-kube-scheduler            6d4h
kube-system   system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               6d4h
kube-system   system:controller:cloud-provider                    Role/system:controller:cloud-provider                 6d4h
kube-system   system:controller:token-cleaner                     Role/system:controller:token-cleaner                  6d4h

root@k8s-master-00:~# kubectl describe rolebinding system::leader-locking-kube-scheduler -n kube-system
Name:         system::leader-locking-kube-scheduler
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  Role
  Name:  system::leader-locking-kube-scheduler
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  User            system:kube-scheduler
  ServiceAccount  kube-scheduler         kube-system

root@k8s-master-00:~# kubectl describe role system::leader-locking-kube-scheduler -n kube-system
Name:         system::leader-locking-kube-scheduler
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources   Non-Resource URLs  Resource Names    Verbs
  ---------   -----------------  --------------    -----
  configmaps  []                 [kube-scheduler]  [get update]
  configmaps  []                 []                [watch]
--namespace 생성
root@k8s-master-00:~# kubectl create namespace account
namespace/account created
root@k8s-master-00:~# kubectl get ns
NAME               STATUS   AGE
account            Active   25s
calico-apiserver   Active   6d4h
calico-system      Active   6d4h
default            Active   6d5h
kube-node-lease    Active   6d5h
kube-public        Active   6d5h
kube-system        Active   6d5h
tigera-operator    Active   6d4h

--서비스 어카운트 생성 
-- api-service-account 라는 서비스어카운트를 account 네임스페이스에 생성
root@k8s-master-00:~# kubectl create serviceaccount api-service-account -n account
serviceaccount/api-service-account created

root@k8s-master-00:~# kubectl get serviceaccount
NAME      SECRETS   AGE
default   0         6d5h

root@k8s-master-00:~# kubectl get serviceaccount -n account
NAME                  SECRETS   AGE
api-service-account   0         52s
default               0         2m5s

--클러스터 역할(role) 생성 : 특정 네임스페이스에 한정된 정책 
root@k8s-master-00:~# vim api-cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole   # cluster-scoped object: the rules below are not tied to any single namespace by themselves
metadata:
  name: api-cluster-role
  namespace: account  # the namespace created earlier. NOTE(review): ClusterRole is not a namespaced resource (see `kubectl api-resources` above, NAMESPACED=false), so this field has no effect; whether the role is limited to one namespace is decided by how it is bound (RoleBinding vs ClusterRoleBinding), not here
rules:   # one rule; apiGroups x resources x verbs are combined, so every listed verb applies to every listed resource in every listed group
  - apiGroups:        # API groups the rule applies to ("" is the core group)
        - ""
        - apps
        - autoscaling
        - batch
        - extensions
        - policy
        - rbac.authorization.k8s.io
    resources:        # which cluster resources (e.g. pods, volumes) the rule covers
      - pods
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress         # NOTE(review): the resource name is the plural `ingresses`, and in this cluster it is served by networking.k8s.io/v1 (see api-resources), which is not in apiGroups above — as written this entry matches nothing
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods            # duplicate of the first entry; harmless, but both lines must go to actually revoke pod access (the commented-out version further down does that)
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]    # what the subject may do with those resources. Includes create/update/delete on cluster-scoped objects (nodes, namespaces, persistentvolumes) and on serviceaccounts; once bound cluster-wide this is close to admin, so trim it to what the workload actually needs
    
root@k8s-master-00:~# kubectl apply -f api-cluster-role.yaml
clusterrole.rbac.authorization.k8s.io/api-cluster-role created

--클러스터 역할 바인딩:  역할이 특정 네임스페이스에 한정된 정책을 따르도록 적용
root@k8s-master-00:~# vim api-cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding   # grants the referenced ClusterRole in EVERY namespace. To confine it to `account`, create a RoleBinding in that namespace with the same roleRef (kind: ClusterRole) instead
metadata:
  name: api-cluster-role-binding
subjects:    # the subject is a service account
- namespace: account   # where the service account lives — this does not restrict where the role applies
  kind: ServiceAccount
  name: api-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-cluster-role    # maps api-cluster-role to api-service-account. The `kubectl auth can-i` checks below run without -n, so they are evaluated in the kubeconfig's current namespace (presumably `default`) and still answer yes — consistent with a cluster-wide grant

root@k8s-master-00:~# kubectl apply -f api-cluster-role-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/api-cluster-role-binding created

--서비스 계정 접속 검증
root@k8s-master-00:~# kubectl auth can-i get pods --as=system:serviceaccount:account:api-service-account
yes
root@k8s-master-00:~# kubectl auth can-i get deploy --as=system:serviceaccount:account:api-service-account
yes

--pod 주석처리 후 확인
root@k8s-master-00:~# vim api-cluster-role.yaml
      #- pods
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      #- pods
~~

root@k8s-master-00:~# kubectl apply -f api-cluster-role.yaml
clusterrole.rbac.authorization.k8s.io/api-cluster-role configured
root@k8s-master-00:~# kubectl auth can-i get pods --as=system:serviceaccount:account:api-service-account
no
root@k8s-master-00:~# kubectl auth can-i get deploy --as=system:serviceaccount:account:api-service-account
yes