Creating RBAC
Set up the Roles that grant access to Kubernetes resources.
1. 02.rbac/rbac.sh
If the installation yaml files generated by the bxcm-install-gen.sh shell script have not been modified, rbac.sh can be used to create all of them in one step.
The following is an example of running the rbac.sh shell script.
02.rbac$ sh rbac.sh
####################################################################################
# [rbac] start
####################################################################################
>> kubectl apply -f bxframework-rbac.yaml
clusterrole.rbac.authorization.k8s.io/app-read-role-bxcm created
clusterrolebinding.rbac.authorization.k8s.io/app-read-rolebinding-bxcm created
>> kubectl apply -f lra-rbac.yaml
clusterrole.rbac.authorization.k8s.io/lra-coordinator-leader-elector created
clusterrolebinding.rbac.authorization.k8s.io/lra-coordinator-leader-elector created
####################################################################################
# [rbac] end
####################################################################################
- Create the RBAC objects using the kubectl command.
- Create the framework RBAC (bxframework-rbac.yaml)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-read-role-bxcm
  namespace: bxcm   # a ClusterRole is cluster-scoped; the API server discards this namespace field
rules:
  - apiGroups: ["extensions", "apps", ""]
    resources: ["namespaces", "pods", "endpoints", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-read-rolebinding-bxcm
  namespace: bxcm
# Binding a ClusterRole through a ClusterRoleBinding grants the rules in every namespace,
# so the bxcm default ServiceAccount can read Secrets cluster-wide.
subjects:
  - kind: ServiceAccount
    name: default
    namespace: bxcm
roleRef:
  kind: ClusterRole
  name: app-read-role-bxcm
  apiGroup: rbac.authorization.k8s.io
How to apply to Kubernetes
kubectl apply -f bxframework-rbac.yaml
- Create the LRA RBAC (lra-rbac.yaml)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lra-coordinator-leader-elector
  namespace: bxcm   # ignored for a cluster-scoped ClusterRole
rules:
  - apiGroups:
      - ""
    resources: ["endpoints", "configmaps"]
    verbs:
      - "*"   # every verb on Endpoints and ConfigMaps, in all namespaces once bound below
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lra-coordinator-leader-elector
  namespace: bxcm
subjects:
  - kind: ServiceAccount
    name: lra-leader-elector
    namespace: bxcm
    apiGroup: ""   # ServiceAccount subjects belong to the core API group
roleRef:
  kind: ClusterRole
  name: lra-coordinator-leader-elector
  apiGroup: ""   # the API server defaults an empty roleRef.apiGroup to rbac.authorization.k8s.io
How to apply to Kubernetes
kubectl apply -f lra-rbac.yaml
- Once all of the RBAC objects have been created, they can be verified with the commands below.
02.rbac$ kubectl get ClusterRole app-read-role-bxcm lra-coordinator-leader-elector
NAME                             CREATED AT
app-read-role-bxcm               2023-11-29T01:45:27Z
lra-coordinator-leader-elector   2023-11-29T01:45:28Z
02.rbac$ kubectl get ClusterRoleBinding app-read-rolebinding-bxcm lra-coordinator-leader-elector
NAME                             ROLE                                         AGE
app-read-rolebinding-bxcm        ClusterRole/app-read-role-bxcm               4m28s
lra-coordinator-leader-elector   ClusterRole/lra-coordinator-leader-elector   4m27s
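As an added check that is not part of the bxcm install scripts, the following Python script reports which subjects the two ClusterRoleBindings above give cluster-wide access to Secrets, ConfigMaps and Endpoints. The built-in sample is a transcription of this page's two manifests; the SENSITIVE set and the script itself are assumptions of this example, and it can also audit a live cluster by piping `kubectl get clusterroles,clusterrolebindings -o json` into it.

```python
# Added audit script: which subjects get cluster-wide verbs on sensitive resources.
import json
import sys

SENSITIVE = {"secrets", "configmaps", "endpoints"}  # assumption: tune per cluster

# The two manifests from this page, transcribed as `kubectl get ... -o json` returns them.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "app-read-role-bxcm"},
     "rules": [{"apiGroups": ["extensions", "apps", ""],
                "resources": ["namespaces", "pods", "endpoints", "services",
                              "configmaps", "secrets"],
                "verbs": ["get", "list", "watch"]},
               {"apiGroups": ["batch", "extensions"], "resources": ["jobs"],
                "verbs": ["get", "list", "watch", "create", "delete"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-read-rolebinding-bxcm"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "bxcm"}],
     "roleRef": {"kind": "ClusterRole", "name": "app-read-role-bxcm"}},
    {"kind": "ClusterRole", "metadata": {"name": "lra-coordinator-leader-elector"},
     "rules": [{"apiGroups": [""], "resources": ["endpoints", "configmaps"],
                "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "lra-coordinator-leader-elector"},
     "subjects": [{"kind": "ServiceAccount", "name": "lra-leader-elector",
                   "namespace": "bxcm"}],
     "roleRef": {"kind": "ClusterRole", "name": "lra-coordinator-leader-elector"}},
]


def sensitive_grants(items):
    """{subject: {resource: sorted verbs}} for ClusterRoleBindings whose ClusterRole
    names a SENSITIVE resource or "*" (apiGroups are not inspected: it over-reports)."""
    roles = {i["metadata"]["name"]: i.get("rules") or []
             for i in items if i["kind"] == "ClusterRole"}
    report = {}
    for b in items:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["kind"] != "ClusterRole":
            continue
        for rule in roles.get(b["roleRef"]["name"], []):
            hit = [r for r in rule.get("resources", []) if r in SENSITIVE or r == "*"]
            for s in b.get("subjects") or []:
                who = (f"system:serviceaccount:{s['namespace']}:{s['name']}"
                       if s["kind"] == "ServiceAccount" else f"{s['kind']}:{s['name']}")
                for r in hit:
                    report.setdefault(who, {}).setdefault(r, set()).update(rule.get("verbs", []))
    return {who: {r: sorted(v) for r, v in res.items()} for who, res in report.items()}


if __name__ == "__main__":
    # Pipe `kubectl get clusterroles,clusterrolebindings -o json` in, else audit the sample.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for who, res in sorted(sensitive_grants(items).items()):
        for r, verbs in sorted(res.items()):
            print(f"{who}: {r} (all namespaces) -> {', '.join(verbs)}")
```

Against the sample it lists the bxcm default ServiceAccount with get/list/watch on secrets, configmaps and endpoints and the lra-leader-elector ServiceAccount with "*" on configmaps and endpoints, which is the effective scope of the two bindings created above.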