1.编写资源清单
[root@master231 rbac]# cat > oldboyedu-sa-rbac.yaml <<EOF
# ServiceAccount the demo pod runs as. Its token is auto-mounted into the pod at
# /var/run/secrets/kubernetes.io/serviceaccount/token, which is what the script
# in step 4 sends as its Bearer token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oldboy
  namespace: kube-public
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: xiuxian
  namespace: kube-public
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xiuxian
  template:
    metadata:
      labels:
        app: xiuxian
    spec:
      nodeName: worker232          # bypasses the scheduler; pins the pod to this node
      serviceAccountName: oldboy   # every apiserver request from this pod is authorized as kube-public:oldboy
      containers:
      - name: apps
        image: harbor250.oldboyedu.com/oldboyedu-devops/python:3.9.16-alpine3.16
        command: ["tail", "-f", "/etc/hosts"]   # keeps the container alive for an interactive exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader-oldboy
# NOTE(review): the role is called "reader" but also grants delete. The script
# it backs only lists resources, so get/list/watch is sufficient; drop delete
# unless something else genuinely needs it.
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: reader-oldboy-bind
# NOTE(review): a ClusterRoleBinding applies the role in every namespace. The
# script only queries kube-public, so a RoleBinding in kube-public (still
# referencing this ClusterRole) would confine the grant to that namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: reader-oldboy
subjects:
- kind: ServiceAccount
  name: oldboy
  namespace: kube-public
EOF
2.创建资源
[root@master231 rbac]# kubectl apply -f oldboyedu-sa-rbac.yaml
serviceaccount/oldboy created
deployment.apps/xiuxian created
clusterrole.rbac.authorization.k8s.io/reader-oldboy created
clusterrolebinding.rbac.authorization.k8s.io/reader-oldboy-bind created
[root@master231 rbac]#
[root@master231 rbac]# kubectl get deploy,sa,po -o wide -n kube-public
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/xiuxian 1/1 1 1 111s apps harbor250.oldboyedu.com/oldboyedu-casedemo/python:3.9.16-alpine3.16 app=xiuxian
NAME SECRETS AGE
serviceaccount/default 1 9d
serviceaccount/oldboy 1 111s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/xiuxian-6ffc4f5fd7-m9tf2 1/1 Running 0 111s 10.100.1.165 worker232 <none> <none>
[root@master231 rbac]#
3.安装依赖包
[root@master231 rbac]# kubectl -n kube-public exec -it xiuxian-6ffc4f5fd7-m9tf2 -- sh
/ #
/ # python -V
Python 3.9.16
/ #
/ # pip install kubernetes -i https://pypi.tuna.tsinghua.edu.cn/simple/
...
Successfully installed cachetools-5.5.2 certifi-2025.1.31 charset-normalizer-3.4.1 durationpy-0.9 google-auth-2.38.0 idna-3.10 kubernetes-32.0.1 oauthlib-3.2.2 pyasn1-0.6.1 pyasn1-modules-0.4.2 python-dateutil-2.9.0.post0 pyyaml-6.0.2 requests-2.32.3 requests-oauthlib-2.0.0 rsa-4.9 six-1.17.0 urllib3-2.4.0 websocket-client-1.8.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
WARNING: You are using pip version 22.0.4; however, version 25.0.1 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
/ #
4.编写python脚本
/ # cat > view-k8s-resources.py <<EOF
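from kubernetes import client
from kubernetes.client.rest import ApiException

# Directory where Kubernetes mounts the ServiceAccount token and the cluster CA
# into every pod that does not opt out via automountServiceAccountToken: false.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
NAMESPACE = "kube-public"

with open(SA_DIR + "/token") as f:
    token = f.read()

configuration = client.Configuration()
configuration.host = "https://10.0.0.231:6443"  # apiserver address
configuration.ssl_ca_cert = SA_DIR + "/ca.crt"  # cluster CA used to verify the apiserver certificate
# Keep verification on: the Bearer token below is sent on every request, and an
# unverified TLS session would let anyone on the path read it.
configuration.verify_ssl = True
configuration.api_key = {"authorization": "Bearer " + token}  # bearer token header
client.Configuration.set_default(configuration)

apps_api = client.AppsV1Api()
core_api = client.CoreV1Api()


def print_names(title, list_func, denied_msg):
    """Print `title`, then the name of every object returned by `list_func(NAMESPACE)`.

    Args:
        title: header line printed before the names.
        list_func: a namespaced list call such as `apps_api.list_namespaced_deployment`.
        denied_msg: message printed when the apiserver answers 403 (RBAC denied).

    Only an HTTP 403 is reported as a permission problem; any other API status
    (401 bad token, 404, 5xx) is printed with its code so it is not mistaken for
    an RBAC issue. Transport-level failures (connection refused, TLS errors) are
    not ApiException and propagate with a traceback.
    """
    print(title)
    try:
        for item in list_func(NAMESPACE).items:
            print(item.metadata.name)
    except ApiException as e:
        if e.status == 403:
            print(denied_msg)
        else:
            print("请求失败: HTTP %s %s" % (e.status, e.reason))


print_names("###### Deployment列表 ######", apps_api.list_namespaced_deployment,
            "没有权限访问Deployment资源!")
print_names("###### Pod列表 ######", core_api.list_namespaced_pod,
            "没有权限访问Pod资源!")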
EOF
5.运行python脚本
/ # python3 view-k8s-resources.py
###### Deployment列表 ######
xiuxian
###### Pod列表 ######
oldboyedu-pods-sa
xiuxian-6ffc4f5fd7-m9tf2
/ #
6.更新权限
[root@master231 auth]# kubectl get clusterrolebinding reader-oldboy-bind -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
reader-oldboy-bind ClusterRole/reader-oldboy 18m kube-public/oldboy
[root@master231 auth]#
[root@master231 auth]# kubectl delete clusterrolebinding reader-oldboy-bind
clusterrolebinding.rbac.authorization.k8s.io "reader-oldboy-bind" deleted
[root@master231 auth]#
[root@master231 auth]# kubectl get clusterrolebinding reader-oldboy-bind -o wide
Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "reader-oldboy-bind" not found
[root@master231 auth]#
7.再次测试验证
[root@master231 rbac]# kubectl -n kube-public exec -it xiuxian-6ffc4f5fd7-z9p56 -- sh
/ # python view-k8s-resources.py
###### Deployment列表 ######
没有权限访问Deployment资源!
###### Pod列表 ######
没有权限访问Pod资源!
/ #