Kubernetes Role & ClusterRole
A Kubernetes Role is a set of permissions: it states what a subject that holds that set (a Kubernetes user account, a Kubernetes service account, or a group) may do.
It only ever allows. A Role contains no deny rules, so it simply lists what a subject bound to the Role can do.
For example, the following set of permissions allows listing pods in one specific namespace (here default; the Role is named pod-role):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
Unlike an ordinary Role, there is also a kind of permission set that can be used in any namespace: the ClusterRole.
The following set of permissions allows listing pods in any namespace:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
Kubernetes ships with a large number of built-in ClusterRoles (a listing on one cluster ran to well over a hundred, most of them system: roles used by controllers and other components).
Most of these roles are aimed at system utilities, but four of them are intended for ordinary users:
cluster-admin: grants full access to the whole cluster
admin: grants full access within a namespace
edit: allows the user to modify everything in a namespace
view: grants read-only access to a namespace
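As an added example (not code from the original page), the following Python model of RBAC evaluation shows the two points made above about Roles and ClusterRoles and about the four user-facing roles: rules are allow-only, so bindings can only ever widen access, and scope comes from the binding rather than from the role kind (the page's pod-clusterrole, like the built-in view, grants one namespace when bound with a RoleBinding and every namespace when bound with a ClusterRoleBinding). The Binding class and can_i function are assumptions for illustration, the role dicts are constructed copies of the page's manifests, and no cluster is required.

```python
# Added example: a minimal model of Kubernetes RBAC evaluation (not the
# real authorizer). Roles are plain dicts mirroring the page's manifests.
from dataclasses import dataclass

# Constructed copies of the two roles shown on the page.
POD_ROLE = {"kind": "Role", "namespace": "default", "name": "pod-role",
            "rules": [{"apiGroups": [""], "resources": ["pods"],
                       "verbs": ["get", "watch", "list"]}]}
POD_CLUSTERROLE = {"kind": "ClusterRole", "name": "pod-clusterrole",
                   "rules": [{"apiGroups": [""], "resources": ["pods"],
                              "verbs": ["get", "watch", "list"]}]}


@dataclass
class Binding:               # hypothetical helper, stands in for (Cluster)RoleBinding
    kind: str                # "RoleBinding" (namespaced) or "ClusterRoleBinding"
    subject: str             # e.g. "alice" or "system:serviceaccount:default:ci"
    role: dict               # the Role or ClusterRole referenced by roleRef
    namespace: str = ""      # only meaningful for a RoleBinding


def _rule_matches(rule, api_group, resource, verb):
    # "*" is the wildcard in every field; the core API group is spelled "".
    def ok(allowed, want):
        return "*" in allowed or want in allowed
    return (ok(rule["apiGroups"], api_group)
            and ok(rule["resources"], resource)
            and ok(rule["verbs"], verb))


def can_i(bindings, subject, verb, resource, namespace="", api_group=""):
    """True if any binding grants the request. There is no deny path, so
    adding a binding can only add access, never remove it.
    - A RoleBinding may reference a Role (only one in its own namespace) or a
      ClusterRole; either way it grants access only inside its namespace.
    - A ClusterRoleBinding must reference a ClusterRole and applies everywhere.
    """
    for b in bindings:
        if b.subject != subject:
            continue
        if b.kind == "RoleBinding":
            if b.role["kind"] == "Role" and b.role["namespace"] != b.namespace:
                continue          # a Role is only bindable in its own namespace
            if namespace != b.namespace:
                continue          # a RoleBinding never reaches other namespaces
        elif b.role["kind"] != "ClusterRole":
            continue              # a ClusterRoleBinding cannot reference a Role
        if any(_rule_matches(r, api_group, resource, verb) for r in b.role["rules"]):
            return True
    return False
```

The same checks can be made against a live cluster with `kubectl auth can-i`, which is the quickest way to confirm that a binding scoped a ClusterRole the way you intended.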