# Question 3: Cluster Role

###### tags: `exam question walkthrough`

Switch to the cluster: `kubectl config use-context k8s`

**Context**

A Role bound to a Pod's serviceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

**Task**

Given an existing Pod named **web-pod** running in the namespace monitoring. Edit the existing Role bound to the Pod's serviceAccount **sa-dev-1** to only allow performing list operations, only on resources of type Endpoints.

Create a new Role named **role-2** in the namespace monitoring, which only allows performing **update** operations, only on resources of type persistentvolumeclaims.

Create a new RoleBinding named **role-2-binding** binding the newly created Role to the Pod's serviceAccount.

Don't delete the existing RoleBinding.

## Solution

There is no need to consult the official docs for this one; it can be done entirely with kubectl commands. First do a client-side dry run to inspect the manifest it would create:

```
kubectl create -n monitoring role role-2 --verb update --resource pvc --dry-run=client -oyaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role-2
  namespace: monitoring
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - update
```

Once the output looks right, run it again without the dry run; mind the namespace:

```
kubectl create -n monitoring role role-2 --verb update --resource pvc
```

Create the RoleBinding that binds role-2 to the ServiceAccount sa-dev-1:

```
kubectl create -n monitoring rolebinding role-2-binding --role role-2 --serviceaccount monitoring:sa-dev-1 --dry-run=client -oyaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: role-2-binding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-2
subjects:
- kind: ServiceAccount
  name: sa-dev-1
  namespace: monitoring

kubectl create -n monitoring rolebinding role-2-binding --role role-2 --serviceaccount monitoring:sa-dev-1
```

If the question instead asks you to bind the permissions to all ServiceAccounts in that namespace, change the command to use the namespace's ServiceAccount group:

```
kubectl create -n monitoring rolebinding role-2-binding --role role-2 --group system:serviceaccounts:monitoring --dry-run=client -oyaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: role-2-binding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:monitoring

kubectl create -n monitoring rolebinding role-2-binding --role role-2 --group system:serviceaccounts:monitoring
```

If you forget how to refer to all ServiceAccounts, it is in the official docs under [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/); search for "all service".

## Verification

When using `kubectl auth can-i` with `--as` for a ServiceAccount, you must give the SA's full name: system:serviceaccount:monitoring:sa-dev-1

```
kubectl auth can-i -n monitoring --as system:serviceaccount:monitoring:sa-dev-1 update pvc
yes
```
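Added as a least-privilege audit check, not part of the original write-up: it takes JSON in the shape `kubectl get role,rolebinding -n monitoring -o json` returns, computes what sa-dev-1 is effectively granted through Role/RoleBinding pairs in the namespace, and reports anything beyond the two permissions the task allows. The cluster state is constructed inline, and the names of the pre-existing Role and RoleBinding (`role-1`, `role-1-binding`) are assumptions, since the task does not give them.

```python
import copy
import json

# Constructed sample in the shape of `kubectl get role,rolebinding -n monitoring -o json`
# after the fix; "role-1" / "role-1-binding" are assumed names for the pre-existing objects.
CLUSTER_STATE = json.loads("""{"items": [
 {"kind": "Role", "metadata": {"name": "role-1", "namespace": "monitoring"},
  "rules": [{"apiGroups": [""], "resources": ["endpoints"], "verbs": ["list"]}]},
 {"kind": "Role", "metadata": {"name": "role-2", "namespace": "monitoring"},
  "rules": [{"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ["update"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "role-1-binding", "namespace": "monitoring"},
  "roleRef": {"kind": "Role", "name": "role-1"},
  "subjects": [{"kind": "ServiceAccount", "name": "sa-dev-1", "namespace": "monitoring"}]},
 {"kind": "RoleBinding", "metadata": {"name": "role-2-binding", "namespace": "monitoring"},
  "roleRef": {"kind": "Role", "name": "role-2"},
  "subjects": [{"kind": "ServiceAccount", "name": "sa-dev-1", "namespace": "monitoring"}]}
]}""")

# Constructed "before" state: the pre-existing Role is still wide open.
BEFORE_FIX = copy.deepcopy(CLUSTER_STATE)
BEFORE_FIX["items"][0]["rules"] = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# What sa-dev-1 should end up with, as (apiGroup, resource, verb) triples.
ALLOWED = {("", "endpoints", "list"), ("", "persistentvolumeclaims", "update")}

def subject_covers(subject, sa_name, namespace):
    """True if a RoleBinding subject includes ServiceAccount namespace:sa_name."""
    if subject.get("kind") == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == namespace
    if subject.get("kind") == "Group":  # the all-ServiceAccounts groups
        return subject.get("name") in ("system:serviceaccounts",
                                       f"system:serviceaccounts:{namespace}")
    return False

def effective_grants(state, sa_name, namespace):
    """Triples granted via Role + RoleBinding in one namespace (ClusterRoles are ignored)."""
    roles = {i["metadata"]["name"]: i for i in state["items"] if i["kind"] == "Role"}
    grants = set()
    for rb in (i for i in state["items"] if i["kind"] == "RoleBinding"):
        if rb["roleRef"]["kind"] != "Role" or rb["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_covers(s, sa_name, namespace) for s in rb.get("subjects", [])):
            continue
        for rule in roles.get(rb["roleRef"]["name"], {}).get("rules", []):
            grants.update((g, r, v) for g in rule.get("apiGroups", [])
                          for r in rule.get("resources", []) for v in rule.get("verbs", []))
    return grants

def excess_grants(state, sa_name, namespace, allowed=ALLOWED):
    """Grants outside the allow-list; wildcard rules never equal an explicit triple, so they surface here."""
    return effective_grants(state, sa_name, namespace) - allowed
```

Run `excess_grants(BEFORE_FIX, "sa-dev-1", "monitoring")` to see the wildcard rule reported, and the same call on `CLUSTER_STATE` to confirm an empty set after the fix.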