
Commit b6fd44d

Update Sunlife_Notes
1 parent 8fac194 commit b6fd44d


1 file changed

+106
-0
lines changed


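--- a/Sunlife_Notes
+++ b/Sunlife_Notes
@@ -983,6 +983,112 @@ kubectl get pods
 
 kubectl get secrets
 
+------------------------------------RBAC------------
 
+By Raman
+Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
+
+LAB
+
+kubectl create ns finance
+
+openssl genrsa -out john.key 2048 # it will create a private key
+
+openssl req -new -key john.key -out john.csr -subj "/CN=john/O=javadeveloper"
+
+
+
+openssl x509 -req -in john.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out john.crt -days 500
+
+
+
+#Create a role for namespace finance with resource permission
+#role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+namespace: finance
+name: deployment-manager
+rules:
+- apiGroups: ["","extensions","apps"]
+#
+# at the HTTP level, the name of the resource for accessing ConfigMap
+# objects is "configmaps"
+resources: ["deployments","replicasets","pods"]
+verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+
+kubectl create -f role.yaml
+
+
+
+
+
+#rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+# This role binding allows "jane" to read pods in the "default" namespace.
+# You need to already have a Role named "pod-reader" in that namespace.
+kind: RoleBinding
+metadata:
+name: deployment-manager-binding
+namespace: finance
+subjects:
+# You can specify more than one "subject"
+- kind: User
+name: john
+apiGroup: ""
+roleRef:
+# "roleRef" specifies the binding to a Role / ClusterRole
+kind: Role #this must be Role or ClusterRole
+name: deployment-manager # this must match the name of the Role or ClusterRole you wish to bind to
+apiGroup: ""
+
+
+kubectl create -f rolebinding.yaml
+
+
+
+kubectl config set-credentials john --client-certificate=/home/ubuntu/temp/john.crt --client-key=/home/ubuntu/temp/john.key
+
+
+
+kubectl config set-context developer-context --cluster=kubernetes --namespace=finance --user=john
+
+
+
+----Install client
+
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+
+
+
+chmod +x ./kubectl
+
+
+
+sudo mv ./kubectl /usr/local/bin/kubectl
+
+kubectl version --client
+
+
+
+
+
+ls ./kube
+
+kubectl --kubeconfig config cluster-info
+
+kubectl --kubeconfig config config view
+
+kubectl --kubeconfig config config view -o jsonpath='{.contexts[*].name}'
+
+
+
+kubectl --kubeconfig config get pods -n finance
+
+kubectl --kubeconfig config run nginx-pod --image=nginx -n finance
+
+
+kubectl --kubeconfig config get pods -n finance
 
 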
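Review bot: The RoleBinding under `#rolebinding.yaml` sets `apiGroup: ""` on both the `kind: User` subject and the `roleRef`, but for User/Group subjects and for roleRef the group has to be `rbac.authorization.k8s.io` (an empty group is only accepted for ServiceAccount subjects), so `kubectl create -f rolebinding.yaml` should be rejected by API-server validation as written; change both lines to `apiGroup: rbac.authorization.k8s.io`. The comments pasted into that manifest ("jane", "pod-reader", the "default" namespace) and the ConfigMap/"configmaps" remark in role.yaml describe a different example and should be rewritten for john / deployment-manager / finance so a reader following the lab is not misled. The install step fetches kubectl with `curl -LO` and moves it into /usr/local/bin without checking the published checksum; adding a `sha256sum --check` against the release's checksum file before `chmod +x` makes the step tamber-evident. Note also that john's certificate is signed directly by the cluster CA for 500 days and Kubernetes does not revoke client certificates, so removing the RoleBinding is the only practical way to cut that identity off later.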