Granting namespace permissions with RBAC
잘나가는전산쟁이
2025. 6. 18. 01:28
Create the service account
$> kubectl create sa testuser
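Define the Role
$> cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ms-role
  namespace: ms
rules:
- apiGroups: [""]                  # "" is the core API group
  resources: ["*"]                 # every core resource in the namespace, Secrets included
  verbs: ["get", "list", "watch"]  # read-only verbs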
Define the RoleBinding
$> cat rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ms-rolebinding
  namespace: ms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ms-role
subjects:
- kind: ServiceAccount
  name: testuser
  namespace: default  # namespace the ServiceAccount lives in; it must match the identity system:serviceaccount:default:testuser
Verify authorization
$> kubectl auth can-i get pods --namespace=ms --as=system:serviceaccount:default:testuser
yes
Create the user credential
$> kubectl describe serviceaccount testuser
$> kubectl describe secret testuser-token-123
$> kubectl config set-credentials testuser --token=<token-value>   # the "token:" value printed by describe secret, not the secret's name
Create the context
$> kubectl config set-context test-context --cluster=testcluster --user=testuser
Context "test-context" created.
$> kubectl config get-contexts
$> kubectl config use-context test-context
Switched to context "test-context"
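How the `kubectl auth can-i` check above is decided from the Role and RoleBinding, as a simplified model added here (not code from the original post, and not the API server's implementation). `can_i`, `sa_username` and `binding` are hypothetical helpers; ClusterRoles, `resourceNames` and subresources are left out, and the manifests are re-typed as constructed Python dicts.

```python
# Simplified model of namespaced RBAC (Role + RoleBinding only); constructed example.
ROLE = {  # ms-role from this page
    "kind": "Role",
    "metadata": {"name": "ms-role", "namespace": "ms"},
    "rules": [{"apiGroups": [""], "resources": ["*"],
               "verbs": ["get", "list", "watch"]}],
}

def binding(subject_ns):
    """ms-rolebinding from this page, with the subject namespace as a parameter."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": "ms-rolebinding", "namespace": "ms"},
        "roleRef": {"kind": "Role", "name": "ms-role"},
        "subjects": [{"kind": "ServiceAccount", "name": "testuser",
                      "namespace": subject_ns}],
    }

def sa_username(namespace, name):
    # Service accounts authenticate under this fixed username format.
    return f"system:serviceaccount:{namespace}:{name}"

def _matches(allowed, value):
    # "*" in a rule list matches any value.
    return "*" in allowed or value in allowed

def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Return True if a RoleBinding in `namespace` grants the request (default deny)."""
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        subjects = {sa_username(s["namespace"], s["name"])
                    for s in rb["subjects"] if s["kind"] == "ServiceAccount"}
        if user not in subjects:
            continue  # subject name AND namespace must both match
        for role in roles:
            if (role["metadata"]["name"] != rb["roleRef"]["name"]
                    or role["metadata"]["namespace"] != namespace):
                continue
            for rule in role["rules"]:
                if (_matches(rule["apiGroups"], api_group)
                        and _matches(rule["resources"], resource)
                        and _matches(rule["verbs"], verb)):
                    return True
    return False
```

For `system:serviceaccount:default:testuser`, `get pods` in `ms` is allowed only when the binding's subject namespace is `default`; with `binding("ms")` the same request is denied. The wildcard in `resources` also makes `get secrets` in `ms` succeed, so list the needed resources explicitly if Secrets should stay unreadable.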
Apply to kube-config