Role and RoleBinding

A Role in Kubernetes contains a set of rules. Each rule defines a set of permissions for certain operations and resources by specifying apiGroups, resources, and verbs. For example, the following role defines a read-only rule for configmaps:

# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: configmap-ro
rules:
- apiGroups: ["*"]        # "*" matches every API group; configmaps live in the core group ""
  resources: ["configmaps"]
  verbs: ["watch", "get", "list"]   # read-only: no create, update, patch or delete

A RoleBinding is used to associate a role with a list of accounts. The following example assigns the configmap-ro role to a list of subjects; in this case the list contains only the user linda:

# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-role-binding
subjects:
- apiGroup: ""            # empty apiGroup is defaulted to rbac.authorization.k8s.io for User subjects
  kind: User
  name: linda
roleRef:
  apiGroup: ""            # likewise defaulted to rbac.authorization.k8s.io
  kind: Role
  name: configmap-ro

Role and RoleBinding are namespaced. Their scope is only within a single namespace. For accessing cluster-wide resources, we'll need ClusterRole and ClusterRoleBinding.

To place a Role or RoleBinding in a namespace, add a namespace field to the metadata section of the configuration file.
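To make the deny-by-default and namespace-scoping behaviour concrete, here is an added example (not Kubernetes code and not from the book) that evaluates requests against the Role and RoleBinding above, written as Python dicts with an assumed namespace "devops" so that no YAML library is needed. The real decision is made by the API server's RBAC authorizer; this mirrors its matching rules for Role/RoleBinding only.

```python
# Added example: minimal RBAC evaluator for the page's Role and RoleBinding.
# Manifests are the ones from the page as dicts; namespace "devops" is assumed.
RBAC_GROUP = "rbac.authorization.k8s.io"

ROLE = {"kind": "Role", "metadata": {"name": "configmap-ro", "namespace": "devops"},
        "rules": [{"apiGroups": ["*"], "resources": ["configmaps"],
                   "verbs": ["watch", "get", "list"]}]}

BINDING = {"kind": "RoleBinding",
           "metadata": {"name": "devops-role-binding", "namespace": "devops"},
           "subjects": [{"apiGroup": "", "kind": "User", "name": "linda"}],
           "roleRef": {"apiGroup": "", "kind": "Role", "name": "configmap-ro"}}

def _matches(allowed, value):
    # RBAC list fields accept an explicit value or the "*" wildcard.
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def subject_is_user(subject, user):
    # The API server defaults an empty apiGroup to rbac.authorization.k8s.io
    # for User subjects, which is why apiGroup: "" works in the manifest.
    group = subject.get("apiGroup") or RBAC_GROUP
    return (subject["kind"] == "User" and group == RBAC_GROUP
            and subject["name"] == user)

def allowed(roles, bindings, user, namespace, verb, resource, api_group=""):
    """Deny by default: True only if a RoleBinding in the request's namespace
    names the user and refers to a Role (same namespace) with a matching rule."""
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:   # RoleBindings are namespaced
            continue
        if not any(subject_is_user(s, user) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue
        for r in roles:
            if (r["metadata"]["name"] == ref["name"]
                    and r["metadata"]["namespace"] == namespace
                    and any(rule_allows(rule, verb, api_group, resource)
                            for rule in r["rules"])):
                return True
    return False
```

Running allowed() for linda shows the read verbs succeed in "devops", while create, other resources, other namespaces, and other users are all denied.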