RBAC(Role-Based Access Control)이란 사용자의 역할(role)에 따라 시스템 자원에 대한 접근을 제어하는 방식입니다. 조직의 정책에 따라 사용자의 역할을 정의하고, 각 역할에 권한을 부여하여 접근 제어를 효율적으로 관리할 수 있게 합니다.
이번 포스트에서는 RBAC을 사용해서 클러스터의 특정 namespace에 특정 권한만 가진 사용자를 생성하는 실습 내용을 다뤄보도록 하겠습니다.
실습 순서
조건 확인 → namespace 생성 → 역할(role 생성) → 바인딩 객체 생성 → 인증서 생성 → 테스트
조건
- Namespace - exam-master-backend
- Role-Name - exam-master-backend-developer
- Authority - pods 생성, 조회, 세부 조회, 삭제, 업데이트, 모니터링
Namespace 생성하기
1
2
|
root@Zest # kubectl create namespace exam-master-backend
namespace/exam-master-backend created
|
Role 생성하기
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
# exam-master-backend-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: exam-master-backend-developer-role
namespace: exam-master-backend
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "list", "get", "update", "delete"]
#########################################################
root@Zest # kubectl create -f exam-master-backend-role.yaml
role.rbac.authorization.k8s.io/exam-master-backend-developer-role created
|
Binding 객체 생성
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
# exam-master-backend-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: exam-master-backend-developer-role-binding
namespace: exam-master-backend
subjects:
- kind: User
name: exam-master-backend-developer
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: exam-master-backend-developer-role
apiGroup: rbac.authorization.k8s.io
#########################################################
root@Zest # kubectl create -f exam-master-backend-role-binding.yaml
rolebinding.rbac.authorization.k8s.io/exam-master-backend-developer-role-binding created
|
CSR 생성
1
2
3
4
5
|
root@Zest # openssl genrsa -out exam-master-backend-developer.key 2048
root@Zest # openssl req -new -key exam-master-backend-developer.key -out exam-master-backend-developer.csr -subj "/CN=exam-master-backend-developer/O=exam-group"
root@Zest # cat exam-master-backend-developer.csr | base64 | tr -d '\n'
LS0tLS1.............S0tLS0K # -> 복사 후 아래 인증서 request에 붙혀넣기
|
CSR 제출
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
# exam-master-backend-developer-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: exam-master-backend-developer
spec:
groups:
- system:authenticated
request: LS0tLS1.............S0tLS0K
usages:
- digital signature
- key encipherment
- client auth
signerName: kubernetes.io/kube-apiserver-client
#########################################################
root@Zest # kubectl create -f exam-master-backend-developer-csr.yaml
certificatesigningrequest.certificates.k8s.io/exam-master-backend-developer created
|
CSR 승인
1
2
3
4
5
6
7
8
9
10
11
12
13
|
# 확인
root@Zest # kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
exam-master-backend-developer 69s kubernetes.io/kube-apiserver-client admin <none> Pending
# 승인
root@Zest # kubectl certificate approve exam-master-backend-developer
certificatesigningrequest.certificates.k8s.io/exam-master-backend-developer approved
# 확인
root@Zest # kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
exam-master-backend-developer 2m9s kubernetes.io/kube-apiserver-client admin <none> Approved,Issued
|
인증서 가져오기
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
root@Zest # kubectl get csr exam-master-backend-developer -o jsonpath='{.status.certificate}' | base64 --decode > exam-master-backend-developer.crt
# exam-master-backend-developer.crt 파일 확인
root@Zest # cat exam-master-backend-developer.crt
-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIQeOfvcfs62CVBpaG6qSE1gjANBgkqhkiG9w0BAQsFADAX
MRUwEwYDVQQDDAwxMC4xNTIuMTgzLjEwHhcNMjQwNTI2MTAyNDU5WhcNMjUwNTI2
................................................................
................................................................
................................................................
MRc87yuP5v0P5U/Ul/rzVA4guoPZ9ibQQYGnf844+6ulE+BW0pHq+wP1vlbNxEEa
aOS8bPL81Oy5UUpbEzLJD7ZtkdSXLRBkOu5sWY6O8ntER2gE5rYBo57tazSGBw3o
7v2t5kv/Mws=
-----END CERTIFICATE-----
|
Kubeconfig 파일에 인증서 추가
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
root@Zest # kubectl config set-credentials exam-master-backend-developer --client-certificate=exam-master-backend-developer.crt --client-key=exam-master-backend-developer.key
User "exam-master-backend-developer" set.
root@Zest # kubectl config set-context exam-master-backend --cluster=microk8s-cluster --namespace=exam-master-backend --user=exam-master-backend-developer
Context "exam-master-backend" modified.
root@Zest # kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
exam-master-backend microk8s-cluster--namespace=exam-master-backend exam-master-backend-developer exam-master-backend
* microk8s microk8s-cluster admin
root@Zest # kubectl config use-context exam-master-backend
Switched to context "exam-master-backend".
root@Zest # kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* exam-master-backend microk8s-cluster exam-master-backend-developer exam-master-backend
microk8s microk8s-cluster admin
|
이 단계를 마치면 kubeconfig 파일에 클러스터가 추가되고 kubectl context가 변경됩니다.
확인
1
2
3
4
5
6
7
8
9
10
|
root@Zest # kubectl auth can-i create pods
yes
root@Zest # kubectl auth can-i create deployments
no
root@Zest # kubectl auth can-i create svc
no
root@Zest # kubectl auth can-i get pods
yes
root@Zest # kubectl describe role
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "exam-master-backend-developer" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "exam-master-backend"
|
우리는 exam-master-backend-role에 pod를 조회, 삭제, 상세조회, 생성, 업데이트 권한만 주었기 때문에 pod를 생성하거나 조회는 가능했지만 service를 만들거나 deployment를 생성하려고 할 때 권한이 없는 것을 확인할 수 있습니다.
궁금하신 점이나 추가해야할 부분은 댓글이나 아래의 링크를 통해 문의해주세요.
Written with KKam._.Ji
