
Granting namespace permissions with RBAC

Create the service account

$> kubectl create sa testuser

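Configure the Role

$> cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ms-role
  namespace: ms
rules:
# "" is the core API group (pods, services, configmaps, secrets, ...)
- apiGroups: [""]
  # "*" covers every core-group resource in the namespace, Secrets included
  resources: ["*"]
  # read-only verbs
  verbs: ["get", "list", "watch"]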

Configure the RoleBinding

$> cat rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ms-rolebinding
  namespace: ms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ms-role
subjects:
- kind: ServiceAccount
  name: testuser
  # namespace the ServiceAccount lives in: "kubectl create sa testuser" ran without -n, so default
  namespace: default

Verify permissions

$> kubectl auth can-i get pods --namespace=ms --as=system:serviceaccount:default:testuser
yes
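
The decision behind `kubectl auth can-i` for this Role and RoleBinding, as an added example that is not part of the original post: a simplified Python model of the RBAC match that goes beyond the single `get pods` case to other verbs, API groups, namespaces and a misspelled identity. `ROLE` and `BINDING` are constructed copies of the manifests above (subject namespace assumed to be `default`), and the function names are hypothetical.

```python
# Simplified model of the RBAC check for one Role + RoleBinding.
# Not modelled: ClusterRoles, User/Group subjects, resourceNames, subresources.
ROLE = {  # constructed from role.yaml
    "metadata": {"name": "ms-role", "namespace": "ms"},
    "rules": [{"apiGroups": [""], "resources": ["*"],
               "verbs": ["get", "list", "watch"]}],
}
BINDING = {  # constructed from rolebinding.yaml; subject namespace assumed "default"
    "metadata": {"name": "ms-rolebinding", "namespace": "ms"},
    "roleRef": {"kind": "Role", "name": "ms-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "testuser",
                  "namespace": "default"}],
}


def parse_sa(username):
    """Return (namespace, name) for system:serviceaccount:<ns>:<name>, else None."""
    parts = username.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return None
    return parts[2], parts[3]


def matches(allowed, value):
    return "*" in allowed or value in allowed  # exact entry or "*" wildcard


def can_i(user, verb, resource, ns, group="", role=ROLE, binding=BINDING):
    """True if the binding grants `verb` on `resource` (API group `group`) in `ns`."""
    sa = parse_sa(user)
    # Not a ServiceAccount identity, or a request outside the binding's namespace.
    if sa is None or binding["metadata"]["namespace"] != ns:
        return False
    # roleRef must name this Role, which lives in the binding's namespace.
    ref, meta = binding["roleRef"], role["metadata"]
    if (ref["kind"], ref["name"], ns) != ("Role", meta["name"], meta["namespace"]):
        return False
    # The subject must match on kind, namespace and name.
    subjects = {(s["kind"], s.get("namespace"), s["name"]) for s in binding["subjects"]}
    if ("ServiceAccount", *sa) not in subjects:
        return False
    return any(matches(r["apiGroups"], group) and matches(r["resources"], resource)
               and matches(r["verbs"], verb) for r in role["rules"])


if __name__ == "__main__":
    for args in [("get", "pods"), ("get", "secrets"), ("delete", "pods")]:
        print(*args, "->", can_i("system:serviceaccount:default:testuser", *args, "ms"))
```

The `secrets` result shows that `resources: ["*"]` in the core group gives this account read access to every Secret in `ms`.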

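Create the user credential

$> kubectl describe serviceaccount testuser

# clusters from v1.24 on do not auto-create this token Secret for a ServiceAccount
$> kubectl describe secret testuser-token-123

# --token takes the "token:" value printed by describe secret, not the Secret's name
$> kubectl config set-credentials testuser --token=<token value>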

Create the context

# --user ties the context to the credential set above; --as is an impersonation flag and is not stored in a context
$> kubectl config set-context test-context --cluster=testcluster --user=testuser
Context "test-context" created.

$> kubectl config get-contexts

$> kubectl config use-context test-context
Switched to context "test-context"
