
[CKA] 48. ClusterRole

Date: 2025/01/15
Category: Devops
Tags: Kubernetes, CKA, Security

Resources

Namespaced

In Kubernetes, a Namespace is used to group or isolate resources. Namespaced resources include the following:
• Pods
• ReplicaSets
• Deployments
• Services
• Secrets
• Roles
• RoleBindings
• ConfigMaps
• PVC (PersistentVolumeClaims)
To list every namespaced resource, run the kubectl api-resources command:
kubectl api-resources --namespaced=true

Cluster-Scoped

Resources such as nodes span the entire cluster and cannot be tied to a particular namespace. Cluster-scoped resources are resources for which no namespace is specified. They include the following:
• Nodes
• PersistentVolumes
• ClusterRoles
• ClusterRoleBindings
• CertificateSigningRequests
• Namespaces
To list every cluster-scoped resource, run the kubectl api-resources command:
kubectl api-resources --namespaced=false

ClusterRole

Namespaced์—์„œ ์‚ฌ์šฉ์ž์—๊ฒŒ ๋ฆฌ์†Œ์Šค์— ๊ถŒํ•œ์„ ๋ถ€์—ฌํ•˜๋Š” ๊ฒƒ์€ Role๊ณผ RoleBinding์„ ์‚ฌ์šฉํ•œ ๊ฒƒ์ฒ˜๋Ÿผ, Cluster-scoped์—์„œ๋Š” ClusterRole๊ณผ ClusterRoleBinding์„ ์‚ฌ์šฉํ•˜๋ฉฐ, ํ˜•์‹๋„ ๋™์ผํ•˜๋‹ค.

Create

First, create the ClusterRole. The code below is an example of a ClusterRole that allows listing, getting, creating and deleting nodes.
# cluster-admin-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-administrator
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list", "get", "create", "delete"]
For resources that belong to the core API group, apiGroups can be left as an empty string; the empty string itself denotes the core group.

Link User to ClusterRole

ClusterRole์„ ์ƒ์„ฑํ•œ ํ›„์—๋Š” ์‚ฌ์šฉ์ž์™€ ์—ฐ๊ฒฐ์‹œ์ผœ์•ผ ํ•œ๋‹ค. ์ด๋•Œ ClusterRoleBinding์„ ์‚ฌ์šฉํ•˜์—ฌ ์—ฐ๊ฒฐ์‹œํ‚จ๋‹ค.
# cluster-admin-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-role-binding
subjects:
- kind: User
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-administrator
  apiGroup: rbac.authorization.k8s.io
As with a RoleBinding, the subjects of a ClusterRoleBinding hold the details of the user, and roleRef holds the information about the ClusterRole. Note that subjects is a list.

ClusterRole for Namespaced Resources

Kubernetes์—์„œ ๊ถŒํ•œ ๊ด€๋ฆฌ๋Š” ๋ฆฌ์†Œ์Šค์˜ ๋ฒ”์œ„์— ๋”ฐ๋ผ ๋‹ฌ๋ผ์ง„๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ClusterRole๊ณผ ClusterRoleBinding์€ ํด๋Ÿฌ์Šคํ„ฐ ๋ฒ”์œ„ ๋ฆฌ์†Œ์Šค์— ์‚ฌ์šฉ๋œ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ ์ด๋Š” ์—„๊ฒฉํ•œ ๊ทœ์น™์ด ์•„๋‹ˆ๋‹ค. ClusterRole์€ ๋„ค์ž„์ŠคํŽ˜์ด์Šค ๋ฆฌ์†Œ์Šค์—๋„ ์ ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค.
ClusterRole์„ ๋„ค์ž„์ŠคํŽ˜์ด์Šค ๋ฆฌ์†Œ์Šค์— ์ƒ์„ฑํ•˜๋ฉด, ์‚ฌ์šฉ์ž๋Š” ๋ชจ๋“  ๋„ค์ž„์ŠคํŽ˜์ด์Šค์—์„œ ํ•ด๋‹น ๋ฆฌ์†Œ์Šค์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋œ๋‹ค. ์˜ˆ๋ฅผ๋“ค์–ด ํŠน์ • ๋„ค์ž„์ŠคํŽ˜์ด์Šค์—์„œ๋งŒ ํŒŒ๋“œ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๋Š” ๊ถŒํ•œ์„ ๋ถ€์—ฌํ•˜๋Š” ์—ญํ• ์ด ์žˆ๋‹ค๋ฉด, ์‚ฌ์šฉ์ž๋Š” ํ•ด๋‹น ๋„ค์ž„์ŠคํŽ˜์ด์Šค์˜ ํŒŒ๋“œ์—๋งŒ ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์—ˆ๋‹ค. ํ•˜์ง€๋งŒ ClusterRole์„ ์‚ฌ์šฉํ•˜๋ฉด, ์‚ฌ์šฉ์ž๋Š” ํด๋Ÿฌ์Šคํ„ฐ ๋‚ด์˜ ๋ชจ๋“  ํŒŒ๋“œ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๋‹ค.