访问控制

简要概述

集群支持多种访问控制（鉴权）模式，具体可参考官方文档；以下侧重说明 RBAC 鉴权相关的数据结构。

配置示例

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatekeeper-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - gatekeeper-mutating-webhook-configuration
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatekeeper-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
  name: gatekeeper-admin
  namespace: kube-system

数据结构

基于 “kubernetes-1.26.11/staging/src/k8s.io/api/rbac/v1/types.go” 源文件。

Role

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
// A Role carries no subject information: who receives its rules, and in which namespace, is decided
// by the RoleBinding that references it.
type Role struct {
    metav1.TypeMeta `json:",inline"`
    // Standard object's metadata.
    // ObjectMeta.Namespace is the namespace this Role belongs to.
    // +optional
    metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

    // Rules holds all the PolicyRules for this Role.
    // The JSON tag has no omitempty, so a nil Rules slice is emitted as "rules": null rather than dropped;
    // a Role whose Rules list is empty grants nothing.
    // +optional
    Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}

ClusterRole

// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
// When referenced from a RoleBinding its rules take effect only in that binding's namespace; when referenced
// from a ClusterRoleBinding they are not confined to a namespace (see the two binding types below).
type ClusterRole struct {
    metav1.TypeMeta `json:",inline"`
    // Standard object's metadata.
    // +optional
    metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

    // Rules holds all the PolicyRules for this ClusterRole.
    // PolicyRule.NonResourceURLs is only applicable for ClusterRoles referenced from a ClusterRoleBinding,
    // never for a namespaced Role.
    // +optional
    Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

    // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
    // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
    // stomped by the controller.
    // Consequently, for an aggregated ClusterRole the authoritative description of its permissions is the set of
    // ClusterRoles matched by AggregationRule.ClusterRoleSelectors, not the Rules stored in this object at any one
    // moment; review the selectors (and which ClusterRoles carry matching labels) when auditing it.
    // +optional
    AggregationRule *AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
}

RoleBinding

// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
// namespace only have effect in that namespace.
// Referencing a ClusterRole from a RoleBinding therefore grants that ClusterRole's rules only within the
// RoleBinding's own namespace; a grant that is not namespace-bound requires a ClusterRoleBinding.
type RoleBinding struct {
    metav1.TypeMeta `json:",inline"`
    // Standard object's metadata.
    // ObjectMeta.Namespace is the namespace in which the binding takes effect.
    // +optional
    metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

    // Subjects holds references to the objects the role applies to.
    // Subjects is optional: a binding with an empty Subjects list is valid but grants the role to nobody.
    // +optional
    Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

    // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
    // If the RoleRef cannot be resolved, the Authorizer must return an error.
    // RoleRef is required (no omitempty); an unresolvable reference is an error, not an implicit empty grant.
    RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

ClusterRoleBinding

// ClusterRoleBinding references a ClusterRole, but does not contain it.  It can reference a ClusterRole in the global namespace,
// and adds who information via Subject.
// Unlike a RoleBinding, a ClusterRoleBinding is not namespaced, so the referenced ClusterRole's rules are not
// confined to any one namespace. The page's example binds the ServiceAccount "gatekeeper-admin" (namespace
// kube-system) to "gatekeeper-manager-role" this way.
type ClusterRoleBinding struct {
    metav1.TypeMeta `json:",inline"`
    // Standard object's metadata.
    // +optional
    metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

    // Subjects holds references to the objects the role applies to.
    // For a ServiceAccount subject, Subject.Namespace selects which namespace's account is meant (as in the example above).
    // +optional
    Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

    // RoleRef can only reference a ClusterRole in the global namespace.
    // If the RoleRef cannot be resolved, the Authorizer must return an error.
    // A RoleRef with Kind "Role" is not valid here (see RoleRef).
    RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

PolicyRule

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
// Each PolicyRule grants access; a Role or ClusterRole's effective permissions are the union of its rules.
// The wildcard "*" is accepted in Verbs, APIGroups and Resources, and a rule that uses it in all three is
// unrestricted for the objects it reaches, so such rules deserve particular scrutiny in review.
type PolicyRule struct {
    // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
    // Verbs is required (no omitempty); the page lists the verb to HTTP method mapping (create/POST, get and list/GET,HEAD, ...).
    Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`

    // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
    // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
    // +optional
    APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
    // Resources is a list of resources this rule applies to. '*' represents all resources.
    // The accepted resource names are the ones reported by `kubectl api-resources` on the cluster.
    // +optional
    Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
    // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
    // Note the direction of this default: omitting ResourceNames widens the rule to every object of the listed
    // Resources; it does not narrow it.
    // NOTE(review): name-based restriction can only apply where the request names a single object. Verify against the
    // upstream RBAC documentation which verbs it cannot limit (for example list or watch, both combined with
    // resourceNames in the page's example) before relying on it as a control.
    // +optional
    ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`

    // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
    // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
    // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
    // +optional
    NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
}
  • 请求动词 Verbs 取值
Verb HTTP Method
create POST
get GET,HEAD
list GET,HEAD
update PUT
patch PATCH
delete DELETE
deletecollection DELETE
  • 资源 Resources 取值
kubectl api-resources

可在集群运行以上指令。

Subject

// Subject.Kind values defined by the rbac API group; the entries elided from the upstream const block are shown as "......".
const (
    ......

    GroupKind          = "Group"
    ServiceAccountKind = "ServiceAccount"
    UserKind           = "User"

    ......
)
// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
// or a value for non-objects such as user and group names.
// User and Group subjects are names only (no API object backs them); a ServiceAccount subject is a namespaced API
// object identified by Name and Namespace, as in the page's example (gatekeeper-admin in kube-system).
// +structType=atomic
type Subject struct {
    // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
    // If the Authorizer does not recognize the kind value, the Authorizer should report an error.
    // The three values correspond to the UserKind, GroupKind and ServiceAccountKind constants above.
    Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
    // APIGroup holds the API group of the referenced subject.
    // Defaults to "" for ServiceAccount subjects.
    // Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
    // NOTE(review): the protobuf tag below reads "opt.name=apiGroup" (a period where every other field uses
    // "opt,name="); it is reproduced exactly as it appears in the referenced types.go.
    // +optional
    APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt.name=apiGroup"`
    // Name of the object being referenced.
    Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
    // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
    // the Authorizer should report an error.
    // For a ServiceAccount subject this selects which namespace's account is meant; accounts with the same Name
    // in different namespaces are different subjects.
    // +optional
    Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
}

RoleRef

// RoleRef contains information that points to the role being used.
// Kind decides where the reference may appear: Kind "ClusterRole" is valid in both a RoleBinding and a
// ClusterRoleBinding, Kind "Role" only in a RoleBinding (see the examples below the type).
// +structType=atomic
type RoleRef struct {
    // APIGroup is the group for the resource being referenced.
    // Currently fixed to: rbac.authorization.k8s.io
    APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
    // Kind is the type of resource being referenced.
    // Only supported values: Role, ClusterRole
    Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
    // Name is the name of resource being referenced.
    // A RoleRef has no namespace field of its own: for Kind "Role" the name is resolved in the binding's namespace,
    // for Kind "ClusterRole" in the global namespace.
    Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}

其中 “RoleRef.kind = ClusterRole” 可以在 “RoleBinding” 或者 “ClusterRoleBinding” 中使用（在 RoleBinding 中引用时，所授权限仅在该 RoleBinding 所在的命名空间内生效），如：

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gatekeeper-manager-role

而 “RoleRef.kind = Role” 仅可在 “RoleBinding” 中使用,如:

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gatekeeper-manager-role

AggregationRule

// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole.
// Aggregation is label-driven: the aggregate's permissions are the union of every ClusterRole matched by any
// selector, so the effective grant changes whenever a matching ClusterRole is created, relabelled or edited.
// When auditing, treat the ability to create or label ClusterRoles that match these selectors as equivalent to
// editing the aggregate itself.
type AggregationRule struct {
    // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
    // If any of the selectors match, then the ClusterRole's permissions will be added.
    // Selectors are ORed: a ClusterRole contributes if it matches at least one of them.
    // +optional
    ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}

metav1.LabelSelector

基础数据



