본문 바로가기
Compute/kubernetis

[따배씨] 25. User Role Binding / CKA 시험 문제 학습

by 조청유곽 2025. 2. 1.
반응형

이 포스팅은 아래의 유튜브 채널 "따배"를 따라서 학습한 내용입니다.

 

 

 

[관련 이론]

 

 

<RoleBinding과 ClusterRoleBinding의 차이>

RoleBinding: 특정 Role(권한 정의)을 사용자, 그룹 또는 서비스 계정에 연결해서 해당 네임스페이스에서만 권한을 부여.
ClusterRoleBinding: ClusterRole(클러스터 전체에 걸친 권한 정의)을 연결해서 클러스터 전체에서 권한을 부여한다.

 

<주요 차이점>
RoleBinding:

특정 네임스페이스에 한정된 권한을 부여함.
예: default 네임스페이스에서만 Pod을 읽을 수 있도록 설정.
같은 네임스페이스 안의 Role만 참조할 수 있음
또는, ClusterRole을 특정 네임스페이스 내에서만 사용할 수 있음

 

ClusterRoleBinding:

클러스터 전체(모든 네임스페이스)에 대해 권한을 부여함.
예: 모든 네임스페이스에서 Pod을 읽고 쓸 수 있도록 설정.

 

 

[Precondition]

(1) 테스트 환경

(1.1) Rocky Linux Cluster 

: 직접 구성

[root@k8s-master ~]# k get nodes -o wide
NAME         STATUS   ROLES           AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                            KERNEL-VERSION                  CONTAINER-RUNTIME
k8s-master   Ready    control-plane   30d   v1.27.2   192.168.56.30   <none>        Rocky Linux 8.10 (Green Obsidian)   4.18.0-553.33.1.el8_10.x86_64   containerd://1.6.32
k8s-node1    Ready    <none>          30d   v1.27.2   192.168.56.31   <none>        Rocky Linux 8.8 (Green Obsidian)    4.18.0-477.10.1.el8_8.x86_64    containerd://1.6.21
k8s-node2    Ready    <none>          30d   v1.27.2   192.168.56.32   <none>        Rocky Linux 8.8 (Green Obsidian)    4.18.0-477.10.1.el8_8.x86_64    containerd://1.6.21
[root@k8s-master ~]#

 

(1.2) Ubuntu Cluster 

: kodekloud 테스트 환경 활용

controlplane ~ ➜  kubectl get nodes -o wide
NAME           STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION   CONTAINER-RUNTIME
controlplane   Ready    control-plane   9m6s    v1.31.0   192.6.94.6    <none>        Ubuntu 22.04.4 LTS   5.4.0-1106-gcp   containerd://1.6.26
node01         Ready    <none>          8m31s   v1.31.0   192.6.94.9    <none>        Ubuntu 22.04.4 LTS   5.4.0-1106-gcp   containerd://1.6.26

https://learn.kodekloud.com/user/courses/udemy-labs-certified-kubernetes-administrator-with-practice-tests

 

(2) 사전 필요 설정 

   : N/A

 

 

[Question]

Cluster : kubectl config use-context k8s

TASK:
Create the kubeconfig named ckauser.
- username : ckauser
- certificate location : /data/cka/ckauser.csr, /data/cka/ckauser.key
- context-name : ckauser
- kubernetes cluster must be operated with the privileges of the ckauser account.

Create a role named pod-role that can create, delete, watch, list, get pods.

Create the following rolebinding.

- name : pod-rolebinding
- role : pod-role
- user: ckauser

 

 

[Solve]

(1) private key 생성 

controlplane ~ ➜  openssl genrsa -out /data/cka/ckauser.key 2048
controlplane ~ ➜  openssl req -new -key /data/cka/ckauser.key -out ckauser.csr -subj "/CN=ckauser"

 

 

(2) CSR(CertificateSigningRequest) 생성

: base64로 encoding 되어 있는 ckauser.csr file 내용을 decode하여 CSR로 생성한다. 

controlplane /data/cka ➜  ls -al
total 16
drwxr-xr-x 2 root root 4096 Jan 28 15:16 .
drwxr-xr-x 3 root root 4096 Jan 28 15:14 ..
-rw-r--r-- 1 root root  887 Jan 28 15:16 ckauser.csr
-rw------- 1 root root 1704 Jan 28 15:14 ckauser.key

controlplane /data/cka ➜  cat /data/cka/ckauser.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1Z6Q0NBVDhDQVFBd0VqRVFNQTRHQTFVRUF3d0hZMnRoZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQgpCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFOVzZmWGd4STFlMHNDaTB1VFpSTDJBMmF6Q0lrR2o2OGRWOXZtaXhrcGpuCm4ySCs5TUd5ZVNWMXlIV3JvWGpBMm9LeU8vTFBUbUJOSjA3bFBTaDhCTUtaT0tmODBGNkp6Z09xd2krYm9MQlUKMHJqUWNreXh0RWxrS2ZSWFJtYmFkcm45Yi9TSDlFU202dEs3dkNFbjJMZC9neDFTeHhWVnpSa1VCcWN6WHU3WQpXbWNEYzk5eUNOa09OMS8rVFd6ckFYOVFXNnpCb0RROU9xdXFlZDl3N3g2NHhlanRmeUpSUStVN3huQVE0MXdECkhKbFBrQUtUTUplMlE3VC9tNUVoZ3lBT2w2elAxby9XdkxKbmY2dWJZTDZwNHV2MG43dlhPTTl6Z3A1S25BaGIKRTc3RVFub1VtUSsrdCtUblVHdGhza0VrTTNmMURTM2VSNk9zMmh6QkVZY0NBd0VBQWFBQU1BMEdDU3FHU0liMwpEUUVCQ3dVQUE0SUJBUUFBNWVYa1JZaU9ESTBqV2ZUT0tnRTI2dHFvR0JHRU11bDhydW93NVduWEdFbUt1KzRqCjErd1J4RXNCV014UzRmK3NteVl1MlFDbE1DTk5QcjlHWVdpRkZjeWpiRzhCVzhqQjRmZ0l2bjJVL0cvUkwxbDUKZkdNOXFFYURabEtaSVdPamJ3YlBMdk9zTHg2RHNTVkpKdEFpSUc4eHZmWkMwaW9aNkdTY3FSdk1NRWxVc3Q3aQpPMWJIQUpyNGZWSTkvZlJ4V2x1OXhXVjNUaHZyVU5sU3JjSHhlczFGeWZtSDlCblpwKzZmaXZRMlNPRVR5Q3JoCnJIRW5yTzd6dlRtNndaS1ZIQTJZY2ttUktGOUtMSFA4c3RYaDBIMWdkbm9BTnVmK0cyT2RlemVLdDFBSlBNRUUKTGFXSUVwYUVPSWdLSmRRa2ZrczQ4eGpORXV2djYvMVJSYlVRCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
controlplane /data/cka ➜  
controlplane /data/cka ➜  cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ckauser
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1Z6Q0NBVDhDQVFBd0VqRVFNQTRHQTFVRUF3d0hZMnRoZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQgpCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFOVzZmWGd4STFlMHNDaTB1VFpSTDJBMmF6Q0lrR2o2OGRWOXZtaXhrcGpuCm4ySCs5TUd5ZVNWMXlIV3JvWGpBMm9LeU8vTFBUbUJOSjA3bFBTaDhCTUtaT0tmODBGNkp6Z09xd2krYm9MQlUKMHJqUWNreXh0RWxrS2ZSWFJtYmFkcm45Yi9TSDlFU202dEs3dkNFbjJMZC9neDFTeHhWVnpSa1VCcWN6WHU3WQpXbWNEYzk5eUNOa09OMS8rVFd6ckFYOVFXNnpCb0RROU9xdXFlZDl3N3g2NHhlanRmeUpSUStVN3huQVE0MXdECkhKbFBrQUtUTUplMlE3VC9tNUVoZ3lBT2w2elAxby9XdkxKbmY2dWJZTDZwNHV2MG43dlhPTTl6Z3A1S25BaGIKRTc3RVFub1VtUSsrdCtUblVHdGhza0VrTTNmMURTM2VSNk9zMmh6QkVZY0NBd0VBQWFBQU1BMEdDU3FHU0liMwpEUUVCQ3dVQUE0SUJBUUFBNWVYa1JZaU9ESTBqV2ZUT0tnRTI2dHFvR0JHRU11bDhydW93NVduWEdFbUt1KzRqCjErd1J4RXNCV014UzRmK3NteVl1MlFDbE1DTk5QcjlHWVdpRkZjeWpiRzhCVzhqQjRmZ0l2bjJVL0cvUkwxbDUKZkdNOXFFYURabEtaSVdPamJ3YlBMdk9zTHg2RHNTVkpKdEFpSUc4eHZmWkMwaW9aNkdTY3FSdk1NRWxVc3Q3aQpPMWJIQUpyNGZWSTkvZlJ4V2x1OXhXVjNUaHZyVU5sU3JjSHhlczFGeWZtSDlCblpwKzZmaXZRMlNPRVR5Q3JoCnJIRW5yTzd6dlRtNndaS1ZIQTJZY2ttUktGOUtMSFA4c3RYaDBIMWdkbm9BTnVmK0cyT2RlemVLdDFBSlBNRUUKTGFXSUVwYUVPSWdLSmRRa2ZrczQ4eGpORXV2djYvMVJSYlVRCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF
certificatesigningrequest.certificates.k8s.io/ckauser created

controlplane /data/cka ➜

 

 

(3) CSR 승인

controlplane /data/cka ➜  k get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
ckauser     24s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Pending
csr-4wqzk   12m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:58blas    <none>              Approved,Issued
csr-7q5pd   12m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane /data/cka ➜  k certificate approve ckauser
certificatesigningrequest.certificates.k8s.io/ckauser approved

controlplane /data/cka ➜  k get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
ckauser     41s   kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Approved,Issued
csr-4wqzk   12m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:58blas    <none>              Approved,Issued
csr-7q5pd   13m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

 

 

(4) CRT 생성 

controlplane /data/cka ➜  kubectl get csr ckauser -o jsonpath='{.status.certificate}'| base64 -d > ckauser.crt

controlplane /data/cka ➜  ls -al
total 24
drwxr-xr-x 2 root root 4096 Jan 28 15:23 .
drwxr-xr-x 3 root root 4096 Jan 28 15:14 ..
-rw-r--r-- 1 root root 1090 Jan 28 15:23 ckauser.crt
-rw-r--r-- 1 root root  887 Jan 28 15:16 ckauser.csr
-rw------- 1 root root 1704 Jan 28 15:14 ckauser.key
-rw-r--r-- 1 root root 1444 Jan 28 15:20 csr.yaml

 

 

(5) Role 생성 및 RoleBinding 진행 

controlplane /data/cka ➜  k create role pod-role --verb=create --verb=delete --verb=watch --verb=list --verb=get --resource=pods
role.rbac.authorization.k8s.io/pod-role created

controlplane /data/cka ➜  k create rolebinding pod-rolebinding --role=pod-role --user=ckauser
rolebinding.rbac.authorization.k8s.io/pod-rolebinding created

controlplane /data/cka ➜  k describe role pod-role 
Name:         pod-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [create delete watch list get]

controlplane /data/cka ➜  k describe rolebindings.rbac.authorization.k8s.io pod-rolebinding 
Name:         pod-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-role
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  ckauser  

controlplane /data/cka ➜

 

 

(6) kubeconfig / context 적용 

controlplane /data/cka ➜  k config set-credentials ckauser --client-key=/data/cka/ckauser.key --client-certificate=/data/cka/ckauser.crt --embed-certs=true
User "ckauser" set.

controlplane /data/cka ➜  k config set-context ckauser --cluster=kubernetes --user=ckauser
Context "ckauser" created.

controlplane /data/cka ➜  kubectl config use-context ckauser
Switched to context "ckauser".

controlplane /data/cka ➜  k config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         ckauser                       kubernetes   ckauser            
          kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   

controlplane /data/cka ➜

 

 

 

[사용 커맨드 정리]

openssl genrsa -out /data/cka/ckauser.key 2048

openssl req -new -key /data/cka/ckauser.key -out ckauser.csr -subj "/CN=ckauser"

openssl req -new -key /data/cka/ckauser.key -out ckauser.csr -subj "/CN=ckauser"

cat /data/cka/ckauser.csr | base64 | tr -d "\n"

controlplane /data/cka ➜  cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ckauser
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1Z6Q0NBVDhDQVFBd0VqRVFNQTRHQTFVRUF3d0hZMnRoZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQgpCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFOVzZmWGd4STFlMHNDaTB1VFpSTDJBMmF6Q0lrR2o2OGRWOXZtaXhrcGpuCm4ySCs5TUd5ZVNWMXlIV3JvWGpBMm9LeU8vTFBUbUJOSjA3bFBTaDhCTUtaT0tmODBGNkp6Z09xd2krYm9MQlUKMHJqUWNreXh0RWxrS2ZSWFJtYmFkcm45Yi9TSDlFU202dEs3dkNFbjJMZC9neDFTeHhWVnpSa1VCcWN6WHU3WQpXbWNEYzk5eUNOa09OMS8rVFd6ckFYOVFXNnpCb0RROU9xdXFlZDl3N3g2NHhlanRmeUpSUStVN3huQVE0MXdECkhKbFBrQUtUTUplMlE3VC9tNUVoZ3lBT2w2elAxby9XdkxKbmY2dWJZTDZwNHV2MG43dlhPTTl6Z3A1S25BaGIKRTc3RVFub1VtUSsrdCtUblVHdGhza0VrTTNmMURTM2VSNk9zMmh6QkVZY0NBd0VBQWFBQU1BMEdDU3FHU0liMwpEUUVCQ3dVQUE0SUJBUUFBNWVYa1JZaU9ESTBqV2ZUT0tnRTI2dHFvR0JHRU11bDhydW93NVduWEdFbUt1KzRqCjErd1J4RXNCV014UzRmK3NteVl1MlFDbE1DTk5QcjlHWVdpRkZjeWpiRzhCVzhqQjRmZ0l2bjJVL0cvUkwxbDUKZkdNOXFFYURabEtaSVdPamJ3YlBMdk9zTHg2RHNTVkpKdEFpSUc4eHZmWkMwaW9aNkdTY3FSdk1NRWxVc3Q3aQpPMWJIQUpyNGZWSTkvZlJ4V2x1OXhXVjNUaHZyVU5sU3JjSHhlczFGeWZtSDlCblpwKzZmaXZRMlNPRVR5Q3JoCnJIRW5yTzd6dlRtNndaS1ZIQTJZY2ttUktGOUtMSFA4c3RYaDBIMWdkbm9BTnVmK0cyT2RlemVLdDFBSlBNRUUKTGFXSUVwYUVPSWdLSmRRa2ZrczQ4eGpORXV2djYvMVJSYlVRCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

k certificate approve ckauser

k get csr

kubectl get csr ckauser -o jsonpath='{.status.certificate}'| base64 -d > ckauser.crt

 

k create role pod-role --verb=create --verb=delete --verb=watch --verb=list --verb=get --resource=pods

k create rolebinding pod-rolebinding --role=pod-role --user=ckauser

k describe role pod-role 

k describe rolebindings.rbac.authorization.k8s.io pod-rolebinding 

 

k config set-credentials ckauser --client-key=/data/cka/ckauser.key --client-certificate=/data/cka/ckauser.crt --embed-certs=true

k config set-context ckauser --cluster=kubernetes --user=ckauser

kubectl config use-context ckauser

k config get-contexts

반응형
저작자표시 비영리 변경금지

'Compute > kubernetis' 카테고리의 다른 글

[따배씨] 27. ServiceAccount Role Binding / CKA 시험 문제 학습  (0) 2025.02.01
[따배씨] 26. User Cluster Role Binding / CKA 시험 문제 학습  (0) 2025.02.01
[따배씨] 23-24. Kubernetes troubleshooting / CKA 시험 문제 학습  (0) 2025.02.01
[따배씨] 22. Kubernetes Upgrade / CKA 시험 문제 학습  (0) 2025.02.01
[따배씨] 21. Check Resource Information / --sort-by / CKA 시험 문제 학습  (0) 2025.02.01

관련글

티스토리툴바