{"id":34952,"date":"2024-09-06T10:58:27","date_gmt":"2024-09-06T03:58:27","guid":{"rendered":"http:\/\/jupitek.maudemo.vip\/index.php\/2024\/09\/06\/secure-a-cluster-with-user-permissions-and-rbac\/"},"modified":"2024-09-06T10:58:27","modified_gmt":"2024-09-06T03:58:27","slug":"secure-a-cluster-with-user-permissions-and-rbac","status":"publish","type":"post","link":"https:\/\/jupitek.maudemo.vip\/index.php\/2024\/09\/06\/secure-a-cluster-with-user-permissions-and-rbac\/","title":{"rendered":"Secure a cluster with user permissions and RBAC"},
"content":{"rendered":"<p><strong>Kubernetes user security<\/strong><\/p>\n<p>In Linux administration, applying Users, Groups and Permissions is a tried and tested method of improving the security posture for a number of use cases. Similarly, Kubernetes administration applies the same concepts using RBAC (Role-Based Access Control), Service Accounts, and more. For example, when interacting with a standard Kubernetes installation, the default behaviour is for a single kubeconfig file to provide unrestricted access to the relevant cluster. With RBAC and Service Accounts, kubeconfig files can be created for specific individuals in an organization, giving them access only to the parts of the cluster they need.<\/p>\n<p><strong>In this guide<\/strong><\/p>\n<p>Although Linode Kubernetes Engine (LKE) is a managed Platform as a Service solution that provides a baseline level of security, by default it does not handle the creation of roles and service accounts for any user configured on LKE. This guide creates a role and a role binding for an example user in that user's own namespace, so that a custom kubeconfig file can be exported for the user to authenticate with restricted permissions. This way, not every user of a particular cluster is required to hold full administrator permissions.<\/p>\n<p><strong>Before you begin<\/strong><\/p>\n<p>This guide assumes that you have a working Kubernetes cluster deployed using Linode Kubernetes Engine (LKE). You can deploy a Kubernetes cluster using LKE in the following ways:<\/p>\n<ul>\n<li>Cloud Manager.<\/li>\n<li>The Linode API v4.<\/li>\n<li>Terraform, the popular infrastructure as code (IaC) tool.<\/li>\n<\/ul>\n<p class=\"has-background\" style=\"background-color:#ccfbe9\">An LKE cluster has Linode's Cloud Controller Manager installed in the cluster's control plane. If you did not deploy your Kubernetes cluster using LKE and want to use the Linode Cloud Controller Manager, see the Installing the Linode CCM on an Unmanaged Kubernetes Cluster guide.<\/p>\n<p><strong>Create a new user<\/strong><\/p>\n<p>The following steps provide a secure method of limiting a user's access to a cluster. An SSL certificate is created for the user, approved by an administrator, and then applied to a restricted kubeconfig that the user uses for access instead of the administrator's primary kubeconfig file.<\/p>\n<p><strong>Create a certificate and approve a CSR for the new user<\/strong><\/p>\n<p>For the user to authenticate securely with the Kubernetes server, an x.509 certificate is used, similar to how SSL\/TLS is applied in a web browser. A certificate signing request, or CSR, allows the x.509 certificate to be approved and signed for use with Kubernetes. To apply the certificate and create the CSR, follow these steps:<\/p>\n<ul>\n<li>Create a new directory labelled auth to store any new user certificates that will be created. Navigate to this new directory after creating it:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>mkdir auth<br>cd auth<\/code><\/pre>\n<ul>\n<li>Create a new private key for your user:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>openssl genrsa -out exampleuser.key 2048<\/code><\/pre>\n<p class=\"has-background\" style=\"background-color:#b9f8dc\">The text exampleuser can be replaced with a username of your choice.<\/p>\n<p>Create a new certificate signing request file:<\/p>\n<pre class=\"wp-block-code\"><code>openssl req -new -key exampleuser.key -out exampleuser.csr -subj \"\/CN=exampleuser\"<\/code><\/pre>\n<p>Copy the key into the kubectl installation directory. This is usually the home directory:<\/p>\n<ul>\n<li>Using the text editor of your choice, create a new CSR YAML file:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>sudo nano exampleusercsr.yaml<\/code><\/pre>\n<p>The CSR YAML should reflect the following. Replace the string in the request field with the base64 string generated from your own csr file:<\/p>\n<pre class=\"wp-block-code\"><code>apiVersion: certificates.k8s.io\/v1<br>kind: CertificateSigningRequest<br>metadata:<br>  name: exampleuser-csr<br>spec:<br>  groups:<br>  - system:authenticated<br>  request: OGY4d1pQRGlqT21NV2VXCjM4dFdjRmJrQXRyTXJ6YWZnWGRZS1VYb2Z2ZDhLalVPeUJEaFdoWTFJbjZ6NGpEZ2RTbm94K21SdlJxQTFOUEwKN2k0QVd4OFlKcEdVS0Uvb1VKREZDcHVYcE9SZVdUMnY3enhFTzE5QUpRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBRDg5T3JlUC<br>  signerName: kubernetes.io\/kube-apiserver-client<br>  usages:<br>  - digital signature<br>  - key encipherment<br>  - client auth<\/code><\/pre>\n<ul>\n<li>Create the certificate signing request:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>kubectl create -f exampleusercsr.yaml<\/code><\/pre>\n<ul>\n<li>You should see output similar to the following:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>certificatesigningrequest.certificates.k8s.io\/exampleuser-csr created<\/code><\/pre>\n<ul>\n<li>If at any point you need to check the status of the CSR, enter the following command:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>kubectl get csr<\/code><\/pre>\n<p>Additionally, although CSRs are deleted automatically after enough time has passed, they can be deleted manually so that a new CSR can be attempted at any time, using the following syntax:<\/p>\n<pre class=\"wp-block-code\"><code>kubectl delete csr exampleuser-csr<\/code><\/pre>\n<ul>\n<li>Through kubectl, approve the certificate for use with your Kubernetes cluster:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>kubectl certificate approve exampleuser-csr<\/code><\/pre>\n<p>Export the .crt file from the Kubernetes API to receive a copy of your signed certificate, and save it to the \/auth\/ directory:<\/p>\n<pre class=\"wp-block-code\"><code>kubectl get csr exampleuser-csr -o jsonpath='{.status.certificate}' | base64 --decode &gt; ~\/auth\/exampleuser.crt<\/code><\/pre>\n<p><strong>Create a restricted kubeconfig file<\/strong><\/p>\n<p>For the new restricted user to interact with Kubernetes, they need their own Kubeconfig file that does not include administrator permissions. The following steps describe how to create this file.<\/p>\n<ul>\n<li>To ensure that the original kubeconfig file is not overwritten without a backup, create a backup now:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>cp kubeconfig.yaml kubeconfigbackup.yaml<\/code><\/pre>\n<p>Add the new user to the kubeconfig.yaml file:<\/p>\n<pre class=\"wp-block-code\"><code>apiVersion: v1<br>clusters:<br>- cluster:<br>    certificate-authority-data: oaiedjaoiu9833ed98whfc9h<br>    server: https:\/\/def4624b-5fbb-4ac6-ae70-77f28eb131fe.us-east-1.linodelke.net:443<br>  name: lke1111<br>contexts:<br>- context:<br>    cluster: lke1111<br>    namespace: default<br>    user: lke1111-admin<br>  name: lke1111-ctx<br>current-context: lke1111-ctx<br>kind: Config<br>preferences: {}<br>users:<br>- name: exampleuser<br>  user:<br>    client-certificate: exampleuser.crt<br>    client-key: exampleuser.key<br>- name: lke1111-admin<br>  user:<br>    token: OIAWHF09W08R08w4f0hs0efch8q088080HEHSC<\/code><\/pre>\n<p>To ensure that only the second, restricted user can access the cluster with restricted permissions, an additional kubeconfig file without administrative control must be created:<\/p>\n<pre class=\"wp-block-code\"><code>cp kubeconfig.yaml exampleuser_kubeconfig.yaml<\/code><\/pre>\n<ul>\n<li>The new kubeconfig file should only include the configuration options for the restricted user. Remove all of the admin user's lines from the new kubeconfig file, until the exampleuser_kubeconfig.yaml file reflects the following:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>apiVersion: v1<br>clusters:<br>- cluster:<br>    certificate-authority-data: iuawhefIDWIDHI23EW98HICUH<br>    server: https:\/\/def4624b-5fbb-4ac6-ae70-77f28eb131fe.us-east-1.linodelke.net:443<br>  name: lke1111<br>contexts:<br>- context:<br>    cluster: lke1111<br>    user: exampleuser<br>  name: lke1111-ctx<br>current-context: lke1111-ctx<br>kind: Config<br>preferences: {}<br>users:<br>- name: exampleuser<br>  user:<br>    client-certificate: \/home\/user\/auth\/exampleuser.crt<br>    client-key: \/home\/user\/auth\/exampleuser.key<\/code><\/pre>\n<p>To test, switch the current context to the new kubeconfig file:<\/p>\n<pre class=\"wp-block-code\"><code>export KUBECONFIG=exampleuser_kubeconfig.yaml<\/code><\/pre>\n<p>Once exported, try listing all of the nodes in the cluster:<\/p>\n<pre class=\"wp-block-code\"><code>kubectl get nodes<\/code><\/pre>\n<p>If the configuration is working, the new user's kubeconfig causes the request to fail with the following error:<\/p>\n<pre class=\"wp-block-code\"><code>Error from server (Forbidden): nodes is forbidden: User \"exampleuser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope<\/code><\/pre>\n<p>The error is expected, because the user does not yet have any roles or permissions defined. By default, a new Kubernetes user cannot access any resources.<\/p>\n<p><strong>Set permissions with RBAC<\/strong><\/p>\n<p>Permissions can be applied to the new user by creating role.yaml and rolebinding.yaml files. In Kubernetes, a Role defines the permissions granted to a specific group of users, and a RoleBinding applies roles to specific users. For example, if you want to give the previously created exampleuser the ability to interact with pods in the examplenamespace namespace, a good configuration looks like the following:<\/p>\n<ul>\n<li>Create a role.yaml file with the following content:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1<br>kind: Role<br>metadata:<br>  name: example-role<br>  namespace: examplenamespace<br>rules:<br>- apiGroups: [\"\"]<br>  resources: [\"pods\"]<br>  verbs: [\"get\", \"watch\", \"list\"]<\/code><\/pre>\n<p>The example above allows any user assigned the role to get, watch and list pod resources in the examplenamespace namespace. The role name, example-role, is a unique identifier that is referenced when applying the role binding in the next step.<\/p>\n<ul>\n<li>Once the role is created, create a rolebinding.yaml file to bind the role to your user:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>apiVersion: rbac.authorization.k8s.io\/v1<br>kind: RoleBinding<br>metadata:<br>  name: example-role-binding<br>  namespace: examplenamespace<br>subjects:<br>- apiGroup: rbac.authorization.k8s.io<br>  kind: User<br>  name: exampleuser<br>roleRef:<br>  apiGroup: rbac.authorization.k8s.io<br>  kind: Role<br>  name: example-role<\/code><\/pre>\n<p>Apply both role.yaml and rolebinding.yaml to grant the permissions to the new user (this step needs the administrator's kubeconfig, since the restricted user cannot create roles or role bindings):<\/p>\n<pre class=\"wp-block-code\"><code>kubectl apply -f role.yaml<br>kubectl apply -f rolebinding.yaml<\/code><\/pre>\n<ul>\n<li>To test, switch the kubeconfig and the active namespace to the namespace created for the restricted example user:<\/li>\n<\/ul>\n<pre class=\"wp-block-code\"><code>export KUBECONFIG=exampleuser_kubeconfig.yaml<br>kubectl config set-context --current --namespace=examplenamespace<\/code><\/pre>\n<p>If the configuration is working, you should not see any errors when requesting information about the pods running in the namespace:<\/p>\n<pre class=\"wp-block-code\"><code>kubectl get pods<\/code><\/pre>\n<p>However, if the user tries to get information about nodes, or makes any other request that has not been explicitly configured, the request fails with an error similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>Error from server (Forbidden): nodes is forbidden: User \"exampleuser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope<\/code><\/pre>\n<p>Source: https:\/\/techdocs.akamai.com\/cloud-computing\/docs\/secure-a-cluster-with-user-permissions-and-rbac<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Kubernetes user security In Linux administration, applying Users, Groups and Permissions is a tried and tested method of improving the security posture for a number of use cases. Similarly, Kubernetes administration applies the same concepts by<\/p>\n","protected":false},
"author":1,"featured_media":35952,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[79],"tags":[],"class_list":["post-34952","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linode-kubernetes-engine"],
"_links":{"self":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts\/34952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/comments?post=34952"}],"version-history":[{"count":0,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts\/34952\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/media\/35952"}],"wp:attachment":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/media?parent=34952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/categories?post=34952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/tags?post=34952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}