> For the complete documentation index, see [llms.txt](https://ghostwritten.gitbook.io/kubernetes-exam-in-action/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ghostwritten.gitbook.io/kubernetes-exam-in-action/cks-kao-shi/rbac.md).
# RBAC
### 1. 介绍
\
\\
\
\
\
\
\\
\
### 2. Practice -Role and Rolebinding
```
root@master:~/k8slib# k create ns red
namespace/red created
root@master:~/k8slib# k create ns blue
namespace/blue created
root@master:~/k8slib# k -n red create role secret-manager --verb=get --resource=secrets -oyaml --dry-run=client
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: secret-manager
namespace: red
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
root@master:~/k8slib# k -n red create role secret-manager --verb=get --resource=secrets
role.rbac.authorization.k8s.io/secret-manager created
root@master:~/k8slib# k -n red create rolebinding secret-manager --role=secret-manager --user=jane -oyaml --dry-run=client
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: secret-manager
namespace: red
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: secret-manager
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: jane
root@master:~/k8slib# k -n red create rolebinding secret-manager --role=secret-manager --user=jane
rolebinding.rbac.authorization.k8s.io/secret-manager created
root@master:~/k8slib# k -n blue create role secret-manager --verb=get --verb=list --resource=secrets
role.rbac.authorization.k8s.io/secret-manager created
root@master:~/k8slib# k -n blue create rolebinding secret-manager --role=secret-manager --user=jane
rolebinding.rbac.authorization.k8s.io/secret-manager created
#测试
root@master:~/k8slib# k -n red auth can-i get secrets --as jane
yes
root@master:~/k8slib# k -n red auth can-i get secrets --as tom
no
root@master:~/k8slib# k -n red auth can-i delete secrets --as jane
no
root@master:~/k8slib# k -n red auth can-i list secrets --as jane
no
root@master:~/k8slib# k -n blue auth can-i list secrets --as jane
yes
root@master:~/k8slib# k -n blue auth can-i get secrets --as jane
yes
root@master:~/k8slib# k -n blue auth can-i get pods --as jane
no
```
### 3. ClusterRole and ClusterRoleBinding
```
root@master:~/k8slib# k create clusterrole deploy-deleter --verb delete --resource deployments
clusterrole.rbac.authorization.k8s.io/deploy-deleter created
root@master:~/k8slib# k create clusterrolebinding deploy-deleter --user jane --clusterrole deploy-deleter
clusterrolebinding.rbac.authorization.k8s.io/deploy-deleter created
root@master:~/k8slib# k -n red create rolebinding deploy-deleter --user jim --clusterrole deploy-deleter
rolebinding.rbac.authorization.k8s.io/deploy-deleter created
root@master:~/k8slib# k auth can-i delete deployments --as jane
yes
root@master:~/k8slib# k auth can-i delete deployments --as jane -n default
yes
root@master:~/k8slib# k auth can-i delete deployments --as jane -n red
yes
root@master:~/k8slib# k auth can-i delete pods --as jane -n red
no
root@master:~/k8slib# k auth can-i delete deployments --as jim -n default
no
root@master:~/k8slib# k auth can-i delete deployments --as jim -A
no
root@master:~/k8slib# k auth can-i delete deployments --as jim -n red
yes
```
### 4. Accounts and Users
\
\
\\
### 5. CertificateSigningRequests
```
root@master:~/cks/RBAC# openssl genrsa -out jane.key 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
............................................................+++
e is 65537 (0x10001)
root@master:~/cks/RBAC# openssl req -new -key jane.key -out jane.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:jane
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@master:~/cks/RBAC# ls
jane.csr jane.key
```
参考链接:\
```
root@master:~/cks/RBAC# vim csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: jane
spec:
groups:
- system:authenticated
request: todo
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
root@master:~/cks/RBAC# cat jane.csr | base64 -w 0
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ21UQ0NBWUVDQVFBd1ZERUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpERU5NQXNHQTFVRUF3d0VhbUZ1ClpUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU83Z2lEUDNxU3U2Qll3SVVkeDgKU2RERUxOd1c3emVvbkZXZWlxNGFHOWhoMzV6TWFYc09wbjE4V0tmU1pYcjMwU0dVUVcwZjdwYUdKOXlTVVdRNwpnUGw2ejU0VjlpZDdxOWswTDMvcnlNMmJOdEdOQnB0QUJYMjVoOXZaSHpiUzQ0ekZkRlA0T2x0b2orcFpLVnpoCm56T2xBNUZwTmxKRGtzeHRBYVJsYzhwa2liZGpObVVJVGNCT3dkRFp5M1JJUEhsU0FQam10QlJqaUNXQVdYZFUKU01PRXRRUUdkVFFreGo3TDJxbSsyVkhGVUFHOEFKWkMwaFFHQStoTlZMNis2Uk5YTFlrWDR5VnVwMlBNWG5YVQorRUpUVnArZFJjU0FwUXlPbFNITTFpNU5sOWdPdEN4S2VZd245R3VlZnpVNlB5cEFrVitINnRlNHVSKzZYcWpUCkdzc0NBd0VBQWFBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQWkzaVp5TnlYRFdsMVdJQjRta3BpczcwazAKeHl4VW50ZDg1UTJERzJ6K0h1b0YvQlhNZ2hvTXpyWGtndVNraFpRYnRhS1JRMGtOSjNYYUlUQzNGeWN4OW0yVgp3blZZS3VoYnRPTXVlRzJMWngvUTFwNjJZYTJyc1NPbGhyRlhqY1RkUUk0dllpSGNMUE0vMi9FTGFUQU9mQ1dzClUvN0FpNGhQRlk3S0JOVkt4b013VHBFbzgxNXBtMEJtU1orWUZGSU5vQlV6VEI2VUxUd2Yva2FFRkRuc0FtcVEKOVNPRzNvRkx4RmUyVnNwcjhsQ0NOaHV2M21ZZkZlL0JOS3ZvMUdHVDN0SjcwVldLODJZUUdpWjNSbExHaXBKTgpQWXczNmdTdjAydVNxYm9wNWxvSzdUdHhPaU9HSnZJdjVNRnR0OTdVNjlSaHd4dmNHbk5jQXkycVdnRzcKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==root@master:~/cks/RBAC#
root@master:~/cks/RBAC# vim csr.yaml
root@master:~/cks/RBAC# cat csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: jane
spec:
groups:
- system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ21UQ0NBWUVDQVFBd1ZERUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpERU5NQXNHQTFVRUF3d0VhbUZ1ClpUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU83Z2lEUDNxU3U2Qll3SVVkeDgKU2RERUxOd1c3emVvbkZXZWlxNGFHOWhoMzV6TWFYc09wbjE4V0tmU1pYcjMwU0dVUVcwZjdwYUdKOXlTVVdRNwpnUGw2ejU0VjlpZDdxOWswTDMvcnlNMmJOdEdOQnB0QUJYMjVoOXZaSHpiUzQ0ekZkRlA0T2x0b2orcFpLVnpoCm56T2xBNUZwTmxKRGtzeHRBYVJsYzhwa2liZGpObVVJVGNCT3dkRFp5M1JJUEhsU0FQam10QlJqaUNXQVdYZFUKU01PRXRRUUdkVFFreGo3TDJxbSsyVkhGVUFHOEFKWkMwaFFHQStoTlZMNis2Uk5YTFlrWDR5VnVwMlBNWG5YVQorRUpUVnArZFJjU0FwUXlPbFNITTFpNU5sOWdPdEN4S2VZd245R3VlZnpVNlB5cEFrVitINnRlNHVSKzZYcWpUCkdzc0NBd0VBQWFBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQWkzaVp5TnlYRFdsMVdJQjRta3BpczcwazAKeHl4VW50ZDg1UTJERzJ6K0h1b0YvQlhNZ2hvTXpyWGtndVNraFpRYnRhS1JRMGtOSjNYYUlUQzNGeWN4OW0yVgp3blZZS3VoYnRPTXVlRzJMWngvUTFwNjJZYTJyc1NPbGhyRlhqY1RkUUk0dllpSGNMUE0vMi9FTGFUQU9mQ1dzClUvN0FpNGhQRlk3S0JOVkt4b013VHBFbzgxNXBtMEJtU1orWUZGSU5vQlV6VEI2VUxUd2Yva2FFRkRuc0FtcVEKOVNPRzNvRkx4RmUyVnNwcjhsQ0NOaHV2M21ZZkZlL0JOS3ZvMUdHVDN0SjcwVldLODJZUUdpWjNSbExHaXBKTgpQWXczNmdTdjAydVNxYm9wNWxvSzdUdHhPaU9HSnZJdjVNRnR0OTdVNjlSaHd4dmNHbk5jQXkycVdnRzcKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
root@master:~/cks/RBAC# k create -f csr.yaml
certificatesigningrequest.certificates.k8s.io/jane created
root@master:~/cks/RBAC# k get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
jane 7s kubernetes.io/kube-apiserver-client kubernetes-admin Pending
root@master:~/cks/RBAC# k certificate approve jane
certificatesigningrequest.certificates.k8s.io/jane approved
root@master:~/cks/RBAC# k get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
jane 73s kubernetes.io/kube-apiserver-client kubernetes-admin Approved,Issued
root@master:~/cks/RBAC# k get csr -o yaml
....
status:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPakNDQWlLZ0F3SUJBZ0lSQU5OZmhpSEswMjcrbVZ6UU5ZUGZyT0F3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBME1qVXdPRE0zTXpOYUZ3MHlNakEwTWpVdwpPRE0zTXpOYU1GUXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJRXdwVGIyMWxMVk4wWVhSbE1TRXdId1lEClZRUUtFeGhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhEVEFMQmdOVkJBTVRCR3BoYm1Vd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEdTRJZ3o5NmtydWdXTUNGSGNmRW5ReEN6YwpGdTgzcUp4Vm5vcXVHaHZZWWQrY3pHbDdEcVo5ZkZpbjBtVjY5OUVobEVGdEgrNldoaWZja2xGa080RDVlcytlCkZmWW5lNnZaTkM5LzY4ak5temJSalFhYlFBVjl1WWZiMlI4MjB1T014WFJUK0RwYmFJL3FXU2xjNFo4enBRT1IKYVRaU1E1TE1iUUdrWlhQS1pJbTNZelpsQ0UzQVRzSFEyY3QwU0R4NVVnRDQ1clFVWTRnbGdGbDNWRWpEaExVRQpCblUwSk1ZK3k5cXB2dGxSeFZBQnZBQ1dRdElVQmdQb1RWUyt2dWtUVnkySkYrTWxicWRqekY1MTFQaENVMWFmCm5VWEVnS1VNanBVaHpOWXVUWmZZRHJRc1NubU1KL1Jybm44MU9qOHFRSkZmaCtyWHVMa2Z1bDZvMHhyTEFnTUIKQUFHalJqQkVNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwagpCQmd3Rm9BVUs0dktoTHROQ1lpNHZHSVQzVFJBYWgyOWl4OHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBTDhYCkdONzAwc2RZb0gvMS96Q0VYSjZwanNUZk16eXBTZDc4MVg5SERSNVh6T0pVWFZ0WDFBRTNqcjQ3M251cGE0OXUKOWhuSG5DMWFEODVnbFhiNE9wR2ttWUw5M241TEZSLzU2eng1ZDdwUDlHSzNtT0JYc2IvZGJ4ZEFlMzZJVG1Ucgo4ajdlcTVEcGZQcUpOWlozRDBCK2ljc1htU0NUNDdzNTRQUWtON3cwUHBvNDFkWS8xYTFndnYxNUJPQXc3bVluCmtNUXlubFZMN0cyQ25SaTlnM2R5S2tueUcyOGkyWmFOOGs5MkJXdmNmM1JTR3FudFM4SUxPYi9jWUpYemY1ZWcKQkMyVHhjeGo2dHJJVkVIV0xuZ2NEZmVhbnZ4Ylgwbk41cGlQYVYzaFpRcWo0aFVQZ201RzJQWmNUWUV4Mk4wZgpCckhOWnZRZElPY2RDRVorY2hrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
....
root@master:~/cks/RBAC# echo LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPakNDQWlLZ0F3SUJBZ0lSQU5OZmhpSEswMjcrbVZ6UU5ZUGZyT0F3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBME1qVXdPRE0zTXpOYUZ3MHlNakEwTWpVdwpPRE0zTXpOYU1GUXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJRXdwVGIyMWxMVk4wWVhSbE1TRXdId1lEClZRUUtFeGhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhEVEFMQmdOVkJBTVRCR3BoYm1Vd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEdTRJZ3o5NmtydWdXTUNGSGNmRW5ReEN6YwpGdTgzcUp4Vm5vcXVHaHZZWWQrY3pHbDdEcVo5ZkZpbjBtVjY5OUVobEVGdEgrNldoaWZja2xGa080RDVlcytlCkZmWW5lNnZaTkM5LzY4ak5temJSalFhYlFBVjl1WWZiMlI4MjB1T014WFJUK0RwYmFJL3FXU2xjNFo4enBRT1IKYVRaU1E1TE1iUUdrWlhQS1pJbTNZelpsQ0UzQVRzSFEyY3QwU0R4NVVnRDQ1clFVWTRnbGdGbDNWRWpEaExVRQpCblUwSk1ZK3k5cXB2dGxSeFZBQnZBQ1dRdElVQmdQb1RWUyt2dWtUVnkySkYrTWxicWRqekY1MTFQaENVMWFmCm5VWEVnS1VNanBVaHpOWXVUWmZZRHJRc1NubU1KL1Jybm44MU9qOHFRSkZmaCtyWHVMa2Z1bDZvMHhyTEFnTUIKQUFHalJqQkVNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwagpCQmd3Rm9BVUs0dktoTHROQ1lpNHZHSVQzVFJBYWgyOWl4OHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBTDhYCkdONzAwc2RZb0gvMS96Q0VYSjZwanNUZk16eXBTZDc4MVg5SERSNVh6T0pVWFZ0WDFBRTNqcjQ3M251cGE0OXUKOWhuSG5DMWFEODVnbFhiNE9wR2ttWUw5M241TEZSLzU2eng1ZDdwUDlHSzNtT0JYc2IvZGJ4ZEFlMzZJVG1Ucgo4ajdlcTVEcGZQcUpOWlozRDBCK2ljc1htU0NUNDdzNTRQUWtON3cwUHBvNDFkWS8xYTFndnYxNUJPQXc3bVluCmtNUXlubFZMN0cyQ25SaTlnM2R5S2tueUcyOGkyWmFOOGs5MkJXdmNmM1JTR3FudFM4SUxPYi9jWUpYemY1ZWcKQkMyVHhjeGo2dHJJVkVIV0xuZ2NEZmVhbnZ4Ylgwbk41cGlQYVYzaFpRcWo0aFVQZ201RzJQWmNUWUV4Mk4wZgpCckhOWnZRZElPY2RDRVorY2hrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | base64 -d
-----BEGIN CERTIFICATE-----
MIIDOjCCAiKgAwIBAgIRANNfhiHK027+mVzQNYPfrOAwDQYJKoZIhvcNAQELBQAw
FTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0yMTA0MjUwODM3MzNaFw0yMjA0MjUw
ODM3MzNaMFQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYD
VQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDTALBgNVBAMTBGphbmUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDu4Igz96krugWMCFHcfEnQxCzc
Fu83qJxVnoquGhvYYd+czGl7DqZ9fFin0mV699EhlEFtH+6WhifcklFkO4D5es+e
FfYne6vZNC9/68jNmzbRjQabQAV9uYfb2R820uOMxXRT+DpbaI/qWSlc4Z8zpQOR
aTZSQ5LMbQGkZXPKZIm3YzZlCE3ATsHQ2ct0SDx5UgD45rQUY4glgFl3VEjDhLUE
BnU0JMY+y9qpvtlRxVABvACWQtIUBgPoTVS+vukTVy2JF+MlbqdjzF511PhCU1af
nUXEgKUMjpUhzNYuTZfYDrQsSnmMJ/Rrnn81Oj8qQJFfh+rXuLkful6o0xrLAgMB
AAGjRjBEMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0j
BBgwFoAUK4vKhLtNCYi4vGIT3TRAah29ix8wDQYJKoZIhvcNAQELBQADggEBAL8X
GN700sdYoH/1/zCEXJ6pjsTfMzypSd781X9HDR5XzOJUXVtX1AE3jr473nupa49u
9hnHnC1aD85glXb4OpGkmYL93n5LFR/56zx5d7pP9GK3mOBXsb/dbxdAe36ITmTr
8j7eq5DpfPqJNZZ3D0B+icsXmSCT47s54PQkN7w0Ppo41dY/1a1gvv15BOAw7mYn
kMQynlVL7G2CnRi9g3dyKknyG28i2ZaN8k92BWvcf3RSGqntS8ILOb/cYJXzf5eg
BC2Txcxj6trIVEHWLngcDfeanvxbX0nN5piPaV3hZQqj4hUPgm5G2PZcTYEx2N0f
BrHNZvQdIOcdCEZ+chk=
-----END CERTIFICATE-----
root@master:~/cks/RBAC# k config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.211.40:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
root@master:~/cks/RBAC# k config view -o yaml > view.yaml
root@master:~/cks/RBAC# k config set-credentials jane --client-key=jane.key --client-certificate=jane.crt
User "jane" set.
root@master:~/cks/RBAC# k config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.211.40:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jane
user:
client-certificate: /root/cks/RBAC/jane.crt
client-key: /root/cks/RBAC/jane.key
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
root@master:~/cks/RBAC# k config set-credentials jane --client-key=jane.key --client-certificate=jane.crt --embed-certs
User "jane" set.
root@master:~/cks/RBAC# k config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.211.40:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jane
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
root@master:~/cks/RBAC# k config view --raw
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1ERXhPVEF6TWpjME5Gb1hEVE14TURFeE56QXpNamMwTkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTWdPClppYVBnYXJlekxVWGV3TGVnUGJiVUtFb2kwUW5MdG5xbVhJOVk0VXpEOUp1cEtNd3FURDVQK3BLRldjVXZrOHYKd1BzYk9hcVhaMm1rajFZTnkrRXFGSmJ2d1Y4M0l1VEkreHFlcEhXa0EzRUhkb1VYVjJwNjA3S0dtZE11V2ZISwplWTlXTHlVSEF5QTFBeDJFTVlid2VtQUhBb2tYaUdvVkU1TTlEaGJRY1dCblVqM3hFWUJYLzEwM1JvSEQxYWtvCmJFbng2dGpQZWluSHJmaEJoVFYydmRGMG9BNUtkQWYyUHByYzlDSVRwTWZnczRUWW1kd3YyTzRaQk1NVDdpbnkKbVB0SmpYVUpobG8zM3JzdkJ2WGZLUjQxZXlXVkFCRThvRE0rUWdHL2U5MCtua0IxNVNPWGtLTFFZWGxIbFg3MgpPalNzZ1EvOG13U3cyekQrdDhzQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDdUx5b1M3VFFtSXVMeGlFOTAwUUdvZHZZc2ZNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFDRVYxazhpMGZtWlBFQzdpTk5IMzMwbXErUnRyWnJyeVRPUFAycXZkOWRTVVV2QWo1SwowbWlYZmVKUGw5ZFpodHhkTGZ5RmVQa2t2SFZ5eVJtTnh2Z3R2Sk1laEdrQXFYeTZEanFmSE4zZUxWOUdjN2daCkJYdlRTMjRIMzY2cmhrVHQydWM3ZXBSTkpQZThqWG14RE8zVHZoaTc4Tll4c1ZIb1VjekQ3Nk83UmV1c3dyWnUKN1NWclhHN0Flay9RVlgxSGR6Q0c3NndCTEdzZ2VOb3B4eVViMmJ6eU80bUI4eDU0OWNBaTBjVkVqZlRoMDRnbwoyQ09pdVZiWEMzOGpQd090bnVFbHNYaW9ZSHYrcHI5RysxREZ4R2ZhY0NtWFFlT2ZYdlNmOEFFeGFLclZIOWYxCkhJQTd4TzQ2TXJ4WmswRXdDQ2d0cERPV25HM2s2d29XN1MyUAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.211.40:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: jane
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPakNDQWlLZ0F3SUJBZ0lSQU5OZmhpSEswMjcrbVZ6UU5ZUGZyT0F3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBME1qVXdPRE0zTXpOYUZ3MHlNakEwTWpVdwpPRE0zTXpOYU1GUXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJRXdwVGIyMWxMVk4wWVhSbE1TRXdId1lEClZRUUtFeGhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhEVEFMQmdOVkJBTVRCR3BoYm1Vd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEdTRJZ3o5NmtydWdXTUNGSGNmRW5ReEN6YwpGdTgzcUp4Vm5vcXVHaHZZWWQrY3pHbDdEcVo5ZkZpbjBtVjY5OUVobEVGdEgrNldoaWZja2xGa080RDVlcytlCkZmWW5lNnZaTkM5LzY4ak5temJSalFhYlFBVjl1WWZiMlI4MjB1T014WFJUK0RwYmFJL3FXU2xjNFo4enBRT1IKYVRaU1E1TE1iUUdrWlhQS1pJbTNZelpsQ0UzQVRzSFEyY3QwU0R4NVVnRDQ1clFVWTRnbGdGbDNWRWpEaExVRQpCblUwSk1ZK3k5cXB2dGxSeFZBQnZBQ1dRdElVQmdQb1RWUyt2dWtUVnkySkYrTWxicWRqekY1MTFQaENVMWFmCm5VWEVnS1VNanBVaHpOWXVUWmZZRHJRc1NubU1KL1Jybm44MU9qOHFRSkZmaCtyWHVMa2Z1bDZvMHhyTEFnTUIKQUFHalJqQkVNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwagpCQmd3Rm9BVUs0dktoTHROQ1lpNHZHSVQzVFJBYWgyOWl4OHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBTDhYCkdONzAwc2RZb0gvMS96Q0VYSjZwanNUZk16eXBTZDc4MVg5SERSNVh6T0pVWFZ0WDFBRTNqcjQ3M251cGE0OXUKOWhuSG5DMWFEODVnbFhiNE9wR2ttWUw5M241TEZSLzU2eng1ZDdwUDlHSzNtT0JYc2IvZGJ4ZEFlMzZJVG1Ucgo4ajdlcTVEcGZQcUpOWlozRDBCK2ljc1htU0NUNDdzNTRQUWtON3cwUHBvNDFkWS8xYTFndnYxNUJPQXc3bVluCmtNUXlubFZMN0cyQ25SaTlnM2R5S2tueUcyOGkyWmFOOGs5MkJXdmNmM1JTR3FudFM4SUxPYi9jWUpYemY1ZWcKQkMyVHhjeGo2dHJJVkVIV0xuZ2NEZmVhbnZ4Ylgwbk41cGlQYVYzaFpRcWo0aFVQZ201RzJQWmNUWUV4Mk4wZgpCckhOWnZRZElPY2RDRVorY2hrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBN3VDSU0vZXBLN29GakFoUjNIeEowTVFzM0Jidk42aWNWWjZLcmhvYjJHSGZuTXhwCmV3Nm1mWHhZcDlKbGV2ZlJJWlJCYlIvdWxvWW4zSkpSWkR1QStYclBuaFgySjN1cjJUUXZmK3ZJelpzMjBZMEcKbTBBRmZibUgyOWtmTnRMampNVjBVL2c2VzJpUDZsa3BYT0dmTTZVRGtXazJVa09TekcwQnBHVnp5bVNKdDJNMgpaUWhOd0U3QjBObkxkRWc4ZVZJQStPYTBGR09JSllCWmQxUkl3NFMxQkFaMU5DVEdQc3ZhcWI3WlVjVlFBYndBCmxrTFNGQVlENkUxVXZyN3BFMWN0aVJmakpXNm5ZOHhlZGRUNFFsTlduNTFGeElDbERJNlZJY3pXTGsyWDJBNjAKTEVwNWpDZjBhNTUvTlRvL0trQ1JYNGZxMTdpNUg3cGVxTk1heXdJREFRQUJBb0lCQVFDbW5kWmk2UXdHZytuNgprcE1HeDJwMVEyQkc0M2hYeWpQQlJLUldhNytnWGlRcXFpbW91NzlGSjhadXlFSWdVMXA3b1gxQk1GU3FpVWlrCmdTcGtUMXpXcHVMSjBXZXdnb0tMTGVzenZyS0JOeEkxZDdoejhXUGpIZFcxY3V4aXdSWVd5bU1wYnFyRnQxa3EKaktaZE1zSm9zMkNadkZrM2FBcXNyQnZKSHpwMG4vS3MybzhRNVpoYkpEa0tUY2w1QndoUFBUSHBiRlluSEJUeApHQkxtRWg2YlRueWpSRVpnaUxBdy8xbUFuRWk0dW00ODJJZS9FSjdiMHJvMTcxYjBCOGtkNWdGWUsyUC9sNXRiClFvZG1FckFXWURjazRJeHVlQy92YnFpNUQ0TndSNUVFWUJzWXc2cFFyWlhpTFVBeW53dmsvL21zRUJCY0txN3gKUHp1MHdMMEJBb0dCQVByRDdNS2k5VHdoNCtvbmo1eDdoNm9nTHE5VHFFRzNqVkV6dE03aXl3S3hJTW5UVnptVQpCSThyd1U0cXZvM0F6ZXM1eVhJL05SWkFNV2NTZUtpSVpEQU80d3dPcklXVGcxY056c3JiazdDTXp5UUQ4d2Z4CkVLMEpsdHNYaWw1UzdvTmx6d0dscTZ1UWVZTXhja0IrQ2FCU1BSWlJhSk5yUTFiVXp4STJkTDhUQW9HQkFQUGQKRTdzYjFRSzloMzRRcDdXYjYwNDJzdkxPajdocC93RzhPbk1HVGttcm9WZkg3b2QrV2FYRmNrQ0RBRDR2NkRZbApYZmRRWUVWajU5Z0Q3Rzl4RFdqNEFPZFZ5aGxSeVhpN1FXUnNKRTJwYXdoZ050TFgremtjZzBqcWZsZjFlV3FVCk05OWVOelJnY1RTbjY3ZHAzWkRBMUVROVNocFZveHdReHFyZUY5UnBBb0dBYm9UelVFVXArRHFuakllckQ3aVIKN2pVSTNsVHNqeW9xcW1NemlRc0Rsa2dpdjFEWjNKS1QvOVcwK0pKMk1WdU1aZU91R1NBcWNZZ1JQZkF5SlhVWApVdWI4d2srbFVhblY5UVFzNDlNcW9HRXUyaHl6ZkFpTzVQU1kvQzYvMlJxTDdIVnVhcmR0bGN1ekFsTkVtNC94CkJpdTRxS0Z3aWFoNG9VaGhpeEZkR3VrQ2dZQjV2WHNWSkk3UllHYWNvNW5seXVITVdQZzZ5SzNzNVZWOXUwYisKbHo1TC90ZDc1LzZITzZkclgwZHJOenJPME1HL0RpWjd5VzlXRk1yd0J2MW9vT3FONVlrbDg2a0J2TmUwWXQ4QgpVQTlMaWZFNTdEWlNTYXBMMTVVZXVKbThOWHFZbjBYS0U5SEJYd2dFdm5PcFM3dGxnUzQycHRZd2tXSHRKOTdWCi9DdXZTUUtCZ0JibVVKVmJMSlFOamcxZzNpMHZSUEJCakhkV0VETzMvbU1JQXdxREJMY0FUZ1hZWm5RWmZkQWgKaUJzZXJvaWl0M0FuV1FXTi8rZEhzMFhtdlcxbFUzbEJJc3Jvd1Y3YjZaSzlHcktxRGUwVS9CemJYUmpVczVibwowcEFJaWxLY0ZFNUdLM3FqSmlLM2RKZ2R5a3ZBYldRUDM0UmJ3YUdldHdFbDRWK1pSRnRNCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lJR2w5NUYxYVh3NEl3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBeE1Ua3dNekkzTkRSYUZ3MHlNakF4TVRrd016STNORFphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW9SSHZVUnBiVkdDb2VqNXoKWFgzYkpxN2FBUTY1amh2YisrNkt2ak1laS9LbWtNSlZWVzEvRWFlVzV3Q3V5aXk4eFQ2Z1FjUjhXNE9YaDk5RwpNcHFvcUhCNEZoNnhlY2xjUjJLVkN1TTVVbk1aZUZDZEJOanQvRnRhVnRkcW90dFJ3eTg1ajh2SmdvL0tRMnFSCkVBTDFJZ3pkTXZ0cjBkQnQ4RjhVUVQ5QVZ2SmJtZzFTelEyeHptSlluQ1EySTFYTnZjV1g4UWlJVGRPdTlUY1YKQjFrMVRjK2x5Sm9mdGlyZmlVVVNBUS82UTlnV05XdEp1d1EwdHVkR2RzZnlobXNCbFV5QkNOSlhEaXRHMUxWawpXTmRFc3d5UVdsVGdZdU9rWkczU3k4RzYyZmlpZDAxb2VqbVFHTExHaVFYcHNWTytyQzdjSnowL2hQdC9GaEgwCmpOWnpZUUlEQVFBQm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVLNHZLaEx0TkNZaTR2R0lUM1RSQWFoMjlpeDh3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFJdE9meXRWT0pOdytTNU1LWWlQWDBCS0lFTGkvcFBHL0NJUUU3Zjg1WlRPSXIvS05JTXcwYURxCmp6M0ZBU0F5bTloVEp4dEtUN3dzeWEvbGcwcnlIMEdGQ0dHTjdDOFNhUVVLNDRxUjd1RnUzRlo1OXNteDc1MU8KQTlOMnYxWlJJa3pQYXVNNGZ3T2NLOFUzN0lkOGVYZkxJMjV3c3p0RXdickdRS1Jia2owMnkzSEpEWWJobjFiUgoyYXpJOU1FaThrMVdtVTk4S1B2bFBFMk9md3BkSFp2TEVJTGdBOGZLZU1WZnduNGlDcVN1L3R1aGJ6RFhqOEFXCkpMcWNyZ1FqT0pxS0hqS2VEWFZIVm14MHFYMnhpRnRUM0prSDdWTFplK1JlUlZ4dEFWekkwc2NoeVFzY04vaXEKY3JNcHQ1NlhPM1BSVWc1bnplWnp5TTE4ajhqL3hIbz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBb1JIdlVScGJWR0NvZWo1elhYM2JKcTdhQVE2NWpodmIrKzZLdmpNZWkvS21rTUpWClZXMS9FYWVXNXdDdXlpeTh4VDZnUWNSOFc0T1hoOTlHTXBxb3FIQjRGaDZ4ZWNsY1IyS1ZDdU01VW5NWmVGQ2QKQk5qdC9GdGFWdGRxb3R0Und5ODVqOHZKZ28vS1EycVJFQUwxSWd6ZE12dHIwZEJ0OEY4VVFUOUFWdkpibWcxUwp6UTJ4em1KWW5DUTJJMVhOdmNXWDhRaUlUZE91OVRjVkIxazFUYytseUpvZnRpcmZpVVVTQVEvNlE5Z1dOV3RKCnV3UTB0dWRHZHNmeWhtc0JsVXlCQ05KWERpdEcxTFZrV05kRXN3eVFXbFRnWXVPa1pHM1N5OEc2MmZpaWQwMW8KZWptUUdMTEdpUVhwc1ZPK3JDN2NKejAvaFB0L0ZoSDBqTlp6WVFJREFRQUJBb0lCQUgzcHAwdWZid1huQ2MyRwpSR2t4bWNBRHNDaGplbXE5SEpzMVB3Q3d0WkJ4Z0FScDVvdUJyWFAvcnRlbWtQMDdPOVoxdnBHcktBdmlNdkxrCmQ5dlhTMEZocW42Z1A5MFVyQzZod2lGZ3Y4N1VhM1RDai96YUdERE91VEJwOWRLWjRMRFVtZ3J2SS9nTXIvRkQKdldMbTdQcFJWQm9tc1lLempUMzdGYnByMThBZk9ERFoyTVlJekxVVlJENWNkM2VRdzN3Q2hlMnpmelJabEhsMwprRG1FQk9YaWRObnpkL0lmSGxWQk4yN2VQYmtVUjIzd0tSbWY2ejE4aDhqV2FveTJwSVdoVGU0THVBM0h1cWpFCnZYSzVvUUY2aEFTL1ZRc2hYVUZ4OXQ3Z0VFZlB5TnBSTURjeWlRVWF2S01tNUlPYXQreklyRnFTeUhNdURwdjIKcXBDSVFvRUNnWUVBeHdXMERTRUgvc1ltR3k1eUhXRStybkVuaG1teFBTL0lzcDl0NzIyWjZ3VVdoeU42QnowYwo0T3pwalBiQVpiY2x3QTlqY0ZLaS9Pelh4Wnl5WU56WHJVaGJraTBwbHF2VHdJQXpqZW9FR1dFNGpzYWN2V005CnVybCs0MU90U3hMWFVwQTRDWDlCSVdJYkZxamlhZ3pxOGp0OG0zMHI1TzBmT0dXblpTQ1F4SnNDZ1lFQXp5NjQKMkNRWmJ1emg3Z1VlRklBcm5UeVk4U1hWdGJ0Q3Z5aDVUdTNwMU40eFpBOUI1NnpvTFFvMkNpZ2FseWJBRmR1UApLMk0zeDQxcmEyWUJmQTl0QnUxem9qQndIY3hiVWZYWmJvcGZUWkFOT1JEbmY0ZEtrV09LdDJ0K052bFdvcTR3ClYyeFRhaDR3WWdQSFc1eTg3YWwxTkg3bUttNzVOWWVkaVNhZkliTUNnWUJDQUd3enBtNm1XVVF0NDN0SXJ3VkEKaUpvWkExZ1orSXpRWC9ydldpT2ZRekt6WWxxSHFBYTV1UmZDL2RuVVlhYU5TUTBySk55VWtGOEdVKzc4SElFUwpJRnJ0NFRoWGxXaEdBTDRZSkRGejBVQVdhVnQxbTBIUGVORFJ4dUJEYzE0aExWN0lGNEdiOXBNUk1yVFRnckV2CjMvWjFBay9hUGFFSzdQdFVtRFlxWFFLQmdFem01TW1scktNVjNrN0JLNGNraEF2YklGSHlYejhUZ1JUL2F2ZTMKSzZKTnp6dDZ4bFcrUW5mbFlHV291U1g5eGpMV3ltK3FabHYxekRlVEoxM3JRK2JjWUoyRktUaUdVQ2MrQURVZAp1MzVJeC8rMG5Ka2ptTFFhcExTc2U2N2dJaDVFVmNFOWZrRFhiOUlSNFAvS1QvNVBkaWZFS3A3NWpoc21lWDBkCkR0Z3RBb0dBVWI0TDFwZ2VBOXZsTWlzMkh1WUphdFd5Z3A0UDN5ODM3L0ZQMGcxa2pBdm43a2dCM2FWeE01QzUKeEUrWklWbm1WcXJycUtpejVjMVNTbTRSc2p2dUFsK2c4cVJtTG9zNEVKNWxzaThLbTZmUlhiSm5EeUZQSHZsRQpGdHBvRVZUT2FzQ045Ylg0NEtoSzZxcFhxTEhpaEwzU0MyVldibllBYnIxd2FJLzQzSWc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
root@master:~/cks/RBAC# k config set-context jane --user=jane --cluster=kubernetes
Context "jane" created.
root@master:~/cks/RBAC# k config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
jane kubernetes jane
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
root@master:~/cks/RBAC# k config use-context jane
Switched to context "jane".
root@master:~/cks/RBAC# k get ns
Error from server (Forbidden): namespaces is forbidden: User "jane" cannot list resource "namespaces" in API group "" at the cluster scope
root@master:~/cks/RBAC# k auth can-i delete deployments
yes
root@master:~/cks/RBAC# k auth can-i delete pods
no
```
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ghostwritten.gitbook.io/kubernetes-exam-in-action/cks-kao-shi/rbac.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.