Cluster Roles and Bindings
Cluster Roles are roles that are defined across the entire cluster, regardless of namespace. Otherwise they are set up and function the same way as namespaced roles.
Cluster Role Bindings associate cluster roles with users and/or service accounts.
Here is an example of a cluster role defined in a YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ecr-login-role
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
Here is example code for creating a cluster role:
from k9.rbac import (
    read_yaml,
    create_cluster_role
)
body = read_yaml('ecr-login-role.yml')
create_cluster_role(body)
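Because a ClusterRole has no namespace boundary, every rule in it is granted cluster-wide, so it is worth reviewing the body for over-broad grants before calling create_cluster_role. The checker below is an added example, not part of k9; it operates on the same dict shape that create_cluster_role accepts (apiVersion/kind/metadata/rules), uses the role from this page as one of its inputs, and adds two constructed comparison roles. The sensitive-resource list and the finding codes are this example's own choices, not anything k9 defines.

```python
# Added example (not part of k9): review a ClusterRole body for over-broad
# grants before handing it to k9.rbac.create_cluster_role. It works on the
# same dict shape create_cluster_role accepts (apiVersion/kind/metadata/rules).

# Resources whose write access lets a subject read or mint credentials,
# change who-can-do-what, or run code as another identity. Constructed
# for this example; extend it with your cluster's own sensitive CRDs.
SENSITIVE_RESOURCES = {
    "secrets", "serviceaccounts", "serviceaccounts/token",
    "roles", "rolebindings", "clusterroles", "clusterrolebindings",
    "pods/exec", "pods/attach", "nodes/proxy",
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# The role from this page, as the dict create_cluster_role takes.
ECR_LOGIN_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "ecr-login-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "delete"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "patch"]},
    ],
}

# Constructed comparison roles: a narrow read-only role and a wildcard one.
POD_READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def audit_cluster_role(body: dict) -> list:
    """Return findings as (rule_index, code, detail) tuples.

    rule_index is -1 for findings about the object as a whole; an empty
    list means nothing in the role was flagged. Cluster-wide scope is what
    makes these findings matter: a ClusterRole has no namespace boundary.
    """
    findings = []
    if body.get("kind") != "ClusterRole":
        findings.append((-1, "wrong-kind", f"kind={body.get('kind')!r}"))
    for i, rule in enumerate(body.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append((i, "wildcard-resource",
                             f"apiGroups={sorted(groups)} resources={sorted(resources)}"))
        if "*" in verbs:
            findings.append((i, "wildcard-verb", f"resources={sorted(resources)}"))
        for verb in sorted(verbs & ESCALATION_VERBS):
            findings.append((i, "escalation-verb", verb))
        # Reading secrets is as sensitive as writing them: flag get/list/watch.
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            findings.append((i, "secret-read", f"verbs={sorted(verbs)}"))
        writes = verbs & (WRITE_VERBS | {"*"})
        for resource in sorted(resources & SENSITIVE_RESOURCES):
            if writes:
                findings.append((i, "sensitive-write",
                                 f"{resource}: verbs={sorted(writes)}"))
    return findings


def review(body: dict) -> bool:
    """Print findings for one role; return True when the role is clean."""
    name = body.get("metadata", {}).get("name", "<unnamed>")
    findings = audit_cluster_role(body)
    status = "clean" if not findings else f"{len(findings)} finding(s)"
    print(f"{name}: {status}")
    for idx, code, detail in findings:
        print(f"  rules[{idx}] {code}: {detail}")
    return not findings


if __name__ == "__main__":
    for role in (ECR_LOGIN_ROLE, POD_READER_ROLE, WILDCARD_ROLE):
        review(role)
```

Run as a script it prints one status line per role. The page's ecr-login-role is reported with two sensitive-write findings, because create/delete on secrets and patch on serviceaccounts apply in every namespace; if the workload that needs them lives in a single namespace, a namespaced Role with the same rules is the tighter choice.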
- k9.rbac.list_cluster_roles()
List all cluster roles.
- Returns
A list of dictionary items with name and created.
- k9.rbac.create_cluster_role(body: dict)
Create a cluster role from an object defining the role.
Example:
role_name = 'ecr-login-role'
role = {
    'apiVersion': 'rbac.authorization.k8s.io/v1',
    'kind': 'ClusterRole',
    'metadata': {'name': f'{role_name}'},
    'rules': [
        {
            'apiGroups': [''],
            'resources': ['secrets'],
            'verbs': ['create', 'delete']
        },
        {
            'apiGroups': [''],
            'resources': ['serviceaccounts'],
            'verbs': ['get', 'patch']
        }
    ]
}
result = create_cluster_role(role)
Result:
{'aggregation_rule': None,
 'api_version': 'rbac.authorization.k8s.io/v1',
 'kind': 'ClusterRole',
 'metadata': {'annotations': None,
              'cluster_name': None,
              'creation_timestamp': datetime.datetime(2019, 10, 16, 17, 33, 28, tzinfo=tzutc()),
              'deletion_grace_period_seconds': None,
              'deletion_timestamp': None,
              'finalizers': None,
              'generate_name': None,
              'generation': None,
              'initializers': None,
              'labels': None,
              'managed_fields': None,
              'name': 'ecr-login-role',
              'namespace': None,
              'owner_references': None,
              'resource_version': '1901293',
              'self_link': '/apis/rbac.authorization.k8s.io/v1/clusterroles/ecr-login-role',
              'uid': '10ccdf2b-f03b-11e9-9956-025000000001'},
 'rules': [{'api_groups': [''],
            'non_resource_ur_ls': None,
            'resource_names': None,
            'resources': ['secrets'],
            'verbs': ['create', 'delete']}]}
- Parameters
body – The role definition object.
- Returns
- k9.rbac.delete_cluster_role(name: str)
Deletes the specified cluster role.
- Parameters
name – Name of the cluster role to delete.
- Returns
None if cluster role doesn’t exist, otherwise returns V1Status
- k9.rbac.get_cluster_role(name: str)
Gets the specified cluster role.
- Parameters
name – Name of cluster role to retrieve.
- Returns
- k9.rbac.cluster_role_exists(name: str)
Checks for the cluster role’s existence.
- Parameters
name – Name of cluster role to look for.
- Returns
True if specified cluster role exists.
- k9.rbac.create_cluster_role_binding(name: str, role: str, sa: str, namespace: Optional[str] = None)
Bind the specified cluster role to the specified service account.
- Parameters
name – Name of the binding being created.
role – The cluster role name to bind with.
sa – The service account to bind this role to.
namespace – The namespace of the service account. If namespace is None, the binding is made to the service account of that name in the default namespace.
- Returns
Example:
result = create_cluster_role_binding(cr_bind_name, cr_name, sa_name)
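A service account subject is identified by namespace and name together, so the namespace default above decides which account actually receives the role. The example below is added here and is not k9's own code: cluster_role_binding() takes the same parameters as create_cluster_role_binding and builds the standard Kubernetes ClusterRoleBinding manifest (what k9 sends to the API server is not shown on this page, so treat that shape as an assumption), and effective_rules() resolves which rules a given service account ends up with, using the role from this page and constructed bindings.

```python
# Added example (not part of k9): build the ClusterRoleBinding that
# create_cluster_role_binding's parameters describe, then resolve which rules
# a service account actually receives. The manifest shape is standard
# Kubernetes RBAC; how k9 builds it internally is an assumption here.


def cluster_role_binding(name: str, role: str, sa: str, namespace=None) -> dict:
    """Same parameters as k9.rbac.create_cluster_role_binding.

    A ServiceAccount subject is identified by namespace AND name, so the
    page's rule (namespace None means the 'default' namespace) is applied here.
    """
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"kind": "ServiceAccount", "name": sa,
                      "namespace": namespace or "default"}],
    }


def effective_rules(sa: str, namespace: str, bindings: list, roles: dict) -> list:
    """Rules granted cluster-wide to the service account namespace/sa.

    roles maps ClusterRole name -> body. A binding whose roleRef names a
    ClusterRole that does not exist grants nothing, so creating the binding
    before the role (or misspelling the role) silently yields no access.
    """
    granted = []
    for binding in bindings:
        subjects = binding.get("subjects", [])
        hit = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                  and s.get("namespace") == namespace for s in subjects)
        if hit:
            role = roles.get(binding["roleRef"]["name"])
            if role is not None:
                granted.extend(role.get("rules", []))
    return granted


def allows(rules: list, api_group: str, resource: str, verb: str) -> bool:
    """Does any rule permit verb on resource in api_group (wildcards honoured)?"""
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (api_group in groups or "*" in groups) \
                and (resource in resources or "*" in resources) \
                and (verb in verbs or "*" in verbs):
            return True
    return False


# The ClusterRole from this page, keyed by name as effective_rules expects.
ROLES = {
    "ecr-login-role": {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "ecr-login-role"},
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "delete"]},
            {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "patch"]},
        ],
    }
}

# Constructed bindings: one with namespace omitted (page semantics: 'default'),
# one whose roleRef points at a ClusterRole that was never created.
BINDINGS = [
    cluster_role_binding("ecr-login-binding", "ecr-login-role", "ecr-login"),
    cluster_role_binding("dangling", "no-such-role", "ci-runner", "build"),
]


def sa_can(sa: str, namespace: str, api_group: str, resource: str, verb: str) -> bool:
    """Answer 'can namespace/sa do verb on resource?' against BINDINGS and ROLES."""
    return allows(effective_rules(sa, namespace, BINDINGS, ROLES), api_group, resource, verb)


if __name__ == "__main__":
    print("default/ecr-login create secrets:", sa_can("ecr-login", "default", "", "secrets", "create"))
    print("prod/ecr-login create secrets:   ", sa_can("ecr-login", "prod", "", "secrets", "create"))
    print("build/ci-runner get pods:        ", sa_can("ci-runner", "build", "", "pods", "get"))
```

The second query is the case to watch for when omitting namespace: a service account named ecr-login that lives in prod receives nothing from a binding that defaulted to default/ecr-login, and the grant instead lands on whatever account of that name exists in the default namespace.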
- k9.rbac.delete_cluster_role_binding(name: str)
Deletes the specified cluster role binding.
- Parameters
name – Name of the cluster role binding to delete.
- Returns
None if cluster role binding doesn’t exist, otherwise returns V1Status