Roles and Bindings
Roles define what a user or service account is allowed to do within a namespace. Role bindings associate a role with users or service accounts; a subject has no permissions until a binding grants them.
Here is an example of a role definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-login-role
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
Example Code:
from k9.rbac import (
    set_default_namespace,
    create_service_account,
    create_role,
    create_role_binding,
    read_yaml
)
set_default_namespace('default')
sa_name = "ecr-login-sa"  # example service account name
role_name = "ecr-login-role"
binding_name = "ecr-login-binding"
# create the service account (sa_name must be assigned before this call)
result = create_service_account(sa_name)
sa_name = result.metadata.name
# create the role from the YAML definition above
body = read_yaml('ecr-login-role.yml')
result = create_role(body)
# create the role binding in the default namespace
result = create_role_binding(binding_name, role_name, sa_name)
- k9.rbac.list_roles(namespace: Optional[str] = None)
List all roles in a namespace. :param namespace: The namespace to list roles from. If None, uses the default namespace. :return: A list of dictionary items with name and created.
- k9.rbac.create_role(body: dict, namespace: Optional[str] = None)
Create a namespaced role from an object defining the role. The body must describe a Role, not a ClusterRole: a ClusterRole is a cluster-wide object and does not belong to the namespaced roles endpoint this call uses.
- Parameters
body – The role definition object.
namespace – The namespace to create the role in. If None, uses the default namespace.
- Returns
Example YAML file:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-login-role
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
Example Call:
from k9.helper import (
    set_default_namespace,
    create_role,
    read_yaml
)
set_default_namespace('my-namespace')
body = read_yaml('ecr-login-role.yml')
result = create_role(body)
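The two places above that feed a role body into create_role() and then bind it to a service account are where a review for least privilege pays off. The following is an added example, not code from k9: it takes Role and RoleBinding manifests in the plain dict form that read_yaml() returns, flags rules that let the holder widen its own access, and resolves what a given service account ends up with through the bindings in one namespace. It runs offline; the manifests, the "debug" role and the service-account names "ecr-login" and "debug" are constructed sample input, and the risky-verb and risky-resource lists are this example's own choice.

```python
"""Pre-flight checks for Role/RoleBinding manifests before they reach k9.rbac.

Added example, not part of k9. Works on plain manifest dicts (the shape
read_yaml() returns for the YAML above), so it runs without a cluster.
"""
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Verbs and resources that let a holder widen its own access; this list is an
# assumption of the example, tune it for your cluster.
RISKY_VERBS = {"*", "escalate", "bind", "impersonate"}
RISKY_RESOURCES = {"*", "secrets", "roles", "rolebindings",
                   "pods/exec", "pods/attach", "serviceaccounts/token"}


def role_rules(role: dict) -> List[Triple]:
    """Flatten a Role manifest into (apiGroup, resource, verb) triples."""
    out: List[Triple] = []
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.append((group, resource, verb))
    return out


def lint_role(role: dict) -> List[str]:
    """Return findings for a Role manifest; an empty list means nothing to review."""
    findings: List[str] = []
    kind = role.get("kind")
    if kind != "Role":
        # create_role() targets the namespaced roles endpoint; a ClusterRole
        # body is a different, cluster-wide object.
        findings.append(f"kind is {kind!r}, expected a namespaced Role")
    for group, resource, verb in role_rules(role):
        if verb in RISKY_VERBS or resource in RISKY_RESOURCES:
            findings.append(f"{verb} on {group or 'core'}/{resource}")
    return findings


def effective_permissions(sa: str, namespace: str, roles: List[dict],
                          bindings: List[dict]) -> Tuple[Set[Triple], List[str]]:
    """Resolve what a ServiceAccount can do through RoleBindings in one namespace.

    Returns the granted triples and the names of any ClusterRoles the bindings
    reference. Those grant whatever the ClusterRole says and must be inspected
    separately, so they are reported rather than silently dropped.
    """
    roles_by_name: Dict[str, dict] = {r["metadata"]["name"]: r for r in roles}
    granted: Set[Triple] = set()
    cluster_refs: List[str] = []
    for binding in bindings:
        if binding["metadata"].get("namespace", namespace) != namespace:
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                   and s.get("namespace", namespace) == namespace
                   for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            cluster_refs.append(ref["name"])
            continue
        role = roles_by_name.get(ref["name"])
        if role is None:
            continue  # a binding whose Role does not exist grants nothing
        granted.update(role_rules(role))
    return granted, cluster_refs


# Constructed sample input: the ecr-login-role from this page, an over-broad
# "debug" role, and bindings for two hypothetical service accounts.
ECR_LOGIN_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "ecr-login-role", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "delete"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "patch"]},
    ],
}
DEBUG_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "debug-role", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDINGS = [
    {"metadata": {"name": "ecr-login-binding", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "ecr-login-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "ecr-login", "namespace": "default"}]},
    {"metadata": {"name": "debug-binding", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "debug-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "debug", "namespace": "default"}]},
    {"metadata": {"name": "debug-admin-binding", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "debug", "namespace": "default"}]},
]

if __name__ == "__main__":
    for role in (ECR_LOGIN_ROLE, DEBUG_ROLE):
        print(role["metadata"]["name"], lint_role(role) or "ok")
    for sa in ("ecr-login", "debug"):
        print(sa, effective_permissions(sa, "default", [ECR_LOGIN_ROLE, DEBUG_ROLE], BINDINGS))
```

Run lint_role() on the body before handing it to create_role(); the ecr-login-role is flagged only because it touches secrets, which is exactly the review prompt you want for a role that manages a registry pull secret. A ClusterRole reference in a RoleBinding is still scoped to the binding's namespace, but the rules come from the cluster-wide object, which this namespaced view cannot see, so they are returned as names to look up rather than counted as zero permissions.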
- k9.rbac.delete_role(name: str, namespace: Optional[str] = None)
Deletes the specified role.
- Parameters
name – Name of the role to delete.
namespace – The namespace to delete the role from. If None, uses the default namespace.
- Returns
V1Status from the API if the role existed and was deleted; None if no role by that name exists.
- k9.rbac.get_role(name: str, namespace: Optional[str] = None)
Gets the specified role.
- Parameters
name – Name of the role to retrieve.
namespace – The namespace to get the role from. If None, uses the default namespace.
- Returns
- k9.rbac.role_exists(name: str, namespace: Optional[str] = None)
Checks for the role's existence.
- Parameters
name – Name of the role to look for.
namespace – The namespace to check for the role. If None, uses the default namespace.
- Returns
True if the specified role exists.
- k9.rbac.create_role_binding(name: str, role: str, sa: str, namespace: Optional[str] = None)
Bind the specified role to the specified service account. The binding grants the service account every rule in the role, so bind the narrowest role that covers what it has to do.
- Parameters
name – Name of the binding being created.
role – Name of the role to bind; it must exist in the same namespace as the binding.
sa – Name of the service account to bind the role to.
namespace – The namespace of the role and service account. If None, the binding is created in the default namespace.
- Returns
Example:
result = create_role_binding(binding_name, role_name, sa_name)
- k9.rbac.get_role_binding(name: str, namespace: Optional[str] = None)
Get role binding information.
- Parameters
name – Name of the role binding.
namespace – The namespace to get the role binding from. If None, uses the default namespace.
- Returns
- k9.rbac.role_binding_exists(name: str, namespace: Optional[str] = None)
Checks for the existence of the role binding.
- Parameters
name – Name of the role binding.
namespace – The namespace to check for the role binding. If None, uses the default namespace.
- Returns
True if the binding exists.