RBAC

kubectl apply -f rbac.yaml
Shell
복사

TOKEN=$(curl -X POST https://{keycloak 주소}/realms/k8s-realm/protocol/openid-connect/token -d grant_type=password -d client_id=k8s-client -d username=k8s-user -d password="{비밀번호 입력}" -d scope=openid -d client_secret={위에서 확인한 client_secret 입력} | jq -r '.id_token')
curl  https://{EKS 주소}/api/v1/namespaces/default --header "Authorization: Bearer ${TOKEN}" --insecure

# output
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "default",
    "uid": "022aada1-a597-4ab1-94e5-61facf07bf8e",
    "resourceVersion": "41",
    "creationTimestamp": "2023-12-05T03:03:34Z",
    "labels": {
      "kubernetes.io/metadata.name": "default"
    },
    "managedFields": [
      {
        "manager": "kube-apiserver",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2023-12-05T03:03:34Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:labels": {
              ".": {},
              "f:kubernetes.io/metadata.name": {}
            }
          }
        }
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}
Shell
복사

•

권한이 없는 경우

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "namespaces \"default\" is forbidden: User \"https:///realms/k8s-realm#k8s-user\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "default",
    "kind": "namespaces"
  },
  "code": 403
}
Shell
복사

RBAC 적용 확인

cat << EOF > kubeconfig-test
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ""
    insecure-skip-tls-verify: true
    server: https://{EKS Endpoint 주소}
  name: skills-eks-cluster
contexts:
- context:
    cluster: skills-eks-cluster
    user: test
  name: test-eks
current-context: test-eks
kind: Config
preferences: {}
users:
- name: test
  user:
    token: ${TOKEN}
EOF
Shell
복사

kubectl get ns --kubeconfig=kubeconfig-test
Shell
복사

kubectl get svc --kubeconfig=kubeconfig-test
Shell
복사

추가로 sysop 실습

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sysop-role
rules:
  - apiGroups: [""]
    resources: ["namespaces", "pods"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sysop-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sysop-role
subjects:
- kind: Group
  name: sysop
  apiGroup: rbac.authorization.k8s.io
YAML
복사

kubectl apply -f sysop-rbac.yaml
Shell
복사

TOKEN=$(curl -X POST https://{keycloak 주소}/realms/k8s-realm/protocol/openid-connect/token -d grant_type=password -d client_id=k8s-client -d username=sysop -d password="{비밀번호 입력}" -d scope=openid -d client_secret={위에서 확인한 client_secret 입력} | jq -r '.id_token')
curl  https://{EKS 주소}/api/v1/namespaces/default --header "Authorization: Bearer ${TOKEN}" --insecure

# output
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "default",
    "uid": "9aa477ca-6e1f-4d06-bde1-4d8207819542",
    "resourceVersion": "24",
    "creationTimestamp": "2025-08-11T12:12:56Z",
    "labels": {
      "kubernetes.io/metadata.name": "default"
    },
    "managedFields": [
      {
        "manager": "kube-apiserver",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2025-08-11T12:12:56Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:labels": {
              ".": {},
              "f:kubernetes.io/metadata.name": {}
            }
          }
        }
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}
Shell
복사