clusterrolebinding.rbac.authorization.k8s.io/kube-state-metrics created clusterrole.rbac.authorization.k8s.io/kube-state-metrics created deployment.apps/kube-state-metrics created rolebinding.rbac.authorization authorization.k8s.io/kube-state-metrics created role.rbac.authorization.k8s.io/kube-state-metrics-resizer created serviceaccount/kube-state-metrics created service/kube-state-metrics created configmap/prometheus service/prometheus created service/prometheus-open created clusterrolebinding.rbac.authorization.k8s.io/prometheus created clusterrole.rbac.authorization.k8s.io/prometheus created serviceaccount/prometheus-k8s

githubusercontent.com/kata- containers/packaging/4bb97ef14a4ba8170b9d501b3e567037eb0f9a41/kata- deploy/kata-rbac.yaml kubectl apply -f https://raw.githubusercontent.com/kata- containers/packaging/4bb97ef14a4ba8 created deployment.extensions/prometheus created clusterrolebinding.rbac.authorization.k8s.io/prometheus created clusterrole.rbac.authorization.k8s.io/prometheus created serviceaccount/prometheus-k8s privileges are automatically granted when using the standard Cilium deployment artifacts: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium rules: - apiGroups: - cilium

Kubernetes Scale on-demand Flexible and powerful Secure pipeline execution Kubernetes RBAC and security model ensures security consistently across pipelines and workloads OPENSHIFT PIPELINES conflicts! ● Task library and integration with Tekton Hub ● Secure pipelines aligned with Kubernetes RBAC ● Visual and IDE-based pipeline authoring ● Pipeline templates when importing apps ● Automated

登录限制 ⽤户登录来源 IP 受管理员控制（⽀持⿊ / ⽩名单）；⾃定义控制⽤户登录时间段； 控制（复核）⽤户登录时间段；（X-Pack） ⻆⾊管理（X-Pack） ⽤户⾏为⽀持基于⻆⾊的访问控制（RBAC）； 授权控制 Authorization 多维度授权 ⽀持对⽤户、⽤户组、资产、资产节点以及账号进⾏授权； 资产授权 资产以树状结构进⾏展示；资产和节点均可灵活授权；节点内资产⾃动继承授权；⼦节点⾃动继承⽗节点授权； 组织管理 资产同步 账号备份 单点登录系统对接 账号改密 ⼯单管理 账号收集 ⾃定义 LOGO 与主题 访问控制 RADIUS ⼆次认证 短信认证 资产登录与命令复核 ⻆⾊管理 RBAC 1 2 企业为什么需要堡垒机？ JumpServer 堡垒机的优势 JumpServer 堡垒机企业版 JumpServer 案例研究（江苏农信、东⽅明珠、⼩红书） 4 JumpServer

${CLUSTER_NAME} --query "nodeResourceGroup" -- output tsv) AZURE_SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --scopes /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_NODE_RES OURCE_GROUP} --role gated by Kubernetes Role-based access control (RBAC) framework. See the official RBAC documentation [https://kubernetes.io/docs/reference/access- authn-authz/rbac/]. When policies are applied, matched pod pod traffic is redirected. If desired, RBAC configurations can be used such that application developers can not escape the redirection. Note This is a beta feature. Please provide feedback and file a GitHub

${CLUSTER_NAME} --query "nodeResourceGroup" -- output tsv) AZURE_SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --scopes /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_NODE_RES OURCE_GROUP} --role gated by Kubernetes Role-based access control (RBAC) framework. See the official RBAC documentation [https://kubernetes.io/docs/reference/access- authn-authz/rbac/]. When policies are applied, matched pod pod traffic is redirected. If desired, RBAC configurations can be used such that application developers can not escape the redirection. Note This is a beta feature. Please provide feedback and file a GitHub

${CLUSTER_NAME} --query "nodeResourceGroup" -- output tsv) AZURE_SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --scopes /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_NODE_RES OURCE_GROUP} --role gated by Kubernetes Role-based access control (RBAC) framework. See the official RBAC documentation [https://kubernetes.io/docs/reference/access- authn-authz/rbac/]. When policies are applied, matched pod pod traffic is redirected. If desired, RBAC configurations can be used such that application developers can not escape the redirection. Note This is a beta feature. Please provide feedback and file a GitHub

created deployment.extensions/prometheus created clusterrolebinding.rbac.authorization.k8s.io/prometheus created clusterrole.rbac.authorization.k8s.io/prometheus created serviceaccount/prometheus-k8s privileges are automatically granted when using the standard Cilium deployment artifacts: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium rules: - apiGroups: - cilium identity and permissions used by cilium-agent to access the Kubernetes API server when Kubernetes RBAC is enabled. A Secret resource: describes the credentials use access the etcd kvstore, if required

it is recommended to create a dedicated service principal for cilium-operator: az ad sp create-for-rbac --name cilium-operator > azure-sp.json The contents of azure-sp.json should look like this: { configmap/grafana-hubble-dashboard created configmap/prometheus created clusterrole.rbac.authorization.k8s.io/prometheus unchanged clusterrolebinding.rbac.authorization.k8s.io/prometheus unchanged service/grafana created privileges are automatically granted when using the standard Cilium deployment artifacts: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium rules: - apiGroups: - cilium

● Upgrades have been pretty smooth ○ moved from Cilium 1.4 initially to 1.8 today ○ retain old RBAC rules across certain cluster upgrades to avoid disruptions ● (Health checking) tooling really helpful