新增learn-kubernetes（https://github.com/yyong-brs/learn-kubernetes）相关文件

learn/learn-kubernetes-master/kiamol/ch17/lab/README.md

@@ -0,0 +1,51 @@
+# ch17 lab
+
+## Setup
+
+Deploy the Kube Explorer app in the lab configuration:
+
+```
+kubectl apply -f lab/kube-explorer/
+```
+
+Note that [02-service-account.yaml](./kube-explorer/02-service-account.yaml) sets `automountServiceAccountToken` to `false` so Pods don't automatically see the token; [04-deployment.yaml](./kube-explorer/04-deployment.yaml) explicitly mounts the token in the Pod spec.
+
+> Browse to the app and check you can access Pods - e.g. http://localhost:8022
+
+> But not Pods in the lab namespace - http://localhost:8022?ns=kiamol-ch17-lab
+
+## Sample Solution
+
+To access Pods in the lab namespace [rbac-pods.yaml](./solution/rbac-pods.yaml) applies the `default-pod-reader-lab` ClusterRole to the lab namespace:
+
+```
+kubectl apply -f lab/solution/rbac-pods.yaml
+```
+
+> Now you can work with Pods in the lab namespace - http://localhost:8022?ns=kiamol-ch17-lab
+
+![Kube Explorer browsing Pods in the lab namespace](./solution/pods.png)
+
+> But not Service Accounts - http://localhost:8022/ServiceAccounts
+
+To access Service Accounts [rbac-serviceaccounts.yaml](./solution/rbac-serviceaccounts.yaml) creates:
+
+- a ClusterRole with get and list access to ServiceAccounts
+- a RoleBinding applying the ClusterRole to the default namespace
+- a RoleBinding applying the ClusterRole to the lab namespace
+
+```
+kubectl apply -f lab/solution/rbac-serviceaccounts.yaml
+```
+
+> Now you can access Pods in the default and lab namespaces - http://localhost:8022/ServiceAccounts?ns=kiamol-ch17-lab
+
+![Kube Explorer browsing Service Accounts in the lab namespace](./solution/service-accounts.png)
+
+## Teardown
+
+Delete all the resources:
+
+```
+kubectl delete ns,rolebinding,role,clusterrole -l kiamol=ch17-lab
+```

learn/learn-kubernetes-master/kiamol/ch17/lab/kube-explorer/01-namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiamol-ch17-lab
+  labels:
+    kiamol: ch17-lab

learn/learn-kubernetes-master/kiamol/ch17/lab/kube-explorer/02-service-account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-explorer-lab
+  namespace: kiamol-ch17-lab
+automountServiceAccountToken: false

learn/learn-kubernetes-master/kiamol/ch17/lab/kube-explorer/03-rbac.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: default-pod-reader-lab  
+  labels:
+    kiamol: ch17-lab
+rules:
+- apiGroups: [""] #core
+  resources: ["pods"]
+  verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-explorer-lab-pods-default
+  namespace: default 
+  labels:
+    kiamol: ch17-lab
+subjects:
+- kind: ServiceAccount
+  name: kube-explorer-lab
+  namespace: kiamol-ch17-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: default-pod-reader-lab

learn/learn-kubernetes-master/kiamol/ch17/lab/kube-explorer/04-deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-explorer
+  namespace: kiamol-ch17-lab
+spec:
+  selector:
+    matchLabels:
+      app: kube-explorer
+  template:
+    metadata:
+      labels:
+        app: kube-explorer
+    spec:
+      serviceAccountName: kube-explorer-lab
+      automountServiceAccountToken: true
+      containers:
+        - image: kiamol/ch17-kube-explorer
+          name: web
+          ports:
+            - containerPort: 80
+              name: http
+          env:
+          - name: ASPNETCORE_ENVIRONMENT
+            value: Development

learn/learn-kubernetes-master/kiamol/ch17/lab/kube-explorer/05-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-explorer
+  namespace: kiamol-ch17-lab
+spec:
+  ports:
+    - port: 8022
+      targetPort: http
+  selector:
+    app: kube-explorer
+  type: LoadBalancer

learn/learn-kubernetes-master/kiamol/ch17/lab/solution/rbac-pods.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-explorer-lab-pods-ns
+  namespace: kiamol-ch17-lab 
+  labels:
+    kiamol: ch17-lab
+subjects:
+- kind: ServiceAccount
+  name: kube-explorer-lab
+  namespace: kiamol-ch17-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: default-pod-reader-lab

learn/learn-kubernetes-master/kiamol/ch17/lab/solution/rbac-serviceaccounts.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: default-sa-reader-lab  
+  labels:
+    kiamol: ch17-lab
+rules:
+- apiGroups: [""] #core
+  resources: ["serviceaccounts"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-explorer-lab-sa-default
+  namespace: default 
+  labels:
+    kiamol: ch17-lab
+subjects:
+- kind: ServiceAccount
+  name: kube-explorer-lab
+  namespace: kiamol-ch17-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: default-sa-reader-lab
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-explorer-lab-sa-ns
+  namespace: kiamol-ch17-lab 
+  labels:
+    kiamol: ch17-lab
+subjects:
+- kind: ServiceAccount
+  name: kube-explorer-lab
+  namespace: kiamol-ch17-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: default-sa-reader-lab