Table of Contents
- 1. Kubernetes Security Framework
- 1.1. Authentication
- 1.2. Authorization
- 1.3. Admission Control
- 2. Role-Based Access Control: RBAC
- 2.1. Roles
- 2.2. Role Bindings
- 2.3. Subjects
- 3. Granting the devops User Access to the default Namespace
- 3.1. Issuing a Client Certificate with the K8s CA
- 3.1.1. [Installing cfssl with a shell script](https://blog.csdn.net/anqixiang/article/details/109955024)
- 3.1.2. Client certificate generation script create_cert.sh
- 3.2. Generating the kubeconfig Authorization File
- 3.3. Creating the RBAC Policy
1. Kubernetes Security Framework
The K8s security control framework enforces control in three stages:
- Authentication: confirm the identity of the caller
- Authorization: grant permissions according to that identity
- Admission Control: comparable to an electronic security scan at the gate, and flexibly configurable

A client that wants to access the K8s cluster's API Server generally needs a certificate, a Token, or a username and password; a Pod accessing the API Server needs a ServiceAccount.
1.1. Authentication
Three kinds of client identity authentication:
- HTTPS certificate authentication: a digital certificate signed by the cluster CA
- HTTP Token authentication: the user is identified by a Token
- HTTP Basic authentication: username and password (rarely used)
1.2. Authorization
RBAC (Role-Based Access Control) is responsible for the authorization step.
RBAC decides whether to allow or deny a request based on the attributes of the API request.
Common authorization dimensions:
- user: the user name
- group: the user's groups
- resource, e.g. pod, deployment
- operation on the resource (verb): get, list, create, update, patch, watch, delete
- namespace
- API group
1.3. Admission Control
Admission Control is in fact a chain of admission controller plugins: every request sent to the API Server must pass the check of each admission controller plugin in the chain, and a request that fails any check is rejected.
2. Role-Based Access Control: RBAC
RBAC (Role-Based Access Control) allows authorization policies to be configured dynamically through the Kubernetes API.

2.1. Roles
A role is a set of permissions.
- Role: grants access within a specific namespace
- ClusterRole: grants access across all namespaces
2.2. Role Bindings
- RoleBinding: binds a Role to a subject
- ClusterRoleBinding: binds a ClusterRole to a subject
2.3. Subjects
- User: a user
- Group: a user group
- ServiceAccount: a service account
3. Granting the devops User Access to the default Namespace
3.1. Issuing a Client Certificate with the K8s CA
3.1.1. Installing cfssl with a shell script
3.1.2. Client certificate generation script create_cert.sh
```bash
#!/bin/bash
# create_cert.sh: issue a client certificate for a Kubernetes user, signed by the cluster CA.
# Usage: bash create_cert.sh <user>   (the name becomes the certificate CN, i.e. the K8s user name)
set -e
[ "$#" -ne 1 ] && echo "ERROR:Please Usage:bash $(basename "$0") devops(devops表示使用證書的用戶)" && exit 1
USER_NAME=$1
CA_CERT_PATH="/etc/kubernetes/pki"   # kubeadm's default location of ca.crt and ca.key
CERT_PATH="/opt/cert"
[ ! -d "${CA_CERT_PATH}" ] && echo "ERROR:${CA_CERT_PATH}不存在!!!" && exit 1
# cfssl and cfssljson must be on PATH (see 3.1.1)
command -v cfssl >/dev/null && command -v cfssljson >/dev/null || { echo "ERROR: cfssl/cfssljson not found in PATH"; exit 1; }
[ ! -d "${CERT_PATH}" ] && mkdir -p "${CERT_PATH}"
cd "${CERT_PATH}"
# Signing config for the CA: the "kubernetes" profile, valid for 10 years (87600h).
# "server auth" is not needed for a pure client certificate; it is kept as the page has it.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
# CSR: the API Server takes the user name from CN and the user's groups from O.
cat > "${USER_NAME}-csr.json" <<EOF
{
  "CN": "${USER_NAME}",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Produces ${USER_NAME}.pem (certificate), ${USER_NAME}-key.pem (private key) and ${USER_NAME}.csr
cfssl gencert -ca="${CA_CERT_PATH}/ca.crt" -ca-key="${CA_CERT_PATH}/ca.key" -config=ca-config.json -profile=kubernetes "${USER_NAME}-csr.json" | cfssljson -bare "${USER_NAME}"
echo "INFO:證書路徑為${CERT_PATH}"
set +e
```
Run it for the devops user:
```bash
bash create_cert.sh devops
```
3.2. Generating the kubeconfig Authorization File
Script to create the kubeconfig, create_kubeconfig.sh:
```bash
#!/bin/bash
# create_kubeconfig.sh: build a self-contained kubeconfig for a user from the certificate
# issued by create_cert.sh. Usage: bash create_kubeconfig.sh <user>
set -e
[ "$#" -ne 1 ] && echo "ERROR:Please Usage:bash $(basename "$0") devops(devops表示使用kubeconfig的用戶)" && exit 1
USER_NAME=$1
CA_CERT_PATH="/etc/kubernetes/pki"
MASTER_URL="https://192.168.1.10:6443"   # API Server address; adjust for your cluster
CERT_PATH="/opt/cert"
[ ! -d "${CA_CERT_PATH}" ] && echo "ERROR:${CA_CERT_PATH}不存在!!!" && exit 1
if [ ! -f "${CERT_PATH}/${USER_NAME}-key.pem" ] || [ ! -f "${CERT_PATH}/${USER_NAME}.pem" ]; then
  echo "ERROR:${CERT_PATH}下沒有對應的證書和私鑰" && exit 1
fi
# Cluster entry: API Server address plus the CA used to verify its serving certificate
kubectl config set-cluster kubernetes \
  --certificate-authority="${CA_CERT_PATH}/ca.crt" \
  --embed-certs=true \
  --server="${MASTER_URL}" \
  --kubeconfig="${CERT_PATH}/${USER_NAME}.kubeconfig"
# Client credentials: the user's certificate and private key, embedded so the file stands alone
kubectl config set-credentials "${USER_NAME}" \
  --client-key="${CERT_PATH}/${USER_NAME}-key.pem" \
  --client-certificate="${CERT_PATH}/${USER_NAME}.pem" \
  --embed-certs=true \
  --kubeconfig="${CERT_PATH}/${USER_NAME}.kubeconfig"
# Default context
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user="${USER_NAME}" \
  --kubeconfig="${CERT_PATH}/${USER_NAME}.kubeconfig"
# Make that context the current one
kubectl config use-context kubernetes --kubeconfig="${CERT_PATH}/${USER_NAME}.kubeconfig"
echo "INFO:${USER_NAME}用戶的kubeconfig檔案路徑為${CERT_PATH}/${USER_NAME}.kubeconfig"
set +e
```
```bash
bash create_kubeconfig.sh devops
```
Test the generated kubeconfig file:
```bash
kubectl --kubeconfig=/opt/cert/devops.kubeconfig get pod
```

Access is denied: the certificate authenticates the user, but nothing authorizes it yet. Next, create an RBAC policy so that the user can access the relevant resources.
3.3. Creating the RBAC Policy
Allow the devops user to view Pods, Deployments and Services in the default namespace.
rbac.yaml:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: ["", "apps"]   # "" is the core group (pods, services); deployments live in apps
  resources: ["pods", "deployments", "services"]   # resources
  verbs: ["get", "watch", "list"]   # operations allowed on those resources
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: devops   # must match the CN of the issued certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader   # matched to the Role by name
  apiGroup: rbac.authorization.k8s.io
```
```bash
kubectl apply -f rbac.yaml
kubectl --kubeconfig=/opt/cert/devops.kubeconfig get pod
```

Access now succeeds; the permission configuration has taken effect.
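To make the evaluation concrete, here is an added example (not from the original post or from Kubernetes itself) that models how the API server evaluates the rbac.yaml above: the policy is hand-copied into Python structures, the identity comes from the certificate's CN and O fields as described in 3.1.2, and any request outside the Role's namespace, verbs or resources is denied. The `Request` type and `is_allowed` function are this example's own names.

```python
from dataclasses import dataclass

# Constructed copy of rbac.yaml from this page (not loaded from a cluster).
ROLES = {  # (namespace, name) -> rules; a Role exists only inside its namespace
    ("default", "pod-reader"): [
        {"apiGroups": ["", "apps"],
         "resources": ["pods", "deployments", "services"],
         "verbs": ["get", "watch", "list"]},
    ],
}
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": ("Role", "pod-reader"),
     "subjects": [{"kind": "User", "name": "devops"}]},
]

@dataclass
class Request:
    user: str        # from the client certificate CN ("devops")
    groups: tuple    # from the certificate O fields ("k8s")
    verb: str
    resource: str
    api_group: str   # "" for the core API group, "apps" for deployments
    namespace: str

def subject_matches(subject, req):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    return False  # ServiceAccount subjects are out of scope for this example

def rule_matches(rule, req):
    # A rule is a cross product: every verb on every resource in every API group listed.
    def allows(allowed, value):
        return "*" in allowed or value in allowed
    return (allows(rule["apiGroups"], req.api_group)
            and allows(rule["resources"], req.resource)
            and allows(rule["verbs"], req.verb))

def is_allowed(req):
    """RBAC is deny-by-default; the first binding plus rule that matches grants access."""
    for binding in ROLE_BINDINGS:
        if binding["namespace"] != req.namespace:  # RoleBindings are namespaced
            continue
        if not any(subject_matches(s, req) for s in binding["subjects"]):
            continue
        kind, name = binding["roleRef"]
        rules = ROLES.get((binding["namespace"], name), []) if kind == "Role" else []
        if any(rule_matches(r, req) for r in rules):
            return True
    return False
```

Running `is_allowed` over a few requests reproduces what the two `kubectl get pod` calls above showed: only the listed read verbs on the listed resources in default succeed for devops, and everything else (delete, other namespaces, secrets, other users) is refused.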
Reference video: https://ke.qq.com/webcourse/index.html#cid=1709963&term_id=103042490&taid=10056433997059979&type=1024&vid=5285890809797835124
Original source (please cite when reposting): https://www.uj5u.com/qita/227174.html