訪問控制概述
API Server作為Kubernetes集群系統的網關,是訪問和管理資源物件的唯一入口;包括kube-controller-manager、kube-scheduler、kubelet和kube-proxy等集群基礎組件、CoreDNS等附加組件和kubectl命令等都需要經過網關才能進行正常的訪問和管理,每一次的訪問請求都需要進行合法性檢驗,包括用戶身份驗證、操作權限驗證及操作規范驗證等,需要通過一系列驗證通過之后才能訪問或存盤資料到etcd中,如下圖所示
通過上圖可以看出訪問
kubernetes集群的資源需要三關:認證、授權、準入控制;API Server處理請求的程序中,認證插件負責鑒定用戶身份,授權插件用于操作權限許可鑒別,而準入插件則用于在資源物件的創建、洗掉、更新或連接(proxy)操作時實作更精細的許可檢查,普通用戶若要安全訪問集群
API Server,往往需要證書、Token或者用戶名+密碼,
ServiceAccount
Servic Account(服務賬號):是指由
Kubernetes API管理的賬號,用于為Pod之中的服務行程在訪問Kubernetes API時提供身份標識,Service Account通常系結于特定的名稱空間,由API Server創建,或者通過API呼叫手動創建,User Account(用戶賬號):獨立于
Kubernetes之外的其他服務管理用戶賬號,例如由管理員分發秘鑰、Keystone一類的用戶存盤(賬號庫)、甚至是保函有用戶名和密碼串列的檔案等,
User Account是為人設計的,而Service Account則是為Pod中的行程呼叫Kubernetes API而設計;
User Account是跨namespace的,而Service Account則是僅局限它所在的namespace;每個
namespace都會自動創建一個default service account
在創建Pod資源時,如果沒有指定一個service account,系統會自動在與該Pod相同的namespace下為其指派一個default service account,而pod和apiserver之間進行通信的賬號,稱為serviceAccountName,如下:
[root@k8s-master ~]# kubectl get pods NAME READY STATUS RESTARTS AGE nginx-statefulset-0 1/1 Running 0 43h nginx-statefulset-1 1/1 Running 0 43h nginx-statefulset-2 1/1 Running 0 43h nginx-statefulset-3 1/1 Running 0 43h [root@k8s-master ~]# kubectl get pods/nginx-statefulset-0 -o yaml |grep "serviceAccountName" serviceAccountName: default [root@k8s-master ~]# kubectl describe pods/nginx-statefulset-0 Name: nginx-statefulset-0 Namespace: default ...... Volumes: default-token-blm9l: Type: Secret (a volume populated by a Secret) SecretName: default-token-blm9l Optional: false 通過上面可以看出每個Pod無論定義與否都會有一個存盤卷,這個存盤卷為default-token-* token令牌,這就是Pod和serviceaccount認證資訊,通過secret進行定義,由于認證資訊屬于敏感資訊,所以需要保存在secret資源當中,并以存盤卷的方式掛載到Pod當中,從而讓Pod內運行的應用通過對應的secret中的資訊來連接apiserver,并完成認證,每個namespace中都有一個默認的叫做default的service account資源,進行查看名稱空間內的secret,也可以看到對應的default-token,讓當前名稱空間中所有的pod在連接apiserver時可以使用的預制認證資訊,從而保證pod之間的通信,
Service Account創建
[root@k8s-master ~]# kubectl get sa #查看serviceaccount資源 NAME SECRETS AGE default 1 7d19h [root@k8s-master ~]# kubectl create serviceaccount admin #創建一個名為admin的serviceaccount資源 serviceaccount/admin created [root@k8s-master ~]# kubectl get sa #查看serviceaccount資源 NAME SECRETS AGE admin 1 7s default 1 7d19h [root@k8s-master ~]# kubectl describe sa/admin #查看serviceaccount資源admin的詳細資訊,可以看出已經自動生成了一個Tokens:admin-token-lc826 Name: admin Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: admin-token-lc826 Tokens: admin-token-lc826 Events: <none> [root@k8s-master ~]# kubectl get secret #查看secret,可以查看也生成了一個admin-token-lc826的secret資源 NAME TYPE DATA AGE admin-token-lc826 kubernetes.io/service-account-token 3 50s ......
Pod中參考service account
每個
Pod物件均可附加其所屬名稱空間中的一個Service Account資源,且只能附加一個,不過,一個Service Account資源可由所屬名稱空間中的多個Pod物件共享使用,創建Pod時,通過“spec.serviceAccountName”進行定義,示例如下:
[root@k8s-master manfests]# vim pod-sa-demo.yaml #編輯資源清單檔案 apiVersion: v1 kind: Pod metadata: name: pod-sa-demo namespace: default labels: app: myapp tier: frontend spec: containers: - name: myapp image: ikubernetes/myapp:v1 ports: - name: http containerPort: 80 serviceAccountName: admin #指定serviceAccount資源名稱 [root@k8s-master manfests]# kubectl apply -f pod-sa-demo.yaml pod/pod-sa-demo created [root@k8s-master manfests]# kubectl get pods -l app=myapp NAME READY STATUS RESTARTS AGE pod-sa-demo 1/1 Running 0 9s [root@k8s-master manfests]# [root@k8s-master manfests]# kubectl describe pods/pod-sa-demo Name: pod-sa-demo Namespace: default ...... Volumes: admin-token-lc826: Type: Secret (a volume populated by a Secret) SecretName: admin-token-lc826 #這里可以看出掛載token就是上面創建的sa所生成的那個, Optional: false ......
客戶端組態檔kubeconfig
包括
kubectl、kubelet和kube-controller-manager等在內的API Server的各類客戶端都可以使用kubeconfig組態檔提供接入多個集群的相關配置資訊,包括API Server的URL及認證資訊等,而且能夠設定成不同的背景關系環境,并在各環境之間快速切換,
在
kubernetes集群中,每一個用戶對資源的訪問都需要通過apiserver進行通信認證才能進行訪問的,那么在此機制當中,對資源的訪問可以是token,也可以是通過組態檔的方式進行保存和使用認證資訊,可以通過kubectl config進行查看和配置,如下:
[root@k8s-master]# kubectl config view apiVersion: v1 clusters: #集群串列 - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.1.31:6443 name: kubernetes contexts: #背景關系串列 - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: #用戶串列 - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED
-
cluster:集群串列,包含訪問
API Server的URL和所屬集群的名稱等, -
users:用戶串列,包含訪問
API Server時的用戶名和認證資訊, -
contexts:
kubelet的可用背景關系串列,由用戶串列中的某特定用戶名稱和集群串列中的某特定集群名稱組合而成,
通過
kubeadm部署的kubernetes集群默認提供了擁有集群管理權限的kubeconfig組態檔/etc/kubernetes/admin.conf,它可被復制到任何有著kubectl的主機上以用于管理整個集群,還可以創建基于SSL/TLS認證的自定義賬號,以授予非管理員級別的集群資源使用權限,配置程序由兩部分組成,一是為用戶創建專用私鑰及證書檔案,而是將其配置與kubeconfig檔案中,
自建證書和賬號進行訪問apiserver示例
1)為目標用戶賬號kube-user1創建私鑰及證書檔案,保存于/etc/kubernetes/pki目錄中
(1)生成私鑰,權限設定為600 [root@k8s-master ~]# cd /etc/kubernetes/pki/ [root@k8s-master pki]# (umask 077; openssl genrsa -out kube-user1.key 2048) Generating RSA private key, 2048 bit long modulus ...................................................................................................................+++ .+++ e is 65537 (0x10001) [root@k8s-master pki]# ll kube-user1.key -rw------- 1 root root 1679 10月 16 15:01 kube-user1.key (2)創建證書簽署請求,-subj選項中的CN的值將被kubeconfig作為用戶名使用,O的值將被識別為用戶組 [root@k8s-master pki]# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubernetes" (3)基于kubeadm安裝Kubernetes集群時生成的CA簽署證書,這里設定其有效時長為3650天 [root@k8s-master pki]# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650 Signature ok subject=/CN=kube-user1/O=kubernetes Getting CA Private Key (4)驗證證書資訊 [root@k8s-master pki]# openssl x509 -in kube-user1.crt -text -noout
2)使用默認的管理員kubernetes-admin@kubernetes為新建的kube-user1設定kube-config組態檔,配置結果默認保存于當前系統用戶的.kube/config檔案中,
(1)添加用戶到認證 [root@k8s-master pki]# kubectl config set-credentials kube-user1 --embed-certs=true --client-certificate=/etc/kubernetes/pki/kube-user1.crt --client-key=/etc/kubernetes/pki/kube-user1.key User "kube-user1" set. (2)配置context,用來組合cluster和credentials,即訪問的集群的背景關系 [root@k8s-master pki]# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1 Context "kube-user1@kubernetes" created. (3)查看組態檔資訊 [root@k8s-master pki]# kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.1.31:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kube-user1 name: kube-user1@kubernetes - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kube-user1 user: client-certificate-data: REDACTED client-key-data: REDACTED - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED (4)指定要使用的背景關系,切換為kube-user1訪問集群 [root@k8s-master pki]# kubectl config use-context kube-user1@kubernetes Switched to context "kube-user1@kubernetes". (5)測驗訪問kubernetes的資源 [root@k8s-master pki]# kubectl get pods Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default" 從上面的測驗,當切換為kube-user1用戶進行訪問集群時,由于kube-user1用戶沒有管理集群的權限,所以在獲取pods資源資訊時,會提示Forbidden,
RBAC-基于角色的訪問控制
介紹RBAC
RBAC(Role-Based Access Control,基于角色的訪問控制)是一種新型、靈活且使用廣泛的訪問控制機制,它將權限授予“角色”(role)之上,這一點有別于傳統訪問機制中將權限直接賦予使用者的方式,在
RBAC中,用戶(User)就是一個可以獨立訪問計算機系統中的資料或者用資料表示的其他資源的主體(Subject),角色是指一個組織或任務中的作業或者位置,它代表一種權利、資格和責任,許可(Permission)就是允許對一個或多個客體(Object)執行的操作,一個用戶可以經授權而擁有多個角色,一個角色可由多個用戶構成;每個角色可擁有多種許可,每個許可也可授權給多個不同的角色,每個操作可施加于多個客體(受控物件),每個客體也可以接受多個操作,
RBAC簡單來說就是讓一個用戶(Users)扮演一個角色(Role),角色擁有權限,讓用戶系結該角色;隨后在授權機制中,只需要將權限授權給某個角色,此時用戶將獲取對應角色的權限,從而實作角色的訪問控制,
RBAC授權規則
RBAC授權規則是通過四種資源來進行配置的,他們可以分為兩個組:
Role(角色)和ClusterRole(集群角色),它們指定了在資源上可以執行哪些動作,
RoleBinding(角色系結)和ClusterRoleBinding(集群角色系結),它們將上述角色系結到特定的用戶、組或ServiceAccounts上,角色定義了可以做什么操作,而系結定義了誰可以做這些操作,如下圖所示:
系結關系:
角色和集群角色,或者角色系結和集群角色系結之間的區別在于角色和角色系結是名稱空間級別,而集群角色和集群角色系結是集群級別的資源,
RoleBind--Role:在
kubernetes授權機制中,采用RBAC的方式進行授權,把物件的操作權限定義到一個角色當中,而將用戶系結到該角色,從而使得用戶得到對應角色的權限,比如下圖,當用戶(User1)系結到Role角色當中,User1就獲取了對應的NamespaceA的操作權限,但是對于NamespaceB是沒有權限進行操作的,如get,list等操作,ClusterRoleBind--ClusterRole:集群級別的授權,定義一個集群角色(
ClusterRole),對集群內的所有資源都有可操作的權限,如下圖(只看藍色的線連接),當用戶(User1)通過ClusterRolebinding到ClusterRole,從而User1遍擁有了集群的操作權限,RoleBind-ClusterRole:這種方式進行系結時,用戶僅能獲取當前名稱空間的所有權限,為什么這么繞呢?? 舉例有
10個名稱空間,每個名稱空間都需要一個管理員,而每個管理員的權限是一致的,那么此時需要去定義這樣的管理員,使用RoleBinding就需要創建10個Role,這樣顯得更加繁重,為了當使用RoleBinding去系結一個ClusterRole時,該User僅僅擁有對當前名稱空間的集群操作權限,也就是此時只需要創建一個ClusterRole就解決了以上的需求,比如下圖中的User2和User3用戶雖然系結了ClusterRole,但是他們也只有自己的名稱空間NamespaceB中權限,
Kubernetes RBAC示例
這里由于要切換用戶,使用root用戶同時不停的在kubernetes-admin用戶和上面創建的kube-user1用戶之間進行測驗,故這里創建一個測驗用戶打開另外一個終端進行測驗,
[root@k8s-master ~]# useradd ik8s [root@k8s-master ~]# cp -rp .kube/ /home/ik8s/ [root@k8s-master ~]# chown -R ik8s.ik8s /home/ik8s/ [root@k8s-master ~]# su - ik8s [ik8s@k8s-master ~]$ kubectl config use-context kube-user1@kubernetes Switched to context "kube-user1@kubernetes". [ik8s@k8s-master ~]$ kubectl config view ...... current-context: kube-user1@kubernetes #這里可以看到當前已經切換到kube-user1用戶了 ...... [ik8s@k8s-master ~]$ kubectl get pods #測驗kube-user1用戶的權限,可以看出目前它沒有任何權限 Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
User --> Rolebinding --> Role
1)角色(Role)創建,(說明:一個Role物件只能用于授予對某一單一名稱空間中資源的訪問權限)
[root@k8s-master ~]# kubectl create role -h #查看role創建幫助 ...... Usage: kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run] [options] --verb #指定權限 --resource #指定資源或者資源組 --dry-run #干跑模式并不會創建 [root@k8s-master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml #干跑模式查看role的定義格式 apiVersion: rbac.authorization.k8s.io/v1 kind: Role #資源型別 metadata: creationTimestamp: null name: pods-reader #資源名稱 rules: - apiGroups: #定義對哪些api組內的資源可以進行操作 - "" resources: #定義對哪些資源可以進行操作 - pods verbs: #定義操作的權限 - get - list - watch [root@k8s-master ~]# cd manfests/ [root@k8s-master manfests]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml [root@k8s-master manfests]# vim role-demo.yaml #撰寫資源清單檔案 apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pods-reader namespace: default rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch [root@k8s-master manfests]# kubectl apply -f role-demo.yaml role.rbac.authorization.k8s.io/pods-reader created [root@k8s-master manfests]# kubectl get role NAME AGE pods-reader 4s [root@k8s-master manfests]# kubectl describe role/pods-reader Name: pods-reader Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules... PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch] #這里表示當前定義了pods-reader這個角色對pods資源擁有get、list、watch的權限,
2)角色的系結,(RoleBinding可以參考在同一名稱空間定義的Role物件)
[root@k8s-master manfests]# kubectl create rolebinding -h #查看rolebinding創建幫助 ...... Usage: kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options] --role #指定role的名字 --user #指定哪個用戶 [root@k8s-master manfests]# kubectl create rolebinding kube-user1-read-pods --role=pods-reader --user=kube-user1 --dry-run -o yaml #干跑模式查看rolebinding的定義格式 apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding #資源型別 metadata: creationTimestamp: null name: kube-user1-read-pods #資源名稱 roleRef: #指定role apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: #指定user - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl create rolebinding kube-user1-read-pods --role=pods-reader --user=kube-user1 --dry-run -o yaml > rolebinding-demo.yaml [root@k8s-master manfests]# vim rolebinding-demo.yaml #編輯資源清單檔案 apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kube-user1-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl apply -f rolebinding-demo.yaml rolebinding.rbac.authorization.k8s.io/kube-user1-read-pods created [root@k8s-master manfests]# kubectl get rolebinding NAME AGE kube-user1-read-pods 9s [root@k8s-master manfests]# kubectl describe rolebinding kube-user1-read-pods #查看角色系結的資訊,這里可以看到user kube-user1系結到了pods-reader這個角色上, Name: kube-user1-read-pods Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"kube-user1-read-pods","namespace":"... Role: Kind: Role Name: pods-reader Subjects: Kind Name Namespace ---- ---- --------- User kube-user1
3)權限測驗
這時候我們使用kube-user1用戶進行測驗 [ik8s@k8s-master ~]$ kubectl config use-context kube-user1@kubernetes #如果沒有切換到該kube-user1用戶,通過kubectl config use-context進行切換 [ik8s@k8s-master ~]$ kubectl get pods #在default名稱空間獲取pods資訊 NAME READY STATUS RESTARTS AGE nginx-statefulset-0 1/1 Running 0 3d nginx-statefulset-1 1/1 Running 0 3d nginx-statefulset-2 1/1 Running 0 3d nginx-statefulset-3 1/1 Running 0 3d pod-sa-demo 1/1 Running 0 27h [ik8s@k8s-master ~]$ kubectl get pods -n kube-system #測驗獲取kube-system名稱空間中的pods Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "kube-system"
從上面的操作可以看出,role的定義和系結,僅作用于當前名稱空間,在獲取別的名稱空間比如kube-system名稱空間時,一樣會出現Forbidden,
User --> ClusterRolebinding --> ClusterRole
1)ClusterRole定義
ClusterRole資源物件可以授予與Role資源物件相同的權限,但由于它們屬于集群范圍的物件,也可以使用它們授予對以下幾種資源的訪問權限:
集群范圍資源(例如節點,即
Node)非資源型別
endpoint(例如/api、/healthz等,)跨所有名稱空間的名稱空間資源(例如
pod,運行kubectl get pods --all-namespaces來查詢集群中所有的pod)
[root@k8s-master manfests]# kubectl create clusterrole -h #查看clusterrole創建幫助 ...... Usage: kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run] [options] --verb #指定權限 --resource #指定資源或者資源組 [root@k8s-master manfests]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml #干跑模式查看clusterrole的定義格式 apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: cluster-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch [root@k8s-master manfests]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > clusterrole-demo.yaml [root@k8s-master manfests]# vim clusterrole-demo.yaml #編輯資源清單 apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch [root@k8s-master manfests]# kubectl apply -f clusterrole-demo.yaml #創建clusterrole clusterrole.rbac.authorization.k8s.io/cluster-reader created [root@k8s-master manfests]# kubectl get clusterrole |grep "cluster-reader" cluster-reader 19s [root@k8s-master manfests]# kubectl describe clusterrole/cluster-reader Name: cluster-reader Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-reader"},"rules":[{"apiGrou... PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch]
2)ClusterRoleBinding定義
#這里還是使用kube-user1用戶,所以先將上面的角色系結資訊洗掉 [root@k8s-master manfests]# kubectl get rolebinding #查看角色系結資訊 NAME AGE kube-user1-read-pods 27m [root@k8s-master manfests]# kubectl delete rolebinding kube-user1-read-pods #洗掉前面的系結 rolebinding.rbac.authorization.k8s.io "kube-user1-read-pods" delete [ik8s@k8s-master ~]$ kubectl get pods #洗掉后再用kube-user1用戶獲取pods資源資訊,就立馬出現Forbidden了 Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default" [root@k8s-master manfests]# kubectl create clusterrolebinding -h Usage: kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options] --clusterrole #指定clusterrole --user #指定用戶 [root@k8s-master manfests]# kubectl create clusterrolebinding kube-user1-read-all-pods --clusterrole=cluster-reader --user=kube-user1 --dry-run -o yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: kube-user1-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl create clusterrolebinding kube-user1-read-all-pods --clusterrole=cluster-reader --user=kube-user1 --dry-run -o yaml > clusterrolebinding-demo.yaml [root@k8s-master manfests]# vim clusterrolebinding-demo.yaml #編輯資源清單檔案 cat clusterrolebinding-demo.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: kube-user1-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl apply -f clusterrolebinding-demo.yaml #創建clusterrolebinding clusterrolebinding.rbac.authorization.k8s.io/kube-user1-read-all-pods created [root@k8s-master manfests]# kubectl get clusterrolebinding/kube-user1-read-all-pods NAME AGE kube-user1-read-all-pods 25s [root@k8s-master manfests]# kubectl describe clusterrolebinding/kube-user1-read-all-pods #查看clusterrolebinding資源kube-user1-read-all-pods詳細資訊,可以看到kube-user1用戶已經系結到clusterrole資源cluster-reader上了, Name: kube-user1-read-all-pods Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"kube-user1-read-all-pod... Role: Kind: ClusterRole Name: cluster-reader Subjects: Kind Name Namespace ---- ---- --------- User kube-user1
3)權限測驗
[ik8s@k8s-master ~]$ kubectl get pods #角色系結后再次獲取pods資訊,已經可以正常查看 NAME READY STATUS RESTARTS AGE nginx-statefulset-0 1/1 Running 0 3d1h nginx-statefulset-1 1/1 Running 0 3d1h nginx-statefulset-2 1/1 Running 0 3d1h nginx-statefulset-3 1/1 Running 0 3d1h pod-sa-demo 1/1 Running 0 28h [ik8s@k8s-master ~]$ kubectl get pods -n kube-system #切換名稱空間也是可以查看的 NAME READY STATUS RESTARTS AGE coredns-bccdc95cf-9gsn8 1/1 Running 0 8d coredns-bccdc95cf-x7m8g 1/1 Running 0 8d etcd-k8s-master 1/1 Running 0 8d kube-apiserver-k8s-master 1/1 Running 0 8d kube-controller-manager-k8s-master 1/1 Running 0 8d kube-flannel-ds-amd64-gg55s 1/1 Running 0 8d kube-flannel-ds-amd64-ssr7j 1/1 Running 5 8d kube-flannel-ds-amd64-w6f9h 1/1 Running 4 8d kube-proxy-77pbc 1/1 Running 3 8d kube-proxy-qs655 1/1 Running 3 8d kube-proxy-xffq4 1/1 Running 0 8d kube-scheduler-k8s-master 1/1 Running 0 8d [ik8s@k8s-master ~]$ kubectl delete pods/pod-sa-demo #在進行洗掉pod測驗時,還是會報Forbidden,這是因為在授權時就沒授予delete權限的, Error from server (Forbidden): pods "pod-sa-demo" is forbidden: User "kube-user1" cannot delete resource "pods" in API group "" in the namespace "default"
從上面的操作可以看出,clusterrole的定義和clusterrolebinding的系結,可以獲取到集群內所有資源的對應權限,
User --> Rolebinding --> Clusterrole
將用戶kube-user1通過角色系結(RoleBinding)到集群角色cluster-reader當中,此時kube-user1僅作用于當前名稱空間的所有pods資源的權限,
1)系結
#首先洗掉上面的clusterrolebinding [root@k8s-master manfests]# kubectl delete clusterrolebinding kube-user1-read-all-pods clusterrolebinding.rbac.authorization.k8s.io "kube-user1-read-all-pods" deleted [root@k8s-master manfests]# kubectl create rolebinding kube-user1-read-pods --clusterrole=cluster-reader --user=kube-user1 --dry-run -o yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: kube-user1-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl create rolebinding kube-user1-read-pods --clusterrole=cluster-reader --user=kube-user1 --dry-run -o yaml > rolebinding-clusterrole-demo.yaml [root@k8s-master manfests]# vim rolebinding-clusterrole-demo.yaml #編輯資源清單檔案 apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kube-user1-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kube-user1 [root@k8s-master manfests]# kubectl apply -f rolebinding-clusterrole-demo.yaml rolebinding.rbac.authorization.k8s.io/kube-user1-read-pods created [root@k8s-master manfests]# kubectl get rolebinding kube-user1-read-pods NAME AGE kube-user1-read-pods 32s [root@k8s-master manfests]# kubectl describe rolebinding kube-user1-read-pods Name: kube-user1-read-pods Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"kube-user1-read-pods","namespace":"... Role: Kind: ClusterRole Name: cluster-reader Subjects: Kind Name Namespace ---- ---- --------- User kube-user1
2)權限測驗
[ik8s@k8s-master ~]$ kubectl get pods NAME READY STATUS RESTARTS AGE nginx-statefulset-0 1/1 Running 0 3d1h nginx-statefulset-1 1/1 Running 0 3d1h nginx-statefulset-2 1/1 Running 0 3d1h nginx-statefulset-3 1/1 Running 0 3d1h pod-sa-demo 1/1 Running 0 28h [ik8s@k8s-master ~]$ kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "kube-system"
從上面的操作可以看出,角色系結(Rolebinding)和集群角色(ClusterRole)系結后,用戶只擁有自己當前名稱空間的對應的權限,
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/55408.html
標籤:其他