Kubernetes Study Notes (9): Authentication, Authorization and RBAC
I. Overview
Almost every operation on a Kubernetes cluster goes through the kube-apiserver component, which exposes an HTTP RESTful API for clients inside and outside the cluster. That raises a security problem: if someone learns your API address, your servers are easy targets for malicious damage. For this reason the k8s authentication and authorization flow does not support plain HTTP connections to kube-apiserver.
Use kubectl cluster-info to see the API server endpoint address, as follows:
Access to the API server goes through three steps: the first two are authentication and authorization, and the third is Admission Control, which also improves security to a degree, although its role is mainly resource management.
client --> | authentication (verify that the user name and password are correct) | authorization (control the current user's permissions) | admissionControl (resource dependency, association and environment checks) --> Resources

k8s is highly modular: authentication, authorization and admission control are each implemented by plugins that the user selects.
Authentication
Kubernetes provides several authentication methods, such as client certificates, static tokens, static password files, ServiceAccount tokens and so on; all of them are specified by the user in the form of plugins, and one or more of them can be enabled at the same time. A client that is successfully authenticated by any one plugin counts as authenticated and needs no further authentication.
Two common ones:
1) token (e.g. a pre-shared key, passed as a key in the HTTP header in RESTful style)
2) SSL/TLS (authentication, mutual identity verification, HTTPS communication)
Authorization
Since k8s 1.6, plugins such as RBAC, Node, ABAC and webhook are supported. RBAC (Role-Based Access Control) only ever grants permissions (everything is denied by default), and clusters installed with kubeadm use RBAC authorization by default. RBAC lets the cluster administrator control resource access precisely through the roles of particular users or service accounts. In RBAC, permissions are attached to roles, and users obtain those permissions by becoming members of the appropriate roles, which greatly simplifies permission management. In an organization, roles are created for the various jobs to be done, users are assigned roles according to their responsibilities and qualifications, and a user can easily be moved from one role to another.
AdmissionControl
Admission control is essentially a piece of admission code. In the course of a request to the Kubernetes API the order is: authentication & authorization first, then the admission step, and finally the operation on the target object. This admission code lives in the api-server and must be compiled into the binary to be executed. When a request is made to the cluster, each admission controller runs in a fixed order; if any one of them rejects the request, the result of the whole request is returned immediately together with the corresponding error message for the user.
Commonly used components (admission controllers):
- AlwaysAdmit: admits all requests
- AlwaysDeny: rejects all requests; mostly used in test environments
- ServiceAccount: automates serviceAccount handling. For example, if a pod has no serviceAccount attribute it adds default automatically, and it ensures that the pod's serviceAccount always exists
- LimitRanger: observes all requests and ensures that none violates the constraints defined in the namespace's LimitRange object. If LimitRange objects are used in Kubernetes, this plugin must be enabled.
- NamespaceExists: observes all requests; if a request tries to create an object in a namespace that does not exist, the request is rejected
II. Ways of accessing the API server
The k8s API server provides a rich set of RESTful interfaces for users to access.
REST request path: http://apiServerName:port/apis/apps/version_name/namespaces/default/deployments/myapp-deploy/(add/delete/edit/get)
API request verbs: get/list/create/update/patch/watch/proxy/redirect/delete/deletecollection
kubectl uses the credentials in the ${HOME}/.kube/ directory by default, but other access methods (curl, for example) cannot use them. If you want to access the API server with curl, you can use the proxy feature.
Start the proxy locally:
Then access it with curl from another terminal, as shown below:
```
[root@k8s-master-dev ~]# curl http://localhost:8080/api/v1/namespaces
{
  "kind": "NamespaceList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces",
    "resourceVersion": "768383"
  }...
[root@k8s-master-dev ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments
{
  "kind": "DeploymentList",
  "apiVersion": "apps/v1",
  "metadata": {
    "selfLink": "/apis/apps/v1/namespaces/kube-system/deployments",
    "resourceVersion": "768654"
  },...
```
III. Authentication
Which clients need to talk to the API server? Both clients outside the cluster (kubectl) and clients inside the cluster (Pods) interact with the API server.
The output above shows that pods and other components inside the cluster reach the API server through 10.96.0.1, while kubectl and other external access uses 172.16.20.79:6443.
The users authenticated when accessing the API server also fall into two classes:
1) serviceAccountName (pod clients inside the cluster)
2) UserAccount (access from outside the cluster)
1. serviceAccountName
A ServiceAccount is a user managed by the Kubernetes API. ServiceAccounts are bound to a specific namespace and are created either automatically by the API server or manually through API calls. A service account is associated with a set of credentials stored as Secrets; these credentials are mounted into pods so that in-cluster processes can communicate with the Kubernetes API. (When we log in to the dashboard, it is a ServiceAccount that we use.)
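As an added illustration (not part of the original post) of what that mounted credential contains, the Python below decodes the legacy ServiceAccount token a pod finds under /var/run/secrets/kubernetes.io/serviceaccount/ and derives the subject name that RBAC bindings match against. The token and its claims are constructed here for a ServiceAccount named admin in the default namespace; the code only decodes the token and does not verify its signature, which is the API server's job.

```python
import base64
import json

# Added example (not from the original post). Inspects the legacy ServiceAccount
# JWT that the kubelet mounts into every pod and derives the RBAC subject name
# ("system:serviceaccount:<namespace>:<name>") the API server will act on.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed claims mirroring the "admin" ServiceAccount used later in the post.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "admin-token-q99pz",
    "kubernetes.io/serviceaccount/service-account.name": "admin",
    "kubernetes.io/serviceaccount/service-account.uid": "3f0f0199-4539-11e9-ac19-000c295011ce",
    "sub": "system:serviceaccount:default:admin",
}
# Constructed token: real header layout, sample claims, placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": ""}, separators=(",", ":")).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    "PLACEHOLDER-SIGNATURE",
])


def parse_sa_token(token: str) -> dict:
    """Decode header and claims of a ServiceAccount JWT and derive its RBAC subject.

    Decoding only: the RS256 signature is NOT checked here. The API server
    verifies it against the key pair (sa.key/sa.pub) it was issued with."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != "kubernetes/serviceaccount":
        raise ValueError("not a Kubernetes ServiceAccount token")
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    subject = f"system:serviceaccount:{ns}:{name}"  # what RoleBinding subjects refer to
    if claims.get("sub") != subject:
        raise ValueError("sub claim does not match namespace/service-account.name")
    return {"alg": header.get("alg"), "namespace": ns, "service_account": name,
            "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
            "subject": subject}


def load_mounted_token(path: str = TOKEN_PATH) -> dict:
    """Read and parse the token a running pod finds on its own filesystem."""
    with open(path) as fh:
        return parse_sa_token(fh.read().strip())


if __name__ == "__main__":
    print(parse_sa_token(SAMPLE_TOKEN))
```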
Once a Kubernetes cluster is set up, several ServiceAccounts already exist in the system, belonging to different namespaces; ServiceAccounts in different namespaces may share the same name. View the current ServiceAccounts with the following command:
Use kubectl get sa --all-namespaces to view the sa of all namespaces.
Create a ServiceAccount manually with the following syntax:
```
kubectl create serviceaccount my-service-account
```
Example:
When a ServiceAccount is created, a secret is created automatically at the same time, named with the account name as prefix. Example:
```
[root@k8s-master-dev ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
admin-token-q99pz     kubernetes.io/service-account-token   3      23h
default-token-m66jg   kubernetes.io/service-account-token   3      5d
[root@k8s-master-dev ~]#
```
A ServiceAccount mainly serves to hold a token, and the token in turn belongs to the secrets resource, as shown:
```
[root@k8s-master-dev ~]# kubectl describe sa admin
Name:                admin
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-token-q99pz
Tokens:              admin-token-q99pz
Events:              <none>
[root@k8s-master-dev ~]#
```
Use kubectl describe secrets admin-token-q99pz to view the details of that token. Example:
```
[root@k8s-master-dev ~]# kubectl describe secrets/admin-token-q99pz
Name:         admin-token-q99pz
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=3f0f0199-4539-11e9-ac19-000c295011ce

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJ..............
[root@k8s-master-dev ~]#
```
Every Pod is assigned to a specific ServiceAccount when it is created, usually default; the account can also be specified in the Pod manifest. Example:
```
[root@k8s-master-dev ~]# vim pod-sa-demo.yaml
[root@k8s-master-dev ~]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin
[root@k8s-master-dev ~]# kubectl apply -f pod-sa-demo.yaml
pod/pod-sa-demo created
[root@k8s-master-dev ~]#
```
When the Pod is created, the related credential files are mounted into it as a volume, so that the API server can be reached from inside the Pod (the Kubernetes dashboard, for example). Example:
```
[root@k8s-master-dev ~]# kubectl describe pods pod-sa-demo
Name:               pod-sa-demo
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               k8s-node1-dev/192.168.20.78
Start Time:         Wed, 13 Mar 2019 10:41:59 +0800
Labels:             app=myapp
                    tier=frontend
Annotations:        inspiry.com/author=cluster admin
                    kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"inspiry.com/author":"cluster admin"},"labels":{"app":"myapp","tier":"frontend"},"name":"pod..."
Status:             Running
IP:                 10.244.1.107
Containers:
  myapp:
    Container ID:   docker://729b24ee03040b09a0d93a977e65e206bd434b6c35003f0fea953b661c635af2
    Image:          ikubernetes/myapp:v1
    Image ID:       docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Wed, 13 Mar 2019 10:42:00 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from admin-token-q99pz (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  admin-token-q99pz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  admin-token-q99pz
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
[root@k8s-master-dev ~]#
```
2. UserAccount
UserAccounts are used for managing access to the cluster from outside it or from standalone services; the administrator issues the private key. The kubectl commands we use day to day run as a UserAccount.
The kubeconfig, also called the authentication configuration, is the authentication setup made for clients outside the cluster to access it.
When an external user accesses the k8s cluster (with kubectl, for example), the account, certificate, private key, cluster name, API server address and so on used for access have to be configured; this information is stored in the kubeconfig.
The kubectl config command performs the various operations on the authentication configuration file used to access the cluster. See kubectl config --help for details.
Use kubectl config view to display the authentication configuration, as shown below:
Explanation:
```
apiVersion: v1
clusters: []          # list of the Kubernetes clusters to access
contexts: []          # list of contexts for accessing the clusters: which cluster is accessed by which user
current-context: ""   # the context currently in use
kind: Config
preferences: {}
users: []             # list of users for access: user names and certificate information (REDACTED marks secret data)
```
Create the access key and certificate needed for the UserAccount, signed with the current k8s CA certificate:
```
[root@k8s-master-dev ~]# cd /etc/kubernetes/pki/
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver.key                 ca.crt              front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key              front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd                front-proxy-client.crt  sa.pub
[root@k8s-master-dev pki]# (umask 077; openssl genrsa -out meteor.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.............+++
e is 65537 (0x10001)
[root@k8s-master-dev pki]# openssl req -new -key meteor.key -out meteor.csr -subj "/CN=meteor"
[root@k8s-master-dev pki]# openssl x509 -req -in meteor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out meteor.crt -days 365
Signature ok
subject=/CN=meteor
Getting CA Private Key
[root@k8s-master-dev pki]# openssl x509 -in meteor.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b2:d2:50:2a:92:52:e0:63
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 13 07:35:17 2019 GMT
            Not After : Mar 12 07:35:17 2020 GMT
        Subject: CN=meteor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver-kubelet-client.crt  ca.srl              front-proxy-client.crt  meteor.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  etcd                front-proxy-client.key  sa.key
apiserver-etcd-client.key  ca.crt                        front-proxy-ca.crt  meteor.crt              sa.pub
apiserver.key              ca.key                        front-proxy-ca.key  meteor.csr
[root@k8s-master-dev pki]#
```
Create an access credential (UserAccount) and point it at the corresponding certificate and private key.
If an existing name is specified, the new fields are merged in and the old fields are overwritten.
Modify the kubeconfig (authentication configuration): create a new Context and specify the access credential (UserAccount).
```
[root@k8s-master-dev pki]# kubectl config set-context meteor@kubernetes --cluster=kubernetes --user=meteor
Context "meteor@kubernetes" created.
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:                     # the context was created successfully
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:                        # the meteor user's credential (certificate) is in place
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#
```
Switch to the new context and test it:
```
[root@k8s-master-dev pki]# kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: meteor@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#
[root@k8s-master-dev pki]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "default"
[root@k8s-master-dev pki]#
```
The Forbidden error shows that authentication succeeded (the certificate's CN was accepted as user "meteor") but that no authorization rule grants this user anything yet. Of course, a brand-new cluster authentication configuration (kubeconfig) can also be defined here, for example:
You need to specify the CA certificate, the API server address, the option to embed the certificates, and the path of the config file (by default it goes in the current home directory), as shown below:
IV. Authorization
Once authentication passes, the next step is authorization, which decides what a user may do. Kubernetes can be configured with several authorization modes; the one in use here is RBAC (Role Based Access Control). RBAC involves several important concepts: Role / RoleBinding / ClusterRole / ClusterRoleBinding.
One thing must be clear first: authorization cannot be separated from authentication; authorization is based on the ServiceAccount/UserAccount. A Role can be understood as a set of permissions (for example get, list, update, delete, add) that decides what a ServiceAccount may do; a RoleBinding binds a Role to a specified ServiceAccount.
The figure below shows how a Role is bound.
ClusterRole and ClusterRoleBinding serve the same purpose, except that their scope is the whole cluster, whereas the scope of Role and RoleBinding is a namespace.
Create a Role
```
[root@k8s-master-dev ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml
[root@k8s-master-dev ~]# vim manifests/role-demo.yaml
[root@k8s-master-dev ~]# cat manifests/role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl get roles
NAME          AGE
pods-reader   14m
[root@k8s-master-dev ~]# kubectl describe roles/pods-reader
Name:         pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#
```
Create a RoleBinding and bind the user to the Role
```
[root@k8s-master-dev ~]# kubectl create rolebinding meteor-read-pods --role=pods-reader --user=meteor --dry-run -o yaml > manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   13s
[root@k8s-master-dev ~]# kubectl describe rolebinding/meteor-read-pods
Name:         meteor-read-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"meteor-read-pods","namespace":"default"},"roleRe..."
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  meteor
[root@k8s-master-dev ~]#
```
Create a new OS user and test the new configuration
```
[root@k8s-master-dev ~]# useradd k8suser01
[root@k8s-master-dev ~]# cp -rp .kube ~k8suser01/
[root@k8s-master-dev ~]# chown -R k8suser01.k8suser01 ~k8suser01/.kube
[root@k8s-master-dev ~]# su - k8suser01
[k8suser01@k8s-master-dev ~]$ kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
mongo-0       2/2     Running   0          6h
mongo-1       2/2     Running   0          6h
mongo-2       2/2     Running   0          6h
pod-sa-demo   1/1     Running   0          5h
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout
```
Because the Role and RoleBinding are scoped to the default namespace, the meteor@kubernetes context cannot access resources in the kube-system namespace. (Note that the copied .kube directory still holds the kubernetes-admin credentials as well; the test only exercises the meteor user because the context was switched.) If that context should be able to access resources in kube-system, a ClusterRole and ClusterRoleBinding are needed, as shown below:
```
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   4m
[root@k8s-master-dev ~]# kubectl delete rolebinding meteor-read-pods
rolebinding.rbac.authorization.k8s.io "meteor-read-pods" deleted
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@k8s-master-dev ~]# kubectl get clusterrole
NAME             AGE
admin            5d
cluster-admin    5d
cluster-reader   8s
edit             5d
flannel          5d
......
[root@k8s-master-dev ~]# kubectl describe clusterrole cluster-reader
Name:         cluster-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-reader","namespace":""},"rules":[{"apiGr..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrolebinding meteor-read-all-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml >> manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRoleBinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: meteor-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/meteor-read-all-pods created
[root@k8s-master-dev ~]# kubectl get clusterrolebinding meteor-read-all-pods
NAME                   AGE
meteor-read-all-pods   16s
[root@k8s-master-dev ~]#
```
Test the meteor@kubernetes context again, as shown below:
```
[root@k8s-master-dev ~]# su - k8suser01
上一次登錄:三 3月 13 16:09:07 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
mongo-0       2/2     Running   0          1d
mongo-1       2/2     Running   0          1d
mongo-2       2/2     Running   0          1d
pod-sa-demo   1/1     Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
NAME                                     READY   STATUS    RESTARTS   AGE
coredns-78fcdf6894-9t2x5                 1/1     Running   0          5d
coredns-78fcdf6894-tvbtd                 1/1     Running   0          5d
etcd-k8s-master-dev                      1/1     Running   0          5d
kube-apiserver-k8s-master-dev            1/1     Running   0          5d
kube-controller-manager-k8s-master-dev   1/1     Running   1          5d
kube-flannel-ds-amd64-9tmns              1/1     Running   0          5d
kube-flannel-ds-amd64-cn8v5              1/1     Running   0          5d
kube-flannel-ds-amd64-gwf76              1/1     Running   0          5d
kube-flannel-ds-amd64-v4g6w              1/1     Running   0          5d
kube-proxy-4ks89                         1/1     Running   0          5d
kube-proxy-b47qm                         1/1     Running   0          5d
kube-proxy-dz778                         1/1     Running   0          5d
kube-proxy-mg5rr                         1/1     Running   0          5d
kube-scheduler-k8s-master-dev            1/1     Running   1          5d
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev ~]#
```
A RoleBinding can also reference a ClusterRole, granting its subjects the resources defined in the ClusterRole but only within the binding's own namespace. A ClusterRoleBinding, on the other hand, can only reference a ClusterRole. In the following, the meteor user can only operate in the namespace it is bound in.
```
[root@k8s-master-dev rbac]# kubectl delete -f clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "meteor-read-all-pods" deleted
[root@k8s-master-dev rbac]# kubectl create rolebinding meteor-read-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# vim rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev rbac]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   10s
[root@k8s-master-dev rbac]#
[root@k8s-master-dev rbac]# su - k8suser01
上一次登錄:四 3月 14 15:33:42 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
mongo-0       2/2     Running   0          1d
mongo-1       2/2     Running   0          1d
mongo-2       2/2     Running   0          1d
pod-sa-demo   1/1     Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev rbac]#
```
k8s ships with a number of built-in ClusterRoles; using the method above, you can designate a particular administrator for one namespace. Proceed as follows:
```
kubectl create rolebinding default-ns-admin --clusterrole=admin --user=meteor
```
Reposted from: https://blog.51cto.com/caiyuanji/2362416
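To make the scoping rules of this section concrete, here is an added example in Python (not code from the original post): a small model of the RBAC decision that reproduces the three kubectl tests above for the user meteor, whose user name comes from the CN of the client certificate. The objects are constructed from the manifests shown in the post and reduced to the fields the decision needs; the real authorizer also handles groups, resourceNames and non-resource URLs, which are omitted here.

```python
# Added example (not from the original post): a minimal model of how the RBAC
# authorizer scopes Role/RoleBinding, ClusterRole/ClusterRoleBinding, and a
# RoleBinding that references a ClusterRole. Objects are constructed from the
# manifests in the post, reduced to the fields the decision needs.

READ_PODS = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

ROLES = {("default", "pods-reader"): READ_PODS}   # namespaced, keyed by (namespace, name)
CLUSTER_ROLES = {"cluster-reader": READ_PODS}      # cluster-scoped, keyed by name

# The three binding layouts tried in the post, one list per layout.
RB_TO_ROLE = [            # RoleBinding -> Role: valid only in namespace "default"
    {"namespace": "default", "roleRef": ("Role", "pods-reader"),
     "subjects": [("User", "meteor")]}]
CRB_TO_CLUSTERROLE = [    # ClusterRoleBinding -> ClusterRole: every namespace
    {"roleRef": ("ClusterRole", "cluster-reader"), "subjects": [("User", "meteor")]}]
RB_TO_CLUSTERROLE = [     # RoleBinding -> ClusterRole: still only "default"
    {"namespace": "default", "roleRef": ("ClusterRole", "cluster-reader"),
     "subjects": [("User", "meteor")]}]


def rule_allows(rule, verb, group, resource):
    """One PolicyRule matches when verb, apiGroup and resource all match ('*' is a wildcard)."""
    return all(want in have or "*" in have for want, have in
               ((verb, rule["verbs"]), (group, rule["apiGroups"]), (resource, rule["resources"])))


def rules_for(role_ref, namespace):
    """Resolve a roleRef. A Role is looked up only in the binding's own namespace."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])


def allowed(user, verb, resource, namespace, role_bindings, cluster_role_bindings, group=""):
    """RBAC is allow-only: a request passes iff at least one binding grants it."""
    subject = ("User", user)
    # ClusterRoleBindings apply in every namespace.
    for crb in cluster_role_bindings:
        if subject in crb["subjects"] and any(
                rule_allows(r, verb, group, resource) for r in rules_for(crb["roleRef"], None)):
            return True
    # RoleBindings apply only inside their own namespace, even when they reference a ClusterRole.
    for rb in role_bindings:
        if rb["namespace"] == namespace and subject in rb["subjects"] and any(
                rule_allows(r, verb, group, resource) for r in rules_for(rb["roleRef"], namespace)):
            return True
    return False


def demo():
    """Reproduce the post's 'kubectl get pods' checks in default and kube-system for meteor."""
    return {
        name: (allowed("meteor", "list", "pods", "default", rbs, crbs),
               allowed("meteor", "list", "pods", "kube-system", rbs, crbs))
        for name, rbs, crbs in (("rb_to_role", RB_TO_ROLE, []),
                                ("crb_to_clusterrole", [], CRB_TO_CLUSTERROLE),
                                ("rb_to_clusterrole", RB_TO_CLUSTERROLE, []))
    }


if __name__ == "__main__":
    for layout, (in_default, in_kube_system) in demo().items():
        print(f"{layout}: default={in_default} kube-system={in_kube_system}")
```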