• 10、kubernetes之RBAC认证


    一、kubectl proxy

    # kubectl proxy --port=8080
    # curl http://localhost:8080/api/v1/
    # curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/
    

    二、serviceaccount资源

    • 创建自定义serviceaccount:用于pod与api通信的认证账号
    # kubectl create serviceaccount admin
    serviceaccount/admin created
    
    # kubectl create serviceaccount dongfei -o yaml --dry-run  #生成配置清单
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: null
      name: dongfei
    
    # kubectl get sa  #sa,serviceaccount的简写
    NAME      SECRETS   AGE
    admin     1         5s
    default   1         77d
    
    # kubectl describe sa admin
    Name:                admin
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  <none>
    Mountable secrets:   admin-token-76kb7
    Tokens:              admin-token-76kb7
    Events:              <none>
    
    # kubectl get secret
    NAME                  TYPE                                  DATA   AGE
    admin-token-76kb7     kubernetes.io/service-account-token   3      36s
    default-token-4q4c9   kubernetes.io/service-account-token   3      77d
    mysql-root-password   Opaque                                1      7d21h
    
    • 应用自定义serviceaccount
    # Pod that talks to the API server as the custom "admin" ServiceAccount
    # created above, rather than the namespace's "default" ServiceAccount.
    apiVersion: v1
    kind: Pod
    metadata:
      namespace: default
      name: pod-sa-demo
      labels:
        app: myapp
    spec:
      # Selects the ServiceAccount whose token Secret is mounted into the pod
      # (the `kubectl describe pods ... | grep -A4 Volumes` output below shows
      # the admin-token-* volume). Anything running in the pod can read it.
      serviceAccountName: admin
      containers:
        - name: myapp
          image: ikubernetes/myapp:v1
          ports:
            - name: http
              containerPort: 80
    
    # kubectl describe pods pod-sa-demo |grep -A4 Volumes
    Volumes:
      admin-token-76kb7:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  admin-token-76kb7
        Optional:    false
    

    三、RBAC 基于角色的访问控制

    1、apiserver客户端配置及创建UserAccount用户

    • apiserver客户端配置文件
    # kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.100.51:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    • 制作连接apiserver的证书,创建用户
    # cd /etc/kubernetes/pki/
    # (umask 077;openssl genrsa -out dongfei.key 2048)
    # openssl req -new -key dongfei.key -out dongfei.csr -subj "/CN=dongfei"
    # openssl x509 -req -in dongfei.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dongfei.crt -days 365
    # openssl x509 -in dongfei.crt -text -noout  #查看
    
    # kubectl config set-credentials dongfei --client-certificate=./dongfei.crt --client-key=./dongfei.key --embed-certs=true
    # kubectl config set-context dongfei@kubernetes --cluster=kubernetes --user=dongfei
    
    • 切换上下文
    # kubectl config use-context dongfei@kubernetes
    # kubectl config view
    # kubectl config use-context kubernetes-admin@kubernetes
    
    • 创建kubectl配置文件
    # kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.100.51:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
    # kubectl config view --kubeconfig=/tmp/test.conf
    

    2、Role角色

    • 创建Role
    # kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
    # vim role-demo.yaml
    # Namespaced Role: read-only access to pods, valid only inside the
    # "default" namespace named in metadata.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: pods-reader
      creationTimestamp: null  # emitted by the --dry-run command above
    rules:
      # "" is the core API group, which is where pods live.
      - apiGroups: [""]
        resources: [pods]
        verbs: [get, list, watch]  # read-only; no create/update/delete
    # kubectl apply -f role-demo.yaml
    # kubectl get role
    # kubectl describe role pods-reader
    

    3、rolebinding

    • 创建user和role的绑定关系
    # kubectl create rolebinding dongfei-read-pods --role=pods-reader --user=dongfei -o yaml --dry-run > rolebinding-demo.yaml
    # vim rolebinding-demo.yaml
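    # RoleBinding: grants the "pods-reader" Role to the user "dongfei".
    # metadata.namespace is stated explicitly so the binding is created in the
    # same namespace as the Role it references (the Role above declares
    # namespace: default); without it, apply falls back to the namespace of
    # the current kubectl context.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: default
      name: dongfei-read-pods
      creationTimestamp: null  # emitted by the --dry-run command above
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: pods-reader
    subjects:
      # "dongfei" is the CN of the client certificate made earlier
      # (-subj "/CN=dongfei"); that CN is the username the API server sees.
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: dongfei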
    # kubectl apply -f rolebinding-demo.yaml
    # kubectl get rolebinding
    # kubectl describe rolebinding dongfei-read-pods
    
    • 测试账号权限
    # kubectl config use-context dongfei@kubernetes
    # kubectl get pods  #默认名称空间有权限
    # kubectl get pods -n kube-system  #无权限
    
    • 删除rolebinding
    # kubectl delete rolebinding dongfei-read-pods
    

    4、clusterrole

    • 创建clusterrole
    # kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > clusterrole-demo.yaml
    # vim clusterrole-demo.yaml
    # ClusterRole: note there is no metadata.namespace — it is cluster-scoped.
    # Bound through a ClusterRoleBinding (next section) it grants pod read
    # access in every namespace; bound through a RoleBinding (section 6) it is
    # limited to that binding's namespace.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cluster-reader
      creationTimestamp: null  # emitted by the --dry-run command above
    rules:
      # "" is the core API group, which is where pods live.
      - apiGroups: [""]
        resources: [pods]
        verbs: [get, list, watch]  # read-only; no create/update/delete
    # kubectl apply -f clusterrole-demo.yaml
    

    5、clusterrolebinding

    • user-绑定-clusterrole
    # kubectl create clusterrolebinding dongfei-read-all-pods --clusterrole=cluster-reader --user=dongfei --dry-run -o yaml > clusterrolebinding-demo.yaml
    # kubectl apply -f clusterrolebinding-demo.yaml
    # kubectl describe clusterrolebinding dongfei-read-all-pods
    
    • 测试
    # kubectl config use-context dongfei@kubernetes
    # kubectl get pods  
    # kubectl get pods -n kube-system  #可以访问集群所有的名称空间
    

    6、role绑定至clusterrole

    • 通过RoleBinding绑定ClusterRole时,ClusterRole的权限将降为仅在该RoleBinding所在的名称空间内生效
    # kubectl create rolebinding dongfei-read-pods --clusterrole=cluster-reader --user=dongfei
    
  • 原文地址:https://www.cnblogs.com/L-dongf/p/11689085.html