k8s 权限控制之rbac

权限控制

此处要介绍的是基于rbac 的权限控制，主要涉及四个概念，角色(role,clusterrole)，角色绑定（rolebinding,clusterrolebinding）,授权对象（serviceaccount, user），权限（apiGroups,resources,verbs）

serviceaccount 与 user 区别

sa 通常都是用于pod 中的应用授权，例如pod 中的程序要访问集群做一些操作就可以使用sa ，默认pod 都都有一个default sa

user 通常是给人使用的，标记的是个人，例如在kubectl 配置文件中的多用户就是用user 定义的。

但是两者的使用没有严格限制

基于serviceaccount 的权限分配

命名空间的角色授权

###角色就是绑定了一些权限，角色是基于命名空间的，集群角色才是全局的，也就是角色绑定给用户或者sa都是作用在固定命名空间的。
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}
rules:
  - apiGroups:
    - "*"
    resources:
    - "*"
    verbs:
    - list
    - get
    - create


###RoleBinding 是命名空间资源对象，把serviceaccount 与role 绑定在一起
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-binding
RoleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
  name: {{ .Release.Name }}


###serviceaccount 是基于命名空间的，伴随着它的创建，命名空间内会自动生成与它同名的token
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}

集群权限控制

###集群角色与普通角色区别就一点，集群角色对应权限是整个集群的，所有命名空间资源以及不属于命名空间的集群对象
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - list
  - get
  - watch


###角色绑定
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: langkai-u-all-cluster-binding
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: langkai-u-all
subjects:
- kind: ServiceAccount
  name: langkai-u-all


ServiceAccount 与上面的是同一个，通过serviceaccount 对应的token 就可以登陆kuboard 进行相应操作

基于user 的权限分配在kubectl 配置文件中的使用

kubectl 访问apiserver 是基于用户家目录下面的.kube/config 里面配置来完成验证的。

应用场景：

有两个集群，prd  和 dev ，通过同一个kubectl 访问两个集群，通过用户user1 访问prd 集群的 frontend 命名空间，通过用户user2 访问 dev 的backend 命名空间，此时就需要在config 里面配置不同的上下文来实现两种访问。

介绍几个概念  集群 用户  上下文

1、集群就是k8s 集群，里面配置了集群证书，地址等信息；

2、用户就是授权对象，配置认证信息，后面是通过rbac 对用户授权才能访问集群；

3、上下文就是把集群+用户+命名空间 联系在一起，例如用户tom+集群k8s-new+命名空间dev 的意思是在此上下文中通过kubectl 命令执行的操作都是在集群k8s-new 的空间dev 的操作，以tom 身份执行的

config 配置文件

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlDeURDQ0FiQ2dBd0lCQWdJQkFEQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHJkV0psDQpjbTVsZEdWek1CNFhEVEl3TURreE5UQTVNekl3TUZvWERUTXdNRGt4TXpBNU16SXdNRm93RlRFVE1CRUdBMVVFDQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTHE1DQpmVVpWT3RTRzhocTV2Tk8xUzJmTkQrVnd5TjFYb25lT1JrbXV5ZHRPMHJSQ0VwSWdjZFg1d3pvek40L0s3Rld1DQp6MzZmWm9yV3JTWjFyMzNWcUNzdzZlUFVQcmJQaU5ZSStQdEszU29icHh4ZVQ5KzlUSVpxVmc2UTJhcEExckM5DQpObTBuMCswdmh0SUxjeGs3amRXM3QrSkhiWWhlNE4zZ2tCUUVoaS9OVDNyZDJUNzQ3SFk5L1ZmUFdHZStNTEZwDQo1V056T2ZyL0ZqWUhVMmR5dnRZMnl6VlVaeFBPRitaTjlENGpHWmpDbzR5MFdhTVBOeUxGV056dnQ4NkM1dmYrDQppUUZTN2E4bVo1emwybWFabldtZ204bjVLNUd0QWdNM3VVZXh1QlZpOXZ5OCt3K3kralcyYnR6QmkwRUgxYUQ2DQppbW1UUVZsaHdscEhpWU1STEIwQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCDQovd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRjRhTElSRm10R210NDd6UVFZKy9yb2FEK3pIDQoxUnZnMStDYjk4NnZkbENtc08ybVNadldyb2tYUTFtL2pyMzUxeW1xUzNwU3FId05kOUdFaWg5cWJpYmpTQXhCDQo4RU1vUmxhclBRUDBRemlNcytIR1N1RHRYYW95RzZvN3RnQVErV1R1NUdBazBPWnRlcVdhdzVKK2FQZGIydEluDQpqSWVyUW1BMmhnYlRoVFdDbjIwL2lrUUVWSm44OFQvYU1YUG01TGdPbXQ2RGdpbHZEKzdySFBONk5WY1NvcmFXDQoydE9qd3VJa0tMSFhUcFZwb213UDU3UGl1VWNxSTV0NjVuaTQ1WEhoVDBnS0F2ZUZCa2wxZzJ0M00veTdvTU9yDQp6R2Q4MW1ORTMrQzV6WWdHL2ZsTWREeVVLTzcvNXhDbVYvNVRkWkIxWTVEWm1DYkNaUDJhazBnMnVaZz0NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
    server: https://192.168.1.200:8443
  name: k8s-new
- cluster:
    server: https://192.168.1.210:8443
  name: k8s-old



contexts:
- context:
    cluster: k8s-new
    user: langkai
  name: k8s-new-all
- context:
    cluster: k8s-new
    namespace: langkai
    user: langkai
  name: k8s-new-langkai
- context:
    cluster: k8s-old
    namespace: default
    user: kzf
  name: k8s-old-default
current-context: k8s-new-langkai


kind: Config
preferences: {}
users:
- name: kzf
  user:
    password: 1qaz2wsx
    username: kouzhenfang
- name: langkai
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvekNDQVlzQ0NRQ0Jwa2dGSUhoTGx6QU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSXdNVEF4TWpBek5EUXlNbG9YRFRJeE1UQXhNakF6TkRReU1sb3dFakVRTUE0RwpBMVVFQXd3SGJHRnVaMnRoYVRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTROClN6ZUZkVjNIT2FWR1FVbmpSUFFrS2h4Z2ZkT2xJdVFlb243UGtEeHhwb0d5SkE4UkNqbUpXcVhDT2lhbWtma2QKMWhPT3k0Z2M5K2F0M2JDZkRjMjI2VENyUUg5RVUyL1R3ejhvd3FRdWoyTG1EdnB1ZVBGWUNsRlNLeU1GMTYzMApaL3FpamU1YnlWK1p3TklKaC92bzVNbStPZlV3QjRzWmJIeFJxb1pOb3I3dytjbEk1M3VYMm5uNEVobEFxL3hLCmwxcXhmeFRXNEJ4RVZ3cWx2Z2Q2aFBlVS90SUJDbjJ5YVhCVW52WkF0aEhjRjV3aDdpcW9OYUF1Yi9zR1c4elEKdURMYUxNOHFnd3pVZDd6ZVhuNTc1K1hLcGU3UEVuKzFOVjZSTkg1bUNtdkI0VDUrcXl1VFBCWW9lTXV6eS84UQpya2pQREZNZ1A5TmUyK25sK1hzQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBYjdGL1BUZnlTK3ovClp6eGZ2Y2g2YmxGVGZXaTFiZGRXemdWd1pOVWlrMUxiUEFmMGxsM2hDMjJoRUlvNm5CUXRnMG1XNzVNY3VlZWwKMXZ1VldMaVN2ZGd6aWRZcmtseFgwY2d3d3p6MjNwSWhJM0dVUjU3QU55N212ZTBIMjM2eWNsZi9SNkFTdE9BcAo5eUlkYWkwWjk2ejRzK1FDaldNOWw2Y2JDNnhDbUlEMEhGTHRMNHhmTXlnSHd2YmRtQTNxbGl2alRwVUEzMEZTCjl2M2tiRXpvRDAvbE1HQ1hZZlJpb1FlV0w0TjJVOExMeldFT2NmSTg2Tm4xVFdtRGZXcmVhSExFSHU2NTZlWkQKUy9ucjMrRVVHL09YUndaVnc0V0QrL3VoZlFIbkNvdjZWUEN3bXR3TXNOM1NlVE5MWk1vU3BKVWlyN1VtTlJNVQpLYjZla3VQNU1RPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBemcxTE40VjFYY2M1cFVaQlNlTkU5Q1FxSEdCOTA2VWk1QjZpZnMrUVBIR21nYklrCkR4RUtPWWxhcGNJNkpxYVIrUjNXRTQ3TGlCejM1cTNkc0o4TnpiYnBNS3RBZjBSVGI5UERQeWpDcEM2UFl1WU8KK201NDhWZ0tVVklySXdYWHJmUm4rcUtON2x2Slg1bkEwZ21IKytqa3liNDU5VEFIaXhsc2ZGR3FoazJpdnZENQp5VWpuZTVmYWVmZ1NHVUNyL0VxWFdyRi9GTmJnSEVSWENxVytCM3FFOTVUKzBnRUtmYkpwY0ZTZTlrQzJFZHdYCm5DSHVLcWcxb0M1dit3WmJ6TkM0TXRvc3p5cURETlIzdk41ZWZudm41Y3FsN3M4U2Y3VTFYcEUwZm1ZS2E4SGgKUG42cks1TThGaWg0eTdQTC94Q3VTTThNVXlBLzAxN2I2ZVg1ZXdJREFRQUJBb0lCQVFES3NhOGRWZTdIcXBTZApiY2dKL0VTM2VkL20vRkNxNDFhNFd4NTBhcEN6dFFVYnJuYmtUMW5ra2FhWFNzSlRoU1l4amxVcDloMW5yejk2CkwrelZzeEVzSFZPMWFiRlB3SkhuZnNRaG5HSWtpaHpKS0JEeDc3eVBoWkRZd0dEbzJmVjZET1JBWEtvTUlVU3UKQTV6M3dTS0EvM0FZdVVWZ1diZ0I4S2VVZisya29IS0ZjQUM1N1VJUklDcy9qSDV3SGJBSFdFR0NNRWRQdUdrUgpBZXBSQkxXdERURjduSFBLSk02VEJrMnc2c2lwMFpyWkpKbFZycDd1UzFYcHNkbmtLOEVRY3BLK3ZoT1NUUlVaCjB0d2lwNEVZand1Rks1bTIySVlHQlBVaEFWY2VOMExsekFKUk5vUFNsWkREWGYyMVZtS3RaM3VWTEs5T3BkNGcKNXYrazRuUlpBb0dCQVAwd3NGYitseUV4a1ZWbnF2ZVBzZ3o5S3ZvUmVLQ09oOHEvNUZKR2VhYWN1ZFpJeGVOUgpPN3FHa1VYNFB1K21kZVhKRXFoOVBhRzQ0Uy9HcGUvTjFFR3dIUVJiWU1kSXNoT2RqUUJ6TWF6TWo3N0ZCcVRqCm8zUzVTNVlrOFgrN2d0NElmeTNtWDVQNDdnZkN4aDZuc1RkbTY1dVpDMlluQ1lpZ3k2bi9aaEgvQW9HQkFOQlcKcjRMQU9DRkk2S0VkZCtmekdXUStOVU9yUWEvR2RiMnlsRlY5c2xNMExseElrUWRjT0YvU1l4N0RQM3ozV2UwYgpLdGluZUpuejZpb2NwSElRV2owcW13UEFONlFsRnVhQ3JWc0FReEs0UVdwamprTXFVVEtLN2JhaE5mditPUnB0ClY5RStoWTgvNnlOMktZMVRBMlQ0M2d5dERoYjAxa0MrRm8zZTRXQ0ZBb0dBUjQ5cVY3d3ZSTjk0bnpYa3VZR3cKcGtFcjAyLzZzdzUxek5VOW1BOTVOS0VaV1RwS1MveGFzRloyV3R0V0ZtL3E1SjVYR3E0RExHRlByQ3d1SEVBRgpuT2RFM0VWamJnL2EzUFpyc3RQY0YyWGR2dUo3QlVHZG9sRDR6eC96N2RFMnBNQ3NDWElTVTRWSTZZS2djbXVkCkIvYWI0dWQzdEZDV1BqcU1OYWtNMVVzQ2dZQitmWU1HRVlxQ3V1OXlrcCt3VmlwK2NENktuVG0rYlBJamdIOEwKQU12Nk5GNUpiVTJRZUc5SnprU2I4dE5qSGhLZElMZDgzd0VjQjdtT1krRjcxMjNTWVVISW56V3BGVk80RkhNSQpJenFWN1FUYWdTTm9xQkt3YXlVMGt1Qmg1TkhxdDZSdnlGUHl5MDRLTTcyNnJrSUxWZ1lMRUM3VHhVY24rOEZaCjFZNWt1UUtCZ0ZUMXFjakF4ME9NaGF3dVI4ODJycmNnMTFWR2hBQU5uZGtMa3ZIUVN0bEc0Zyt3Tkg3ZHB6MTkKbzJhdjUrcHdONlhWQVBBR2k2SzM0MFVlNkt6NGVTUzNWR3Flb0RNSXJrcVdtby9qV1lxM1hoWXowU29VRkFORgpyNkZSZy9YREo5SXhkUWZyMXpBaEM1UytmbjJ1Q3F4V1NPV0FlMEFJRGZ4Ym9uTVlIeUxTCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

注意要点：

1、 用户的认证信息只能是密钥对，用户密码形式不生效

2、集群也必须配置他的证书否则访问的时候会报错： 没有相关资源

用户证书生成：

###创建一个私钥
umask 077; openssl genrsa -out langkai.key 2048
###创建证书请求
openssl req -new -key langkai.key -out langkai.csr -subj "/CN=langkai"
###基于证书请求和集群的ca公私钥创建证书
openssl x509 -req -in langkai.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out langkai.crt -days 365
把公私钥信息配置到config中client-certificate-data 和client-key-data 处

kubectl config set-credentials langkai  --client-certificate=./langkai.crt --client-key=./langkai.key --embed-certs=true

或者
cat langkai.crt ｜ base64   
把编码后的信息配置在config 中 client-key-data 和 client-certificate-data 处

切换上下文

kubectl config --kubeconfig=config-demo use-context dev-frontend  
#--kubeconfig 指定了配置文件路径，如果不指定就是默认的～/.kube/config  
#实际此操作就是更改的config 文件也可以手动在配置文件中指定上下文
current-context: k8s-new-langkai

授权

只有对用户授权kubectl 才能使用否则无法操作集群，授权分为两部分：集群+命名空间资源

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - list
  - get
  - watch


---
# Source: fengmi-frontend/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: langkai-u-all-cluster-binding
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: langkai-u-all
subjects:
- kind: User
  name: langkai-u-all


---
# Source: fengmi-frontend/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"


---
# Source: fengmi-frontend/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: langkai-u-all-binding
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: langkai-u-all
subjects:
- kind: User
  name: langkai-u-all

关于用户：

用户不是一个集群里面的资源对象，也就是说用户不用额外创建，而serviceaccount 是需要创建的，用户只需要在config 定义即可，而sa 必须通过yaml 或者命令创建的。