• K8S RBAC



    API Server 内部通过用户认证后,然后进入授权流程。对合法用户进行授权并且随后在用户访问时进行鉴权,是权限管理的重要环节。
    在 kubernetes 集群中,各种操作权限是赋予角色(Role 或者 ClusterRole)的。通过创建 RoleBinding 或者 ClusterBinding 把 用户(User),用户组(Group)或服务账号(Service Account)绑定在 Role 或 ClusterRole 上。这样用户,用户组或者服务账号就有了相对应的操作权限。
    这里有个需要注意的地方
    ClusterRoleBinding 只能绑定 ClusterRole,而 RoleBinding 可以绑定 Role 或者 ClusterRole。
    根据上图:
    1.User1 通过 RoleBinding 把 Role 绑定,可以在 Namespace A 获得 Role 中的权限;
    2.User2 和 User3 通过 RoleBinding 把 ClusterRole 绑定,这两个用户即可以在 Namespace B 空间中获得 ClusterRole 权限;
    3.如果 User1 通过 ClusterRoleBinding 把 ClusterRole 绑定,这个用户即可在所有的 Namespace 空间中获得 ClusterRole 权限;

    创建 role

    su - klvchen
    cd sa/
    kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
    
    kubectl apply -f role-demo.yaml 
    kubectl get role
    kubectl describe role pods-reader
    

    创建 rolebinding

    kubectl create rolebinding klvchen-read-pods --role=pods-reader --user=klvchen --dry-run -o yaml > rolebinding-demo.yaml
    kubectl apply -f rolebinding-demo.yaml
    kubectl describe rolebinding klvchen-read-pods
    

    测试账号

    kubectl config use-context klvchen@kubernetes
    kubectl config view
    kubectl get pods
    

    为了方便测试,创建一个新的用户 ik8s

    useradd ik8s
    cp -rf .kube/ /home/ik8s/
    chown  -R ik8s. /home/ik8s/
    su - ik8s
    kubectl config use-context klvchen@kubernetes
    kubectl config view
    

    创建 clusterrole

    kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml
    
    kubectl apply -f clusterrole-demo.yaml 
    
    kubectl get rolebinding
    
    # 删除 klvchen-read-pods ,解除 role 角色 pods-reader 和 user 用户 klvchen 的绑定关系
    kubectl delete rolebinding klvchen-read-pods
    

    创建 clusterrolebinding

    kubectl create clusterrolebinding klvchen-read-all-pods --clusterrole=cluster-reader --user=klvchen --dry-run -o yaml > clusterrolebinding-demo.yaml
    kubectl apply -f clusterrolebinding-demo.yaml
    
    kubectl describe clusterrolebinding klvchen-read-all-pods
    

    测试

    #切换到 ik8s 账户
    kubectl get pods -n kube-system
    # 所有命名空间都可以正常显示 pods
    

    使用 rolebinding 关联 clusterrole

    kubectl delete clusterrolebinding klvchen-read-all-pods
    kubectl create rolebinding klvchen-read-pods --clusterrole=cluster-reader --user=klvchen --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
    kubectl apply -f rolebinding-clusterrole-demo.yaml 
    
    #测试
    #切换到 ik8s 账户
    kubectl get pods 
    # 只有默认的命名空间可以正常显示 pods
    

    查看 k8s 集群中 admin 拥有的权限

    kubectl get clusterrole admin -o yaml
    kubectl get clusterrolebinding cluster-admin -o yaml
    
    [root@master ~]# kubectl get clusterrolebinding cluster-admin -o yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      creationTimestamp: 2018-11-07T10:12:36Z
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: cluster-admin
      resourceVersion: "107"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
      uid: a6252a77-e275-11e8-8c94-cad98100ca95
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters                     # admin 所在的组是 system:masters
    
    # kubernetes-admin 是属于 system:masters 组
    [root@master ~]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.0.205:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: klvchen
      name: klvchen@kubernetes
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: klvchen
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    

    查看对应的证书,这里注意了,证书的有效期为1年

    [root@master ~]# cd /etc/kubernetes/pki/
    [root@master pki]# openssl x509 -in ./apiserver-kubelet-client.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3302614080992031284 (0x2dd53e0237bbb234)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=kubernetes
            Validity
                Not Before: Nov  7 10:11:55 2018 GMT
                Not After : Nov  7 10:11:56 2019 GMT
            Subject: O=system:masters, CN=kube-apiserver-kubelet-client
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
    ...后面信息忽略
    
  • 相关阅读:
    微信公众平台接口测试账号申请
    Windows平台下tomcat+java的web程序持续占cpu问题调试
    mysql存储过程基础
    Mysql权限控制
    MySQL开启federated引擎实现数据库表映射
    JAVA中Set集合--HashSet的使用
    在js中嵌套java代码
    MySql计算两个日期的时间差函数
    关于easyui combobox下拉框实现多选框的实现
    利用excel办公软件快速拼凑sql语句
  • 原文地址:https://www.cnblogs.com/klvchen/p/9957729.html
Copyright © 2020-2023  润新知