Commonly used authorization plugins: Node, ABAC, RBAC, Webhook
RBAC: Role-Based Access Control
  role
  permission
  Object URL: /apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID]
  Role:
    operations
    objects
RoleBinding: its permissions are limited to one namespace. If a user binds a ClusterRole through a RoleBinding in a namespace, the user gets that ClusterRole's permissions only in that namespace and none in other namespaces; i.e. whenever a RoleBinding references a ClusterRole, the grant is namespace-scoped.
A ClusterRole can also hold permissions a Role cannot (cluster-scoped resources); those must be granted through a ClusterRoleBinding.
Subjects: user account or service account
Role
Resources belong to one of two levels: cluster, namespace
Cluster-level objects: clusterrole, clusterrolebinding
Create a Role
kubectl create role --help
kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
  (pods-reader: role name; --verb: operations granted, get list watch; --resource: resource granted; --dry-run: dry run only)
If no namespace is given when creating the role, it is created in the default namespace.
--verb=* grants all verbs
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
kubectl apply -f role-demo.yaml
kubectl get pods
kubectl describe role pods-reader
With the role created, bind it to an account
kubectl create rolebinding --help
kubectl create rolebinding mageedu-read-pods --role=pods-reader --user=mageedu
  (mageedu-read-pods: binding name; a RoleBinding can reference either a Role or a ClusterRole; --role=<role name>; --user=<user to bind>)
kubectl create rolebinding mageedu-read-pods --role=pods-reader --user=mageedu --dry-run -o yaml > rolebind-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: mageedu-read-pods          # rolebinding name
roleRef:                           # the role being granted
  apiGroup: rbac.authorization.k8s.io
  kind: Role                       # resource kind: Role
  name: pods-reader                # role name
subjects:                          # who the role is bound to
- apiGroup: rbac.authorization.k8s.io
  kind: User                       # subject kind: user
  name: mageedu                    # user name that receives the role
kubectl explain rolebinding.roleRef
kubectl explain rolebinding.subjects
Verify
kubectl describe rolebinding mageedu-read-pods
kubectl config use-context mageedu@kubernetes    # switch to user mageedu (i.e. switch context)
kubectl get pods                                 # now has get permission
kubectl get pods -n kube-system                  # no get permission in other namespaces
Create a ClusterRole
kubectl create clusterrole --help
kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml
  (cluster-reader: clusterrole name; --verb=<verbs granted>; --resource=<resource controlled>)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
kubectl explain clusterrole
kubectl explain clusterrole.metadata
Switch back to the admin user to create it
kubectl config use-context kubernetes-admin@kubernetes
kubectl apply -f clusterrole-demo.yaml
Verify
kubectl describe clusterrole cluster-reader
Bind the ClusterRole to the mageedu account
First remove the RoleBinding created above
kubectl get rolebinding
kubectl delete rolebinding mageedu-read-pods     # unbind; mageedu now has no role permissions
Bind the ClusterRole to account mageedu
kubectl create clusterrolebinding --help
kubectl create clusterrolebinding mageedu-read-all-pods --clusterrole=cluster-reader --user=mageedu --dry-run -o yaml > clusterrolebinding-demo.yaml
  (mageedu-read-all-pods: clusterrolebinding name; --clusterrole=: a ClusterRoleBinding can only reference a ClusterRole)
vim clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: mageedu-read-all-pods      # ClusterRoleBinding name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                # kind of role bound
  name: cluster-reader             # role name
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User                       # bound to a user
  name: mageedu                    # user account mageedu receives the ClusterRole
Note: the cluster already ships with a large set of ClusterRoles
kubectl get clusterrole
Verify:
kubectl get clusterrolebinding
kubectl describe clusterrolebinding mageedu-read-all-pods
Then test again as the mageedu account
kubectl get pods
kubectl get pods -n kube-system    # a ClusterRole grants get cluster-wide, so system-level pods are visible too
kubectl delete pods pod-sa-demo    # denied: the ClusterRole behind mageedu-read-all-pods grants no delete verb,
                                   # so account mageedu, which holds only that binding, cannot delete
Remove mageedu's ClusterRole grant, i.e. delete the ClusterRoleBinding, and bind the ClusterRole through a RoleBinding instead
kubectl get clusterrolebinding
kubectl delete clusterrolebinding mageedu-read-all-pods    # ClusterRoleBinding deleted
kubectl create rolebinding mageedu-read-pods --clusterrole=cluster-reader --user=mageedu --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
  (mageedu-read-pods: rolebinding name; --clusterrole=cluster-reader: the ClusterRole to bind; --user: which user receives it)
vim rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mageedu-read-pods
  namespace: default               # only takes effect in the default namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: mageedu
kubectl apply -f rolebinding-clusterrole-demo.yaml
kubectl describe rolebinding mageedu-read-pods
Test
Access pods in default:
kubectl get pods                   # allowed
kubectl get pods -n kube-system    # accessing pods in kube-system is denied
Explanation: when a RoleBinding references a ClusterRole, the ClusterRole's permissions are downgraded to the namespace the RoleBinding lives in.
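The three binding shapes tried above (RoleBinding to Role, ClusterRoleBinding to ClusterRole, RoleBinding to ClusterRole) can be reproduced offline with the simulator below. It is an added example, not code from these notes or from Kubernetes: the Rule, Role and Binding classes and the authorize() function are a simplified model of the RBAC authorizer's decision (allow-only, first matching rule wins), and the constructed objects mirror pods-reader, cluster-reader and the mageedu bindings shown above.

```python
"""Added example: a small model of the Kubernetes RBAC decision that shows
why RoleBinding/ClusterRoleBinding scope the same rules differently.
Illustrative only; not the real authorizer."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    api_groups: FrozenSet[str]
    resources: FrozenSet[str]
    verbs: FrozenSet[str]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" in any list acts as a wildcard, as in a real PolicyRule.
        return ((api_group in self.api_groups or "*" in self.api_groups)
                and (resource in self.resources or "*" in self.resources)
                and (verb in self.verbs or "*" in self.verbs))


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass(frozen=True)
class Binding:
    name: str
    role: Role
    subjects: FrozenSet[str]
    namespace: Optional[str] = None   # None means this is a ClusterRoleBinding

    def __post_init__(self) -> None:
        # The API server rejects these shapes, so the model rejects them too.
        if self.namespace is None and self.role.namespace is not None:
            raise ValueError("a ClusterRoleBinding can only reference a ClusterRole")
        if self.role.namespace is not None and self.role.namespace != self.namespace:
            raise ValueError("a RoleBinding can only reference a Role in its own namespace")


def authorize(bindings: List[Binding], user: str, verb: str,
              resource: str, namespace: str, api_group: str = "") -> bool:
    """Allow if some binding names the user, covers the request's namespace,
    and its role has a rule matching (apiGroup, resource, verb).
    RBAC is allow-only: no matching rule means deny."""
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding only applies to requests in its own namespace, even
        # when roleRef points at a ClusterRole: that is the "downgrade" the
        # notes describe. A ClusterRoleBinding applies in every namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.allows(api_group, resource, verb) for r in b.role.rules):
            return True
    return False


# Constructed objects mirroring the notes: both roles grant get/list/watch on pods.
READ_PODS = Rule(frozenset({""}), frozenset({"pods"}), frozenset({"get", "list", "watch"}))
pods_reader = Role("pods-reader", (READ_PODS,), namespace="default")
cluster_reader = Role("cluster-reader", (READ_PODS,))

SCENARIOS = {
    "rolebinding->role": [
        Binding("mageedu-read-pods", pods_reader, frozenset({"mageedu"}), namespace="default")],
    "clusterrolebinding->clusterrole": [
        Binding("mageedu-read-all-pods", cluster_reader, frozenset({"mageedu"}))],
    "rolebinding->clusterrole": [
        Binding("mageedu-read-pods", cluster_reader, frozenset({"mageedu"}), namespace="default")],
}


def can(scenario: str, verb: str, namespace: str,
        resource: str = "pods", user: str = "mageedu") -> bool:
    """Evaluate one request against the bindings of a named scenario."""
    return authorize(SCENARIOS[scenario], user, verb, resource, namespace)


if __name__ == "__main__":
    checks = [("get", "default"), ("get", "kube-system"), ("delete", "default")]
    for name in SCENARIOS:
        print(name)
        for verb, ns in checks:
            print(f"  mageedu {verb} pods -n {ns}: {'allowed' if can(name, verb, ns) else 'denied'}")
```

Running it prints the same outcomes the notes observed with kubectl: the RoleBinding variants allow get only in default, the ClusterRoleBinding allows get in kube-system as well, and none of them allow delete because no rule grants that verb.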
Running kubectl as another Linux user
useradd ik8s
cp -rp /root/.kube/ /home/ik8s/
chown -R ik8s:ik8s /home/ik8s/
su - ik8s
kubectl config use-context mageedu@kubernetes
kubectl config view                # context switched successfully; commands work
Note that the copied kubeconfig still carries every context from root's file, including kubernetes-admin@kubernetes and its credentials, so the ik8s user can switch back to it at any time; to give a Linux user only mageedu's access, hand it a kubeconfig that contains only that user and context.
The admin permissions in k8s
kubectl get clusterrole admin -o yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-07-30T12:43:34Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: admin
  resourceVersion: "356"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
  uid: 28b74331-9da2-4041-8c8e-190e34eacc6b
rules:
- apiGroups:
  - ""
  resources:                       # resources access is granted to
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:                           # operations granted
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
kubectl create rolebinding default-ns-admin --clusterrole=admin --user=mageedu
  (default-ns-admin: rolebinding name; --clusterrole=admin: kind and name of the role bound; --user: which user receives it)
This effectively makes mageedu an administrator of the default namespace: the admin ClusterRole applies, but its permissions are limited to the namespace the binding lives in.
kubectl delete pods pod-sa-demo    # now allowed
kubectl get pods -n kube-system    # no permission to manage other namespaces
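To see what a namespace admin actually receives, the rules from a `kubectl get clusterrole admin -o yaml` dump can be flattened per resource and screened for grants that deserve review before the role is handed out. The script below is an added example, not part of Kubernetes or of these notes; ADMIN_EXCERPT is a constructed, trimmed copy of the dump above, parse_rules() handles only the flat list layout kubectl prints (not general YAML), and the SENSITIVE table is curated for this example.

```python
"""Added example: flatten a ClusterRole dump into effective verbs per
resource and flag sensitive grants. Not Kubernetes code."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed, trimmed excerpt of the admin ClusterRole shown in the notes.
ADMIN_EXCERPT = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  - pods/portforward
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - delete
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - get
"""


def parse_rules(text: str) -> List[Dict[str, List[str]]]:
    """Parse the `rules:` block-list as kubectl prints it: one scalar per
    '- ' line, rule items starting with '- apiGroups:'. Not general YAML."""
    rules: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    key, in_rules = "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not in_rules:
            in_rules = line == "rules:"
            continue
        if not line.startswith((" ", "-")):
            break                       # next top-level key ends the list
        item = line.strip()
        if line.startswith("- "):       # "- apiGroups:" starts a new rule
            current = {"apiGroups": [], "resources": [], "verbs": []}
            rules.append(current)
            item = item[2:]
        if item.endswith(":"):
            key = item[:-1]
            current.setdefault(key, [])
        elif item.startswith("- "):
            current[key].append(item[2:].strip().strip('"'))
    return rules


def effective_verbs(rules: List[Dict[str, List[str]]]) -> Dict[Tuple[str, str], Set[str]]:
    """Union the verbs of every rule per (apiGroup, resource): RBAC allows a
    request if any single rule matches, so the union is what the holder has."""
    table: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                table[(group, resource)].update(rule["verbs"])
    return table


# Grants worth a second look when scoping a namespace admin (curated here).
SENSITIVE = {
    ("", "secrets", "get"): "reads every Secret in the namespace",
    ("", "pods/exec", "create"): "runs commands inside running pods",
    ("", "pods/portforward", "create"): "tunnels traffic into pods",
    ("", "serviceaccounts", "impersonate"): "acts as any ServiceAccount in the namespace",
    ("rbac.authorization.k8s.io", "rolebindings", "create"): "grants roles to other subjects in the namespace",
}


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (apiGroup, resource, verb, reason) for each sensitive grant present."""
    table = effective_verbs(parse_rules(text))
    return sorted((group or "core", res, verb, why)
                  for (group, res, verb), why in SENSITIVE.items()
                  if verb in table.get((group, res), set()))


if __name__ == "__main__":
    for group, res, verb, why in audit(ADMIN_EXCERPT):
        print(f"{group}/{res} {verb}: {why}")
```

Note that pods/portforward is not flagged by this excerpt: the only rule granting it carries get/list/watch, and the create verb that would make it usable lives in a different rule in the full dump. Flattening per resource is what makes that distinction visible, which a read of rule-by-rule YAML easily hides.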
kubectl get clusterrolebinding
kubectl describe clusterrolebinding cluster-admin
kubectl get clusterrolebinding cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2019-07-30T12:43:34Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "96"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 4b7462e9-124b-4a61-bc66-fc81435243e1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
Check which group kubernetes-admin belongs to
cd /etc/kubernetes/pki/
openssl x509 -in ./apiserver-kubelet-client.crt -text -noout
Summary:
  rolebinding, clusterrolebinding
    subject (the principal being granted access): user, group, serviceaccount
    role, clusterrole
  object (the thing being accessed): resource group, resource, non-resource URL
  action: get, list, watch, patch, delete, deletecollection, ...