• rbac权限控制


    常用的授权插件:Node ,ABAC,RBAC,Webhook

    RBAC:Role-based AC基于角色的访问控制

    角色  (role)

    许可 (permision)

    Object_url: /apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID]

    Role:

     Operations

     Objects

    Rolebinding 权限仅限于名称空间 用户user同过该命名空间的rolebinding去绑定clusterrole,那么就只有该命名空间的权限而没有其他命名空间的权限,既只要rolebinding去clusterrole

    Cluserrole还有role所不具有的权限,需要通过clusterrolebinding去绑定

      User account OR service acount

      Role

    资源分属于两种级联:集群,名称空间

    集群角色: clusterrole,clusterrolebinding

    创建角色role

    kubectl create role –help

    kubectl create role pods-reader --verb=get,list,watch  --resource=pods --dry-run

    kubectl create role pods-reader --verb=get,list,watch  --resource=pods --dry-run -o yaml  >role-demo.yaml

                      role名      授予的操作:get list wacth           授予的资源名  干跑

    创建role角色没指定namedpace,那就在默认的名称空间default 

    --verb=*  表示授予所有权限

    apiVersion: rbac.authorization.k8s.io/v1

    kind: Role

    metadata:

      name: pods-reader

      namespace: default

    rules:

    - apiGroups:

      - ""

      resources:

      - pods

      verbs:

      - get

      - list

      - watch

    kubectl apply -f role-demo.yaml

    kubectl get pods

    kubectl describe role pods-reader

    角色创建好了,给账户绑定上角色

    kubectl create rolebinding –help

    kubectl create rolebinding mageedu-read-pods --role=pods-reader --user=mageedu

                         binding名,既能role也能clusterrole  --role=角色role名  --user=给哪个用户绑

    kubectl create rolebinding mageedu-read-pods --role=pods-reader --user=mageedu --dry-run -o yam > rolebind-demo.yaml

    apiVersion: rbac.authorization.k8s.io/v1

    kind: RoleBinding

    metadata:

      creationTimestamp: null

      name: mageedu-read-pods   rolebinding名

    roleRef:  指定role

      apiGroup: rbac.authorization.k8s.io

      kind: Role 资源类型role

      name: pods-reader  role角色名

    subjects:  绑定的对象

    - apiGroup: rbac.authorization.k8s.io

      kind: User  绑定角色的类型:用户

      name: mageedu   绑定角色的用户名 

    kubectl explain rolebinding.roleRef

    kubectl explain rolebinding.subjects

    验证

    kubectl describe rolebinding mageedu-read-pods

    kubectl config use-context mageedu@kubernetes 切换用户mageedu 也叫切换上下文

    kubectl get pods 有get权限了

    kubectl get pods -n kube-system 在别的namespace没权限get

    创建clusterrole

    kubectl create clusterrole –help

    kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run >

                             clusterrole名  --verb=权限     --resourc=控制的资源名

    clusterrole-demo.yaml

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRole

    metadata:

      creationTimestamp: null

      name: cluster-reader

    rules:

    - apiGroups:

      - ""

      resources:

      - pods

      verbs:

      - get

      - list

      - watch

    kubectl explain clusterrole

    kubectl explain clusterrole.metadata

    切回系统用户创建

    kubectl config use-context kubernetes-admin@kubernetes

    kubectl apply -f clusterrole-demo.yaml

    验证

    kubectl describe clusterrole cluster-reader

    给mageedu账号绑定clusterrole

    先解绑上面绑定的rolebinding

    kubectl get rolebinding

    kubectl delete rolebinding mageedu-read-pods 解绑 现在mageedu已经没有角色权限了

    给账号mageedu绑定clusterrole

    kubectl create clusterrolebinding –help

    kubectl create clusterrolebinding mageedu-read-all-pods --clusterrole=cluster-reader --user=mageedu

               指定clusterrolebinding  cluseterrolebinding绑定名   --clusterrole=只能绑clusterrole

    --dry-run -o yaml > clusterrolebinding-demo.yaml

    vim clusterrolebinding-demo.yaml

    apiVersion: rbac.authorization.k8s.io/v1beta1

    kind: ClusterRoleBinding

    metadata:

      creationTimestamp: null

      name: mageedu-read-all-pods  ClusterRoleBinding

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole 绑定的角色类型

      name: cluster-reader 角色名

    subjects:

    - apiGroup: rbac.authorization.k8s.io

      kind: User 对user绑定

      name: mageedu  给用户账号mageedu绑定角色clusterrole

    注释:系统上已经有一大批clusterrole

    kubectl get clusterrole

    验证:

    kubectl get clusterrolebinding

    kubectl describe clusterrolebinding  mageedu-read-all-pods

    然后再去mageedu账号测试

    kubectl get pods

    kubectl get pods -n kube-system  既cluterrole可以在全集群get的所有权限,可以查看系统级别的pods

    kubectl delete pods pod-sa-demo  因为没有赋予clusterrole类角色mageedu-read-all-pods的delete权限

    所以赋予了mageedu-read-all-pods角色的账号mageedu不能delete

    把maggedu的clusterrole角色删了,既删了clusterrolebing, 使用rolebinding去绑定clusterrole

    kubectl get clusterrolebinding

    kubectl delete clusterrolebinding mageedu-read-all-pods  删了clusterrolebing

    kubectl create rolebinding mageedu-read-pods --clusterrole=cluster-reader --user=mageedu --dry-run -o yaml > rolebinding-clusterrole-demo.yaml

                 rolebinding  bing名         绑定clusterrole  cluserrole名   给哪个用户绑定

    vim rolebinding-clusterrole-demo.yaml

    apiVersion: rbac.authorization.k8s.io/v1

    kind: RoleBinding

    metadata:

      name: mageedu-read-pods

      namespace: default  只对namespace的default空间生效

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole

      name: cluster-reader

    subjects:

    - apiGroup: rbac.authorization.k8s.io

      kind: User

      name: mageedu

    kubectl apply -f rolebinding-clusterrole-demo.yaml

    kubectl describe rolebinding mageedu-read-pods

    测试

    访问default下的pods

    kubectl get pods  可以访问

    kubectl get pods -n kube-system 去访问kube-system空间的pods就不行了

    说明:用rolebinding去绑定clusterrole,绑定的clusterrole类角色权限会降级,降到授权的名称空间

    在其他用户运行kubectl

    useradd ik8s

    cp -rp /root/.kube/ /home/ik8s/

    chown -R ik8s:ik8s /home/ik8s/

    su - ik8s

    kubectl config use-context mageedu@kubernetes

    kubectl config view  切换用户成功,操作可行

    k8s的admin权限

    kubectl get clusterrole admin -o yaml

    aggregationRule:

      clusterRoleSelectors:

      - matchLabels:

          rbac.authorization.k8s.io/aggregate-to-admin: "true"

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRole

    metadata:

      annotations:

        rbac.authorization.kubernetes.io/autoupdate: "true"

      creationTimestamp: "2019-07-30T12:43:34Z"

      labels:

        kubernetes.io/bootstrapping: rbac-defaults

      name: admin

      resourceVersion: "356"

      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin

      uid: 28b74331-9da2-4041-8c8e-190e34eacc6b

    rules:

    - apiGroups:

      - ""

      resources: 授权访问的资源

      - pods/attach

      - pods/exec

      - pods/portforward

      - pods/proxy

      - secrets

      - services/proxy

      verbs: 授权的操作

      - get

      - list

      - watch

    - apiGroups:

      - ""

      resources:

      - serviceaccounts

      verbs:

      - impersonate

    - apiGroups:

      - ""

      resources:

      - pods

      - pods/attach

      - pods/exec

      - pods/portforward

      - pods/proxy

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - ""

      resources:

      - configmaps

      - endpoints

      - persistentvolumeclaims

      - replicationcontrollers

      - replicationcontrollers/scale

      - secrets

      - serviceaccounts

      - services

      - services/proxy

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - apps

      resources:

      - daemonsets

      - deployments

      - deployments/rollback

      - deployments/scale

      - replicasets

      - replicasets/scale

      - statefulsets

      - statefulsets/scale

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - autoscaling

      resources:

      - horizontalpodautoscalers

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - batch

      resources:

      - cronjobs

      - jobs

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - extensions

      resources:

      - daemonsets

      - deployments

      - deployments/rollback

      - deployments/scale

      - ingresses

      - networkpolicies

      - replicasets

      - replicasets/scale

      - replicationcontrollers/scale

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - policy

      resources:

      - poddisruptionbudgets

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - networking.k8s.io

      resources:

      - ingresses

      - networkpolicies

      verbs:

      - create

      - delete

      - deletecollection

      - patch

      - update

    - apiGroups:

      - ""

      resources:

      - configmaps

      - endpoints

      - persistentvolumeclaims

      - pods

      - replicationcontrollers

      - replicationcontrollers/scale

      - serviceaccounts

      - services

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - ""

      resources:

      - bindings

      - events

      - limitranges

      - namespaces/status

      - pods/log

      - pods/status

      - replicationcontrollers/status

      - resourcequotas

      - resourcequotas/status

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - ""

      resources:

      - namespaces

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - apps

      resources:

      - controllerrevisions

      - daemonsets

      - deployments

      - deployments/scale

      - replicasets

      - replicasets/scale

      - statefulsets

      - statefulsets/scale

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - autoscaling

      resources:

      - horizontalpodautoscalers

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - batch

      resources:

      - cronjobs

      - jobs

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - extensions

      resources:

      - daemonsets

      - deployments

      - deployments/scale

      - ingresses

      - networkpolicies

      - replicasets

      - replicasets/scale

      - replicationcontrollers/scale

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - policy

      resources:

      - poddisruptionbudgets

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - networking.k8s.io

      resources:

      - ingresses

      - networkpolicies

      verbs:

      - get

      - list

      - watch

    - apiGroups:

      - authorization.k8s.io

      resources:

      - localsubjectaccessreviews

      verbs:

      - create

    - apiGroups:

      - rbac.authorization.k8s.io

      resources:

      - rolebindings

      - roles

      verbs:

      - create

      - delete

      - deletecollection

      - get

      - list

      - patch

      - update

      - watch

    kubectl create  rolebinding default-ns-admin --clusterrole=admin --user=mageedu

                创建rolebinding  rolebinding名  绑定的角色类型,角色名 给哪个用户绑定角色

    相当于是给mageedu赋予了default 名称管理员的角色,权限 ,admin集群角色作用,权限仅限于授权的名称空间

    kubectl delete pods pod-sa-demo  可以删了 

    kubectl get pods -n kube-system  不具有管理其他名称空间的权限

    kubectl get clusterrolebinding

    kubectl describe  clusterrolebinding cluster-admin

    kubectl get clusterrolebinding cluster-admin  -o yaml  

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRoleBinding

    metadata:

      annotations:

        rbac.authorization.kubernetes.io/autoupdate: "true"

      creationTimestamp: "2019-07-30T12:43:34Z"

      labels:

        kubernetes.io/bootstrapping: rbac-defaults

      name: cluster-admin

      resourceVersion: "96"

      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin

      uid: 4b7462e9-124b-4a61-bc66-fc81435243e1

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole

      name: cluster-admin

    subjects:

    - apiGroup: rbac.authorization.k8s.io

      kind: Group

      name: system:masters

    查看kubernetes-admin从属关系

    cd /etc/kubernetes/pki/

    openssl x509 -in ./apiserver-kubelet-client.crt -text –noout

    小结:

    rolebinding clusterrolebinding

    subject: user  作为授权主体

               group

              serviceaccount 

      role,clusterrole

    object:资源 物体

         rescource group

         rescource

         non-resource url

    action:get list watch patch delete deletecollection ...

  • 相关阅读:
    struct&Method
    SetFinalizer、runtime.GC
    Map(没有写底层)
    数组和切片
    函数
    指针、Time
    字符串、strings、strconv
    基本类型和运算符
    第二阶段的事后诸葛亮
    第二个冲刺阶段第10天
  • 原文地址:https://www.cnblogs.com/leiwenbin627/p/11330272.html
Copyright © 2020-2023  润新知