• kubernetes学习笔记之十:RBAC(二)


         上一章中我们简单讲解了k8s集群用户使用Role/ClusterRole/RoleBinding/ClusterRoleBinding设置不同的权限,但是那里使用的kubeconfig文件是admin的,实际部署过程中每个用户应该使用只包含自己证书、权限受限的kubeconfig文件,下面我们参照实际使用为用户签发证书并配置权限.

    一、创建 dev namespace

    [root@k8s-master-155-221 rbac]# cat create-namespace.yaml 
    # The "dev" namespace: the boundary that the Role and RoleBinding objects
    # created later on this page are scoped to.
    apiVersion: v1
    kind: Namespace
    metadata:
      name: dev
    
    [root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml 
    namespace/dev created
    [root@k8s-master-155-221 rbac]# kubectl get namespaces 
    NAME              STATUS   AGE
    default           Active   51d
    dev               Active   5s
    ingress-nginx     Active   8d
    kube-node-lease   Active   51d
    kube-public       Active   51d
    kube-system       Active   51d

    二、在dev namespace中创建测试pod

    [root@k8s-master-155-221 rbac]# cat pod-demo.yaml 
    # Throw-away test workload in the dev namespace; it exists only so the RBAC
    # checks below have a Pod to list.  Reviewer notes: the image is referenced
    # by a mutable tag (myapp:v1) rather than a digest, and no securityContext or
    # resource limits are set -- acceptable for a lab, add them before reusing
    # this manifest anywhere else.
    apiVersion: v1
    kind: Pod
    metadata: 
      name: dev-pod-demo
      namespace: dev
      labels:
        app: dev-myapp
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
    [root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
    pod/dev-pod-demo created
    [root@k8s-master-155-221 rbac]# kubectl get pods -n dev
    NAME           READY   STATUS    RESTARTS   AGE
    dev-pod-demo   1/1     Running   0          5s

    三、创建dev-read/dev-admin/cluster-read/cluster-admin四个用户,分别对应namespace和cluster的读取和管理(下文只以dev-read为例演示,其余用户的证书和kubeconfig按同样步骤生成,每个用户使用各自独立的证书)

    创建dev-read csr文件(证书的CN会被API Server当作用户名,O会被当作用户组;注意不要把O设为system:masters,否则该用户会通过内置的cluster-admin绑定直接获得整个集群的管理权限)

    [root@k8s-master-155-221 cert]# cat dev-read-csr.json 
    {
      "CN": "dev-read",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "4Paradigm"
        }
      ]
    }

    创建dev-read用户的证书和密钥(下面cfssl关于缺少hosts字段的WARNING对客户端证书来说是正常的,可以忽略。注意Kubernetes API Server不支持吊销客户端证书,证书一旦泄露在过期前都有效,因此私钥要妥善保管,有效期也不要设得过长)

    [root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.pem dev-read-csr.json  | cfssljson -bare dev-read
    2020/01/20 15:59:20 [INFO] generate received request
    2020/01/20 15:59:20 [INFO] received CSR
    2020/01/20 15:59:20 [INFO] generating key: rsa-2048
    2020/01/20 15:59:21 [INFO] encoded CSR
    2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
    2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").

    创建dev-read用户kubeconfig文件

    [root@k8s-master-155-221 cert]# cat tem.kubeconfig 
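    #!/bin/bash
    # Build a kubeconfig for one client-certificate user (default: dev-read).
    # Usage: sh tem.kubeconfig [user]
    # Expects ${cert_dir}/<user>.pem and ${cert_dir}/<user>-key.pem, signed by
    # ${cert_dir}/ca.pem (the cfssl step above).  Because --embed-certs=true is
    # used, the resulting file contains the user's private key: treat it as a
    # secret.  The API server cannot revoke a client certificate once issued.
    #
    # Only POSIX features are used so the script also works when run as
    # "sh tem.kubeconfig" (as on this page); hence no "set -o pipefail".
    set -eu

    user="${1:-dev-read}"
    cert_dir="/mnt/k8s/cert"
    kubeconfig="${user}.kubeconfig"

    # Cluster parameters
    export KUBE_APISERVER="https://172.16.155.220:8443"

    # Cluster entry: pin the cluster CA so the client only trusts this API server.
    kubectl config set-cluster kubernetes \
      --certificate-authority="${cert_dir}/ca.pem" \
      --embed-certs=true \
      --server="${KUBE_APISERVER}" \
      --kubeconfig="${kubeconfig}"

    # Client credentials: the certificate CN is the Kubernetes username and
    # O is the group, so the "user" name here must match the CSR's CN.
    kubectl config set-credentials "${user}" \
      --client-certificate="${cert_dir}/${user}.pem" \
      --client-key="${cert_dir}/${user}-key.pem" \
      --embed-certs=true \
      --kubeconfig="${kubeconfig}"

    # Context: tie the cluster entry and the user together.
    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user="${user}" \
      --kubeconfig="${kubeconfig}"

    # Make it the default context.
    kubectl config use-context kubernetes --kubeconfig="${kubeconfig}"

    # The file embeds the private key; keep it readable by the owner only.
    chmod 600 -- "${kubeconfig}"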
    [root@k8s-master-155-221 cert]# sh tem.kubeconfig 
    Cluster "kubernetes" set.
    User "dev-read" set.
    Context "kubernetes" created.
    Switched to context "kubernetes".

    四、对用户设置不同的权限

    1.配置dev-read用户可以对dev namespace具有读取pod的权限

    拷贝dev-read用户的kubeconfig文件,并查看默认权限

    #master上
    [root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root #在master上拷贝dev-read用户的kubeconfig到集群某个节点上
    #测试节点上
    [root@k8s-node-155-224 ~]# mkdir .kube  #创建kubeconfig默认目录,并把文件重命名为默认文件名config
    [root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config
    #kubeconfig中内嵌了用户私钥,应保证文件权限为600,只有本人可读
    [root@k8s-node-155-224 ~]# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"  #当前dev-read没有任何权限
    [root@k8s-node-155-224 ~]# kubectl get pods -n dev
    Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"

    创建一个对dev namespace具有读取权限的role

    [root@k8s-master-155-221 rbac]# cat role-demo.yaml 
    # Namespaced Role granting read-only access to Pods in "dev".
    # apiGroups "" is the core API group; get/list/watch are the read verbs, so
    # holders cannot create, patch or delete pods.  Subresources such as
    # pods/log and pods/exec are NOT covered by "pods" and would have to be
    # listed explicitly if wanted.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: dev-pods-reader
      namespace: dev
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    [root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml 
    role.rbac.authorization.k8s.io/dev-pods-reader created
    [root@k8s-master-155-221 rbac]# kubectl get role -n dev
    NAME              AGE
    dev-pods-reader   10s

    创建一个RoleBinding,将dev-read用户绑定到上面的dev-pods-reader这个Role上

    [root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml 
    # Binds Role dev-pods-reader to the User "dev-read", inside "dev" only.
    # There is no User object in the API: the subject name is matched against
    # the certificate CN, so it must agree with the CSR exactly.
    # roleRef is immutable once created -- pointing the binding at a different
    # role later requires deleting and re-creating it.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: dev-read-pods
      namespace: dev
    roleRef:  
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: dev-pods-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: dev-read
    [root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
    rolebinding.rbac.authorization.k8s.io/dev-read-pods created
    [root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
    NAME            AGE
    dev-read-pods   7s

    测试:

    [root@k8s-node-155-224 ~]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://172.16.155.220:8443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: dev-read
      name: kubernetes
    current-context: kubernetes
    kind: Config
    preferences: {}
    users:
    - name: dev-read
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    [root@k8s-node-155-224 ~]# kubectl get pods -n dev
    NAME           READY   STATUS    RESTARTS   AGE
    dev-pod-demo   1/1     Running   0          30m
    [root@k8s-node-155-224 ~]# kubectl get pods -n default
    Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"

    2.配置dev-read用户可以对dev namespace具有admin权限(这里为演示方便直接复用dev-read用户;实际环境中应按第三节的规划为dev-admin单独签发证书和kubeconfig,不要让一个叫"read"的用户拥有管理权限)

    [root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
    # Same binding name as before, now pointing at the built-in ClusterRole
    # "admin".  Because this is a RoleBinding (not a ClusterRoleBinding) the
    # grant is confined to the "dev" namespace -- but within dev, "admin" allows
    # managing most namespaced resources including Secrets, and creating Roles
    # and RoleBindings, i.e. the user can hand its own permissions to others.
    # roleRef cannot be changed in place; the "created" output below implies the
    # earlier dev-read-pods binding was deleted before this apply (not shown).
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: dev-read-pods
      namespace: dev
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: dev-read
    [root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
    rolebinding.rbac.authorization.k8s.io/dev-read-pods created

    测试,查看dev-read现在是否可以在dev中创建Deployment/pod(删除操作同理,此处未演示;在default等其它namespace中仍然没有权限)

    [root@k8s-node-155-224 ~]# cat deploy-demo.yaml 
    # Deployment used to prove that dev-read, now bound to ClusterRole "admin"
    # in dev, can create workloads there.  Same lab-only caveats as the Pod
    # above: mutable image tag, no securityContext, no resource limits.
    apiVersion: apps/v1
    kind: Deployment
    metadata: 
      name: myapp-deploy
      namespace: dev
    spec:
      replicas: 3
      selector: 
        matchLabels:
          app: myapp
          release: canary
      template:
        metadata:
          labels:
            app: myapp
            release: canary
        spec:
          containers:
          - name: myapp
            image: ikubernetes/myapp:v1
            ports:
            - name: httpd
              containerPort: 80
    [root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml 
    deployment.apps/myapp-deploy created
    [root@k8s-node-155-224 ~]# kubectl get  deploy -n dev
    NAME           READY   UP-TO-DATE   AVAILABLE   AGE
    myapp-deploy   3/3     3            3           17s
    [root@k8s-node-155-224 ~]# kubectl get  pods  -n dev
    NAME                            READY   STATUS    RESTARTS   AGE
    myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
    myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
    myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s

    #对于整个集群的读取/管理权限,可以通过ClusterRoleBinding绑定ClusterRole(如内置的view/cluster-admin)来实现,具体过程类似,不再赘述。注意通过ClusterRoleBinding绑定的cluster-admin没有任何范围限制,应只授予极少数人;如果只想在某个namespace内使用某个ClusterRole,像上面一样用RoleBinding引用它即可

  • 原文地址:https://www.cnblogs.com/panwenbin-logs/p/12218377.html