• Kubernetes系统安全-授权策略(authorization policy)


                   Kubernetes系统安全-授权策略(authorization policy)

                                         作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。 

    一.Kubernetes授权策略(authorization policy)概述

      紧随认证环节之后的是"授权"检查环境;一个常规请求必须在其请求报文中包含用户名,请求的动作以及目标对象;若存在某授权策略对于此请求给予了许可授权,即授权成功。
    
      Kubernetes授权要求使用通用REST属性与现有的组织范围或云提供商范围的访问控制系统进行交互。
    
      Kubernetes支持多种授权模块,如ABAC模式、RBAC模式和Webhook模式,当管理员创建集群时,他们配置了应该在API服务器中使用的授权模块。
        
      如果配置了多个授权模块,Kubernetes将检查每个模块,如果有任何模块授权请求,则可以继续请求,如果所有模块拒绝请求,则拒绝请求(HTTP状态代码403)。

    1>.Kubernetes的请求属性(Request Attributes)

      user:
        身份验证期间提供的用户字符串。
      group:     经过身份验证的用户所属的组名列表。
      extra:     由身份验证层提供的任意字符串密钥到字符串值的映射。
      API:     指示请求是否针对API资源。
      Request path:     其他非资源终结点(如/api或/healthz)的路径
      API request verb:     API动词get、list、create、update、patch watch、proxy、redirect、delete和deletecollection用于资源请求。
      HTTP request web:     HTTP动词get、post、put和delete用于非资源请求。
      Resource:     正在访问的资源的ID或名称(仅限资源请求)-对于使用get、update、patch和delete谓词的资源请求,必须提供资源名称。
      Subresource:     正在访问的子资源(仅用于资源请求)
      Namespace:     正在访问的对象的命名空间(仅适用于命名空间资源请求)。
      API group:
        正在访问的API组(仅用于资源请求)。enpty字符串指定核心API组。

    2>.授权模块(Authorization Modules)

      Node:
        专用的授权插件,根据Pod对象调度的结果为Node进行授权。
    
      ABAC(Attribute-based access control):
        基于属性的访问控制(ABAC)定义了一种访问控制模式,通过使用将属性组合在一起的策略,将访问权限授予用户。这些策略可以使用任何类型的属性(用户属性、资源属性、对象、环境属性等)。
    
      RBAC(Role-based access control):
        基于角色的访问控制(RBAC)是一种基于企业中各个用户的角色来管理对计算机或网络资源的访问的方法。在这种情况下,访问是单个用户执行特定任务(如查看、创建或修改文件)的能力。
        使用"rbac.authorization.k8s.io" API驱动授权策略,并支持动态配置。
      Webhook:
        WebHook其实就是一个HTTP回调:在发生某些事情时发生的HTTP POST;通过HTTP POST的简单事件通知。实现WebHooks的web应用程序将在发生某些事情时向URL发送消息。

    3>.查看当前操作系统启动的授权

    [root@master200.yinzhengjie.org.cn ~]# ll /etc/kubernetes/manifests/
    total 16
    -rw------- 1 root root 1798 Feb  4 19:39 etcd.yaml
    -rw------- 1 root root 2606 Feb  4 19:39 kube-apiserver.yaml
    -rw------- 1 root root 2533 Feb  4 19:39 kube-controller-manager.yaml
    -rw------- 1 root root 1120 Feb  4 19:39 kube-scheduler.yaml
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml 
        - --authorization-mode=Node,RBAC
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 

    4>.检查API访问权限

      kubectl提供auth can-i子命令,用于快速查询API授权层。
    
      该命令使用SelfSubjectAccessReview API来确定当前用户是否可以执行给定的操作,并且无论使用何种授权模式都可以工作。
    
      管理员可以将此与用户模拟结合起来,以确定其他用户可以执行的操作。

     

    二.RBAC授权模块概述

    1>.什么是RBAC

      基于角色的访问控制(RBAC)根据组织中的角色来限制网络访问,已成为高级访问控制的主要方法之一。
    
      RBAC中的角色是指员工对网络的访问级别。
    
      员工仅可获取有效履行其职责所需的信息:
        访问权限可以是多种因素,如权限、责任和工作能力。
        此外,对计算机资源的访问可以限制在特定的任务上,例如查看、创建或修改文件的能力。

    2>.HTTP方法和kubectl命令的对应动作(verb)关系

      HTTP方法与API endpoint(kubectl)的对应关系:
        POST:
          对应API endpoint的create。
        GET,HEAD:
          对应API endpoint的get(for individual resources)和list(for collections)。
        PUT:
          对应API endpoint的update。
        PATCH:
          对应API endpoint的patch。
        DELETE:
          对应API endpoint的delete(for individual resources),deletecollection(for collections)。

    3>.定义RBAC的规则

      角色关联:
        只有当Subjects已选择或已分配角色时,主题才能行使权限。需要注意的是,一个用户可以对应多个角色。
    
      角色授权:
        必须为Subject授权Subjects的活动角色。   权限授权:
        只有当权限被授权为使用者的活动角色时,使用者才能行使权限。

    4>.Role和ClusterRole

      在RBAC API中,角色包含表示一组权限的规则。权限纯粹是附加的(没有“拒绝”规则)。
    
      角色可以用Role在命名空间中定义,也可以用Cluster Role在集群范围内定义。

      角色只能用于授予对单个命名空间中资源的访问权限。

      ClusterRole可用于授予与角色相同的权限,但由于它们是群集范围的,因此也可用于授予对以下对象的访问权限:
        群集范围的资源(如节点)
        non-resource endpoints(like "/healthz")
        所有命名空间中的命名空间资源(如pods)(例如,运行kubectl get pods所需的所有命名空间)

    5>.Kubernetes内置的集群角色(ClusterRole)

      kubernetes内置了四个角色(https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles):
        cluster-admin:
          默认绑定system:master group。
        admin:
          未绑定(None)
        edit:
          未绑定(None)
        view:
          未绑定(None)

    三.Role应用案例

    1>.创建角色

    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml 
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: default
      name: pods-reader
    rules:
    - apiGroups: [""]   # "" 表示core API group
      resources: ["pods", "pods/log","services"]
      verbs: ["get", "list", "watch"]
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml 
    role.rbac.authorization.k8s.io/pods-reader created
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get roles
    NAME          AGE
    pods-reader   11s
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl get roles -o yaml
    apiVersion: v1
    items:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods","pods/log","services"],"verbs":["get","list","watch"]}]}
        creationTimestamp: "2020-02-14T23:35:51Z"
        name: pods-reader
        namespace: default
        resourceVersion: "983543"
        selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/pods-reader
        uid: 0733946d-24d5-4af1-9aaf-7c902fd7769f
      rules:
      - apiGroups:
        - ""
        resources:
        - pods
        - pods/log
        - services
        verbs:
        - get
        - list
        - watch
    kind: List
    metadata:
      resourceVersion: ""
      selfLink: ""
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get roles -o yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe  roles 
    Name:         pods-reader
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules...
    PolicyRule:
      Resources  Non-Resource URLs  Resource Names  Verbs
      ---------  -----------------  --------------  -----
      pods/log   []                 []              [get list watch]
      pods       []                 []              [get list watch]
      services   []                 []              [get list watch]
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe roles

    2>.创建jason用户,无权限获取pods信息

      博主推荐阅读:
        https://www.cnblogs.com/yinzhengjie/p/12302138.html

      

    3>.使用角色绑定(rolebinding)和创建的用户进行绑定后,可以正常读取pods信息啦

    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: jason-pods-reader
      namespace: default
    subjects:
    - kind: User
      name: jason
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pods-reader
      apiGroup: rbac.authorization.k8s.io
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
    rolebinding.rbac.authorization.k8s.io/jason-pods-reader created
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding
    NAME                AGE
    jason-pods-reader   16s
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding -o yaml
    apiVersion: v1
    items:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pods-reader"},"subjects":[{"apiGroup":"rbac.a
    uthorization.k8s.io","kind":"User","name":"jason"}]}    creationTimestamp: "2020-02-14T23:45:26Z"
        name: jason-pods-reader
        namespace: default
        resourceVersion: "985062"
        selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/jason-pods-reader
        uid: 5cfa58f8-4253-4558-be14-058e7891503c
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: pods-reader
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: jason
    kind: List
    metadata:
      resourceVersion: ""
      selfLink: ""
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding -o yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding
    NAME                AGE
    jason-pods-reader   72s
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe rolebinding
    Name:         jason-pods-reader
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader","namespace":"def...
    Role:
      Kind:  Role
      Name:  pods-reader
    Subjects:
      Kind  Name   Namespace
      ----  ----   ---------
      User  jason  
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe rolebinding

    四.ClusterRole应用案例

    1>.创建ClusterRole

    [root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cluster-pod-reader
    rules:
    - apiGroups: ["*"]
      resources: ["pods", "pods/log","services","deloyments"]
      verbs: ["get", "list", "watch"]
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
    clusterrole.rbac.authorization.k8s.io/cluster-pod-reader created
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrole cluster-pod-reader
    NAME                 AGE
    cluster-pod-reader   84s
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]#  
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrole cluster-pod-reader -o yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-pod-reader"},"rules":[{"apiGroups":["*"],"resources":["pods","pods/log","services","deloyments"],"verbs":["get","list","watch"]}]}
      creationTimestamp: "2020-02-15T00:27:20Z"
      name: cluster-pod-reader
      resourceVersion: "991729"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-pod-reader
      uid: f2169cb2-89d9-4472-bcb8-a6fb3b80c0e7
    rules:
    - apiGroups:
      - '*'
      resources:
      - pods
      - pods/log
      - services
      - deloyments
      verbs:
      - get
      - list
      - watch
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrole cluster-pod-reader -o yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrole cluster-pod-reader 
    Name:         cluster-pod-reader
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-pod-reader"},"rules":[{"api...
    PolicyRule:
      Resources     Non-Resource URLs  Resource Names  Verbs
      ---------     -----------------  --------------  -----
      deloyments.*  []                 []              [get list watch]
      pods.*/log    []                 []              [get list watch]
      pods.*        []                 []              [get list watch]
      services.*    []                 []              [get list watch]
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrole cluster-pod-reader

    2>.创建ClusterRoleBinding

    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml 
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: jason-pods-reader
    subjects:
    - kind: User
      name: jason
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: cluster-pod-reader
      apiGroup: rbac.authorization.k8s.io
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml 
    clusterrolebinding.rbac.authorization.k8s.io/jason-pods-reader created
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader 
    NAME                AGE
    jason-pods-reader   51s
    [root@master200.yinzhengjie.org.cn ~]#  
    [root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader 
    NAME                AGE
    jason-pods-reader   81s
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader -o yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-pod-reader"},"subjects":[{"apiGroup":"rbac.auth
    orization.k8s.io","kind":"User","name":"jason"}]}  creationTimestamp: "2020-02-15T00:31:56Z"
      name: jason-pods-reader
      resourceVersion: "992468"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/jason-pods-reader
      uid: 01fc89b3-6b9c-4f79-ac9c-18563824b3b7
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-pod-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: jason
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader -o yaml
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrolebinding jason-pods-reader 
    Name:         jason-pods-reader
    Labels:       <none>
    Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                    {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader"},"roleRef...
    Role:
      Kind:  ClusterRole
      Name:  cluster-pod-reader
    Subjects:
      Kind  Name   Namespace
      ----  ----   ---------
      User  jason  
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# 
    [root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrolebinding jason-pods-reader

    五.

  • 相关阅读:
    android 布局边框的使用,在xml文件中配置边框大小及颜色
    android去掉layout顶部的阴影(状态栏下边的阴影)
    ExpandableListView
    addTextChangedListener有错
    Android EditText____TextchangedListener
    LinkedHashMap.get("key")
    适配器模式(Java代码)
    单例模式(Java代码)
    工厂方法模式(Java代码)
    质数算法
  • 原文地址:https://www.cnblogs.com/yinzhengjie/p/12310192.html
Copyright © 2020-2023  润新知