https://www.bookstack.cn/read/kubernetes-handbook/guide-kubectl-user-authentication-authorization.md
https://blog.csdn.net/weixin_43384009/article/details/105980976
主要的一点一定要记住:
CN是用户名admin
O是组名admin
后面会对授权角色都用得上
1)创建用户最好就是CN指定的用户
kubectl config set-credentials admin
2)创建serviceaccount用户
kubectl create namespace admin
kubectl create serviceaccount admin
3)RoleBinding角色绑定,将权限授权给用户CN(admin),组就是O(admin),或serviceaccount(admin)
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options] -n 【namespace】
1.自签证书颁发机构(CA)
cd /root/TLS/k8s
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
root@k8s-master:~/TLS/k8s # cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/08/27 15:05:30 [INFO] generating a new CA key and certificate from CSR
2020/08/27 15:05:30 [INFO] generate received request
2020/08/27 15:05:30 [INFO] received CSR
2020/08/27 15:05:30 [INFO] generating key: rsa-2048
2020/08/27 15:05:31 [INFO] encoded CSR
2020/08/27 15:05:31 [INFO] signed certificate with serial number 543074556734204684883324478113935421961362062670
root@k8s-master:~/TLS/k8s # ll *pem
-rw------- 1 root root 1.7K Aug 27 15:05 ca-key.pem
-rw-r--r-- 1 root root 1.4K Aug 27 15:05 ca.pem
用户wubo
root@localhost:~/TLS/k8s # cat wubo-csr.json
{
"CN": "wubo",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "wubo",
"OU": "dev"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes wubo-csr.json | cfssljson -bare wubo
用户admin
root@localhost:~/TLS/k8s # cat admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "System"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
admin用户最好是system:masters 组这个组是系统组也就是k8s集群的组 此处的kind可以是:User、ServiceAccount和Group。当然也可以不是这个组,任意写 o:admin ou:superred 最后让admin用户与系统角色绑定也可以。kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=cluster-admin --user=admin
[root@localhost k8s]# kubectl describe clusterrolebinding cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
cluster-admin角色的具体权限很大
[root@localhost k8s]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
创建用户
集群管理员用户针对所有资源所有namespace的
kubectl config set-cluster kubernetes --server=https://10.10.3.139:6443 --certificate-authority=ca.pem --embed-certs=true
kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true
kubectl config set-context admin@kubernetes --cluster=kubernetes --user=admin
切到admin
kubectl config use-context admin@kubernetes
如果在上面的admin-csr.json指定了O组是system:masters,则已经有最高角色和权限了 kubectl可以直接使用 默认配置在 ~/.kube/config. 否则要授权或角色绑定给用户kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=cluster-admin --user=admin
===========================================================================================
普通用户,针对单个namespace的
kubectl config set-cluster kubernetes --server=https://10.10.3.139:6443 --certificate-authority=ca.pem --embed-certs=true --kubeconfig=wubo.kubeconfig
kubectl config set-credentials wubo --client-certificate=wubo.pem --client-key=wubo-key.pem --embed-certs=true --kubeconfig=wubo.kubeconfig
kubectl config set-context wubo@kubernetes --cluster=kubernetes --user=wubo --namespace wubo --kubeconfig=wubo.kubeconfig
切到wubo
kubectl config use-context wubo@kubernetes --kubeconfig=wubo.kubeconfig
没有任何角色和权限 需要授权绑定角色
此时用户通过认证,但还没有权限操作集群资源,需要继续添加授权。
清理用户
kubectl config delete-context wubo@kubernetes
kubectl config delete-cluster kubernetes
kubectl config unset wubo@kubernetes
rm -rf ~/.kube/config
一、简介
基于角色的访问控制(“RBAC”)
http://docs.kubernetes.org.cn/80.html
(1)
Kubernetes的授权是基于插件形式的,常用的授权插件有以下几种:
- Node:node节点授权
- ABAC:基于属性的访问控制
- RBAC:基于角色的访问控制
- Webhook:自定义http回调方法
基于角色的访问控制:如图,先让一个用户(Users)扮演一个角色(Role),让角色(Role)拥有权限,从而让用户拥有这样的权限,然后在授权机制当中,只需要将权限授予某个角色,此时用户将获取对应角色的权限,从而实现角色的访问控制;
(2)Role和ClusterRole
Role是一系列的权限的集合,例如一个Role可以包含读取 Pod 的权限和列出 Pod 的权限, ClusterRole 跟 Role 类似,但是可以在集群中全局使用。
Role只能授予单个namespace 中资源的访问权限。
ClusterRole授权 >= Role授予(与Role类似),但ClusterRole属于集群级别对象:
-
- 集群范围(cluster-scoped)的资源访问控制(如:节点访问权限)
- 非资源类型(如“/ healthz”)
- 所有namespaces 中的namespaced 资源(如 pod)
(3)RoleBinding和ClusterRoleBinding
RoleBinding是将Role中定义的权限授予给用户或用户组。它包含一个subjects列表(users,groups ,service accounts),并引用该Role,Role有了权限,用户也就有了权限。RoleBinding在某个namespace 内授权,ClusterRoleBinding适用在集群范围内使用。
RoleBinding可以引用相同namespace下定义的Role。
Role和ClusterRole、RoleBinding和ClusterRoleBinding关系如下图:
(4)
使用RoleBinding去绑定ClusterRole:
如果有10个名称空间,每个名称空间都需要一个管理员,而这些管理员的权限都是一致的。那么此时需要去定义这样的管理员,使用RoleBinding就需要创建10个Role,这样显得很麻烦。为此当使用RoleBinding去绑定一个ClusterRole时,该User仅仅拥有对当前名称空间的集群操作权限,而不是拥有所有名称空间的权限,所以此时只需要创建一个ClusterRole代替掉10个Role就解决了以上的需求。
基础信息创建:
创建ns
root@localhost:~/TLS/k8s # kubectl create ns wubo namespace/wubo created
创建sc
root@localhost:~/TLS/k8s # kubectl create serviceaccount wubo -n wubo serviceaccount/wubo created
查看信息
root@localhost:~/TLS/k8s # kubectl describe serviceaccount wubo -n wubo Name: wubo
Namespace: wubo
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: wubo-token-j5l5n
Tokens: wubo-token-j5l5n
Events: <none>
root@localhost:~/TLS/k8s # kubectl describe secret wubo -n wubo
Name: wubo-token-j5l5n
Namespace: wubo
Labels: <none>
Annotations: kubernetes.io/service-account.name: wubo
kubernetes.io/service-account.uid: cd794b7e-afb5-4dcc-8513-e472d1163538
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 4 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Imtla2RhLS1SZ0NBUkVYTkY3eTZSWkE4UkNJVWJ2d0doS3NrYXpOOXlreWcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3dWJvIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Ind1Ym8tdG9rZW4tajVsNW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoid3VibyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImNkNzk0YjdlLWFmYjUtNGRjYy04NTEzLWU0NzJkMTE2MzUzOCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDp3dWJvOnd1Ym8ifQ.JP1zGwS9LDxEL9CqZC0TnCpePPDQgljzoxu3FnC-w2wfcaMFn1cH8syMpNoPhd-IUgZ1mVLpCZS-Ch-CIJS5lcID1e03A3mhKAvq_c14D1nzmFjL7MG_TSmBoAs6Xvda8GefMEhbXMxEcp9LSBTKNoPfLY9k0d1AB80mVaPB-cF0Av-wyJtnah5CXyTnwWtcaUvd7i7vTco2VIXEmEiqr1JAE3GiRPV-u55nF9w83jEqPGJxdjjYMiL2czcST2ad8NGoGa5aN1uOr_tzw4DotmI9nHuiZqx1LAQQ6WMioNezfQhUt3nMytYHxMyzkyQoIFZXhR8y0C3SLFO1pPJ9CQ
二、RBAC应用
对User进行访问权限的控制
(1)Role --> User -->Rolebinding
使用kubectl create进行创建角色(role),指定角色名称,--verb指定权限,--resource指定资源或者资源组,--dry-run:此模式不会真的创建;
root@localhost:~/TLS/k8s # kubectl create role wubo-role --verb=get,list,watch --resource=pods --dry-run -o yaml -n wubo
W0831 13:57:23.584932 7602 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: wubo-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
b、生成资源定义清单
root@localhost:~/TLS/k8s # kubectl create role wubo-role --verb="*" -n wubo --resource="*" --dry-run -o yaml > role-wubo.yaml 1 ↵
W0831 14:01:13.075799 7913 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client.
root@localhost:~/TLS/k8s # cat role-wubo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: wubo-role
namespace: wubo
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
检查是否有namespace没有手动加上
root@localhost:~/TLS/k8s # kubectl create -f role-wubo.yaml
role.rbac.authorization.k8s.io/wubo-role created
root@localhost:~/TLS/k8s # kubectl get role wubo-role -n wubo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2020-08-31T06:03:43Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:rules: {}
manager: kubectl
operation: Update
time: "2020-08-31T06:03:43Z"
name: wubo-role
namespace: wubo
resourceVersion: "752909"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/wubo/roles/wubo-role
uid: e32ac2db-e240-4cd1-969b-d0e3ca20a2a5
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
或者
root@localhost:~/TLS/k8s # kubectl create role wubo-role --verb="*" --resource="*" -n wubo
role.rbac.authorization.k8s.io/wubo-role created
root@localhost:~/TLS/k8s # kubectl describe role wubo-role -n wubo -o yaml
Error: unknown shorthand flag: 'o' in -o
See 'kubectl describe --help' for usage.
root@localhost:~/TLS/k8s # kubectl describe role wubo-role -n wubo -o yaml 1 ↵
Error: unknown shorthand flag: 'o' in -o
See 'kubectl describe --help' for usage.
root@localhost:~/TLS/k8s # kubectl get role wubo-role -n wubo -o yaml 1 ↵
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2020-08-31T05:59:14Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:rules: {}
manager: kubectl
operation: Update
time: "2020-08-31T05:59:14Z"
name: wubo-role
namespace: wubo
resourceVersion: "752290"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/wubo/roles/wubo-role
uid: e2bde214-bf56-4c72-a98a-0feb12cf74e0
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
(2)RoleBinding角色绑定,将权限授权给用户wubo
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options] -n 【namespace】
使用kubectl create进行创建角色绑定,指定角色绑定的名称,--role|--clusterrole指定绑定哪个角色,--user指定哪个用户,--serviceaccount指的sc的用户内部用户;
root@localhost:~/TLS/k8s # kubectl create rolebinding wubo-binding --role=wubo-role --user=wubo -n wubo
rolebinding.rbac.authorization.k8s.io/wubo-binding created
root@localhost:~/TLS/k8s # kubectl describe rolebinding wubo-binding -n wubo
Name: wubo-binding
Labels: <none>
Annotations: <none>
Role:
Kind: Role
Name: wubo-role
Subjects:
Kind Name Namespace
---- ---- ---------
User wubo
root@localhost:~/TLS/k8s # kubectl get rolebinding wubo-binding -n wubo -o yaml 1 ↵
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2020-08-31T06:19:33Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:roleRef:
f:apiGroup: {}
f:kind: {}
f:name: {}
f:subjects: {}
manager: kubectl
operation: Update
time: "2020-08-31T06:19:33Z"
name: wubo-binding
namespace: wubo
resourceVersion: "755077"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/wubo/rolebindings/wubo-binding
uid: d88082b0-f1ef-48ac-98c7-3b86ff8a3970
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: wubo-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: wubo
测试一下
kubectl run nginx-test --image=nginx --port=80 -n wubo
把wubo.kubeconfig文件拷贝到其他有kubectl节点去 scp wubo.kubeconfig ip:/root/.kube/config
没考之前
[root@localhost ~]# kubectl get pods -o wide
The connection to the server localhost:8080 was refused - did you specify the right host or port?
考了之后
[root@localhost ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-test 1/1 Running 0 2m29s 10.244.0.10 10.10.3.179 <none> <none>
wubo用户的权限是只能在wubo的namespace。
[root@localhost ~]# kubectl get pods -o wide -n kube-system
Error from server (Forbidden): pods is forbidden: User "wubo" cannot list resource "pods" in API group "" in the namespace "kube-system"
(3)ClusterRole-->ClusterRoleBinding-->User
在master执行
root@localhost:~/TLS/k8s # kubectl delete rolebinding wubo-binding -n wubo
rolebinding.rbac.authorization.k8s.io "wubo-binding" deleted
在其他有kubectl的节点执行
[root@localhost ~]# kubectl get pods -o wide
Error from server (Forbidden): pods is forbidden: User "wubo" cannot list resource "pods" in API group "" in the namespace "wubo"
创建集群角色 wubo-clusterrole 针对所有namespace
[root@localhost ~]# kubectl create clusterrole wubo-clusterrole --verb="*" --resource="*"
clusterrole.rbac.authorization.k8s.io/wubo-clusterrole created
[root@localhost ~]# kubectl get clusterrole wubo-clusterrole -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: "2020-08-31T07:46:06Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:rules: {}
manager: kubectl
operation: Update
time: "2020-08-31T07:46:06Z"
name: wubo-clusterrole
resourceVersion: "766919"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/wubo-clusterrole
uid: be9c9aea-4e94-4412-bbd6-5f3253c3c2f5
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
给wubo用户赋予 cluster-admin 集群角色
root@localhost:~/TLS/k8s # kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=cluster-admin --user=wubo 1 ↵
clusterrolebinding.rbac.authorization.k8s.io/wubo-admin-cluseter created
或者自定义的集群角色
root@localhost:~/TLS/k8s # kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=wubo-clusterrole --user=wubo 1 ↵
clusterrolebinding.rbac.authorization.k8s.io/wubo-admin-cluseter created
此时其他kubectl的节点拥有全部权限了,很大的权限 ,可以查看其他namespace下面的资源了
[root@localhost ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.10.3.179 Ready <none> 3d22h v1.18.8
10.10.3.197 Ready <none> 3d5h v1.18.8
[root@localhost ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-test 1/1 Running 0 12m 10.244.0.10 10.10.3.179 <none> <none>
(4)clusterrole --> rolebinding --> user
将wubo通过rolebinding到集群角色clusterrole中,此时,wubo仅作用于当前名称空间的所有pods资源的权限;
root@localhost:~/TLS/k8s # kubectl create rolebinding wubo-admin --clusterrole=cluster-admin --user=wubo -n wubo
rolebinding.rbac.authorization.k8s.io/wubo-admin created
root@localhost:~/TLS/k8s # kubectl get rolebinding -n wubo
NAME ROLE AGE
wubo-admin ClusterRole/cluster-admin 12s
root@localhost:~/TLS/k8s # kubectl get rolebinding -n wubo -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2020-08-31T07:52:40Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:roleRef:
f:apiGroup: {}
f:kind: {}
f:name: {}
f:subjects: {}
manager: kubectl
operation: Update
time: "2020-08-31T07:52:40Z"
name: wubo-admin
namespace: wubo
resourceVersion: "767824"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/wubo/rolebindings/wubo-admin
uid: 4d328b1f-a1c2-48c8-ad01-e5276349c199
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: wubo
kind: List
metadata:
resourceVersion: ""
selfLink: ""
可见wubo可以访问当前namespace的pod,但是不能访问其他namespace的pod;因为这种绑定方式,clusterrole是被降级的;
(5)RBAC的三种授权访问方式
RBAC不仅可以对user进行访问权限的控制,还可以通过group和serviceaccount进行访问权限控制。user即单个用户,group是对一个组内的user进行授权;
上一节学习了Pod可以通过 spec.serviceAccountName来定义其是以某个serviceaccount的身份进行运行,当我们通过RBAC对serviceaccount进行访问授权时,就可以实现Pod对其他资源的访问权限进行控制。也就是说,当我们对serviceaccount进行rolebinding或clusterrolebinding,会使创建Pod拥有对应角色的权限和apiserver进行通信。
https://www.cnblogs.com/weiyiming007/p/10484763.html
对group进行访问权限的控制
其他有kubectl的节点操作目前是不可行的
[root@localhost ~]# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "wubo" cannot list resource "nodes" in API group "" at the cluster scope
csr申请证书文件 用户名CN:wubo 组O:superred:dev
[root@localhost k8s]# cat wubo-csr.json
{
"CN": "wubo",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "superred:dev",
"OU": "System"
}
]
}
生成wubo的公钥wubo.pem和私钥 wubo-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes wubo-csr.json | cfssljson -bare wubo
[root@localhost k8s]# ls wubo*
wubo.csr wubo-csr.json wubo-key.pem wubo.kubeconfig wubo.pem
创建用户
#设置集群
[root@localhost k8s]#kubectl config set-cluster kubernetes --server=https://10.10.3.163:6443 --certificate-authority=ca.pem --embed-certs=true --kubeconfig=wubo.kubeconfig
#创建用户 CN wubo
[root@localhost k8s]#kubectl config set-credentials wubo --client-certificate=wubo.pem --client-key=wubo-key.pem --embed-certs=true --kubeconfig=wubo.kubeconfig
#设置上下文
[root@localhost k8s]#kubectl config set-context wubo@kubernetes --cluster=kubernetes --user=wubo --kubeconfig=wubo.kubeconfig
#使用上下文
[root@localhost k8s]# kubectl config use-context wubo@kubernetes --kubeconfig=wubo.kubeconfig
最重要的一步:创建角色绑定 指定组信息就是O: superred:dev
此处有很多事情可以做,我只是用了系统默认的角色而且还是集群角色,可以自己创建角色 给角色赋予权限可以操作那些资源,根据需求自己发挥去吧。还可以是单namespace角色
[root@localhost k8s]# kubectl create clusterrolebinding superred:dev:cluster-admin --group=superred:dev --clusterrole=cluster-admin
以后在创建用户的时候指定这个组就可以了 不用在创建绑定了 直接就有这个权限了
[root@localhost k8s]# cat wuqi-csr.json
{
"CN": "wuqi",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "superred:dev",
"OU": "System"
}
]
[root@localhost k8s]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes wuqi-csr.json | cfssljson -bare wuqi
[root@localhost k8s]# ls wuqi*
wuqi.csr wuqi-csr.json wuqi-key.pem wuqi.kubeconfig wuqi.pem
[root@localhost k8s]# kubectl config set-cluster kubernetes --server=https://10.10.3.163:6443 --certificate-authority=ca.pem --embed-certs=true --kubeconfig=wuqi.kubeconfig
[root@localhost k8s]# kubectl config set-credentials wuqi --client-certificate=wuqi.pem --client-key=wuqi-key.pem --embed-certs=true --kubeconfig=wuqi.kubeconfig
[root@localhost k8s]# kubectl config set-context wuqi@kubernetes --cluster=kubernetes --user=wuqi --kubeconfig=wuqi.kubeconfig
[root@localhost k8s]# kubectl config use-context wuqi@kubernetes --kubeconfig=wuqi.kubeconfig
拷给其他带有kubectl的节点
[root@localhost ~]# cat wuqi.kubeconfig > ~/.kube/config
效果可以查看到了
[root@localhost ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.10.3.167 Ready <none> 5h17m v1.18.8
这是因为最新版的k8s默认启用了RBAC,并为未认证用户赋予了一个默认的身份:anonymous。
对serviceaccount进行访问权限的控制
创建服务账号(serviceAccount)
[root@localhost k8s]# kubectl create serviceaccount superred
serviceaccount/superred created
这时候将得到一个在 default namespace 的 serviceaccount 账号;运行kubectl get serviceaccount superred
将得到如下结果:
[root@localhost k8s]# kubectl get serviceaccount superred
NAME SECRETS AGE
superred 1 14s
[root@localhost k8s]# kubectl describe serviceaccount superred
Name: superred
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: superred-token-5mxff
Tokens: superred-token-5mxff
Events: <none>
因为在使用 serviceaccount 账号配置 kubeconfig 的时候需要使用到 superred 的 token, 该 token 保存在该 serviceaccount 保存的 secret 中;
[root@localhost k8s]# kubectl get secret
NAME TYPE DATA AGE
default-token-cr6t4 kubernetes.io/service-account-token 3 6h6m
superred-token-5mxff kubernetes.io/service-account-token 3 2m32s
[root@localhost k8s]# kubectl get secret superred-token-5mxff -o yaml
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVUVg3TGNpS1Q2L1lDMEs2UURiRGZwUjNNY24wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl4TURJd09EQXhNVEV3TUZvWERUSTJNREl3TnpBeE1URXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbGFXcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdmIyekszeE1uN1NlNW8reDI2blUKclpRSGFZT1FTRVF0REhQaWhNRXR2cVBHak9lOVFmUWdDclBBR0M3ejB3UlozNmNYZ3IzakZUcWVqTHFraHh5bwpvTkhRK3l6UmZ5R1lkVGhBbWYvQzBqL1FmTjhZbU5HY1BGU2dMSm5RcW9GZUFHWmo3bTlndFpTNVdFM21YOC9CClNjb0VSQXdQZFlrbURJSVJwZElUYnFpbmFoZkVaSHZOWFo1M3NPa051ai81Y0ZDdjFHaG03SUxNRGlSOVRwNkQKcllBbTJjS2dabHdySkQ0MGtGeVo5MllKV3dDSExFVy9LeFg3NnAyRFk3SWpONGppYWlPNi9EMWJvWlJjazIvUgpZSVEzK3FIQVU1RUZlakZrMnlLZDJCWWhzd2hDRWNOWm4xWkp4T0pLVWFyMDR3a3ZOVEM5N3VCRW9uUTNrd3R0CjZ3SURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVWDhSdVozWis5eFhoS2xBSWtIY01PVjBDcnNrd0h3WURWUjBqQkJnd0ZvQVVYOFJ1WjNaKwo5eFhoS2xBSWtIY01PVjBDcnNrd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBQkROWjBDVTVnQWUvN0tjUjhxCkMwcmJhM0xpU3ZLVkcvekt6VU9DQnNrd056akVqbGxJYy9NWi9TOHdyeFJvOGRyTU54TnRHbXRFejNiRStxcjYKWHdzcXAra24vSEhhY2x6TEtObHJHV0h1cUlsbFh0NDhjSFdjSUJ5THBwMVpGUTFzNzJ4VWUzQ25CNFpzN2picAp5TzY2RVBiQnFQbWlQamZUd1V6dEJLcFRqS2M3YXc0bmsyc3RiS0tuN3NzRVQxRlVQd05UMVJQQythdVhQS2JQCnZtV21DSDVCeTlFVjBxRi81OEQ3dGk3YWpZR3JhTjdEV2FHNW9DNktGU1dGTmhvZXgrRTNRS1lacktsbzVsTkgKODliTHpSS2lUZk91VE9tYk12bVVvK1ZtTGYwK3g1aWQ4S0poWW91b3IzYm9TMXNFNzVseHNkNnBRVnpYVGExTApmWk09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
namespace: ZGVmYXVsdA==
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklrWkxOalpJY25oRUxWOU5kRzlxVTAxc1puZFFMVVp0T0hWc1kwZ3dVVTQzYTJSNFlXTjVaVWhvUzFVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbk4xY0dWeWNtVmtMWFJ2YTJWdUxUVnRlR1ptSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW5OMWNHVnljbVZrSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWRXbGtJam9pTURCbU9UVTVNakF0T1RJMFpDMDBOamd4TFRoalpqZ3RNamN5TVRnNVlqTTFaV0kxSWl3aWMzVmlJam9pYzNsemRHVnRPbk5sY25acFkyVmhZMk52ZFc1ME9tUmxabUYxYkhRNmMzVndaWEp5WldRaWZRLm1jeDJSYUl2S0JKWXVZSTJoWFNqYlN3MUFOYjE4Uk9RNTVIa1VNbEl6dU90YnZYdHBnbkdoTGZKNFZmVnRxVDhjN0VTQ3FZeGc1UWlzdXIxMGk0QlVZdkwyMnNYOHNRNnN0RXBWemdYQlZ4RzdVbGU5Q3NKa2V6YXJjaWlFNS1sakcyMUlqczZiMDNpb2NVZFVnWjJPTXVmWXJmb1RVX2NQNTFpMDgxbUNnRHllOWpCNXRFS2dfczBkZkIwZl9SeElRZHNta3BqS0dpcEFwU0dCbGkweDQxTXhIMTFLLTZDaUxGVE9hUkJuNFdIcTlzZUxCa2RXeFdNanFObklJOU9BcFVVNkxCb0tJWXMzYURydVZKcUI1ZWItYzRpc3JFSFgtWkpjSGhRNThJZm1GNkh2OHN6WkZ1VTlMV0JkQWxxZGdjVG5CSTgzSzRVb3Z0S1lUUjlrdw==
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: superred
kubernetes.io/service-account.uid: 00f95920-924d-4681-8cf8-272189b35eb5
creationTimestamp: "2021-02-08T07:50:49Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:ca.crt: {}
f:namespace: {}
f:token: {}
f:metadata:
f:annotations:
.: {}
f:kubernetes.io/service-account.name: {}
f:kubernetes.io/service-account.uid: {}
f:type: {}
manager: kube-controller-manager
operation: Update
time: "2021-02-08T07:50:49Z"
name: superred-token-5mxff
namespace: default
resourceVersion: "47897"
selfLink: /api/v1/namespaces/default/secrets/superred-token-5mxff
uid: 9fd1151e-c87a-468e-9eca-2d7e53b1b252
type: kubernetes.io/service-account-token
[root@localhost k8s]#
DASH_TOCKEN=$( kubectl get secrets $(kubectl get secret | awk '/superred-token/{print $1}') -o jsonpath={.data.token}|base64 -d)
[root@localhost k8s]# echo $DASH_TOCKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6IkZLNjZIcnhELV9NdG9qU01sZndQLUZtOHVsY0gwUU43a2R4YWN5ZUhoS1UifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InN1cGVycmVkLXRva2VuLTVteGZmIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InN1cGVycmVkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDBmOTU5MjAtOTI0ZC00NjgxLThjZjgtMjcyMTg5YjM1ZWI1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c3VwZXJyZWQifQ.mcx2RaIvKBJYuYI2hXSjbSw1ANb18ROQ55HkUMlIzuOtbvXtpgnGhLfJ4VfVtqT8c7ESCqYxg5Qisur10i4BUYvL22sX8sQ6stEpVzgXBVxG7Ule9CsJkezarciiE5-ljG21Ijs6b03iocUdUgZ2OMufYrfoTU_cP51i081mCgDye9jB5tEKg_s0dfB0f_RxIQdsmkpjKGipApSGBli0x41MxH11K-6CiLFTOaRBn4WHq9seLBkdWxWMjqNnII9OApUU6LBoKIYs3aDruVJqB5eb-c4isrEHX-ZJcHhQ58IfmF6Hv8szZFuU9LWBdAlqdgcTnBI83K4UovtKYTR9kw
创建角色
比如想创建一个只可以查看集群deployments
,services
,pods
相关的角色,应该使用如下配置 这里我就用系统角色了clusterRole/cluster-admin
创建角色绑定
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options] --namespace=namespace
#将clusterrole绑定到这个服务账户上
kubectl create clusterrolebinding superred:serveraccount --clusterrole=cluster-admin --serviceaccount=default:superred
配置 kubeconfig
经过以上的步骤,最开始创建的 serviceaccount 就可以用来访问我们的集群了, 同时我们可以动态更改 ClusterRole
的授权来及时控制某个账号的权限(这也是使用 serviceaccount 的好处);
1 获取token
[root@localhost k8s]# DASH_TOCKEN=$( kubectl get secrets $(kubectl get secret | awk '/superred-token/{print $1}') -o jsonpath={.data.token}|base64 -d)
2. 设置集群
[root@localhost k8s]# kubectl config set-cluster kubernetes --server=https://10.10.3.163:6443 --kubeconfig=/root/superred-serveraccount.conf
3. 设置用(dashboard-admin)用token
[root@localhost k8s]# kubectl config set-credentials superred --token=$DASH_TOCKEN --kubeconfig=/root/superred-serveraccount.conf
4设置上下文参数
[root@localhost k8s]# kubectl config set-context superred-serveraccount@kubernets --cluster=kubernetes --user=superred --namespace=default --kubeconfig=/root/superred-serveraccount.conf
5. 设置默认上线文
[root@localhost k8s]# kubectl config use-context superred-serveraccount@kubernets --kubeconfig=/root/superred-serveraccount.conf
https://www.cnblogs.com/mjiu/p/10395220.html
为 service account 添加 ImagePullSecret
ImagePullSecret用于从私有仓库pull镜像
$ kubectl create secret docker-registry myregistrykey --docker-server=10.10.10.12 --docker-username=admin --docker-password=HarBor12345 --docker-email=xxxx
secret/myregistrykey created.
说明 : --docker 开头的参数分别指定了私有仓库的地址用户和密码
首先,创建一个 imagePullSecret,详见这里(或者上面)。然后,确认已创建。如:
$ kubectl get secrets myregistrykey
NAME TYPE DATA AGE
myregistrykey kubernetes.io/.dockerconfigjson 1 1d
然后,修改 namespace 中的默认 service account 使用该 secret 作为 imagePullSecret。
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
手动创建 service account 的 API token
有一个superred的 service account,现在手动创建一个新的 secret。
$ cat > /tmp/superred-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: superred-secret
annotations:
kubernetes.io/service-account.name: superred
type: kubernetes.io/service-account-token
EOF
$ kubectl create -f /tmp/superred-secret.yaml
secret "superred-secret" created
现在可以确认下新创建的 secret 取代了 superred 这个 service account 原来的 API token。
服务账户的自动化
服务账户准入控制器(Service account admission controller)
如果该 pod 没有 ServiceAccount 设置,将其 ServiceAccount 设为 default。
保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
如果 pod 不包含 ImagePullSecrets 设置,那么 将 ServiceAccount 中的 ImagePullSecrets 信息添加到 pod 中。
将一个包含用于 API 访问的 token 的 volume 添加到 pod 中。
将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中。
Token 控制器(Token controller)
检测服务账户的创建,并且创建相应的 Secret 以支持 API 访问。
检测服务账户的删除,并且删除所有相应的服务账户 Token Secret。
检测 Secret 的增加,保证相应的服务账户存在,如有需要,为 Secret 增加 token。
检测 Secret 的删除,如有需要,从相应的服务账户中移除引用。
服务账户控制器(Service account controller)
服务账户管理器管理各命名空间下的服务账户,并且保证每个活跃的命名空间下存在一个名为 “default” 的服务账户
kubernetes的用户组
Kubernetes 还拥有“用户组”(Group)的概念:
ServiceAccount对应内置“用户”的名字是:
system:serviceaccount:<ServiceAccount名字 >
而用户组所对应的内置名字是:
system:serviceaccounts:<Namespace名字 >
示例1:表示mynamespace中的所有ServiceAccount
subjects:
- kind: Group
name: system:serviceaccounts:mynamespace
apiGroup: rbac.authorization.k8s.io
示例2:表示整个系统中的所有ServiceAccount
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
Kubernetes 还提供了四个预先定义好的 ClusterRole 来供用户直接使用:
cluster-amdin
admin
edit
view
1.首先找到kubectl命令的配置文件
默认情况下为/etc/kubernetes/admin.conf,在 上一篇 中,我们已经复制到了$HOME/.kube/config中。
2.然后我们使用client-certificate-data和client-key-data生成一个p12文件
可使用下列命令:
# 生成client-certificate-data
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
# 生成client-key-data
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
# 生成p12
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
3.最后导入上面生成的p12文件,重新打开浏览器,显示如下:chrome
导入证书百度下 windows导入证书即可
查看证书 crtl+R
certmgr.msc
然后关闭浏览器,重新登录后通过token登录就可以了
查看dashboard的token信息
root@localhost:~/TLS/k8s # kubectl get secret -n kube-system |grep admin|awk '{print $1}'
dashboard-admin-token-jxr2g
root@localhost:~/TLS/k8s # kubectl describe secret/dashboard-admin-token-jxr2g -n kube-system 1 ↵
Name: dashboard-admin-token-jxr2g
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 6c8e994b-c140-4b7c-8085-8955cb016f12
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Imtla2RhLS1SZ0NBUkVYTkY3eTZSWkE4UkNJVWJ2d0doS3NrYXpOOXlreWcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tanhyMmciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNmM4ZTk5NGItYzE0MC00YjdjLTgwODUtODk1NWNiMDE2ZjEyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.DL-hoDCeLhB--edIVhYe021ev27KvD4LMlCrwD3gHdcD7Pc8L3iktZHb6DRE8f6DZ_p2_HshmZKRvNZVljd9lUSJzolw4DHh6_o5sibeeS1eADQqeg3m6fbUga9nuY3LlnYvSd0Q9QAZEHpiUWXUkpY9-S72BW2GLvJIYpd9xJrBUwDsxR5SRRWdv3iDBisSO8kC7usDdlgJvqvy7qqiu9QyLXwK3TgfXk4c-CFBuq5ZsmolqVT5MctF9B66L_9BLuNYeCiJUVd328Y-vgievIE9lN3RfG4fvxbM6KBkmwVgHA63RIi0f8ftxDsZ09MsKjOm0FVivmBDb9qTpfMzEQ
最后通过token登录,输入上面那串token值即可
https://blog.csdn.net/baidu_38432732/article/details/106469037
也可以给匿名用户授权
==============================================================================================
4.打开页面如下
对于正式环境,需要创建一个用户并授权,在上一篇文章里介绍过,多少还是烦了点。
对于测试环境,我们不需要那么麻烦,不就是匿名用户被禁用了吗,直接给匿名用户授权就可以了
kubectl create clusterrolebinding wubo:anonymous --clusterrole=cluster-admin --user=system:anonymous
重新部署kubernetes-dashboard,然后通过http://xxx.xxx.xxx.xxx:31000即可直接访问,然后会遇到下面的问题:
configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "configmaps" in API group "" in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
问题很清楚,就是kube-system:kubernetes-dashboard这个serviceaccount没有权限,同上一个的问题的解决办法:
kubectl create clusterrolebinding wubo:kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
http://blog.leanote.com/post/criss/K8S%E4%B9%8BAPI%E8%AE%BF%E9%97%AE
https://blog.csdn.net/jholy/article/details/85125997