Enterprise Ops in Practice with k8s: Kubernetes Access Control

Kubernetes access control


ServiceAccount

Create a ServiceAccount named admin:

kubectl create serviceaccount admin

Inspect the new sa:

kubectl describe sa admin

At this point Kubernetes has created authentication material for the account (the token listed under Tokens in the describe output), so it can authenticate to the API server, but nothing has authorized it to do anything yet. Note that since Kubernetes 1.24 a long-lived token Secret is no longer generated automatically for a new ServiceAccount; pods receive short-lived projected tokens instead, and `kubectl create token admin` issues one on demand.
Create a secret that can pull from the private registry, then attach it to the ServiceAccount:

kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=root@westos.org
kubectl patch serviceaccount admin -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'

The describe output now shows the secret attached to the account:
Image pull secrets: myregistrykey
vim sa.yaml

Attaching the pull secret to the ServiceAccount is cleaner than putting imagePullSecrets in every Pod spec: any Pod that runs as this account gets the secret injected automatically, and Pod authors never need to know its name. It is not a confidentiality boundary, though: the registry password still lives in a Secret in the namespace, readable by anyone allowed to get secrets there.

apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: reg.westos.org/westos/game2048
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin   # pods running as this SA inherit its imagePullSecrets


UserAccount

Create a UserAccount named test (a client certificate signed by the cluster CA):

cd /etc/kubernetes/pki/
openssl genrsa -out test.key 2048
# The CN becomes the Kubernetes username; any O= fields would become group memberships
openssl req -new -key test.key -out test.csr -subj "/CN=test"
# Sign directly with the cluster CA (needs root on a control-plane node)
openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365
openssl x509 -in test.crt -text -noout
# Register the credentials and a context in the current kubeconfig
kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
kubectl config view
kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
kubectl config use-context test@kubernetes

At this point the user is authenticated (the API server takes the username test from the certificate's CN) but has no permission to act on any cluster resource, so authorization still has to be granted. Two caveats on this shortcut: it requires access to ca.key on the control plane, and the API server does not check certificate revocation lists, so a certificate issued this way stays usable until it expires. The supported path is to submit the CSR through the CertificateSigningRequest API and approve it with `kubectl certificate approve`, which at least leaves an audit trail.

Role

A Role is a set of permissions. A Role is namespaced and can only grant access to resources within its own namespace.

Role example:

vim role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]   # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

vim rolebinding.yaml

Bind the Role to the test user with a RoleBinding (the binding is named test-read-pods, but note that myrole grants create, update and delete on pods as well, not only reads):

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io

Procedure and results:

[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 roles]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
[root@server2 roles]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]# kubectl apply -f role.yaml 
role.rbac.authorization.k8s.io/myrole created
[root@server2 roles]# kubectl apply -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/test-read-pods created
[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 roles]# kubectl get pod 
NAME                        READY   STATUS    RESTARTS   AGE
my-nginx-6ff6f45df4-v77rp   1/1     Running   1          44h
myapp                       1/1     Running   0          7m54s

As shown above, the test user can now list pods in the default namespace (and, given the verbs in myrole, create, update and delete them there too). In every other namespace the same requests are still Forbidden.

ClusterRole

A ClusterRole is similar to a Role but is not namespaced: it can be granted cluster-wide with a ClusterRoleBinding, or reused in individual namespaces through RoleBindings. It is also the only place to grant cluster-scoped resources such as nodes and namespaces, or non-resource URLs such as /healthz.

ClusterRole example:

vim clusterRole.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]   # Deployments are apps/v1 since 1.16; "extensions" only matters on old clusters
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

RoleBinding and ClusterRoleBinding
A RoleBinding grants the permissions defined in a Role to users or groups. It holds a list of subjects (users, groups, service accounts) and a roleRef to the Role.
A RoleBinding authorizes within one namespace; a ClusterRoleBinding authorizes across the whole cluster. A RoleBinding may also reference a ClusterRole, in which case the ClusterRole's rules apply only inside the binding's namespace; that is the usual way to define a permission set once and hand it out per namespace. RBAC has no deny rules: the permissions from every binding that matches the subject are unioned, and any request no rule allows is rejected as Forbidden.

vim rolebinding.yaml

Bind the ClusterRole with a RoleBinding (namespace-scoped):

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebind-myclusterrole
  namespace:  default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

First switch to kubernetes-admin, apply clusterRole.yaml, bind the ClusterRole with the RoleBinding, then switch back to the test user:

[root@server2 roles]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]# kubectl apply -f clusterRole.yaml 
clusterrole.rbac.authorization.k8s.io/myclusterrole created
[root@server2 roles]# kubectl apply -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/rolebind-myclusterrole created
[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".

Write a manifest for a Deployment controller:

vim deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: myapp:v1

Apply it as the test user:

kubectl apply -f deployment.yaml

The test user can now create the Deployment and list its pods, but only in the default namespace, because the binding was a RoleBinding; in any other namespace the ClusterRole's rules are still not in effect for this user.

vim clusterrolebinding.yaml

Bind the ClusterRole with a ClusterRoleBinding (cluster-wide):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

Same sequence again: switch to kubernetes-admin, bind the ClusterRole with the ClusterRoleBinding, then switch to the test user:

[root@server2 roles]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]# kubectl apply -f clusterrolebinding.yaml 
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-myclusterrole created
[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".

Test: the test user can now see pods in other namespaces as well, because the ClusterRoleBinding applies the ClusterRole across the whole cluster.
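
The behaviour exercised in the three sessions above (Forbidden before any binding, a RoleBinding confined to its own namespace even when it references a ClusterRole, and a ClusterRoleBinding reaching every namespace), together with the CN-to-username mapping from the UserAccount section, as an added example in Python. This is not code from the post or from Kubernetes; it is a small model of the API server's RBAC decision run over the post's own Role, ClusterRole and bindings. The `/CN=.../O=...` subject-string format, the `alice` user and the `developers` group at the end are assumptions for illustration.

```python
"""Model of the apiserver's RBAC decision; added example, not Kubernetes code.
Replays the sessions above with the post's own Role, ClusterRole and bindings.
The subject-string format and the 'developers' group are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class UserInfo:
    name: str
    groups: List[str]

def identity_from_subject(subject: str) -> UserInfo:
    """Client-cert auth: CN is the username, every O= is a group ('/CN=test/O=dev')."""
    name, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            name = value
        elif key == "O":
            groups.append(value)
    if not name:
        raise ValueError("subject has no CN, so the apiserver gets no username")
    return UserInfo(name, groups)

@dataclass
class Rule:
    api_groups: List[str]  # "" is the core group (pods, secrets, ...)
    resources: List[str]
    verbs: List[str]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        def hit(allowed, value):  # "*" matches anything, as in a real rule
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group) and hit(self.resources, resource)
                and hit(self.verbs, verb))

@dataclass
class Binding:
    kind: str                        # RoleBinding or ClusterRoleBinding
    namespace: Optional[str]         # RoleBinding only
    role_kind: str                   # roleRef.kind: Role or ClusterRole
    role_name: str
    subjects: List[Tuple[str, str]]  # (kind, name); ServiceAccount subjects omitted

    def covers(self, user: UserInfo) -> bool:
        return any(user.name == n if k == "User" else k == "Group" and n in user.groups
                   for k, n in self.subjects)

class Authorizer:
    def __init__(self) -> None:
        self.roles: Dict[Tuple[str, str], List[Rule]] = {}  # (namespace, name)
        self.cluster_roles: Dict[str, List[Rule]] = {}
        self.bindings: List[Binding] = []

    def _rules(self, b: Binding) -> List[Rule]:
        if b.role_kind == "ClusterRole":
            return self.cluster_roles.get(b.role_name, [])
        return self.roles.get((b.namespace, b.role_name), [])  # same-namespace Role only

    def can(self, user: UserInfo, verb: str, resource: str,
            namespace: str, api_group: str = "") -> bool:
        for b in self.bindings:
            # A RoleBinding, even one that points at a ClusterRole, grants only
            # inside its own namespace; a ClusterRoleBinding applies everywhere.
            if not b.covers(user) or (b.kind == "RoleBinding" and b.namespace != namespace):
                continue
            if any(r.allows(api_group, resource, verb) for r in self._rules(b)):
                return True
        return False  # deny by default: nothing granted means Forbidden

def walkthrough() -> Dict[str, bool]:
    """Replay the kubectl sessions from the post and return each outcome."""
    test = identity_from_subject("/CN=test")  # from: openssl req -subj "/CN=test"
    az, out, who = Authorizer(), {}, [("User", "test")]
    # 1. Authenticated but not bound: the first 'pods is forbidden' session.
    out["list_pods_before_binding"] = az.can(test, "list", "pods", "default")
    # 2. Role myrole + RoleBinding test-read-pods in namespace default.
    az.roles[("default", "myrole")] = [Rule([""], ["pods"],
        ["get", "watch", "list", "create", "update", "patch", "delete"])]
    az.bindings.append(Binding("RoleBinding", "default", "Role", "myrole", who))
    out["list_pods_default"] = az.can(test, "list", "pods", "default")
    out["list_pods_kube_system"] = az.can(test, "list", "pods", "kube-system")
    # 3. ClusterRole myclusterrole bound by a RoleBinding in default.
    az.cluster_roles["myclusterrole"] = [
        Rule([""], ["pods"], ["get", "watch", "list", "delete", "create", "update"]),
        Rule(["extensions", "apps"], ["deployments"],
             ["get", "list", "watch", "create", "update", "patch", "delete"])]
    az.bindings.append(Binding("RoleBinding", "default", "ClusterRole", "myclusterrole", who))
    out["create_deploy_default"] = az.can(test, "create", "deployments", "default", "apps")
    out["create_deploy_kube_system"] = az.can(test, "create", "deployments", "kube-system", "apps")
    # 4. ClusterRoleBinding: the same ClusterRole now reaches every namespace.
    az.bindings.append(Binding("ClusterRoleBinding", None, "ClusterRole", "myclusterrole", who))
    out["list_pods_kube_system_after_crb"] = az.can(test, "list", "pods", "kube-system")
    out["get_secrets_default"] = az.can(test, "get", "secrets", "default")  # never granted
    # Assumed extra: an O= group in the certificate matches a kind: Group subject.
    alice = identity_from_subject("/CN=alice/O=developers")
    az.bindings.append(Binding("RoleBinding", "default", "Role", "myrole", [("Group", "developers")]))
    out["alice_via_group"] = az.can(alice, "get", "pods", "default")
    return out

if __name__ == "__main__":
    print(walkthrough())
```

Every key in the returned dict corresponds to one of the kubectl checks in the post, and the same answers come from the real cluster with `kubectl auth can-i list pods -n kube-system --as test` (run as an admin), which is the quickest way to audit what a binding actually granted before handing the kubeconfig to someone.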
