#基于SSL/TLS认证的自定义用户账号,授予非管理员级别的集群使用权限--创建用户凭证
#1.创建自定义用户--生成私钥
[root@master ~]#cd /etc/kubernetes/pki
[root@master pki]# useradd rbac
[root@master pki]# (umask 066;openssl genrsa -out rbac.key 2048)
#2.创建证书签署请求---CN 作为用户名, O 作为用户组进行绑定(注意: 这里的 system:master 并不是内置管理员组 system:masters)
[root@master pki]# openssl req -new -key rbac.key -out rbac.csr -subj "/CN=rbac/O=system:master"
#3.生成证书(注意: -days 3650 即 10 年有效期; Kubernetes API Server 不检查客户端证书吊销, 证书泄露后只能通过移除其 RBAC 绑定或轮换 CA 来处置, 有效期宜按需缩短)
[root@master pki]# openssl x509 -req -in rbac.csr -CA ca.crt -CAkey ./ca.key -CAcreateserial -out rbac.crt -days 3650
Signature ok
subject=/CN=rbac/O=system:master
Getting CA Private Key
#4.验证证书信息
[root@master pki]# openssl x509 -in rbac.crt -text -noout
#5.给rbac用户kube-config配置文件
#配置集群信息
[root@master pki]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.100.2:6443
Cluster "kubernetes" set.
#配置客户端证书信息
[root@master pki]# kubectl config set-credentials rbac --embed-certs=true --client-certificate=/etc/kubernetes/pki/rbac.crt --client-key=/etc/kubernetes/pki/rbac.key
User "rbac" set.
#配置context
[root@master pki]# kubectl config set-context rbac@kubernetes --cluster=kubernetes --user=rbac
Context "rbac@kubernetes" created.
#指定要使用的上下文
[root@master pki]# kubectl config use-context rbac@kubernetes
Switched to context "rbac@kubernetes".
#尚未授权(RBAC),即没有规则规定该用户可以对哪些资源进行哪些操作
[root@master pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "rbac" cannot list resource "pods" in API group "" in the namespace "default"
#给rbac用户授权---创建role/rolebinding(注意: 下面的 role 虽名为 rbac-read-pods, 但 --verb="*" 授予的是对 deploy,pods 的全部操作权限, 按最小权限原则只读场景应只给 get,list,watch)
[root@master pki]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master pki]# kubectl create role rbac-read-pods --verb="*" --resource="deploy,pods" -n myspace
role.rbac.authorization.k8s.io/rbac-read-pods created
[root@master pki]# kubectl create rolebinding rbac-read-pods --role=rbac-read-pods --user=rbac -n myspace
rolebinding.rbac.authorization.k8s.io/rbac-read-pods created
[root@master pki]# kubectl config use-context rbac@kubernetes
Switched to context "rbac@kubernetes".
[root@master pki]# kubectl get pods,deploy -n myspace
NAME READY STATUS RESTARTS AGE
pod/cirros-7cc8675d67-sr5mk 1/1 Running 0 19h
pod/docker-registry 1/1 Running 0 19h
pod/pod-ssl 1/1 Running 0 20h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.extensions/cirros 1/1 1 1 19h
#rolebinding不可以跨名称空间引用role资源,但主体中的用户账号,用户组,和服务账号却不受名称空间的限制,管理员可以为同一个主体账号,通过不同的rolebinding资源绑定多个名称空间中的角色, 主体类型:User/Group/Service Account
#创建管理员的方法:
- 将账号和cluster-admin进行绑定
- 在创建证书的过程中将其加入到system:masters组 -subj "/CN=user_name/O=system:masters"
#创建角色--user--只能访问一个名称空间下的资源
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cnych-role
namespace: kube-system
rules:
- apiGroups: ["", "apps"] #“”:代表核心群组
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # 也可以使用['*']
- apiGroups:指定请求资源的所属群组,通过kubectl explain查询
- resources:指定要请求的资源类型,如pod,node,log,service等
- verbs:指定对请求资源的操作权限
#创建角色权限绑定
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cnych-rolebinding
namespace: kube-system
subjects:
- kind: User
name: cnych
apiGroup: ""
roleRef:
kind: Role
name: cnych-role
apiGroup: rbac.authorization.k8s.io # 留空字符串也可以,则使用当前的apiGroup
- rolebinding:将用户和规则进行绑定,从而完成对用户的授权
- kubectl get pods --context=cnych-context 临时使用上下文
#只能访问某个namespace的ServiceAccount
$ kubectl create sa cnych-sa -n kube-system
#创建role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cnych-sa-role
namespace: kube-system
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
#创建rolebinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cnych-sa-rolebinding
namespace: kube-system
subjects:
- kind: ServiceAccount
name: cnych-sa
namespace: kube-system
roleRef:
kind: Role
name: cnych-sa-role
apiGroup: rbac.authorization.k8s.io
#可以访问集群的serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: cnych-sa2
namespace: kube-system
#创建clusterrolebinding(下方 apiVersion 使用的 rbac.authorization.k8s.io/v1beta1 已于 Kubernetes 1.22 移除, 新版本应使用 v1)
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cnych-sa2-clusterrolebinding
subjects:
- kind: ServiceAccount
name: cnych-sa2
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin #绑定集群管理员(cluster-admin 拥有集群全部权限, 持有该 ServiceAccount token 的 Pod 或用户等同于集群管理员, 应谨慎使用)
apiGroup: rbac.authorization.k8s.io