目录
1.1 UserAccount与ServiceAccount
2.2 RBAC(Role Based Access Control)
一 kubernetes API 访问控制
Authentication(认证)
-
认证方式现共有8种,可以启用一种或多种认证方式,只要有一种认证方式通过,就不再进行其它方式的认证。通常启用X509 Client Certs和Service Accout Tokens两种认证方式。
-
Kubernetes集群有两类用户:由Kubernetes管理的Service Accounts (服务账户)和(Users Accounts) 普通账户。k8s中账号的概念不是我们理解的账号,它并不真的存在,它只是形式上存在。
Authorization(授权)
-
必须经过认证阶段,才到授权请求,根据所有授权策略匹配请求资源属性,决定允许或拒绝请求。授权方式现共有6种,AlwaysDeny、AlwaysAllow、ABAC、RBAC、Webhook、Node。默认集群强制开启RBAC。
Admission Control(准入控制)
-
用于拦截请求的一种方式,运行在认证、授权之后,是权限认证链上的最后一环,对请求API资源对象进行修改和校验。
1.1 UserAccount与ServiceAccount
-
用户账户是针对人而言的。 服务账户是针对运行在 pod 中的进程而言的。
-
用户账户是全局性的。 其名称在集群各 namespace 中都是全局唯一的,未来的用户资源不会做 namespace 隔离, 服务账户是 namespace 隔离的。
-
集群的用户账户可能会从企业数据库进行同步,其创建需要特殊权限,并且涉及到复杂的业务流程。 服务账户创建的目的是为了更轻量,允许集群用户为了具体的任务创建服务账户 ( 即权限最小化原则 )。
1.1.1 ServiceAccount
-
服务账户控制器(Service account controller)
-
服务账户管理器管理各命名空间下的服务账户
-
每个活跃的命名空间下存在一个名为 “default” 的服务账户
-
-
服务账户准入控制器(Service account admission controller)
-
相似pod中 ServiceAccount默认设为 default。
-
保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
-
如果pod不包含ImagePullSecrets设置那么ServiceAccount中的ImagePullSecrets 被添加到pod中
-
将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中
-
将一个包含用于 API 访问的 token 的 volume 添加到 pod 中
-
1.1.2 ServiceAccount示例:
建立名字为admin的ServiceAccount
[root@k8s-master volumes]# kubectl create sa test1
serviceaccount/test1 created
[root@k8s-master volumes]# kubectl get sa
NAME SECRETS AGE
default 0 4d15h
test1 0 2s
[root@k8s-master volumes]# kubectl describe sa test1
Name: test1
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
建立secrets
[root@k8s-master volumes]# kubectl create secret docker-registry docker-login --docker-username admin --docker-password redhat --docker-server www.test.com --docker-email admin@test.com
secret/docker-login created
[root@k8s-master volumes]# kubectl describe secrets docker-login
Name: docker-login
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 118 bytes
将secrets注入到sa中
[root@k8s-master ~]# kubectl edit sa test
apiVersion: v1
imagePullSecrets:
- name: docker-login
kind: ServiceAccount
metadata:
creationTimestamp: "2024-09-08T15:44:04Z"
name: test
namespace: default
resourceVersion: "262259"
uid: 7645a831-9ad1-4ae8-a8a1-aca7b267ea2d
[root@k8s-master ~]# kubectl describe sa test
Name: timinglee
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: docker-login
Mountable secrets: <none>
Tokens: <none>
Events: <none>
建立私有仓库并且利用pod访问私有仓库
[root@k8s-master auth]# vim example1.yml
[root@k8s-master auth]# kubectl apply -f example1.yml
pod/testpod created
[root@k8s-master auth]# kubectl describe pod testpod
Warning Failed 5s kubelet Failed to pull image "www.test.com/test/nginx:latest": Error response from daemon: unauthorized: unauthorized to access repository: test/nginx, action: pull: unauthorized to access repository: test/nginx, action: pull
Warning Failed 5s kubelet Error: ErrImagePull
Normal BackOff 3s (x2 over 4s) kubelet Back-off pulling image "reg.timinglee.org/lee/nginx:latest"
Warning Failed 3s (x2 over 4s) kubelet Error: ImagePullBackOff
在创建pod时会镜像下载会受阻,因为docker私有仓库下载镜像需要认证
pod绑定sa
[root@k8s-master auth]# vim example1.yml
apiVersion: v1
kind: Pod
metadata:
name: testpod
spec:
serviceAccountName: test
containers:
- image: www.test.com/test/nginx:latest
name: testpod
[root@k8s-master auth]# kubectl apply -f example1.yml
pod/testpod created
[root@k8s-master auth]# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 2s
二 认证(在k8s中建立认证用户)
2.1 创建UserAccount
#建立证书
[root@k8s-master ~]# cd /etc/kubernetes/pki/
[root@k8s-master pki]# openssl genrsa -out test.key 2048
[root@k8s-master pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s-master pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365
Certificate request self-signature ok
subject=CN = test
[root@k8s-master pki]# openssl x509 -in test.c
test.crt test.csr
[root@k8s-master pki]# openssl x509 -in test.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
4f:08:4a:78:d6:b5:42:85:6f:27:73:59:c5:70:74:20:dd:a1:96:49
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Sep 10 06:23:24 2024 GMT
Not After : Sep 10 06:23:24 2025 GMT
Subject: CN = test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:9f:2b:1b:fc:72:3a:8f:fa:21:bd:cd:d7:32:
01:66:a2:c1:ab:a6:53:f0:4f:cb:02:dd:b8:d1:af:
a0:cb:6d:25:a6:ff:5b:db:c6:14:bb:dc:37:34:21:
b0:2b:be:0d:2c:bb:4c:c6:2d:4a:12:a6:b2:8f:71:
08:fc:24:03:51:10:30:61:86:83:0e:88:5c:da:67:
0e:c8:dc:f8:3e:dd:81:cd:c5:73:0c:bd:41:dd:49:
cd:13:a3:ba:c3:16:f7:9b:5d:6e:1a:44:92:7d:d1:
96:4f:30:fd:25:6a:e5:96:6e:f0:6d:d7:dd:c9:00:
b1:9d:7a:df:56:60:66:08:a0:0e:ed:44:b4:1d:bb:
27:4c:c8:a8:71:11:32:74:25:10:51:ab:03:8f:6a:
95:9f:eb:cf:3c:48:72:1b:32:39:42:36:d2:3a:6b:
3e:0a:72:f8:13:e6:49:7b:b9:ba:05:5d:cf:91:42:
cf:d5:73:d5:79:25:a5:6a:f9:bc:8e:79:d5:42:8d:
d2:39:f2:69:20:6a:b6:09:85:eb:0b:1b:37:69:b6:
2e:0d:d0:28:c5:43:2a:5c:e2:74:53:4b:7e:7d:8e:
18:6d:40:68:d3:af:ab:7e:04:4c:75:25:92:cc:fe:
4d:cd:86:64:8d:1a:88:b1:65:53:d8:df:f6:12:6c:
52:41
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
2f:19:a8:6b:b5:cc:d6:f8:ae:b0:b1:97:53:0d:10:e9:a0:31:
36:63:bc:d9:e3:14:e5:56:09:dd:16:c2:45:8e:5e:24:76:d4:
e0:2e:a3:0e:e2:45:14:b2:d3:d7:d4:87:f5:1b:08:14:22:20:
f9:17:22:90:f7:34:23:1c:fe:1b:8c:0f:60:71:9b:b2:ce:89:
85:d4:09:26:c8:a8:a8:bb:7f:d0:29:bb:95:5a:b1:41:43:e6:
4a:e9:e3:98:60:69:82:aa:71:58:9b:4c:36:b1:15:a8:f9:ae:
a1:fc:b1:b7:ba:2f:96:73:1d:2f:af:5f:b8:55:3e:dd:10:ca:
b6:88:49:c9:b1:3b:32:77:4b:fe:cc:06:d9:e0:f4:3c:43:56:
b2:00:77:6c:bd:17:75:1b:dc:9e:83:99:3b:25:f5:41:38:95:
4a:e6:53:ba:af:15:67:0f:a3:54:94:05:45:47:e1:69:bc:5a:
c3:26:dc:b6:6d:23:0b:92:5a:0c:85:29:49:d6:4a:78:32:95:
cf:c8:6d:d8:6e:77:6e:9d:11:da:1f:ef:0f:e6:73:9a:4e:9c:
06:69:29:7c:a6:2f:d8:60:ff:ec:a8:0a:42:9a:d8:7f:dc:59:
a2:68:e8:86:fc:de:3c:ef:3a:f6:68:69:76:cb:30:60:b1:7a:
b6:c6:38:54
#创建集群的安全上下文
[root@k8s-master pki]# kubectl config set-context test@kubernetes --cluster kubernetes --user test
Context "test@kubernetes" created.
#切换用户,用户在集群中只有用户身份没有授权
[root@k8s-master pki]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@k8s-master volumes]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
#切换会集群管理
[root@k8s-master volumes]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
2.2 RBAC(Role Based Access Control)
2.2.1 基于角色访问控制授权:
-
允许管理员通过Kubernetes API动态配置授权策略。RBAC就是用户通过角色与权限进行关联。
-
RBAC只有授权,没有拒绝授权,所以只需要定义允许该用户做什么即可
-
RBAC的三个基本概念
-
Subject:被作用者,它表示k8s中的三类主体, user, group, serviceAccount
-
-
Role:角色,它其实是一组规则,定义了一组对 Kubernetes API 对象的操作权限。
-
RoleBinding:定义了“被作用者”和“角色”的绑定关系
-
RBAC包括四种类型:Role、ClusterRole、RoleBinding、ClusterRoleBinding
-
Role 和 ClusterRole
-
Role是一系列的权限的集合,Role只能授予单个namespace 中资源的访问权限。
-
-
ClusterRole 跟 Role 类似,但是可以在集群中全局使用。
-
Kubernetes 还提供了四个预先定义好的 ClusterRole 来供用户直接使用
-
cluster-amdin、admin、edit、view
2.2.2 role授权实施
#生成role的yaml文件
[root@k8s-master ~]# kubectl create role myrole --dry-run=client --verb=get --resource pods -o yaml > myrole.yml
#更改文件内容
[root@k8s-master ~]# vim myrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: myrole
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- create
- update
- path
- delete
#创建role
[root@k8s-master ~]# kubectl apply -f myrole.yml
role.rbac.authorization.k8s.io/myrole created
[root@k8s-master ~]# kubectl describe role myrole
Name: myrole
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get watch list create update path delete]
#建立角色绑定
[root@k8s-master ~]# kubectl create rolebinding test --role myrole --namespace default --er test --dry-run=client -o yaml > rolebinding-myrole.yml
[root@k8s-master ~]# vim rolebinding-myrole.yml
[root@k8s-master ~]# kubectl apply -f rolebinding-myrole.yml
rolebinding.rbac.authorization.k8s.io/test created
[root@k8s-master ~]# kubectl get rolebindings.rbac.authorization.k8s.io test
NAME ROLE AGE
test Role/myrole 7s
#切换用户测试授权
[root@k8s-master ~]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@k8s-master ~]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"
[root@k8s-master ~]# kubectl get pods
No resources found in default namespace.
#切换回管理员
[root@k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
2.2.3 clusterrole授权实施
#建立集群角色
[root@k8s-master ~]# kubectl create clusterrole myclusterrole --resource=deployment --verb get --dry-run=client -o yaml > myclusterrole.yml
[root@k8s-master ~]# vim myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: myclusterrole
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- update
- path
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- create
- update
- path
- delete
[root@k8s-master ~]# kubectl apply -f myclusterrole.yml
clusterrole.rbac.authorization.k8s.io/myclusterrole created
[root@k8s-master ~]# kubectl describe clusterrole myclusterrole
Name: myclusterrole
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch create update path delete]
deployments.apps [] [] [get list watch create update path delete]
#建立集群角色绑定
[root@k8s-master ~]# kubectl create clusterrolebinding clusterrolebind-myclusterrole --clusterrole myclusterrole --user test --dry-run=client -o yaml > clusterrolebind-myclusterrole.yml
[root@k8s-master ~]# vim clusterrolebind-myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: clusterrolebind-myclusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
[root@k8s-master ~]# kubectl apply -f clusterrolebind-myclusterrole.yml
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebind-myclusterrole created
[root@k8s-master ~]# kubectl describe clusterrolebindings.rbac.authorization.k8s.io clusterrolebind-myclusterrole
Name: clusterrolebind-myclusterrole
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: myclusterrole
Subjects:
Kind Name Namespace
---- ---- ---------
User test
#测试:
[root@k8s-master ~]# kubectl get deployments.apps -A
NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
ingress-nginx ingress-nginx-controller 1/1 1 1 2d15h
kube-system calico-kube-controllers 1/1 1 1 19m
kube-system calico-typha 1/1 1 1 19m
kube-system coredns 2/2 2 2 5d12h
metallb-system controller 1/1 1 1 4d20h
[root@k8s-master ~]# kubectl get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d12h
ingress-nginx ingress-nginx-controller LoadBalancer 10.99.113.246 172.25.254.50 80:32021/TCP,443:30469/TCP 2d15h
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.109.224.49 <none> 443/TCP 2d15h
kube-system calico-typha ClusterIP 10.100.135.188 <none> 5473/TCP 19m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 5d12h
metallb-system metallb-webhook-service ClusterIP 10.111.127.168 <none> 443/TCP 4d20h
[root@k8s-master ~]# kubectl -n kube-system get pods
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-6849cb478c-m4w4s 1/1 Running 0 20m
calico-node-hwmkr 1/1 Running 0 20m
calico-node-nfh2x 1/1 Running 0 20m
calico-node-zztrx 1/1 Running 0 20m
calico-typha-fff9df85f-sfdwm 1/1 Running 0 20m
coredns-6d99c88569-gr9sm 1/1 Running 0 2m8s
coredns-6d99c88569-zjgt2 1/1 Running 0 2m8s
etcd-k8s-master.exam.com 1/1 Running 4 (2d1h ago) 5d12h
kube-apiserver-k8s-master.exam.com 1/1 Running 4 (2d1h ago) 5d12h
kube-controller-manager-k8s-master.exam.com 1/1 Running 4 (2d1h ago) 5d12h
kube-proxy-426tw 1/1 Running 3 (2d14h ago) 5d
kube-proxy-859xv 1/1 Running 3 (2d1h ago) 5d
kube-proxy-rhjgx 1/1 Running 3 (2d14h ago) 3d18h
kube-scheduler-k8s-master.exam.com 1/1 Running 4 (2d1h ago) 5d12h
2.2.4 服务账户的自动化
服务账户准入控制器(Service account admission controller)
-
如果该 pod 没有 ServiceAccount 设置,将其 ServiceAccount 设为 default。
-
保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
-
如果 pod 不包含 ImagePullSecrets 设置,那么 将 ServiceAccount 中的 ImagePullSecrets 信息添加到 pod 中。
-
将一个包含用于 API 访问的 token 的 volume 添加到 pod 中。
-
将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中。
服务账户控制器(Service account controller)
服务账户管理器管理各命名空间下的服务账户,并且保证每个活跃的命名空间下存在一个名为 “default” 的服务账户