啃k8s之安全机制与RBAC使用方法
一:k8s安全机制
-
安全框架、
-
传输安全、认证,授权,准入控制
-
使用rbac授权
1.1:kubernetes安全框架
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-RggZYfh2-1603117340333)(C:\Users\kevin\AppData\Roaming\Typora\typora-user-images\image-20201019214742803.png)]](https://img-blog.csdnimg.cn/20201019222327930.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzQ3MjE5OTQy,size_16,color_FFFFFF,t_70#pic_center)
-
安全框架的流程
- 流程:kubectl先请求api资源,然后是过三关,第一关是认证(Authentication),第二关是授权(Authorization),第三关是准入控制(Admission Control),只有通过这三关才可能会被k8s创建资源。
- K8S安全控制框架主要由下面3个阶段进行控制,每一个阶段都支持插件方式,通过API Server配置来启用插件。
- 普通用户若要安全访问集群API Server,往往需要证书、Token或者用户名+密码;Pod访问,需要ServiceAccount
-
apiserver使用的是token认证
[root@master ~]# ps aux | grep apiserver
...
--token-auth-file=/opt/kubernetes/cfg/token.csv
...
'其中能够查询到token认证等信息'
- 查看ServiceAccount,可以通过ServiceAccount在pod中去访问apiserver
[root@master ~]# kubectl get sa
NAME SECRETS AGE
default 1 8d
'Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。'
- 传输安全方面:8080用于内部通讯(是通过master及其他组件连接使用),6443是提供给外部访问的端口
[root@master ~]# netstat -ntap |grep 8080|grep LISTEN
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 29837/kube-apiserve
[root@master ~]# netstat -ntap |grep 6443|grep LISTEN
tcp 0 0 20.0.0.51:6443 0.0.0.0:* LISTEN 29837/kube-apiserve
1.2:第一关:Authentication认证
-
三种客户端身份认证:
- 1、HTTPS 证书认证:基于CA证书签名的数字证书认证
- 2、HTTP Token认证:通过一个Token来识别用户(生产环境中使用广泛)
- 3、HTTP Base认证:用户名+密码的方式认证
-
1、HTTPS证书认证
[root@localhost text]# cat /root/k8s/k8s-cert/k8s-cert.sh
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"20.0.0.51", '此处直接指定了负载均衡和master的节点'
"20.0.0.52",
"20.0.0.100",
"20.0.0.55",
"20.0.0.57",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
- httpd的token认证
[root@master ~]# cat /opt/kubernetes/cfg/token.csv
127b0779cbe906fd1e76fcfba0b2ceee,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
1.3:第二关:Authorization授权
- RBAC(Role-Based Access Control,基于角色的访问控制):负责完成授权(Authorization)工作,允许通过Kubernetes API动态配置策略。
- 使用RBAC授权
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-owPtQ2fE-1603117340335)(C:\Users\kevin\AppData\Roaming\Typora\typora-user-images\image-20201019215628232.png)]](https://img-blog.csdnimg.cn/20201019222347689.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzQ3MjE5OTQy,size_16,color_FFFFFF,t_70#pic_center)
-
角色:
1、Role:授权特定命名空间的访问权限
2、ClusterRole:授权所有命名空间的访问权限
角色绑定
1、RoleBinding:将角色绑定到主体(即subject)
2、ClusterRoleBinding:将集群角色绑定到主体
主体(subject)
1、User:用户
2、Group:用户组
3、ServiceAccount:服务账号
1.3.1:RBAC使用测试
- 1、创建名称空间kevin
[root@master ~]# kubectl create ns kevin
namespace/kevin created
[root@master ~]# kubectl get ns
NAME STATUS AGE
default Active 8d
kevin Active 8s
kube-public Active 8d
kube-system Active 8d
- 2、创建测试pod
[root@master ~]# kubectl run nginx --image=nginx -n kevin
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginx created
- 3、扩容成3个副本,使用scale命令
[root@master ~]# kubectl scale deploy/nginx --replicas=3 -n kevin
deployment.extensions/nginx scaled
[root@master ~]# kubectl get pods -n kevin
NAME READY STATUS RESTARTS AGE
nginx-dbddb74b8-9nkvl 1/1 Running 0 116s
nginx-dbddb74b8-c52ph 1/1 Running 0 2m26s
nginx-dbddb74b8-ngl4v 1/1 Running 0 116s
- 4、创建role
[root@master ~]# vim rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: kevin
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"] '创建角色只有pod资源的操作权限'
verbs: ["get", "watch", "list"] '只有这些操作可以使用'
[root@master ~]# kubectl apply -f rbac-role.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@master ~]# kubectl get role -n kevin
NAME AGE
pod-reader 34s
- 5、角色绑定
[root@master ~]# vim rbac-rolebangbing.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: kevin
subjects:
- kind: User
name: zhangsan
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
[root@master ~]# kubectl apply -f rbac-rolebangbing.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
[root@master ~]# kubectl get role,rolebinding -n kevin
NAME AGE
role.rbac.authorization.k8s.io/pod-reader 8m4s
NAME AGE
rolebinding.rbac.authorization.k8s.io/read-pods 51s
- 6、拷贝rbac.yaml和rbac-user.sh文件到/root/test中
[root@master ~]# cd test/
[root@master test]# mkdir zhangsan
[root@master test]# rz -E
rz waiting to receive.
[root@master test]# mv rbac-user.sh zhangsan/
[root@master zhangsan]# cp /root/k8s/k8s-cert/ca* ./
'证书拷贝到zhangsan目录'
[root@master zhangsan]# vim rbac-user.sh '修改地址为apiserver访问地址(负载均衡VIP)'
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://20.0.0.100:6443 \
--kubeconfig=zhangsan-kubeconfig
- 7、安装格式化工具
[root@master zhangsan]# yum install -y dos2unix
[root@master zhangsan]# dos2unix rbac-user.sh '格式化'
dos2unix: converting file rbac-user.sh to Unix format ...
[root@master zhangsan]# bash rbac-user.sh
2020/10/17 11:14:22 [INFO] generate received request
2020/10/17 11:14:22 [INFO] received CSR
2020/10/17 11:14:22 [INFO] generating key: rsa-2048
2020/10/17 11:14:22 [INFO] encoded CSR
2020/10/17 11:14:22 [INFO] signed certificate with serial number 491990070582944526021040226890964605695127823966
2020/10/17 11:14:22 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "zhangsan" set.
Context "default" created.
Switched to context "default".
- 8、查看证书
[root@master zhangsan]# cat zhangsan-kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVSnpMNXdkZFd3L1RkL0IrY0tyQ3RIQnA1NUFzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl3TVRBd09UQXhNemN3TUZvWERUSTFNVEF3T0RBeE16Y3dNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbGFXcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcERSdGcwQ29WVnZZWmdOSEcwVk8KWjRGeEJRZE83bGFDdW92dlExNGZqM1hkUGxGWGllV0JuVnNWSUQwK21xZ2hlbnRKaTJmRTl4azlaV0QxSzFrUgpGZ2lzZS9lb3lrN3dKeU5wREVuclJBeVc0MlkyTlBrK0JHdDJBRkJHaFF2dEVoSjRLL3hERTVzaVdpN0VIZTJiCkJ6MUYyQUxiYWoybFNhR09Xa2RRYmpJUnVhdThERVowMmlCUFB0cTh6QlRuZFFyYWl6V0xGcG8vTkpsSmt3YTMKRklPTFh5MktTQVp0Ym94VW15VWVWTGtxMmFxaHJGMm9sOFhEN28waTN1SnlyWEtpQ1JjaXREaS92b0laazdsOQovVWJGdldyZGRnUVEwbzBlUU1TNVo3alFueTFtY29QN1owbzVhVVk5ZUpQT1VURU1neEJGUnUyMlArdDVPdkF6CnNRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVMitMSGlHeWxLcHo2cy9HanNRWU9FOGt4UTVBd0h3WURWUjBqQkJnd0ZvQVUyK0xIaUd5bApLcHo2cy9HanNRWU9FOGt4UTVBd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFEcENrM1ovcWtuSU1TT0orOHJ1ClBxUTdMSUJEalM3YVdaRGlabEN4Kzl6Q0RuRkVvKzdDbktXVzdNMnhIcWpnNE5ZQTVJSkVrYm0vaHp0OWpQckgKdTd4Sm82Z25RcENBdlR0TUxpQzN5Njc5WS9KZnNnc0loMFg5bHVMbmMyL2FOblFRckJkbEN5T2JGdTdSMVpBaQpqV3AyRVVIeHQzVXorVDFaMytPanVIZUwrNHhnTVNmWmRDUjB3cWVYQUcvSTJ1WXpLaVZCemJqZktOcHdWcUZ5Cm0vWlRnTmtKdUEwaGVaUE0xSXdsczZWcTZRb0kyWW03SDc0WWZaeFQzeEVMWnVxL1c1SXhpOVZCUy91YlMrWTAKWmNlV29iMG4ycGlaU24xaUxpUDZqTzZRTGE5cUlUYm5Ha1lYVFdhdUZQZ0lzNUx3ZGc1UTlwb2U3SUQxakdjYQo0VFk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://20.0.0.100:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: zhangsan
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: zhangsan
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR0akNDQXA2Z0F3SUJBZ0lVVmkyWkI1UElRbUd4NkFuNS9mNkF0d2xScGw0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl3TVRBeE56QXpNRGt3TUZvWERUTXdNVEF4TlRBek1Ea3dNRm93UkRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RVRBUApCZ05WQkFNVENIcG9ZVzVuYzJGdU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCnAzWkNCZEhtYVplSUxMZEphTHRXVGVPR1lYdThXS2ZUWm1zdWsvQnovSzFUb3lXNXAzQ1FaT2x5TWtFNXN1L3UKQkF2Qml0RkMvRStKNXBLR2N1cUR3eEVPZGVoU2VwYkwrZHhkKzBSaFNFbVYrNWNxRHR5RHFhaDhYS0l5dGNETApjN0dWNDZFZVBHVlZYelJweWZlb3lod2ZOQzBwZEgzMkV2SGVYRTNtclNvU0h1aGxkbGE2aW1MbWxCQUZDT1RUCnlpZGoxQ1lQWXJZNGxaakQvc1A3a0FxRzNDZjRkaG9FMlVKOEZ4MDh2SE83VmxXeWl0ZzdwOURzdm14QjBRREwKOHpNd1h6VnRBNWMrc2xPTE5JU0hEeUQ4U0djVEFZZHBpdGRQcVVJQVNmVG1XQkRaUWg3OERBbGNoNjRha3FmUgpiSWZ3WFV5VWtmMzliVVluN3FCV21RSURBUUFCbzM4d2ZUQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsCkJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUUKRlBFUE1nU1B2cVNTZWhBWC9tazJDYUs5bXhOY01COEdBMVVkSXdRWU1CYUFGTnZpeDRoc3BTcWMrclB4bzdFRwpEaFBKTVVPUU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQXc2SFNMc0ZTT0V5MDkwV3F4VmtDSWR6SWFOODFBCnNVaDk1eTZZQXczK1BPb29XZVg3Y09RUW5HYVhrVXJLVEFuZzNjUlZTSW5IbzFlYmdHQjQ2WHJIYTRtQ0pZMGgKWjlqaFk1NFhvc21FRWN4MVhlQ3g3Ui8wZitQM0RQOFFxQ3loVEl2VThKZWNtcDFPNUJJek5WWTVkREtiQlc2VwpVV0lqbDFvT2F5ZmFYeHBuWE9ONExKQ1ZpUkovRGNTWlpWbE1RcEpIeTVFcVdDUERobDZJakFOTkdGdHNKU3BUCmRjWklRTEMya2dYUkFoV2pPbHM1MnZRYk1qbVowRUxqZ1hrdWFJVWxOcEpxUzRuakF4RkNlL2ZGS2FDdGxmMngKa0dHOEdwb29WekVKUnMyc2JJaDVETkp2V1g0S0trd1ZYWStkYis0SktzRHdIVlhLQmRxaHN4am0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcDNaQ0JkSG1hWmVJTExkSmFMdFdUZU9HWVh1OFdLZlRabXN1ay9Cei9LMVRveVc1CnAzQ1FaT2x5TWtFNXN1L3VCQXZCaXRGQy9FK0o1cEtHY3VxRHd4RU9kZWhTZXBiTCtkeGQrMFJoU0VtVis1Y3EKRHR5RHFhaDhYS0l5dGNETGM3R1Y0NkVlUEdWVlh6UnB5ZmVveWh3Zk5DMHBkSDMyRXZIZVhFM21yU29TSHVobApkbGE2aW1MbWxCQUZDT1RUeWlkajFDWVBZclk0bFpqRC9zUDdrQXFHM0NmNGRob0UyVUo4RngwOHZITzdWbFd5Cml0ZzdwOURzdm14QjBRREw4ek13WHpWdEE1YytzbE9MTklTSER5RDhTR2NUQVlkcGl0ZFBxVUlBU2ZUbVdCRFoKUWg3OERBbGNoNjRha3FmUmJJZndYVXlVa2YzOWJVWW43cUJXbVFJREFRQUJBb0lCQVFDTU9TVHR0S1lvVXQrTworZWI1VUt6aXlac3pzNld4NHMzTW5BRkRsWHU1My9VQnpzd1huZFQ2K3ROSnEzNUNERkFVaVRlR0l0WGhha1RCCmtuNE1hYnp0TVRJWG52SzVmZDNOR2k2RUFPMG8xNTFFTDM3ak5OajJ6b05jR2VFMmVmcWlwTmdxNURYcVFydnEKM1h1Yng4cEplcVRTVHVMQWpkem9YaWxneDBaYVJsNU1IZG5rdE5GT25RM1FGS01JdlM0azBvTEJlQ1Q2ZytuTQpVZXZZV3VReWM5R3dPRTR1VmRhNlBkaElBT1IrKzBkK3BkaUcrNlFiRTBxRTkySmRHc3l5RVh1L1lYQTJtWVY2CndJcFZqRXE1ZHR2LzZHaDlWZFNzTExnaUM4UmZwVHY0TXAzMnprVHNaL1dNVkhBVnBscFBNeTV2aExxZnNlQTgKcitVU2E4SUJBb0dCQU1uMWZna29LaWYyb2NLRFZyMklyQ2dMVUlPV3VPZzI3Tks3SjhGNnlGUnl3WllwWFp3TApiczd0TXhmRzhsMlVzeVE5RVZMalpMSmRqdkc3NjJkUGNpaVFvdUQraHlvUW94RFFsS2ZMZTF6dEVFTGxjbTNQCkVicmM1OVloeVNzMENLdHl6dno3ZjUrdm52eTZvSjhpYktrSWRHSHJoMzR3bHRJVlFVMmI1YmpaQW9HQkFOUkYKcW5kMlYwYVZLVjVWdnFKWVN2WjZlSmJnNjVxL1dZeUQralh5RmttSWlGNkkvZ2RISUZDMmM4TFY3UEpLcHUwTAo3YWFndk5UK29jWG5DQjlUZzFtVGk0NnNOeFVpVlNQeTVON0RlUW52d0RXS2xsK2lWOUV1ZklZSVRPMmxFdmw0CnpHZW1RaFRHRlI0SE1tK3JFclU3dlo2eHBZck1OY05KOHVKcml2UEJBb0dBVTB4OU1wdXRYNVJiUGRaY05ZcWsKcjFPVFh1TVEyejZrU1hyR09BaERqb2xTalhQOFZ6dGo5ZGRpQm9HWlA3M3djWmI2aVR5Zk1PNWo0aExIVW5JegpQTVlEV0ZmRE9qZG9lcXY5VklRYUdzYnd1UmJZTHJDRXVKVWF6bmhhK0FYYk9aUCtDZHhWMUhCa1hBdEI2c0VSCkhsc05YY0grdmE2ZTFvSEwwSTNubjJrQ2dZQlBRc0FYSVVvUFllenplNExXTGErMy94eitBWGdYN1RFcnhhL3MKNnJzbHMrUnZvQ2x5WUQyUnhiN04xb0ZHSzFmUEZYQWtrc3BQb2RDWUM5ODlpenAxZlNGVUlidmptVkUvUGhmMQprZm1sR3krakRsOTkwQ21JUXhwZUZjVmJ5eEtkc2x4b3EyenJRdGRwd2ZnME9DV2hKSEIyVEJEckZidFJjMUJNCitTa0dRUUtCZ0YwMFhHaGF2Q1ZpQ252NG5lSzQvSm9uZWtVd0VzR3VuU0tiTUZqR3VuM1ZvVE04aXZvdk9yUGwKWjFLTFNjdE90OUZvaURlYXU0eXg0SjJPSXp0YzRVenhib2htakZBN05OMnNocjc1aWZMaXpSRDIwNThrWW0ycwoxQURxcmFHMmFtemgwVzNsUFJ3RDdUVlFLWEZCenJRQUEvUzFJdlRvZlkwMFJIT1EyMVFPCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
- 9、使用zhangsan-kubeconfig访问pod资源
[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get pods -n kevin '使用zhangsan-kubeconfig访问pod资源'
NAME READY STATUS RESTARTS AGE
nginx-dbddb74b8-9nkvl 1/1 Running 0 26m
nginx-dbddb74b8-c52ph 1/1 Running 0 26m
nginx-dbddb74b8-ngl4v 1/1 Running 0 26m
[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get svc -n kevin '使用zhangsan-kubeconfig访问 svc资源就会被拒绝'
Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "kevin"
[root@master zhangsan]# kubectl --kubeconfig=zhangsan-kubeconfig get svc
Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "default"
'也无法访问默认的命名空间'
- UI访问控制
[root@master zhangsan]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.0.0.221 <none> 443:30001/TCP 8d
- 访问地址https://20.0.0.54:30001
- 查看令牌
[root@master zhangsan]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-ps2xz kubernetes.io/service-account-token 3 8d
default-token-4fhj6 kubernetes.io/service-account-token 3 8d
kubernetes-dashboard-certs Opaque 11 8d
kubernetes-dashboard-key-holder Opaque 2 8d
kubernetes-dashboard-token-2ftmr kubernetes.io/service-account-token 3 8d
[root@master zhangsan]# kubectl describe secret kubernetes-dashboard-token-2ftmr -n kube-system
Name: kubernetes-dashboard-token-2ftmr
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 590bdea5-09de-11eb-8631-000c29115408
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi0yZnRtciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjU5MGJkZWE1LTA5ZGUtMTFlYi04NjMxLTAwMGMyOTExNTQwOCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.mTKnGAudQ4rdpXUIth1odGn-GEPjX9X2Fb4kDJ3QE-WKuHNaOVO_zknTRSxOwQPKf22guz0JGFVNnX8tOvfw7v0gz4biEuiTh8EJOzCyiigT13_KY1JJf-D3X8oW3rBfBNIDkrbbZWxQcFKToFLnv4cKGkt-JSedajlnjDDueLhKZR3ZN6LVfOtNhDv9ftT6g_FnyMuMwYBsEwJMCyEsCOLFGPvtlwtppSHpHkD3JEkaBcE2ohviQFgkBH2IKNyKsY01BtME2sFNRC4lwF5FKiGGeY0VP9qRDrp6tCdNUGPCtkzgJCktpPjDdLbZEsK5ksvS9-IKIjS5Mbq3s5NcBg
- 10、编辑认证yaml文件
[root@master zhangsan]# vim sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: pod-reader
namespace: kevin
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sa-read-pods
namespace: kevin
subjects:
- kind: ServiceAccount
name: pod-reader
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
[root@master zhangsan]# kubectl apply -f sa.yaml
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created
[root@master zhangsan]# kubectl get sa -n kevin
NAME SECRETS AGE
default 1 46m
pod-reader 1 14s
[root@master zhangsan]# kubectl describe secret pod-reader -n kevin
Name: pod-reader-token-rhfgp
Namespace: kevin
Labels: <none>
Annotations: kubernetes.io/service-account.name: pod-reader
kubernetes.io/service-account.uid: b6560884-1029-11eb-ba66-000c29115408
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 5 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrZXZpbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwb2QtcmVhZGVyLXRva2VuLXJoZmdwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InBvZC1yZWFkZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjU2MDg4NC0xMDI5LTExZWItYmE2Ni0wMDBjMjkxMTU0MDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a2V2aW46cG9kLXJlYWRlciJ9.Zbqbo0TRSC2aXW_eJeTuGXOzmBAu0YZsDvhGvO47fal6b_h0L_D3rgqqxbhGHffvYUAQHHZYFmrXM66B4n9lG50sw6mmOZUWY-w8P86nw2Y1Eurw2JbFTjbF_n0BA1lOizJqjD10CobrtDLFaZB_AUZhLTq1S6B-YTD85Q6ra1PQwcVYTPhJMRzbLcRkvNL1iIPfL3sA_SMBEd6EP8pwOTY7JKiqYyrpoVVJmNiZaeHk9DnJcfrTgAs61F7GsgB6-0-zOrY9pjv6DVi_XdbLqZIR3xjtVhkoPYIf-I-n8fnk_8GUiInXLGWfJ0AhuxQDv8vqVeomTor1f4vbx0e4DA
- 11、使用令牌登陆UI界面
1.4:第三关:准入控制Admission Control
-
Adminssion Control实际上是一个准入控制器插件列表,发送到API Server的请求都需要经过这个列表中的每个准入控制器 插件的检查,检查不通过,则拒绝请求。
-
查看进程信息
[root@master ~]# ps aux |grep apiserver
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction '此行是准入控制的插件信息'
-
解释
-
NamespaceLifecycle: 命令空间回收
LimitRanger:配额管理
ServiceAccount: 每个pod中导入方便访问apiserver
ResourceQuota: 基于命名空间的高级配额管理
NodeRestriction: Node加入到k8s群集中以最小权限运行
官网推荐的插件:
1.11版本以上推荐使用的插件:
–enable-admission-plugins= \ NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds, ResourceQuota
-
1141
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
