Operations only here, no theory.
RBAC is one of the API server's authorization modes (enabled with --authorization-mode=RBAC): every request is allowed or denied from the rules in Roles/ClusterRoles and the bindings that attach them to users, groups and service accounts.
Role ---> RoleBinding //namespace-scoped: the Role and the RoleBinding both live in one namespace and grant nothing outside it
ClusterRole ---> ClusterRoleBinding //cluster-scoped: cluster resources (nodes, persistentvolumes, namespaces), non-resource URLs, or one rule set reused across namespaces
--Create the private key and certificate--
#the API server reads the subject of a client certificate as the identity: CN is the username, each O is a group
openssl genrsa -out kube-user1.key 2048
openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubernetes"
#signed by the cluster CA so the API server trusts it; kube-apiserver checks no CRL/OCSP, so a 10-year cert cannot be revoked short of rotating the CA: use a short -days for real users
openssl x509 -req -in kube-user1.csr -CA /opt/kubernetes/ssl/ca.pem -CAkey /opt/kubernetes/ssl/ca-key.pem -CAcreateserial -out kube-user1.crt -days 3650
kubectl config set-cluster mk8s --embed-certs=true --certificate-authority=/opt/kubernetes/ssl/ca.pem --server="https://192.168.0.81:6443"
kubectl config set-credentials kube-user1 --embed-certs=true --client-certificate=/root/k8s_config/kube-user1.crt --client-key=/root/k8s_config/kube-user1.key
kubectl config set-context kube-user1@mk8s --cluster=mk8s --user=kube-user1
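The subject string passed to openssl above is what the API server turns into the RBAC identity: CN is the username, each O is a group. The following Python is an added example, not code from this page or from Kubernetes: it parses a `-subj` string the way kube-apiserver's X.509 authenticator interprets the resulting certificate, and `issuance_problems` is a check a cert-issuing script can run before signing, refusing reserved `system:` names and in particular `system:masters`, which the default ClusterRoleBinding makes cluster-admin (the page comes back to this below). The subject strings and the check itself are this example's own.

```python
# Added example (not from the original page): how the API server's X.509
# client-certificate authenticator derives an identity from the subject built
# with "openssl req -subj": CN becomes the username and every O becomes a group.
# Standard library only; the subject strings are constructed for the example.
from dataclasses import dataclass, field

RESERVED_PREFIX = "system:"  # names/groups Kubernetes reserves for its own components


@dataclass
class UserInfo:
    name: str
    groups: list = field(default_factory=list)


def parse_subj(subj):
    """Split an openssl one-line subject ('/CN=x/O=y/O=z') into
    {attribute: [values]}; attributes may repeat, and a backslash escapes
    the next character (so '\\/' is a literal slash inside a value)."""
    parts, cur, escaped = [], "", False
    for ch in subj:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "/":
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        attrs.setdefault(key, []).append(value)
    return attrs


def userinfo_from_subj(subj):
    """What RBAC will see as the subject: exactly one CN (user), 0..n O (groups)."""
    attrs = parse_subj(subj)
    cn = attrs.get("CN", [])
    if len(cn) != 1:
        raise ValueError("subject needs exactly one CN, got %d" % len(cn))
    return UserInfo(name=cn[0], groups=list(attrs.get("O", [])))


def issuance_problems(subj):
    """Pre-signing check (this example's own policy): reasons a subject should
    not be signed with the cluster CA. O=system:masters is bound to cluster-admin
    by the default ClusterRoleBinding and the resulting cert cannot be revoked
    without rotating the CA, so it is the one to refuse above all."""
    info = userinfo_from_subj(subj)
    problems = []
    if info.name.startswith(RESERVED_PREFIX):
        problems.append("username %r uses the reserved %s prefix" % (info.name, RESERVED_PREFIX))
    for g in info.groups:
        if g == "system:masters":
            problems.append("group system:masters is bound to cluster-admin by default")
        elif g.startswith(RESERVED_PREFIX):
            problems.append("group %r uses the reserved %s prefix" % (g, RESERVED_PREFIX))
    return problems


if __name__ == "__main__":
    for s in ("/CN=kube-user1/O=kubernetes", "/CN=kubernetes-admin/O=system:masters"):
        print(s, "->", userinfo_from_subj(s), issuance_problems(s))
```

Several `O=` entries put the user in several groups at once, so a RoleBinding with `kind: Group` and `name: kubernetes` would cover every certificate issued with `/O=kubernetes`.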
#role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: testing  # namespace the Role belongs to; its rules apply only here
  name: my-pod
rules:
- apiGroups: [""]  # "" is the core API group (pods, services, ...); deployments would need "apps"
  resources: ["pods","pods/log","services"]  # resource types, plural as in the API path; the "pods/log" subresource must be listed explicitly
  verbs: ["get","list","watch"]  # get, list, watch, create, update, patch, delete, deletecollection, proxy
---
#rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-reader
  namespace: testing
subjects:
- kind: User  # kind of the bound subject: "User", "Group" or "ServiceAccount"
  name: kube-user1  # name of the subject (for a ServiceAccount add namespace: and leave apiGroup empty)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role  # Role or ClusterRole, required
  name: my-pod  # name of the referenced role
  apiGroup: rbac.authorization.k8s.io  # API group of the referenced Role/ClusterRole, required; roleRef cannot be changed after creation
kubectl config use-context kube-user1@mk8s
Switched to context "kube-user1@mk8s".
kubectl config get-contexts
CURRENT   NAME                     CLUSTER      AUTHINFO      NAMESPACE
          default                  default      admin
*         kube-user1@mk8s          mk8s         kube-user1
          lemon-admin@kubernetes   kubernetes   lemon-admin
          lemon@kubernetes         kubernetes   lemon
#the Role and the RoleBinding live in testing, so in the default namespace nothing is granted
kubectl get pods
Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
kubectl get pod -n testing
No resources found in testing namespace.
#same reason: this asks for services in default; in testing it would already succeed, since the Role lists "services"
kubectl get service
Error from server (Forbidden): services is forbidden: User "kube-user1" cannot list resource "services" in API group "" in the namespace "default"
kubectl config use-context default
Switched to context "default".
#Edit role.yaml to "add" the service resource. Note the typo: "service" is not a resource name, the plural "services" is
#(resource names in rules are the plural names from the API path). Applying this line silently drops the services grant.
resources: ["pods","pods/log","service"]
kubectl apply -f role.yaml
kubectl config use-context kube-user1@mk8s
Switched to context "kube-user1@mk8s".
#listing services in testing now fails, and the message ends with a second clue:
Error from server (Forbidden): services is forbidden: User "kube-user1" cannot list resource "services" in API group "" in the namespace "testing": RBAC: role.rbac.authorization.k8s.io "services-admin" not found
#The trailer means a RoleBinding in testing points at a Role named services-admin that does not exist. RBAC reports the
#dangling reference but grants nothing for it. The binding created below is accepted (roleRef is not validated on creation)
#yet grants nothing either; what fixes the listing is restoring "services" in the Role, or actually creating a Role called services-admin.
kubectl config use-context default
Switched to context "default".
kubectl create rolebinding lemon-admin-service --role=services-admin --user=kube-user1 -n testing
rolebinding.rbac.authorization.k8s.io/lemon-admin-service created
----------------------------------------------------------------------------------------
ClusterRole and ClusterRoleBinding
A ClusterRole is the cluster-scoped role resource. It can grant everything a Role can, and in addition it can authorize
cluster-scoped resources (nodes, persistentvolumes, namespaces) and non-resource URLs such as /healthz, which no Role can reach; the rules field is written exactly as in a Role.
#ClusterRole is cluster-scoped, so metadata.namespace is not used
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-healthz-admin
rules:  # the field is "rules", not "rule"
- nonResourceURLs:
  - /healthz  # only a ClusterRole can carry nonResourceURLs; a trailing * is a prefix wildcard
  verbs:
  - get  # for non-resource URLs the verb is the lowercased HTTP method (get, post, ...); "create" never matches here
---
##Aggregated ClusterRole
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"
rules: []  # filled in by the controller-manager; anything written here is overwritten
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-monitoring-endpoints
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"  # must match the selector exactly; a mis-spelled label is silently ignored
# These rules will be added to the "my-monitoring" role
rules:
- apiGroups: [""]
  resources: ["services","endpoints","pods"]
  verbs: ["get","list","watch"]
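What the two ClusterRole variants above actually do is easier to see in code. The following Python is an added example, not code from this page or from Kubernetes: `aggregate_rules` reproduces how the controller-manager computes an aggregated ClusterRole's rules from `clusterRoleSelectors` (only `matchLabels`; it deliberately includes a role labelled `aggregate-to-monitring` to show that a mis-spelled label is silently skipped), and `non_resource_allowed` applies a `nonResourceURLs` rule the way the RBAC authorizer does, with the lowercased HTTP method as the verb. The dict objects are constructed here to mirror the YAML above; `/healthz/*` is added by this example to show the prefix wildcard.

```python
# Added example (not from the original page): two pieces of the ClusterRole
# machinery, with the page's objects modelled as constructed dicts:
#   (1) how the aggregation controller fills in an aggregated ClusterRole's rules
#   (2) how a nonResourceURLs rule is matched (verb = lowercased HTTP method)
# The mis-spelled label on MY_MONITORING_TYPO is deliberate.


def selector_matches(selector, labels):
    """matchLabels only; matchExpressions is left out to keep the example short."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate_rules(aggregated, cluster_roles):
    """Rules the controller writes into `aggregated`: the union of the rules of
    every *other* ClusterRole that matches at least one selector. Whatever a
    user put in the aggregated role's own `rules` is overwritten."""
    selectors = aggregated.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules = []
    for cr in cluster_roles:
        if cr["metadata"]["name"] == aggregated["metadata"]["name"]:
            continue
        labels = cr["metadata"].get("labels", {})
        if any(selector_matches(s, labels) for s in selectors):
            for rule in cr.get("rules", []):
                if rule not in rules:
                    rules.append(rule)
    return rules


def non_resource_allowed(rules, path, method):
    """Non-resource requests (/healthz, /metrics, /api, ...) are authorized on
    the request path and the lowercased HTTP method; a trailing '*' in a
    nonResourceURLs entry is a prefix wildcard."""
    verb = method.lower()
    for rule in rules:
        verbs = rule.get("verbs", [])
        if not ("*" in verbs or verb in verbs):
            continue
        for pattern in rule.get("nonResourceURLs", []):
            if pattern == "*" or pattern == path or (pattern.endswith("*") and path.startswith(pattern[:-1])):
                return True
    return False


# --- constructed objects mirroring the YAML on the page ---
MY_MONITORING = {"metadata": {"name": "my-monitoring"},
                 "aggregationRule": {"clusterRoleSelectors": [
                     {"matchLabels": {"rbac.example.com/aggregate-to-monitoring": "true"}}]},
                 "rules": []}
MY_MONITORING_ENDPOINTS = {"metadata": {"name": "my-monitoring-endpoints",
                                        "labels": {"rbac.example.com/aggregate-to-monitoring": "true"}},
                           "rules": [{"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
                                      "verbs": ["get", "list", "watch"]}]}
MY_MONITORING_TYPO = {"metadata": {"name": "my-monitoring-nodes",
                                   "labels": {"rbac.example.com/aggregate-to-monitring": "true"}},
                      "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]}
CLUSTER_ROLES = [MY_MONITORING, MY_MONITORING_ENDPOINTS, MY_MONITORING_TYPO]

# The page's my-healthz-admin rule, plus "/healthz/*" added here for the wildcard case.
# "create" is not an HTTP method, so only GET ever passes.
HEALTHZ_RULES = [{"nonResourceURLs": ["/healthz", "/healthz/*"], "verbs": ["get", "create"]}]

if __name__ == "__main__":
    print(aggregate_rules(MY_MONITORING, CLUSTER_ROLES))
    print(non_resource_allowed(HEALTHZ_RULES, "/healthz/etcd", "GET"),
          non_resource_allowed(HEALTHZ_RULES, "/healthz", "POST"))
```

On a real cluster, `kubectl get clusterrole my-monitoring -o yaml` shows the rules the controller wrote, and `kubectl auth can-i get /healthz --as kube-user1` asks the authorizer the non-resource question directly.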
------------------------------------------------------------------------------------------------
User-facing built-in ClusterRoles
The API server ships a set of default ClusterRoles and ClusterRoleBindings reserved for the system; most of them are prefixed with "system:". There are also default roles without the "system:" prefix that are meant for users: the super-user role cluster-admin, bound cluster-wide by the ClusterRoleBinding of the same name, and admin, edit and view, meant to be granted inside a single namespace through a RoleBinding.
[cluster-admin, admin, edit, view]
The built-in ClusterRole cluster-admin can manage every resource in the cluster. The ClusterRoleBinding of the same name binds it to the group "system:masters", so every user in that group is a cluster super-user. A client certificate whose subject carries that group is therefore a cluster-admin credential, and because the API server checks no certificate revocation, it stays valid until the CA is rotated; never issue such certificates to day-to-day users:
/O=system:masters/CN=kubernetes-admin
Using a ClusterRole through a RoleBinding
kubectl create deployment my-dep --image=busybox -n testing
Error from server (Forbidden): deployments.apps is forbidden: User "kube-user1" cannot create resource "deployments" in API group "apps" in the namespace "testing": RBAC: role.rbac.authorization.k8s.io "services-admin" not found
#Bind the built-in cluster-admin ClusterRole with a RoleBinding: this is not cluster-level access. The RoleBinding lives in
#testing, so kube-user1 gets cluster-admin's rules only inside testing and still nothing in other namespaces or on cluster-scoped resources.
kubectl create rolebinding dev-admin --clusterrole=cluster-admin --user=kube-user1 -n testing
rolebinding.rbac.authorization.k8s.io/dev-admin created
kubectl create deployment my-dep --image=busybox -n testing
deployment.apps/my-dep created
###ClusterRole and ClusterRoleBinding in practice:
openssl genrsa -out kube-user2.key 2048
openssl req -new -key kube-user2.key -out kube-user2.csr -subj "/CN=kube-user2/O=lk8s"
openssl x509 -req -in kube-user2.csr -CA /opt/kubernetes/ssl/ca.pem -CAkey /opt/kubernetes/ssl/ca-key.pem -CAcreateserial -out kube-user2.crt -days 3650
kubectl config set-cluster lk8s --embed-certs=true --certificate-authority=/opt/kubernetes/ssl/ca.pem --server="https://192.168.0.81:6443"
kubectl config set-credentials kube-user2 --embed-certs=true --client-certificate=/root/k8s_config2/kube-user2.crt --client-key=/root/k8s_config2/kube-user2.key
kubectl config set-context kube-user2@lk8s --cluster=lk8s --user=kube-user2
openssl genrsa -out kube-mfz.key 2048
openssl req -new -key kube-mfz.key -out kube-mfz.csr -subj "/CN=kube-mfz/O=mfzlk8s"
openssl x509 -req -in kube-mfz.csr -CA /opt/kubernetes/ssl/ca.pem -CAkey /opt/kubernetes/ssl/ca-key.pem -CAcreateserial -out kube-mfz.crt -days 3650
kubectl config set-cluster mfzlk8s --embed-certs=true --certificate-authority=/opt/kubernetes/ssl/ca.pem --server="https://192.168.0.81:6443"
kubectl config set-credentials kube-mfz --embed-certs=true --client-certificate=/root/k8s_config2/kube-mfz.crt --client-key=/root/k8s_config2/kube-mfz.key
kubectl config set-context kube-mfz@mfzlk8s --cluster=mfzlk8s --user=kube-mfz
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-mfz-role
rules:
- apiGroups: [""]
  resources: ["pods","deployments"]  # "deployments" lives in the "apps" group, so this entry grants nothing (see the Forbidden below)
  verbs: ["get","watch","list","create","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-mfz-clusterrolebinding
subjects:
- kind: User
  name: kube-mfz
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-mfz-role
  apiGroup: rbac.authorization.k8s.io
kubectl get deployments
Error from server (Forbidden): deployments.apps is forbidden: User "kube-mfz" cannot list resource "deployments" in API group "apps" in the namespace "default"
#The fix used here: bind the deployment controller's built-in ClusterRole to the user. It works because that role happens to
#include deployments, but it hands a user a system: role that is owned by the cluster (it can change on upgrade) and covers
#far more than listing deployments. The targeted fix is a second rule in cluster-mfz-role with apiGroups: ["apps"] and resources: ["deployments"].
kubectl create clusterrolebinding mfz-admin --clusterrole=system:controller:deployment-controller --user=kube-mfz
clusterrolebinding.rbac.authorization.k8s.io/mfz-admin created
#test access (a ClusterRoleBinding applies in every namespace, so no -n is needed)
kubectl get deployments
NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
db                       2/2     2            2           15d
memched-operator         1/1     1            1           11d
nfs-client-provisioner   1/1     1            1           65d
school-operator          1/1     1            1           35h
student                  15/15   15           15          35h
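To tie the three scenarios on this page together (the Role/RoleBinding for kube-user1 and its "service" typo, cluster-admin granted through a RoleBinding in testing, and cluster-mfz-role's "deployments" entry under the wrong API group), here is a miniature of the RBAC authorizer's decision for resource requests. It is an added example, not code from this page or from Kubernetes: `page_objects()` models this page's Roles and bindings as constructed dicts, only User subjects are handled, and `resourceNames` and Group/ServiceAccount subjects are left out. Running it reproduces the Forbidden messages seen above, including the `services-admin not found` trailer.

```python
# Added example (not code from the page): a miniature of the RBAC authorizer's
# decision for resource requests, with the page's objects modelled as dicts.
# Sample data is constructed here; only User subjects are handled (no Group /
# ServiceAccount, no resourceNames), which is all the page's scenarios need.


def _match(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """One PolicyRule against one request (verb, apiGroup, resource[/subresource])."""
    if not _match(rule.get("verbs", []), req["verb"]):
        return False
    if not _match(rule.get("apiGroups", []), req["apiGroup"]):
        return False
    resources = rule.get("resources", [])
    if "*" in resources or req["resource"] in resources:
        return True
    # "pods/log" also matches a rule listing "*/log"; a bare "pods" entry never does.
    if "/" in req["resource"]:
        return "*/" + req["resource"].split("/", 1)[1] in resources
    return False


def _bound(binding, user):
    return any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"])


def authorize(user, req, objs):
    """Return (allowed, reason); the reason mirrors the API server's Forbidden text.
    req: {"verb", "apiGroup", "resource", "namespace"} ("" namespace = cluster scope)."""
    errors = []
    # ClusterRoleBindings apply in every namespace and at cluster scope.
    for crb in objs["cluster_role_bindings"]:
        if not _bound(crb, user):
            continue
        rules = objs["cluster_roles"].get(crb["roleRef"]["name"])
        if rules is None:
            errors.append('clusterrole.rbac.authorization.k8s.io "%s" not found' % crb["roleRef"]["name"])
        elif any(rule_allows(r, req) for r in rules):
            return True, "allowed by ClusterRoleBinding " + crb["name"]
    # RoleBindings apply only inside their own namespace, even when roleRef is a ClusterRole.
    ns = req["namespace"]
    for rb in objs["role_bindings"]:
        if not ns or rb["namespace"] != ns or not _bound(rb, user):
            continue
        kind, name = rb["roleRef"]["kind"], rb["roleRef"]["name"]
        rules = objs["roles"].get((ns, name)) if kind == "Role" else objs["cluster_roles"].get(name)
        if rules is None:
            # A dangling roleRef is reported in the message but grants nothing.
            errors.append('RBAC: %s.rbac.authorization.k8s.io "%s" not found' % (kind.lower(), name))
        elif any(rule_allows(r, req) for r in rules):
            return True, "allowed by RoleBinding %s/%s" % (ns, rb["name"])
    reason = 'User "%s" cannot %s resource "%s" in API group "%s" in the namespace "%s"' % (
        user, req["verb"], req["resource"], req["apiGroup"], ns)
    if errors:
        reason += ": " + "; ".join(errors)
    return False, reason


def req(verb, resource, namespace, api_group=""):
    return {"verb": verb, "apiGroup": api_group, "resource": resource, "namespace": namespace}


def user(name):
    return {"kind": "User", "name": name}


def page_objects():
    """The Roles and bindings from this page, as the API server would store them (constructed)."""
    return {
        "roles": {("testing", "my-pod"): [{"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
                                           "verbs": ["get", "list", "watch"]}]},
        "cluster_roles": {
            "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
            # The page's rule: "deployments" under the core group, where no such resource exists.
            "cluster-mfz-role": [{"apiGroups": [""], "resources": ["pods", "deployments"],
                                  "verbs": ["get", "watch", "list", "create", "delete"]}],
        },
        "role_bindings": [
            {"name": "my-reader", "namespace": "testing", "subjects": [user("kube-user1")],
             "roleRef": {"kind": "Role", "name": "my-pod"}},
            # The binding created on the page to a Role that was never defined.
            {"name": "lemon-admin-service", "namespace": "testing", "subjects": [user("kube-user1")],
             "roleRef": {"kind": "Role", "name": "services-admin"}},
        ],
        "cluster_role_bindings": [
            {"name": "cluster-mfz-clusterrolebinding", "subjects": [user("kube-mfz")],
             "roleRef": {"kind": "ClusterRole", "name": "cluster-mfz-role"}},
        ],
    }


if __name__ == "__main__":
    objs = page_objects()
    for u, r in [("kube-user1", req("list", "pods", "default")),
                 ("kube-user1", req("list", "pods", "testing")),
                 ("kube-mfz", req("list", "deployments", "default", "apps"))]:
        print(u, r["verb"], r["resource"], r["namespace"], "->", authorize(u, r, objs))
```

Against a real cluster the same question goes to the real authorizer: `kubectl auth can-i list deployments.apps -n default --as kube-mfz`; run it before and after applying a change rather than guessing from the YAML.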
Kubernetes RBAC authorization operations