Introduction
Every interaction with a Kubernetes cluster goes through the apiserver, and in a centralised system like that, access control matters a great deal. RBAC (Role-Based Access Control), which became stable as rbac.authorization.k8s.io/v1 in Kubernetes 1.8 after alpha and beta releases in earlier 1.x versions, is the authorization mechanism built for exactly this situation. On a kubeadm-built cluster the active authorization modes can be read straight from the apiserver's static pod manifest:
[root@k8s nginx]# grep -C3 'authorization-mode' /etc/kubernetes/manifests/kube-apiserver.yaml
The API Server currently supports the following authorization modes. Several can be combined as a comma-separated --authorization-mode list; they are consulted in order, and a request that no authorizer allows is rejected:
- AlwaysDeny: rejects every request; only useful for testing.
- AlwaysAllow: accepts every request. This is the built-in default of the kube-apiserver flag and is only acceptable for a cluster that needs no authorization at all; kubeadm-built clusters set Node,RBAC instead.
- ABAC (Attribute-Based Access Control): matches each request against a user-supplied policy file of authorization rules.
- Webhook: delegates the authorization decision to an external REST service.
- RBAC: Role-Based Access Control, covered in this article.
- Node: a special-purpose mode that authorizes requests made by kubelets, confining each kubelet to the objects belonging to its own node.
For more on authorization, see: http://docs.kubernetes.org.cn/51.html#Kubernetes
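As an added example (not code from the original page), the Python script below performs the same check as the grep command above against the kube-apiserver static pod manifest and flags the weak entries from this list. It uses only the standard library and scans the manifest text line by line rather than parsing YAML; the two manifests embedded in it are constructed samples, and the image tag, address and paths in them are placeholders.

```python
"""Added example, not code from the original page: audit the kube-apiserver
authorization chain from its static pod manifest (the file the grep reads).
Only the stdlib is used, so the manifest is scanned with a regex instead of a
YAML parser; the two manifests below are constructed samples.
"""
from __future__ import annotations

import re

# kubeadm writes the flag as "- --authorization-mode=Node,RBAC"; a space
# separator is accepted too in case the manifest was written by hand.
FLAG_RE = re.compile(r"--authorization-mode[=\s]+([A-Za-z,]+)")


def parse_authorization_modes(manifest_text: str) -> list[str]:
    """Return the modes in the order the apiserver consults them.
    An absent flag means the kube-apiserver built-in default, AlwaysAllow."""
    match = FLAG_RE.search(manifest_text)
    if match is None:
        return ["AlwaysAllow"]
    return [m for m in match.group(1).split(",") if m]


def audit_authorization_modes(modes: list[str]) -> list[str]:
    """Return the findings a reviewer would raise; an empty list means the
    chain has the expected Node,RBAC shape."""
    findings: list[str] = []
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow present: every authenticated request is "
                        "authorized; RBAC only allows or abstains, so "
                        "Role/RoleBinding objects cannot restrict anything")
    if "AlwaysDeny" in modes:
        findings.append("AlwaysDeny present: test-only mode that rejects "
                        "whatever earlier authorizers abstain on")
    if "RBAC" not in modes:
        findings.append("RBAC missing: Role/RoleBinding objects have no effect")
    if "Node" not in modes:
        findings.append("Node missing: kubelet requests are not confined to "
                        "the node's own Pods and Secrets by the Node authorizer")
    return findings


def audit_manifest(manifest_text: str) -> list[str]:
    """Convenience wrapper: parse the flag, then audit the resulting chain."""
    return audit_authorization_modes(parse_authorization_modes(manifest_text))


# Constructed sample: the shape kubeadm generates (values are placeholders).
SAMPLE_KUBEADM_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.0.2.10
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    image: registry.k8s.io/kube-apiserver:v1.28.0
"""

# Constructed sample: the same manifest after someone "fixed" a permission
# problem by switching the flag to the built-in default.
SAMPLE_WEAK_MANIFEST = SAMPLE_KUBEADM_MANIFEST.replace("Node,RBAC", "AlwaysAllow")


if __name__ == "__main__":
    for label, text in (("kubeadm", SAMPLE_KUBEADM_MANIFEST),
                        ("weak", SAMPLE_WEAK_MANIFEST)):
        print(f"{label}: modes={parse_authorization_modes(text)}")
        for finding in audit_manifest(text):
            print("  -", finding)
```

On a control-plane node, pass the real file to it: audit_manifest(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read()). Newer releases can also configure authorization through an --authorization-config file instead of the flag, which this scan does not read, so an "AlwaysAllow" result from a missing flag should be confirmed by hand on such clusters.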
Relationship diagram: (image not included in this extract)
Walkthrough
1. Create the key and client certificate
[root@k8s rbac]# openssl genrsa -out devuser.key
[root@k8s rbac]# openssl req -new -key devuser.key -subj "/CN=devuser" -out devuser.csr
[root@k8s rbac]# openssl x509 -req -in devuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out devuser.crt -days 365
A few points about this step. The apiserver takes the certificate's CN as the user name and each O (organization) field as a group membership, so "/CN=devuser" is what makes the RoleBinding subject below match; a certificate carrying O=system:masters is treated as cluster-admin regardless of any Role, so never sign a CSR whose subject you have not inspected. Kubernetes does not check certificate revocation lists, so a signed certificate stays valid until it expires: use the shortest -days you can live with, and keep ca.key (and devuser.key) under restrictive file permissions. Recent OpenSSL releases default genrsa to 2048-bit keys; pass the size explicitly on older systems. Where you do not hold the cluster CA key, submit the CSR through the certificates.k8s.io CertificateSigningRequest API instead of signing it locally.
2. Create the user, Role and RoleBinding
(1) Create the user devuser
Two prerequisites are easy to miss here: the dev namespace must exist before anything is created in it (kubectl create namespace dev), and the certificate and key from step 1 must be registered in kubeconfig before a context can refer to the user (kubectl config set-credentials devuser --client-certificate=devuser.crt --client-key=devuser.key --embed-certs=true). Then create the context:
[root@k8s rbac]# kubectl config set-context devuser@kubernetes --cluster=kubernetes --user=devuser --namespace=dev
[root@k8s rbac]# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
          devuser@kubernetes            kubernetes   devuser            dev
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
(2) Create a Role and a RoleBinding that grant devuser its permissions
[root@k8s nginx]# cat devuser-role-bind.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: devuser-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devuser-rolebinding
  namespace: dev
subjects:
- kind: User
  name: devuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: devuser-role
  apiGroup: rbac.authorization.k8s.io
[root@k8s nginx]# kubectl apply -f devuser-role-bind.yaml
role.rbac.authorization.k8s.io/devuser-role created
rolebinding.rbac.authorization.k8s.io/devuser-rolebinding created
(3) Check the permissions
Because the user was only granted pod permissions inside the dev namespace, it cannot read resources in any other namespace. Note what the Role does grant, though: create/update/patch/delete on pods in dev lets devuser run arbitrary workloads there, including pods with hostPath volumes or host namespaces unless Pod Security admission or a policy controller forbids them, so even a "single namespace" role deserves review. An administrator can test a user's permissions without switching contexts with kubectl auth can-i list pods -n default --as devuser, and list everything the user may do in a namespace with kubectl auth can-i --list -n dev --as devuser.
[root@k8s rbac]# kubectl config use-context devuser@kubernetes
Switched to context "devuser@kubernetes".
[root@k8s nginx]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s nginx]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s nginx]# kubectl get pods -n nodes
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "nodes"
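The three Forbidden responses above follow directly from how the RBAC authorizer matches a request against bindings. The Python script below is an added example, not code from the page or from Kubernetes itself: it re-implements that matching for the page's own Role and RoleBinding, and contrasts the result with an assumed cluster-wide ClusterRole named pod-reader (not on the page), so the difference between a namespaced Role and a ClusterRoleBinding can be seen without a cluster.

```python
"""Added example, not code from the original page: a minimal re-implementation
of how the RBAC authorizer matches a request against Role/RoleBinding objects,
enough to reproduce the Forbidden results above offline.

Covered: Roles via RoleBinding (namespace-scoped), ClusterRoles via
ClusterRoleBinding (cluster-wide) or via RoleBinding (scoped to the binding's
namespace), User/Group subjects, "*" wildcards. Not covered: ServiceAccount
subjects, resourceNames, nonResourceURLs, ClusterRole aggregation.
The ClusterRole "pod-reader" and its binding are assumptions for comparison.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str
    namespace: Optional[str] = None  # None = cluster-scoped request, e.g. nodes
    api_group: str = ""              # "" is the core API group
    groups: frozenset = frozenset()  # groups the authenticator attached to the user


def rule_matches(rule: dict, req: Request) -> bool:
    """A PolicyRule matches when apiGroup, resource and verb each match or are '*'."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), req.api_group)
            and hit(rule.get("resources", []), req.resource)
            and hit(rule.get("verbs", []), req.verb))


def subject_matches(subject: dict, req: Request) -> bool:
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    return False  # ServiceAccount subjects are out of scope for this example


def authorize(req: Request, roles: dict, cluster_roles: dict,
              role_bindings: list, cluster_role_bindings: list) -> bool:
    """RBAC is allow-only: the first matching rule allows; with no match the
    authorizer has no opinion and the apiserver answers Forbidden."""
    for crb in cluster_role_bindings:  # cluster-wide: any namespace, or none
        if any(subject_matches(s, req) for s in crb["subjects"]):
            rules = cluster_roles[crb["roleRef"]["name"]]["rules"]
            if any(rule_matches(r, req) for r in rules):
                return True
    if req.namespace is None:
        return False  # RoleBindings never grant cluster-scoped requests
    for rb in role_bindings:
        if rb["namespace"] != req.namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, req) for s in rb["subjects"]):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = cluster_roles[ref["name"]]["rules"]
        else:
            rules = roles[(rb["namespace"], ref["name"])]["rules"]
        if any(rule_matches(r, req) for r in rules):
            return True
    return False


# The page's Role and RoleBinding (devuser-role-bind.yaml) as dicts.
ROLES = {("dev", "devuser-role"): {"rules": [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}}
ROLE_BINDINGS = [{"namespace": "dev",
                  "subjects": [{"kind": "User", "name": "devuser"}],
                  "roleRef": {"kind": "Role", "name": "devuser-role"}}]
# Assumed for comparison only (not on the page): a read-only ClusterRole bound
# cluster-wide to the same user.
CLUSTER_ROLES = {"pod-reader": {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}}
CLUSTER_ROLE_BINDINGS = [{"subjects": [{"kind": "User", "name": "devuser"}],
                          "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}}]


def devuser_can(verb: str, resource: str, namespace: Optional[str],
                api_group: str = "", cluster_reader: bool = False) -> bool:
    """Evaluate a devuser request against the page's objects, optionally adding
    the assumed cluster-wide pod-reader binding."""
    req = Request("devuser", verb, resource, namespace, api_group)
    crbs = CLUSTER_ROLE_BINDINGS if cluster_reader else []
    return authorize(req, ROLES, CLUSTER_ROLES, ROLE_BINDINGS, crbs)


if __name__ == "__main__":
    checks = [("list", "pods", "dev", ""), ("list", "pods", "default", ""),
              ("delete", "pods", "dev", ""), ("list", "deployments", "dev", "apps"),
              ("list", "nodes", None, "")]
    for verb, resource, ns, group in checks:
        print(f"{verb:6} {resource:12} ns={str(ns):8} "
              f"page-objects={devuser_can(verb, resource, ns, group)!s:5} "
              f"+cluster-reader={devuser_can(verb, resource, ns, group, True)}")
```

Running it shows that, with only the page's objects, devuser can list and delete pods in dev but gets nothing in default, nothing for Deployments (apps group) even in dev, and nothing cluster-scoped; adding the assumed ClusterRoleBinding opens pod reads in every namespace while delete stays confined to dev. The same questions can be put to a live cluster with kubectl auth can-i ... --as devuser.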
3. Verification
Switch back to the admin context first (kubectl config use-context kubernetes-admin@kubernetes): devuser's Role covers pods only, so it could not create the Deployment (apps group) or the Service below, and the admin creates them in the dev namespace. Then switch to devuser and confirm it can see the resulting pod.
[root@k8s nginx]# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
          devuser@kubernetes            kubernetes   devuser            dev
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
[root@k8s nginx]# cat dev-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-dev
  namespace: dev
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: myapp-dev
        image: nginx:latest
        ports:
        - containerPort: 80
          name: http-web-svc
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  namespace: dev
  name: nginx-service-dev
spec:
  selector:
    app: nginx
  ports:
  - name: name-of-service-port
    protocol: TCP
    port: 8080
    targetPort: http-web-svc
[root@k8s nginx]# kubectl apply -f dev-nginx.yaml
deployment.apps/nginx-deployment-dev created
service/nginx-service-dev created
[root@k8s nginx]# kubectl config use-context devuser@kubernetes   # switch to the devuser context
Switched to context "devuser@kubernetes".
[root@k8s nginx]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-deployment-dev-79cdf66b76-9f622 1/1 Running 0 54s