RBAC 基于角色的访问控制,引入了4个资源对象,分别是Role,ClusterRole,RoleBinding,ClusterRoleBinding.
1.角色(ROLE):
Role表示是一组规则权限,只能累加,Role可以定义在一个namespace中,只能用于授予对单个命名空间中的资源访问的权限
2.集群角色(ClusterRole)
ClusterRole具有与Role相同的权限角色控制能力,不同的是ClusterRole是集群级别的,可以用于:
- 集群级别的资源控制(例如 node 访问权限)
- 非资源型 endpoints(例如 /healthz 访问)
- 所有命名空间资源控制(例如 pods)
3.角色绑定(RoleBinding)集群角色绑定(ClusterRoleBinding)
RoloBinding可以将角色中定义的权限授予用户或用户组,RoleBinding包含一组权限列表(subjects),权限列表中包含有不同形式的待授予权限资源类型(users、groups、service accounts),RoleBinding适用于某个命名空间内授权,而 ClusterRoleBinding适用于集群范围内的授权。
RoleBinding同样可以引用ClusterRole来对当前 namespace 内用户、用户组或 ServiceAccount 进行授权,这种操作允许集群管理员在整个集群内定义一些通用的 ClusterRole,然后在不同的 namespace 中使用 RoleBinding 来引用
开启RBAC认证:
apiserver 启动的时候指定RBAC参数
--authorization-mode=Node,RBAC
例子:
现在有个需求集群外的服务器需要获取集群管理员的权限,我们可以这样写:
kubectl create serviceaccount root
kubectl create clusterrolebinding root-cluster --clusterrole=cluster-admin --user=root
或者通过yaml文件实现
apiVersion: v1
kind: ServiceAccount
metadata:
name: root
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: root-admin
subjects:
- kind: ServiceAccount
name: root
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
查看root的配置及绑定的角色
# kubectl get sa root -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-12-22T13:51:06Z
name: root
namespace: default
resourceVersion: "3928601"
selfLink: /api/v1/namespaces/default/serviceaccounts/root
uid: a143d8fd-05f0-11e9-9b39-c659655aa83d
secrets:
- name: root-token-9f84k
# kubectl get ClusterRoleBinding root-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: 2018-12-23T12:03:30Z
name: root-admin
resourceVersion: "4068948"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/root-admin
uid: c33133a7-06aa-11e9-960b-005056a99383
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: root
namespace: default
获取root的token:
# kubectl get secret $(kubectl get serviceaccount root -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InJvb3QtdG9rZW4tOWY4NGsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicm9vdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImExNDNkOGZkLTA1ZjAtMTFlOS05YjM5LWM2NTk2NTVhYTgzZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnJvb3QifQ.G6-JRbqUs3WYGYHR8Z2Mih5kPIZEx0kn1VnI7lnJmD16KZhU0mMbzuzqya4iznKUThkPASKk5lmeqKFKkL2_wfiHzrY7T7_huo68HuDRaroL61yjMJKO8MPo6bx9yZYBudvf0hvJJ4NFscC1_qfltD6vlO6VoGmJtmbP7jaliw8-0103p8PUMjcUweRo0MR_wZ6Ni6yT168lnmufyT7ucIFsKDwW_wm4DE1RlIfaa0rZqdUj7t8DZmyvgTmTVdyb803OBFkboJax34QcKVIwlfo2cXuS39Tvmiw7aFq-Jk3r2wgOeH2S0E_YnWdKQEdhA63GU2oS7tJyOqcvDLgX_Q
现在有另外一个需求就是不同的用户访问不同的命名空间里的资源并且有这个命名空间里的所有权限:
apiVersion: v1
kind: ServiceAccount
metadata:
name: zhangsan
namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: dev
name: role-dev-user1
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["pods/portforward", "pods/proxy"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
resources: ["replicasets"]
verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list", "create", "update", "pathch", "delete"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
resources: ["cronjobs"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["replicationcontrollers"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-bind-dev-user1
namespace: dev
subjects:
- kind: ServiceAccount
name: zhangsan
namespace: dev
roleRef:
kind: Role
name: role-dev-user1
apiGroup: rbac.authorization.k8s.io
生成kubeconfig用于kubectl去访问集群或者去访问dashborad
kubectl config set-cluster kubernetes \
--insecure-skip-tls-verify=true \
--server="https://API-SERVER:6443"
kubectl config set-credentials dev-user1 \
--token='token'
定义context运行环境
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=dev-user1 \
--namespace=dev
kubectl config use-context kubernetes
通过windwos去访问集群
windows kubectl命令安装
命令下载:
https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/windows/amd64/kubectl.exe
然后将其放至系统PATH目录下,比如c:\Windows
将生成好的kubeconfig文件放在加目录里
文件名为config,文件放到 ~/.kube/下(~为用户家目录),因为kubectl命令默认读取此文件,否则每次使用kubectl命令,需要用参数--kubeconfig=configpath指定。
效果如图(我赋予的角色是cluster-admin):
或者通过kubernetes dashborad去访问
如果是我刚才创建的root的话可以正常访问如图:
如果是我张三这个用户的话 那就只能访问自己命名空间的资源
如图:
我们切换命名空间到dev就不会出错