Kubernetes RBAC

Listing the Roles and ClusterRoles in the cluster
List Roles (namespaced, so look across all namespaces)
kubectl get roles --all-namespaces
List ClusterRoles (cluster-scoped, so --all-namespaces has no effect and is dropped)
kubectl get clusterroles
Creating a read-only user hzeng in the michael namespace
  • Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hzeng
  namespace: michael
  • Create a Role that grants the get, list and watch verbs
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: handpay-pod-reader
  namespace: michael
rules:
- apiGroups:
  - ""          # "" is the core API group, where pods live
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  • Look up the ServiceAccount's token Secret
kubectl get serviceaccount -n michael hzeng -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"hzeng","namespace":"michael"}}
  creationTimestamp: 2018-12-16T10:44:06Z
  name: hzeng
  namespace: michael
  resourceVersion: "641989"
  selfLink: /api/v1/namespaces/michael/serviceaccounts/hzeng
  uid: 8332394d-011f-11e9-8876-fa163e015d52
secrets:
 - name: hzeng-token-p7q56
  • Extract the token from the Secret and base64-decode it (Secret data is base64-encoded, not encrypted, so this is decoding, not decryption)
kubectl get secrets -n michael hzeng-token-p7q56 -oyaml | grep token: | awk '{print $2}' | base64 -d
# Note: from Kubernetes 1.24 on, a token Secret is no longer created for a ServiceAccount automatically;
# request a short-lived token instead with: kubectl create token hzeng -n michael
  • Create the cluster entry and bind it to a context
# --server is the API server address, --certificate-authority the CA that signs its serving certificate.
# set-cluster takes no namespace; a default namespace belongs on the context (see below).
kubectl config set-cluster hpcluster --server=https://192.168.1.170:5443 --certificate-authority=/var/paas/srv/kubernetes/ca.crt
# Create a context bound to the cluster; after switching to it kubectl uses that cluster's settings.
# No --namespace is set here, which is why the bare `kubectl get pods` in the verification step targets "default";
# add --namespace=michael to make michael the context's default namespace.
kubectl config set-context hp-context --cluster=hpcluster
  • Bind the token to a user, and the user to the context
# $token is the ServiceAccount token decoded above
kubectl config set-credentials hp-reader --token=$token
kubectl config set-context hp-context --user=hp-reader
  • Bind the Role to the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: handpay-pod-reader-binding
  namespace: michael
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: handpay-pod-reader
subjects:
- kind: ServiceAccount
  name: hzeng
  namespace: michael
  • Verify
# List the contexts that exist
[root@michael-00359-drome rbac]# kubectl config get-contexts
CURRENT   NAME         CLUSTER           AUTHINFO    NAMESPACE
          hp-context   hpcluster         hp-reader   
*         internal     internalCluster   user  
# Switch context
[root@michael-00359-drome rbac]# kubectl config use-context hp-context
Switched to context "hp-context".
# Only get/list/watch on pods in the michael namespace was granted. The context has no default
# namespace, so a bare `kubectl get pods` targets "default" and is forbidden. The username in the
# error is the ServiceAccount's identity, system:serviceaccount:<namespace>:<name>.
[root@michael-00359-drome rbac]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:michael:hzeng" cannot list pods in the namespace "default"
# In michael the list is allowed (there are simply no pods yet). Services were not granted,
# so listing them is still forbidden even inside michael.
[root@michael-00359-drome rbac]# kubectl get pods -n michael
No resources found.
[root@michael-00359-drome rbac]# kubectl get svc -n michael
No resources found.
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:michael:hzeng" cannot list services in the namespace "michael"

  • Grant the user access to services (apply this from the admin context; hp-reader itself cannot edit Roles)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: handpay-pod-reader
  namespace: michael
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services # adding the resource to the existing Role is all that is needed
  verbs:
  - get
  - list
  - watch
  • Verify (services in michael are now readable; other namespaces stay forbidden)
[root@michael-00359-drome rbac]# kubectl get svc  -n michael
No resources found.

[root@michael-00359-drome rbac]# kubectl get svc   
No resources found.
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:michael:hzeng" cannot list services in the namespace "default"
Creating a superuser
  • Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  • Bind the ClusterRole to the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin # the built-in cluster-admin ClusterRole allows every verb on every resource
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
The token of this ServiceAccount is a full cluster-admin credential: anyone who can read Secrets in kube-system, or who runs in a pod that mounts it, gets the same access. Keep such bindings rare, and prefer short-lived tokens or a named user for human administrators.
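The following is an added example, written for this page and not code from the original post or from Kubernetes itself. It replays the whole procedure above offline: the token step (the Secret's `token:` field is base64-encoded and holds a JWT whose `sub` claim is exactly the `system:serviceaccount:michael:hzeng` username seen in the Forbidden messages) and the authorization step (how the API server walks RoleBindings, which only grant inside their own namespace, and ClusterRoleBindings, which grant everywhere, to reach allow or deny). It reproduces the hzeng results before and after services were added to the Role, and the cluster-admin binding just above. Assumptions: the Secret, the JWT and its placeholder signature are constructed sample data; the claim names follow the legacy service-account token format; the Forbidden text is formatted the way this post's output shows it (newer releases print a longer form); `page_scenario`, `allowed`, `rule_allows` and the other function names are this example's own.

```python
# Added example, not code from the original post. Part 1 mirrors the token step; Part 2
# models the authorizer's walk over RoleBindings and ClusterRoleBindings. All data is constructed.
import base64
import json
import re


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(namespace: str, sa_name: str, secret_name: str) -> str:
    """Constructed token shaped like a legacy service-account JWT (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def make_secret_yaml(namespace: str, secret_name: str, token: str) -> str:
    """Constructed `kubectl get secret -oyaml` output; data values are base64-encoded, not encrypted."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return (f"apiVersion: v1\nkind: Secret\nmetadata:\n  name: {secret_name}\n  namespace: {namespace}\n"
            f"type: kubernetes.io/service-account-token\ndata:\n  namespace: {b64(namespace)}\n  token: {b64(token)}\n")


def token_from_secret_yaml(secret_yaml: str) -> str:
    """Same as the post's `grep token: | awk '{print $2}' | base64 -d`."""
    return base64.b64decode(re.search(r"^\s*token:\s*(\S+)", secret_yaml, re.M).group(1)).decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload segment; no signature check, this is inspection only."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


# Part 2: rules as the authorizer sees them; "" is the core API group (pods, services).
POD_READER = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
POD_SVC_READER = [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]
CLUSTER_ROLES = {"cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
HZENG_BINDING = {"namespace": "michael", "roleRef": {"kind": "Role", "name": "handpay-pod-reader"},
                 "subjects": [{"kind": "ServiceAccount", "name": "hzeng", "namespace": "michael"}]}
ADMIN_CRB = {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
             "subjects": [{"kind": "ServiceAccount", "name": "admin", "namespace": "kube-system"}]}


def subject_matches(subject: dict, user: str) -> bool:
    """A ServiceAccount subject matches the username system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user


def rule_allows(rule: dict, verb: str, group: str, resource: str) -> bool:
    hit = lambda field, value: "*" in rule[field] or value in rule[field]
    return hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)


def allowed(user, verb, resource, namespace, *, roles, bindings, cluster_bindings=(), group=""):
    """RBAC is allow-only: permitted if any binding naming the user reaches a matching rule."""
    for b in bindings:                    # RoleBindings grant only inside their own namespace
        if b["namespace"] == namespace and any(subject_matches(s, user) for s in b["subjects"]):
            ref = b["roleRef"]            # may reference a Role or a ClusterRole; a dangling ref grants nothing
            rules = CLUSTER_ROLES.get(ref["name"], []) if ref["kind"] == "ClusterRole" else roles.get((namespace, ref["name"]), [])
            if any(rule_allows(r, verb, group, resource) for r in rules):
                return True
    for b in cluster_bindings:            # ClusterRoleBindings grant in every namespace
        if any(subject_matches(s, user) for s in b["subjects"]) and any(
                rule_allows(r, verb, group, resource) for r in CLUSTER_ROLES.get(b["roleRef"]["name"], [])):
            return True
    return False


def forbidden_message(user, verb, resource, namespace):
    """The API server's Forbidden text in the form shown in this post."""
    return f'{resource} is forbidden: User "{user}" cannot {verb} {resource} in the namespace "{namespace}"'


def page_scenario() -> dict:
    """Replay the post's checks against the model and return each decision."""
    token = make_sample_token("michael", "hzeng", "hzeng-token-p7q56")
    user = jwt_claims(token_from_secret_yaml(make_secret_yaml("michael", "hzeng-token-p7q56", token)))["sub"]
    before = {("michael", "handpay-pod-reader"): POD_READER}   # Role as first created
    after = {("michael", "handpay-pod-reader"): POD_SVC_READER}  # Role after services were added
    admin = "system:serviceaccount:kube-system:admin"
    def check(u, verb, res, ns, roles, crb=()):
        return allowed(u, verb, res, ns, roles=roles, bindings=[HZENG_BINDING], cluster_bindings=crb)
    return {
        "user": user,
        "pods_default": check(user, "list", "pods", "default", before),
        "pods_michael": check(user, "list", "pods", "michael", before),
        "svc_michael_before": check(user, "list", "services", "michael", before),
        "svc_michael_after": check(user, "list", "services", "michael", after),
        "svc_default_after": check(user, "list", "services", "default", after),
        "admin_delete_secrets": check(admin, "delete", "secrets", "kube-system", after, [ADMIN_CRB]),
    }


if __name__ == "__main__":
    print(json.dumps(page_scenario(), indent=2))
```

Run it with `python3` and compare the decisions with the terminal output in the verification steps: `pods_default` and `svc_michael_before` are the two Forbidden errors, `pods_michael` and `svc_michael_after` the empty but successful lists, and `admin_delete_secrets` shows why a cluster-admin token needs the care noted above. Because the model is allow-only, there is no rule that can take access away; narrowing a grant means editing or removing the Role or binding, never adding a deny.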
Helper commands
 kubectl get roles --all-namespaces # list Roles
 kubectl get clusterroles # list ClusterRoles (cluster-scoped, no namespace flag)
 kubectl get rolebindings --all-namespaces # list RoleBindings
 kubectl get clusterrolebindings # list ClusterRoleBindings (cluster-scoped)
 kubectl get sa --all-namespaces # list ServiceAccounts
 kubectl config get-contexts # list the contexts in the kubeconfig
 kubectl config current-context # show the context in use
 kubectl config view # show the kubeconfig: clusters, users and contexts (add --raw to include the embedded credentials)