k8s Authorization

Tip:

We normally access the cluster through its RESTful API. kubectl get pod, for example, is itself an HTTP request to the API server.

First expose port 8080 with kubectl proxy:

kubectl proxy --port=8080

Example 1:
In another terminal:

curl http://localhost:8080/api/v1/namespaces

This returns all namespaces under API version v1.
Example 2:

[root@master helm]# kubectl get deployments.apps  -n kube-system 
NAME      READY   UP-TO-DATE   AVAILABLE   AGE
coredns   2/2     2            2           19d
[root@master helm]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/

These two give equivalent results.

HTTP request verbs:
get, post, put, delete

API request verbs:
get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection
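As an added example (not part of the original post), the shell function below derives the API request verb that RBAC rules are evaluated against from an HTTP method, path and query string, following the rules the API server applies: a GET without a resource name is list, with a name is get, with ?watch=true is watch, and a DELETE without a name is deletecollection. Subresources such as pods/log and non-resource URLs are deliberately not handled, and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: map an HTTP request to the
# Kubernetes API verb that RBAC evaluates. Subresources and non-resource URLs
# are not handled.
k8s_verb() {
  method="$1"; path="${2%/}"; query="${3:-}"
  # Strip the API prefix: /api/<version> for the core group,
  # /apis/<group>/<version> for everything else.
  case "$path" in
    /api/*/*)    rest="${path#/api/*/}" ;;
    /apis/*/*/*) rest="${path#/apis/*/*/}" ;;
    *)           echo "unknown path $path"; return 1 ;;
  esac
  # Split the remainder into path segments.
  old_ifs="$IFS"; IFS=/; set -- $rest; IFS="$old_ifs"
  # namespaces/<ns>/<resource>[/<name>] is a namespaced request; anything else is
  # cluster-scoped (including /namespaces/<ns>, where "namespaces" is the resource).
  if [ "$1" = namespaces ] && [ $# -ge 3 ]; then
    resource="$3"; name="${4:-}"
  else
    resource="$1"; name="${2:-}"
  fi
  case "$method" in
    GET)
      case "$query" in
        *watch=true*) verb=watch ;;
        *) if [ -n "$name" ]; then verb=get; else verb=list; fi ;;
      esac ;;
    POST)   verb=create ;;
    PUT)    verb=update ;;
    PATCH)  verb=patch ;;
    DELETE) if [ -n "$name" ]; then verb=delete; else verb=deletecollection; fi ;;
    *)      echo "unknown method $method"; return 1 ;;
  esac
  echo "$verb $resource"
}

# Usage: k8s_verb GET /apis/apps/v1/namespaces/kube-system/deployments/   -> "list deployments"
```

This is why the curl in Example 2 needs the list verb on deployments, not get: the two are separate verbs in a Role, and a rule granting only get does not let a user enumerate the collection.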

API Server authorization modes:

• AlwaysDeny: reject every request
• AlwaysAllow: allow every request
• ABAC: attribute-based access control, using user-configured authorization rules
• Webhook: authorize by calling an external REST service
• RBAC: role-based access control (the default)
Selected with --authorization-mode
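As an added example (not from the original post), here is a small audit of that flag as it appears in a kube-apiserver static pod manifest. The sample manifest is constructed inside the script; on a kubeadm cluster the real file is /etc/kubernetes/manifests/kube-apiserver.yaml. The check fails on AlwaysAllow and on a missing flag, because kube-apiserver's built-in default for --authorization-mode is AlwaysAllow.

```shell
#!/bin/sh
# Added example, not from the original post: check which authorization modes a
# kube-apiserver manifest enables. Handles the "--flag=value" form kubeadm writes
# and the "--flag value" form; prints "unset" when the flag is absent.
authz_modes() {
  sed -n 's/^ *- *--authorization-mode[= ]//p' "$1" | head -n 1 | grep . || echo unset
}

# Returns 0 when RBAC is on and AlwaysAllow is off, 1 otherwise.
authz_check() {
  modes=$(authz_modes "$1")
  case ",$modes," in
    *,AlwaysAllow,*) echo "FAIL: AlwaysAllow enabled ($modes)"; return 1 ;;
    ,unset,)         echo "FAIL: flag missing, kube-apiserver defaults to AlwaysAllow"; return 1 ;;
    *,RBAC,*)        echo "PASS: $modes"; return 0 ;;
    *)               echo "WARN: RBAC not enabled ($modes)"; return 1 ;;
  esac
}

# Constructed sample manifest; $1 is the mode list to embed.
make_sample_manifest() {
  f=$(mktemp)
  cat > "$f" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.10.180
    - --authorization-mode=${1}
    - --secure-port=6443
EOF
  echo "$f"
}

# Usage: authz_check /etc/kubernetes/manifests/kube-apiserver.yaml
```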

RBAC:

Introduced in k8s 1.5.
• Fully covers both resource and non-resource requests in the cluster
• The whole of RBAC is expressed as a handful of API objects, which can be managed with kubectl or the API
• Takes effect dynamically at runtime, with no API server restart needed

For practising RBAC, the Chinese official documentation explains it in detail:
RBAC docs: https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/

Hands-on:

1. Create the user and password

adduser userdev
passwd userdev

2. Create the certificate:

mkdir -p /usr/local/install-k8s/cert/userdev
vim /usr/local/install-k8s/cert/userdev/userdev-csr.json
{
  "CN": "userdev",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Explanation: (screenshot in the original post, not reproduced here)

3. Download the certificate generation tools

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cd /etc/kubernetes/pki/

This directory holds the certificates reserved by the k8s system (screenshot in the original post).
All HTTPS certificates are signed by the cluster's root CA.

cfssl gencert -ca=ca.crt -ca-key=ca.key  -profile=kubernetes /usr/local/install-k8s/cert/userdev/userdev-csr.json | cfssljson -bare userdev

After it runs you will find three new files, userdev-key.pem, userdev.pem and userdev.csr (screenshot in the original post):
userdev.csr: the certificate signing request, which is what gets sent to the CA
userdev.pem: the certificate
userdev-key.pem: the private key

4. Set the cluster parameters

cd /usr/local/install-k8s/cert/userdev/

export KUBE_APISERVER="https://192.168.10.180:6443"

kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=userdev.kubeconfig

This creates a userdev.kubeconfig file in the current directory:

[root@master cert]# cat userdev.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.10.180:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

The clusters section is now populated.

5. Set the client credentials

kubectl config set-credentials userdev --client-certificate=/etc/kubernetes/pki/userdev.pem --client-key=/etc/kubernetes/pki/userdev-key.pem --embed-certs=true --kubeconfig=userdev.kubeconfig
[root@master cert]# cat userdev.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.10.180:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: userdev
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

The users section is now populated.
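One thing worth checking at this point, for both the CSR from step 2 and the credentials just embedded in step 5: Kubernetes takes the username from the client certificate's CN and the user's groups from every O entry in the subject. With "O": "k8s" in userdev-csr.json, userdev therefore also belongs to a group named k8s, and any ClusterRoleBinding or RoleBinding that targets that group applies to this user as well. The following script, an added example that is not part of the original post, prints the identity a certificate will authenticate as, reading either a PEM file or the client-certificate-data embedded in a kubeconfig; the sample certificate and kubeconfig it builds are constructed locally with openssl and carry the same subject as the post's CSR.

```shell
#!/bin/sh
# Added example, not from the original post: show the Kubernetes identity
# (user = CN, groups = all O entries) asserted by a client certificate.
# Accepts a PEM file or a kubeconfig written with --embed-certs=true.
cert_identity() {
  f="$1"
  if grep -q '^ *client-certificate-data:' "$f"; then
    # kubeconfig: decode the first embedded client certificate
    pem=$(sed -n 's/^ *client-certificate-data: *//p' "$f" | head -n 1 | base64 -d)
  else
    pem=$(cat "$f")
  fi
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt sep_multiline)
  cn=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p')
  groups=$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p' | paste -s -d , -)
  printf 'user=%s groups=%s\n' "$cn" "$groups"
}

# Constructed sample: a self-signed cert with the same subject as userdev-csr.json.
# (The post signs with the cluster CA via cfssl; self-signed is enough to inspect the subject.)
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=userdev' \
    -keyout "$dir/userdev-key.pem" -out "$dir/userdev.pem" >/dev/null 2>&1
  echo "$dir/userdev.pem"
}

# Constructed sample: a minimal kubeconfig embedding that cert, as step 5 does.
make_sample_kubeconfig() {
  cert="$1"; out="${cert%/*}/userdev.kubeconfig"
  b64=$(base64 < "$cert" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Config\nusers:\n- name: userdev\n  user:\n    client-certificate-data: %s\n' "$b64" > "$out"
  echo "$out"
}

# Usage: cert_identity userdev.pem   -> user=userdev groups=k8s
```

Run it against the real userdev.pem or userdev.kubeconfig from the post and compare the output with the bindings you intend to create in step 7; if the groups line contains anything unexpected, fix the O field in the CSR before signing rather than relying on the binding alone.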

6. Set the context parameters

Create the dev namespace:

kubectl create ns dev
kubectl config set-context kubernetes --cluster=kubernetes --user=userdev --namespace=dev --kubeconfig=userdev.kubeconfig
[root@master cert]# cat userdev.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.10.180:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: userdev
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: userdev
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

The context parameters are now present (screenshot in the original post).

7. Grant permissions with a rolebinding:

[root@master cert]# kubectl create rolebinding userdev-admin-binding --clusterrole=admin --user=userdev --namespace=dev
rolebinding.rbac.authorization.k8s.io/userdev-admin-binding created

rolebinding name: userdev-admin-binding
clusterrole: the set of permissions being granted
user and namespace: the target of the grant

8. Set the current context:

kubectl config use-context kubernetes --kubeconfig=userdev.kubeconfig

9. Using it as the user:

mkdir /home/userdev/.kube/

Copy the generated config into /home/userdev/.kube/:

cp userdev.kubeconfig /home/userdev/.kube/

Fix the file ownership:

chown -R userdev:userdev /home/userdev/.kube/

Switch user:

su userdev
cd ~/.kube/

Rename the file to the default name kubectl looks for:

mv userdev.kubeconfig config

Verification:

kubectl get pod now only shows pods in the dev namespace, and you no longer need -n dev to query it; but with -n default (or any other namespace) you cannot retrieve pods, because we only granted permissions in the dev namespace.

[userdev@master root]$ kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE    IP            NODE    NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          112s   10.244.2.48   node2   <none>           <none>
[userdev@master root]$ kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "testuser" cannot list resource "pods" in API group "" at the cluster scope
[userdev@master root]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "testuser" cannot list resource "pods" in API group "" in the namespace "default"