What is RBAC?
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
Authorization: determining permissions, i.e. working out what a given subject (user, group, service account) is allowed to do.
User -> Role -> Permissions -> Resource objects
Purpose: to stop a Pod in k8s (which runs arbitrary programs) from freely reading information about the whole cluster and accessing cluster resources.
Concepts:
Rule: a rule, a set of operations on resources that may belong to different API Groups;
Role: a role, a set of rules for operating on Kubernetes API objects, scoped to a namespace;
ClusterRole: a cluster role, not limited to a namespace;
Subject: the entity the rules apply to;
RoleBinding: binds a role to subjects, scoped to a namespace;
ClusterRoleBinding: binds a cluster role to subjects, not limited to a namespace
UserAccount and ServiceAccount
Accounts in kubernetes come in two kinds: UserAccounts and ServiceAccounts:
A UserAccount is for users outside the kubernetes cluster; for example, kubectl accessing the k8s cluster uses a user account. In a kubeadm-installed k8s cluster the default user account is kubernetes-admin;
Human -> k8s client (usually kubectl) -> API Server. The API Server has to authenticate the client. A kubeadm-installed K8s creates an authentication config file .kube/config in the user's home directory, which holds the key material the client uses to access the API Server; when kubectl is used to access k8s it reads this config file automatically, authenticates to the API Server, and then carries out the requested operation.
A ServiceAccount is the account used by Pods; when a process in a Pod's container needs to access the API Server, it uses a ServiceAccount;
A ServiceAccount is confined to the namespace it lives in. Every namespace gets a default service account automatically when it is created; if no Service Account is specified when a Pod is created, the Pod uses the default Service Account.
ServiceAccount usage example
1. Create an sa and bind it to a pod
[root@k8smaster ~]# kubectl create sa sa-jack
serviceaccount/sa-jack created
[root@k8smaster ~]# kubectl get sa
NAME SECRETS AGE
default 1 11d
sa-jack 1 4s
2. Create the pod
[root@k8smaster sa]# cat pod-sa.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sa-jack
  namespace: default
  labels:
    app: sa-jack
spec:
  serviceAccountName: sa-jack # specify the service account
  containers:
  - name: sa-nginx
    ports:
    - containerPort: 80
    image: nginx
    imagePullPolicy: IfNotPresent
[root@k8smaster sa]# kubectl apply -f pod-sa.yaml
pod/sa-jack created
[root@k8smaster sa]# kubectl get pod
NAME READY STATUS RESTARTS AGE
sa-jack 1/1 Running 0 3s
Because the pod is going to access the k8s cluster's apiserver, we need to get into the pod
[root@k8smaster sa]# kubectl exec -it sa-jack -- bash
root@sa-jack:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt namespace token
Run the following command to access our apiserver
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-jack\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"name": "kube-system",
"kind": "namespaces"
},
"code": 403
}
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount#
3. Authorize the sa
cluster-admin is a clusterrole (cluster role) with very broad power
Bind the sa-jack service account in the default namespace to the cluster-admin cluster role
[root@k8smaster sa]# kubectl create clusterrolebinding sa-jack-admin --clusterrole=cluster-admin --serviceaccount=default:sa-jack
clusterrolebinding.rbac.authorization.k8s.io/sa-jack-admin created
4. Request again, now using the bound cluster role
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "kube-system",
"uid": "9f79fef1-0445-478e-be47-705102ba8abf",
"resourceVersion": "25",
"creationTimestamp": "2023-03-23T09:59:09Z",
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2023-03-23T09:59:09Z",
"fieldsType": "FieldsV1",
"fieldsV1": {"f:status":{"f:phase":{}}}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount#
List the cluster role bindings to see which service accounts are bound to cluster roles
[root@k8smaster sa]# kubectl get clusterrolebinding
NAME ROLE AGE
calico-kube-controllers ClusterRole/calico-kube-controllers 11d
calico-node ClusterRole/calico-node 11d
cluster-admin ClusterRole/cluster-admin 11d
ingress-nginx ClusterRole/ingress-nginx 6h15m
ingress-nginx-admission ClusterRole/ingress-nginx-admission 6h15m
kubeadm:get-nodes ClusterRole/kubeadm:get-nodes 11d
kubeadm:kubelet-bootstrap ClusterRole/system:node-bootstrapper 11d
kubeadm:node-autoapprove-bootstrap ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient 11d
kubeadm:node-autoapprove-certificate-rotation ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 11d
kubeadm:node-proxier ClusterRole/system:node-proxier 11d
metrics-server:system:auth-delegator ClusterRole/system:auth-delegator 8d
sa-jack-admin ClusterRole/cluster-admin 53m
sa-jack1-admin ClusterRole/secret-reader 20m
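As an added example that is not part of the original post, a small audit over the kind of listing shown above: it takes the JSON that `kubectl get clusterrole,clusterrolebinding -o json` returns (a constructed, trimmed sample is embedded here, with the cluster-admin rules from `kubectl describe`, the secret-reader ClusterRole and the two sa-jack bindings from this page, plus one filler kubeadm binding) and reports every ServiceAccount whose ClusterRoleBinding grants wildcard access or cluster-wide reads of Secrets. The sa-jack-admin binding created in step 3 is exactly what such a check exists to surface.

```python
import json

# Constructed sample of what `kubectl get clusterrole,clusterrolebinding -o json`
# returns, trimmed to the fields the audit reads. cluster-admin, secret-reader and
# the two sa-jack bindings mirror this page; the kubeadm entry is filler.
SAMPLE = json.loads("""
{
 "kind": "List", "apiVersion": "v1",
 "items": [
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
             {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "kubeadm:get-nodes"},
   "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-jack-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "sa-jack", "namespace": "default"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-jack1-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "secret-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "sa-jack", "namespace": "default"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "kubeadm:get-nodes"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "kubeadm:get-nodes"},
   "subjects": [{"kind": "Group", "name": "system:bootstrappers:kubeadm:default-node-token"}]}
 ]
}
""")

READ_VERBS = {"get", "list", "watch"}


def risky_reasons(rules):
    """Reasons a ClusterRole is worth flagging when it is bound cluster-wide."""
    reasons = set()
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))  # nonResourceURLs rules carry no resources
        if "*" in resources and "*" in verbs:
            reasons.add("wildcard: every verb on every resource")
        if ("secrets" in resources or "*" in resources) and (verbs & READ_VERBS or "*" in verbs):
            reasons.add("reads Secrets cluster-wide")
    return reasons


def audit(listing):
    """Return (binding, namespace/serviceaccount, clusterrole, [reasons]) for risky SA bindings."""
    roles = {item["metadata"]["name"]: item.get("rules", [])
             for item in listing["items"] if item["kind"] == "ClusterRole"}
    findings = []
    for item in listing["items"]:
        if item["kind"] != "ClusterRoleBinding":
            continue
        role_name = item["roleRef"]["name"]
        reasons = risky_reasons(roles.get(role_name, []))
        if not reasons:
            continue
        for subject in item.get("subjects", []):
            if subject["kind"] != "ServiceAccount":
                continue  # workload identities are the concern here; users and groups need a separate review
            findings.append((item["metadata"]["name"],
                             f'{subject["namespace"]}/{subject["name"]}',
                             role_name, sorted(reasons)))
    return findings


if __name__ == "__main__":
    for binding, sa, role, reasons in audit(SAMPLE):
        print(f"{binding}: ServiceAccount {sa} -> ClusterRole {role}: {', '.join(reasons)}")
```

Feed it real output by replacing `SAMPLE` with `json.load(sys.stdin)` and piping `kubectl get clusterrole,clusterrolebinding -o json` into it; any Pod running under a flagged service account holds, via its mounted token, everything the listed ClusterRole grants.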
[root@k8smaster sa]# kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
bindings v1 true Binding
componentstatuses cs v1 false ComponentStatus
configmaps cm v1 true ConfigMap
endpoints ep v1 true Endpoints
events ev v1 true Event
limitranges limits v1 true LimitRange
cluster-admin is a clusterrole (cluster role) with very broad power
This role ships with the k8s system; it is a built-in cluster role
[root@k8smaster sa]# kubectl get clusterroles
NAME CREATED AT
admin 2023-03-23T09:59:09Z
calico-kube-controllers 2023-03-23T10:02:31Z
calico-node 2023-03-23T10:02:31Z
cluster-admin 2023-03-23T09:59:09Z
edit 2023-03-23T09:59:09Z
ingress-nginx 2023-04-04T02:59:27Z
ingress-nginx-admission 2023-04-04T02:59:28Z
kubeadm:get-nodes 2023-03-23T09:59:11Z
secret-reader 2023-04-04T08:50:36Z
[root@k8smaster sa]# kubectl describe clusterroles cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
Resources lists the resources this role may access; *.* means every resource in every API group, in any namespace
Verbs: the actions that may be taken, e.g. get, list, watch
Create a role of your own
[root@k8smaster sa]# cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@k8smaster sa]# kubectl apply -f role.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@k8smaster sa]# kubectl get role
NAME CREATED AT
pod-reader 2023-04-04T08:44:34Z
Bind the sa to the role
[root@k8smaster sa]# kubectl create rolebinding sa-jack-admin --role=pod-reader --serviceaccount=default:sa-jack
rolebinding.rbac.authorization.k8s.io/sa-jack-admin created
View the rolebinding that was just created
[root@k8smaster sa]# kubectl get rolebinding
NAME ROLE AGE
sa-jack-admin Role/pod-reader 4m30s
Create a clusterrole
[root@k8smaster sa]# cat clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" is omitted because ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, the name used to access Secret resources is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
[root@k8smaster sa]# kubectl apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/secret-reader created
[root@k8smaster sa]# kubectl get clusterrole
NAME CREATED AT
secret-reader 2023-04-04T08:50:36Z
Create the sa-jack1-admin binding, which binds the sa to the secret-reader cluster role
[root@k8smaster sa]# kubectl create clusterrolebinding sa-jack1-admin --clusterrole=secret-reader --serviceaccount=default:sa-jack
clusterrolebinding.rbac.authorization.k8s.io/sa-jack1-admin created
[root@k8smaster sa]# kubectl get clusterrolebinding
NAME ROLE AGE
sa-jack-admin ClusterRole/cluster-admin 61m
sa-jack1-admin ClusterRole/secret-reader 28m
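The scoping rules described in the Concepts section and exercised by the Role, ClusterRole and bindings above, modelled in a small Python authorizer. This is an added example, not code from the original post or from Kubernetes itself; it hard-codes the pod-reader Role, the secret-reader ClusterRole, the cluster-admin rules from `kubectl describe` and the bindings created on this page, plus one assumed binding (`secret-reader-default`, a RoleBinding that references the ClusterRole) to show the case the page does not exercise: a ClusterRole granted through a RoleBinding applies only inside that RoleBinding's namespace. The denial is built in the same shape as the 403 Status the pod received in step 2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: apiGroups / resources / verbs, where "*" matches anything."""
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def matches(self, group, resource, verb):
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return hit(self.api_groups, group) and hit(self.resources, resource) and hit(self.verbs, verb)


@dataclass(frozen=True)
class RoleDef:
    kind: str        # "Role" (namespaced) or "ClusterRole" (namespace is "")
    namespace: str
    name: str
    rules: tuple


@dataclass(frozen=True)
class Binding:
    kind: str        # "RoleBinding" (namespaced) or "ClusterRoleBinding" (namespace is "")
    namespace: str
    name: str
    role_kind: str   # a ClusterRoleBinding may only reference a ClusterRole
    role_name: str
    subjects: tuple  # usernames as the authorizer sees them


def service_account(namespace, name):
    """Username the apiserver derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


READ = ("get", "watch", "list")

# Roles from this page, constructed from the describe output and the two manifests applied above.
ROLES = (
    RoleDef("ClusterRole", "", "cluster-admin", (Rule(("*",), ("*",), ("*",)),)),
    RoleDef("ClusterRole", "", "secret-reader", (Rule(("",), ("secrets",), READ),)),
    RoleDef("Role", "default", "pod-reader", (Rule(("",), ("pods",), READ),)),
)

SA_JACK = service_account("default", "sa-jack")

# Bindings created with `kubectl create ...` on this page.
CRB_CLUSTER_ADMIN = Binding("ClusterRoleBinding", "", "sa-jack-admin", "ClusterRole", "cluster-admin", (SA_JACK,))
RB_POD_READER = Binding("RoleBinding", "default", "sa-jack-admin", "Role", "pod-reader", (SA_JACK,))
CRB_SECRET_READER = Binding("ClusterRoleBinding", "", "sa-jack1-admin", "ClusterRole", "secret-reader", (SA_JACK,))
# Assumed binding, not on the page: the same ClusterRole granted through a RoleBinding.
RB_SECRET_READER_DEFAULT_ONLY = Binding("RoleBinding", "default", "secret-reader-default", "ClusterRole", "secret-reader", (SA_JACK,))


def find_role(kind, namespace, name):
    for role in ROLES:
        if role.kind == kind and role.name == name and (kind == "ClusterRole" or role.namespace == namespace):
            return role
    return None


def authorize(bindings, user, verb, resource, namespace, name="", group=""):
    """Return {"allowed": True, "via": binding} or a 403 Status-shaped dict."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if b.kind == "RoleBinding":
            # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole.
            if namespace != b.namespace:
                continue
            role = find_role(b.role_kind, b.namespace, b.role_name)
        else:
            # A ClusterRoleBinding grants the ClusterRole in every namespace and at cluster scope.
            role = find_role("ClusterRole", "", b.role_name)
        if role is not None and any(r.matches(group, resource, verb) for r in role.rules):
            return {"allowed": True, "via": b.name}
    scope = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    target = f'{resource} "{name}"' if name else resource
    return {
        "allowed": False, "kind": "Status", "apiVersion": "v1", "status": "Failure",
        "message": f'{target} is forbidden: User "{user}" cannot {verb} resource "{resource}" in API group "{group}" {scope}',
        "reason": "Forbidden", "code": 403,
    }


if __name__ == "__main__":
    checks = [
        ("no bindings yet", (), "get", "namespaces", "kube-system", "kube-system"),
        ("cluster-admin bound", (CRB_CLUSTER_ADMIN,), "get", "namespaces", "kube-system", "kube-system"),
        ("pod-reader, own namespace", (RB_POD_READER,), "list", "pods", "default", ""),
        ("pod-reader, other namespace", (RB_POD_READER,), "list", "pods", "kube-system", ""),
        ("secret-reader via ClusterRoleBinding", (CRB_SECRET_READER,), "list", "secrets", "kube-system", ""),
        ("secret-reader via RoleBinding", (RB_SECRET_READER_DEFAULT_ONLY,), "list", "secrets", "kube-system", ""),
    ]
    for label, bindings, verb, resource, ns, name in checks:
        result = authorize(bindings, SA_JACK, verb, resource, ns, name)
        print(f"{label}: {'allowed via ' + result['via'] if result['allowed'] else result['message']}")
```

The first check reproduces the Forbidden message from step 2 word for word, and the last two show why the choice between RoleBinding and ClusterRoleBinding matters more than the role's own rules. Against a real cluster, `kubectl auth can-i --as=system:serviceaccount:default:sa-jack list secrets -n kube-system` asks the apiserver the same question before a binding is applied.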
Verification:
Get into the pod started under sa-jack and access the pod and secret resources through the apiserver
[root@k8smaster sa]# kubectl get pod
NAME READY STATUS RESTARTS AGE
sa-jack 1/1 Running 0 68m
[root@k8smaster sa]# kubectl exec -it sa-jack -- bash
root@sa-jack:~# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount#
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/pods
root@sa-jack:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/secrets