Multi-tenant management practice with Kubernetes

In day-to-day Kubernetes administration there are really two ways of working: the command line (kubectl) and a graphical UI (dashboard). The official Kubernetes dashboard lets cluster administrators, developers and operations staff work with the cluster graphically: view logs, run commands inside containers, and create, delete, modify and query resources. Other graphical tools exist as well; kubeboard is a good open-source option.

In practice we do not want every user to hold administrator rights, and we do not want members of project A to reach the resources of project B. Kubernetes RBAC (role-based access control) gives us the access control to enforce exactly that.

The approach is: create a namespace named after the project, create a ServiceAccount with the same name, create Roles/ClusterRoles with suitable permissions together with RoleBindings/ClusterRoleBindings, and then bind the ServiceAccount to them. The people using that ServiceAccount then hold exactly the management permissions of their project.

A worked example

1. Create a test namespace

kubectl create ns kube-rbac-test

2. Create a ServiceAccount

kubectl create sa rbac-teat -n kube-rbac-test

3. Create cluster roles

3.1 A cluster-wide view role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch

3.2 Permission to view pod logs and exec into pods

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create

3.3 Cluster-wide read-only access to namespaces

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
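To make it clear what the roles in section 3 do and do not grant, here is an offline re-implementation of the matching the Kubernetes RBAC authorizer performs. This is an added example, not code from the original post: it transcribes the rules of the pod-log-exec and namespace-readonly ClusterRoles above and checks constructed requests against them. Note that RBAC has no deny rules; a role permits a request when any one of its rules matches, and a subject holding several roles gets the union.

```python
# Added example (not from the original post): an offline re-implementation of
# the matching the Kubernetes RBAC authorizer performs, run against the rules
# of the pod-log-exec and namespace-readonly ClusterRoles defined above.
# The request tuples at the bottom are constructed for illustration.

# Rules transcribed from the post's ClusterRoles (same content as the YAML).
POD_LOG_EXEC = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
NAMESPACE_READONLY = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule covers the request.

    Every field must match; "*" is a wildcard. The resource is matched as the
    combined "resource/subresource" string, so "pods" does not cover
    "pods/log" or "pods/exec"; those need their own entries. RBAC also
    accepts "*/<subresource>" (for example "*/scale") to cover one
    subresource on every kind.
    """
    if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    _, _, subresource = resource.partition("/")
    for entry in rule["resources"]:
        if entry == "*" or entry == resource:
            return True
        if subresource and entry == "*/" + subresource:
            return True
    return False


def role_allows(rules, group, resource, verb):
    """A role permits a request if any one of its rules does; rules only ever add."""
    return any(rule_allows(rule, group, resource, verb) for rule in rules)


def subject_allows(bound_roles, group, resource, verb):
    """Bindings are additive too: a subject holding several roles gets the union."""
    return any(role_allows(rules, group, resource, verb) for rules in bound_roles)


def permission_matrix(bound_roles, requests):
    """Map each (group, resource, verb) request to whether the subject may perform it."""
    return {req: subject_allows(bound_roles, *req) for req in requests}


# Constructed requests, chosen to show the boundaries of the two roles.
SAMPLE_REQUESTS = [
    ("", "pods", "get"),                 # listed in pod-log-exec
    ("", "pods/log", "get"),             # kubectl logs
    ("", "pods/exec", "create"),         # kubectl exec
    ("", "pods", "delete"),              # not granted by either role
    ("", "pods/exec", "get"),            # exec is create-only
    ("", "namespaces", "list"),          # from namespace-readonly
    ("metrics.k8s.io", "pods", "list"),  # kubectl top pods
    ("apps", "deployments", "get"),      # no rule mentions the apps group
]

if __name__ == "__main__":
    # A ServiceAccount in kube-rbac-test ends up holding both roles: one via
    # the RoleBinding, one via the namespace-wide ClusterRoleBinding.
    matrix = permission_matrix([POD_LOG_EXEC, NAMESPACE_READONLY], SAMPLE_REQUESTS)
    for (group, resource, verb), allowed in matrix.items():
        print(f"{'allow' if allowed else 'deny':5} {verb:7} {resource:11} apiGroup={group or 'core'}")
```

The same questions can be asked of a live cluster with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<name>`, which is the check worth running after every binding change.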

4. Grant permissions

4.1 Use a ClusterRoleBinding to grant the namespace-list permission to the group system:serviceaccounts:kube-rbac-test, i.e. to every ServiceAccount in the kube-rbac-test namespace. Every SA account in that namespace can then read the namespace list.

kubectl create clusterrolebinding namespace-readonly --clusterrole=namespace-readonly --group=system:serviceaccounts:kube-rbac-test

4.2 Use a RoleBinding to grant the related permissions to the specific user (the ServiceAccount), scoped to its namespace

kubectl create rolebinding sa-test-rbac --clusterrole=pod-log-exec --serviceaccount=kube-rbac-test:rbac-teat -n kube-rbac-test
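Sections 1, 2 and 4 are the same four objects for every project, so they are easiest to keep as a generator rather than as hand-typed commands. The following is an added example, not code from the original post: given a project name it emits the Namespace, the same-named ServiceAccount, a RoleBinding to the pod-log-exec ClusterRole (a RoleBinding confines a ClusterRole to one namespace) and a ClusterRoleBinding of namespace-readonly to the group of all ServiceAccounts in that namespace. It assumes both ClusterRoles already exist, and the project name used at the bottom is the post's test namespace.

```python
# Added example (not from the original post): generate the per-project
# objects the post creates by hand (Namespace, ServiceAccount, RoleBinding,
# ClusterRoleBinding) so onboarding a new project is one reproducible call.
# It assumes the pod-log-exec and namespace-readonly ClusterRoles already
# exist; the project name passed in is the caller's input.
import json
import re

RBAC_API = "rbac.authorization.k8s.io/v1"
# DNS label rules Kubernetes applies to namespace and ServiceAccount names.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def project_manifests(project, namespaced_roles=("pod-log-exec",),
                      cluster_roles_for_all_sas=("namespace-readonly",)):
    """Return the objects for one tenant: namespace, same-named ServiceAccount, bindings.

    Roles in namespaced_roles are bound with a RoleBinding, which confines the
    ClusterRole to the project's namespace. Only the read-only role is bound
    cluster-wide, to the group of every ServiceAccount in that namespace.
    """
    if not DNS_LABEL.match(project):
        raise ValueError(f"{project!r} is not a valid namespace name")
    objects = [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": project}},
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": project, "namespace": project}},
    ]
    for role in namespaced_roles:
        objects.append({
            "apiVersion": RBAC_API, "kind": "RoleBinding",
            "metadata": {"name": f"{project}-{role}", "namespace": project},
            # A ServiceAccount subject is identified by namespace + name.
            "subjects": [{"kind": "ServiceAccount", "name": project, "namespace": project}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
        })
    for role in cluster_roles_for_all_sas:
        objects.append({
            "apiVersion": RBAC_API, "kind": "ClusterRoleBinding",
            "metadata": {"name": f"{project}-{role}"},
            # system:serviceaccounts:<ns> is a Group, not a ServiceAccount, which
            # is why `kubectl create clusterrolebinding` needs --group for it.
            "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                          "name": f"system:serviceaccounts:{project}"}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
        })
    return objects


def render(project):
    """Wrap the objects in a v1 List; JSON is valid YAML, so `kubectl apply -f` accepts it as is."""
    return json.dumps({"apiVersion": "v1", "kind": "List",
                       "items": project_manifests(project)}, indent=2)


def cluster_wide_grants(objects):
    """Review helper: the roles a project receives beyond its own namespace."""
    return sorted(o["roleRef"]["name"] for o in objects if o["kind"] == "ClusterRoleBinding")


if __name__ == "__main__":
    print(render("kube-rbac-test"))
```

Keeping the generated output under version control gives a reviewable record of every tenant's grants; `cluster_wide_grants` is the line to look at in review, since anything it lists crosses namespace boundaries.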

5. Log in with the token

kubectl describe serviceaccount rbac-teat -n kube-rbac-test



kubectl -n kube-rbac-test describe $(kubectl -n kube-rbac-test get secret -o name | grep rbac-teat) | grep token

6. Create a kubeconfig from the token

6.1 Configure the cluster entry (embedding the CA certificate)

kubectl config set-cluster kubernetes-dashboard-viewonly \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://10.10.20.60:6443 \
  --kubeconfig=dashboard-viewonly-kubeconfig

6.2 Configure the user's token

kubectl config set-credentials kubernetes-dashboard-viewonly --token=$token --kubeconfig=dashboard-viewonly-kubeconfig

6.3 Configure the context

kubectl config set-context kubernetes-dashboard-viewonly \
  --cluster=kubernetes-dashboard-viewonly \
  --user=kubernetes-dashboard-viewonly \
  --kubeconfig=dashboard-viewonly-kubeconfig

6.4 Set the default context

kubectl config use-context kubernetes-dashboard-viewonly --kubeconfig=dashboard-viewonly-kubeconfig
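Sections 5 and 6 in one place, as an added example that is not part of the original post. Before the token is written into a kubeconfig, its claims are read back (without signature verification; that is the API server's job, this only prevents pasting the wrong account's token into a file handed to a project team), and the kubeconfig is then assembled the way the four kubectl config commands above build it, with the CA base64-encoded inline as --embed-certs=true does. The token, CA bytes and server address in the block are constructed placeholders; the helper that builds the sample token exists only so the block runs offline.

```python
# Added example (not from the original post): read the ServiceAccount token's
# claims, refuse it if it belongs to another account, and assemble the same
# kubeconfig the `kubectl config` commands in section 6 produce.
# The token, CA and server address used at the bottom are constructed.
import base64
import json


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Return the payload claims of a ServiceAccount token (a JWT) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_identity(token, namespace, serviceaccount):
    """Refuse a token whose subject is not the intended ServiceAccount.

    ServiceAccount tokens carry `sub` as system:serviceaccount:<namespace>:<name>.
    """
    expected = f"system:serviceaccount:{namespace}:{serviceaccount}"
    subject = token_claims(token).get("sub")
    if subject != expected:
        raise ValueError(f"token subject {subject!r} is not {expected!r}")
    return subject


def build_kubeconfig(name, server, ca_pem, token):
    """Equivalent of the four `kubectl config` commands, as one document."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": {
            "server": server,
            # --embed-certs=true stores the CA file inline, base64-encoded
            "certificate-authority-data": base64.b64encode(ca_pem).decode(),
        }}],
        "users": [{"name": name, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "current-context": name,
    }


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(namespace, serviceaccount):
    """Constructed, unsigned JWT with the claim layout of a legacy ServiceAccount token (test data only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": serviceaccount,
        "sub": f"system:serviceaccount:{namespace}:{serviceaccount}",
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.constructed-signature"


if __name__ == "__main__":
    ca = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
    tok = make_sample_token("kube-rbac-test", "rbac-teat")
    check_token_identity(tok, "kube-rbac-test", "rbac-teat")
    cfg = build_kubeconfig("kubernetes-dashboard-viewonly", "https://10.10.20.60:6443", ca, tok)
    # JSON is valid YAML, so this can be written straight to dashboard-viewonly-kubeconfig
    print(json.dumps(cfg, indent=2))
```

On clusters running Kubernetes 1.24 or later a ServiceAccount no longer gets an auto-generated Secret, so the `get secret` step in section 5 finds nothing; `kubectl create token rbac-teat -n kube-rbac-test` issues a time-bound token instead, and it has the same `sub` claim, so the identity check above applies unchanged. A kubeconfig built this way is a bearer credential with the full rights of the ServiceAccount and should be distributed and stored accordingly.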
