kube-apiserver rbac鉴权源码分析

简介

kube-apiserver中与权限相关的主要有三种机制，即认证、鉴权和准入控制。上节讲到认证流程。

认证与授权很容易混淆：

• 认证(Authentication), 负责检查你是谁，识别user
• 授权(Authorization), 你能做什么，是否允许User对资源的操作
• 审计(Audit), 负责记录操作信息，方便后续审查

本文主要分析apiserver的rbac授权流程。

认证流程分析

权限相关代码从k8s.io/apiserver/pkg/server/config.go中DefaultBuildHandlerChain函数开始执行

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
	handler := genericapifilters.WithAuthorization(apiHandler, c.Authorization.Authorizer, c.Serializer)
	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
	handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
	failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
	failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
	handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)
	handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)
	handler = genericfilters.WithPanicRecovery(handler)
	return handler
}

DefaultBuildHandlerChain中包含了多种filter（如认证，链接数检验，RBAC权限检验等），授权步骤在WithAuthorization中，如下：

// WithAuthorizationCheck passes all authorized requests on to handler, and returns a forbidden error otherwise.
func WithAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler {
	// 检查是否需要权限校验
	if a == nil {
		klog.Warningf("Authorization is disabled")
		return handler
	}
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		ctx := req.Context()
		// 用作审计
		ae := request.AuditEventFrom(ctx)

		// 获取Attribute, 通过reqeust获取到请求的user, resource, verb, 是否为namespace级别的等
		attributes, err := GetAuthorizerAttributes(ctx)
		if err != nil {
			responsewriters.InternalError(w, req, err)
			return
		}
		// 执行认证流程
		authorized, reason, err := a.Authorize(ctx, attributes)
		// an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
		if authorized == authorizer.DecisionAllow {
			audit.LogAnnotation(ae, decisionAnnotationKey, decisionAllow)
			audit.LogAnnotation(ae, reasonAnnotationKey, reason)
			// 校验成功，记录信息，转到下一个handler
			handler.ServeHTTP(w, req)
			return
		}
		if err != nil {
			audit.LogAnnotation(ae, reasonAnnotationKey, reasonError)
			responsewriters.InternalError(w, req, err)
			return
		}

		// 校验失败返回403，注意认证失败返回的是401
		klog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
		audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid)
		audit.LogAnnotation(ae, reasonAnnotationKey, reason)
		responsewriters.Forbidden(ctx, attributes, w, req, reason, s)
	})
}

授权流程比较清晰，从request获取请求信息，进行鉴权，成功进入后续handler，失败返回403。

Authorize接口有多种实现，通过在apiserver配置--authorization-mode选择鉴权模式，包括：

• ABAC
• RBAC
• Node, 用于kubelet鉴权exec/logs等
• AlwaysAllow
• AlwaysDeny
• Webhook， 用于扩展权限，用户可实现Webhook与其他权限系统集成

如果选择AlwaysAllow,即不做鉴权, 开启后强制不允许匿名用户

// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
	if o == nil || authorization == nil || o.Anonymous == nil {
		return
	}

	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
	// in such a case the AnonymousAuth is stomped to false and you get a message
	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
		klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
		o.Anonymous.Allow = false
	}
}

rbac鉴权

rbac是常用的鉴权方式，实现Authorize接口, 代码在rbac.go

func (r *RBACAuthorizer) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error) {
	ruleCheckingVisitor := &authorizingVisitor{requestAttributes: requestAttributes}
	// 调用VisitRulesFor来检查是否用权限
	r.authorizationRuleResolver.VisitRulesFor(requestAttributes.GetUser(), requestAttributes.GetNamespace(), ruleCheckingVisitor.visit)
	if ruleCheckingVisitor.allowed {
		// 成功直接返回
		return authorizer.DecisionAllow, ruleCheckingVisitor.reason, nil
	}

	// 失败，打印日志返回失败原因
	// Build a detailed log of the denial.
	// Make the whole block conditional so we don't do a lot of string-building we won't use.
	if klog.V(5) {
		var operation string
		if requestAttributes.IsResourceRequest() {
			b := &bytes.Buffer{}
			b.WriteString(`"`)
			b.WriteString(requestAttributes.GetVerb())
			b.WriteString(`" resource "`)
			b.WriteString(requestAttributes.GetResource())
			if len(requestAttributes.GetAPIGroup()) > 0 {
				b.WriteString(`.`)
				b.WriteString(requestAttributes.GetAPIGroup())
			}
			if len(requestAttributes.GetSubresource()) > 0 {
				b.WriteString(`/`)
				b.WriteString(requestAttributes.GetSubresource())
			}
			b.WriteString(`"`)
			if len(requestAttributes.GetName()) > 0 {
				b.WriteString(` named "`)
				b.WriteString(requestAttributes.GetName())
				b.WriteString(`"`)
			}
			operation = b.String()
		} else {
			operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath())
		}

		var scope string
		if ns := requestAttributes.GetNamespace(); len(ns) > 0 {
			scope = fmt.Sprintf("in namespace %q", ns)
		} else {
			scope = "cluster-wide"
		}

		klog.Infof("RBAC DENY: user %q groups %q cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
	}

	reason := ""
	if len(ruleCheckingVisitor.errors) > 0 {
		reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
	}
	return authorizer.DecisionNoOpinion, reason, nil
}

Authorize调用了VisitRulesFor来处理具体鉴权操作, 代码在rule.go

func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) {
	// 获取所有clusterrolebinding
	if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
		if !visitor(nil, nil, err) {
			return
		}
	} else {
		sourceDescriber := &clusterRoleBindingDescriber{}
		// 遍历clusterrolebing
		for _, clusterRoleBinding := range clusterRoleBindings {
			// 检查是否有对应的user
			subjectIndex, applies := appliesTo(user, clusterRoleBinding.Subjects, "")
			if !applies {
				continue
			}
			// 如果user存在于subject, 获取对应的rules即clusterrole
			rules, err := r.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
			if err != nil {
				if !visitor(nil, nil, err) {
					return
				}
				continue
			}
			sourceDescriber.binding = clusterRoleBinding
			sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
			for i := range rules {
				// 调用visitor判断是否需要进入下一步鉴权
				if !visitor(sourceDescriber, &rules[i], nil) {
					return
				}
			}
		}
	}

	// clusterrole遍历完还没有鉴权成功，接着遍历所在namespace的role，流程同上
	if len(namespace) > 0 {
		if roleBindings, err := r.roleBindingLister.ListRoleBindings(namespace); err != nil {
			if !visitor(nil, nil, err) {
				return
			}
		} else {
			sourceDescriber := &roleBindingDescriber{}
			for _, roleBinding := range roleBindings {
				subjectIndex, applies := appliesTo(user, roleBinding.Subjects, namespace)
				if !applies {
					continue
				}
				rules, err := r.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
				if err != nil {
					if !visitor(nil, nil, err) {
						return
					}
					continue
				}
				sourceDescriber.binding = roleBinding
				sourceDescriber.subject = &roleBinding.Subjects[subjectIndex]
				for i := range rules {
					if !visitor(sourceDescriber, &rules[i], nil) {
						return
					}
				}
			}
		}
	}
}

visit函数, 用来判断是否认证成功，成功返回false, 不需要进行下一步鉴权

func (v *authorizingVisitor) visit(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool {
	if rule != nil && RuleAllows(v.requestAttributes, rule) {
		// allowed用来表示是否认证成功
		v.allowed = true
		v.reason = fmt.Sprintf("RBAC: allowed by %s", source.String())
		return false
	}
	if err != nil {
		v.errors = append(v.errors, err)
	}
	return true
}

rbac的鉴权流程如下:

1. 通过Request获取Attribute包括用户，资源和对应的操作
2. Authorize调用VisitRulesFor进行具体的鉴权
3. 获取所有的ClusterRoleBindings，并对其进行遍历操作
4. 根据请求User信息，判断该是否被绑定在该ClusterRoleBinding中
5. 若在将通过函数GetRoleReferenceRules()获取绑定的Role所控制的访问的资源
6. 将Role所控制的访问的资源，与从API请求中提取出的资源进行比对，若比对成功，即为API请求的调用者有权访问相关资源
7. 遍历ClusterRoleBinding中，都没有获得鉴权成功的操作，将会判断提取出的信息中是否包括了namespace的信息，若包括了，将会获取该namespace下的所有RoleBindings，类似ClusterRoleBindings
8. 若在遍历了所有CluterRoleBindings，及该namespace下的所有RoleBingdings之后，仍没有对资源比对成功，则可判断该API请求的调用者没有权限访问相关资源, 鉴权失败

总结

本文结合RBAC分析了Kubernetes的鉴权流程，整体这部分比较代码清晰。RBAC是Kubernetes比较推荐的鉴权方式，了解完整个流程后，居然所有请求都会先遍历一遍ClusterRoleBindings，这样实现起来比较简单，但随着规模和用户的扩大，这部分是否会有性能问题，需不需要实现能够快速鉴权的方式。