Access control
- Every request to the Kubernetes API passes through several stages of access control before it is accepted: authentication, authorization and admission control.
- Authentication -> Authorization -> Admission control (admission controller)
Authentication
- Once TLS is enabled on the cluster, every API request a client sends to Kubernetes must be authenticated to verify that the user is legitimate.
- Kubernetes supports several authentication mechanisms and allows multiple authentication plugins to be enabled at the same time (a request is accepted as soon as any one of them succeeds). On success, the user's username is passed to the authorization module for further checks; a request that fails authentication receives HTTP 401.
Management node:
- kubectl
- ~/.kube/config: the kubeconfig file holding the Kubernetes credentials
cat ~/.kube/config
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <omitted>
    server: https://172.16.16.3:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
```
A trimmed-down version of the above:
```yaml
# gvk
apiVersion: v1
kind: Config
# cluster endpoints
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CR
    server: https://192.168.0.180:6443
  name: sdfdfdf
- cluster:
    certificate-authority-data: sdfasdfasdfsd
    server: https://10.100.100.100:6443
  name: mycluster
# users
# certificate authentication
users:
- name: xxxx
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: mycluster-admin
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: kubernetes-user1
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
# contexts: bind a user to a cluster
contexts:
- context:
    cluster: sdfdfdf
    user: xxxx
  name: kubernetes-admin@kubernetes
- context:
    cluster: mycluster
    user: mycluster-admin
  name: mycluster-admin@mycluster
- context:
    cluster: mycluster
    user: kubernetes-user1
  name: kubernetes-user1@mycluster
# current context
current-context: kubernetes-admin@kubernetes
```
Common Kubernetes authentication types
Certificate (self-signed) authentication
- To use X509 client certificates, the API server only needs to be started with --client-ca-file=SOMEFILE. During certificate authentication the certificate's CN field is used as the username and the Organization (O) field as the group name.
- The super administrator authenticates with a certificate; its credentials are stored in /etc/kubernetes/admin.conf.
```yaml
# cluster endpoints
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CR
    server: https://192.168.0.180:6443
  name: sdfdfdf
- cluster:
    certificate-authority-data: sdfasdfasdfsd
    server: https://10.100.100.100:6443
  name: mycluster
# users
# certificate authentication
users:
- name: xxxx
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: mycluster-admin
  user:
    client-certificate-data: LS0tLS1
    client-key-data: LS0tLS1CRUdJTiB
- name: kubernetes-user1
  user:
    client-certificate: /tmp/train.crt
    client-key: /tmp/train.key
# contexts
contexts:
- context:
    cluster: sdfdfdf
    user: xxxx
  name: kubernetes-admin@kubernetes
- context:
    cluster: mycluster
    user: mycluster-admin
  name: mycluster-admin@mycluster
- context:
    cluster: mycluster
    user: kubernetes-user1
  name: kubernetes-user1@mycluster
```
- Generating the certificate (this is effectively how a user is created):
```shell
openssl genrsa -out train.key 2048
# CN becomes the Kubernetes username, O becomes the group
openssl req -new -key train.key -out train.csr -subj "/CN=train/O=dfrt"
# sign the CSR with the cluster CA
openssl x509 -req -in train.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out train.crt -days 500
```
- Context-related commands:
```shell
# list contexts:
kubectl config get-contexts
# show the current context:
kubectl config current-context
# switch context:
kubectl config use-context kubernetes-train@kubernetes
```
sa (Service Account) authentication - commonly used
- Bootstrap tokens are generated dynamically, stored in Secrets in the kube-system namespace, and used when deploying a new Kubernetes cluster.
- Using bootstrap tokens requires starting the API server with --experimental-bootstrap-token-auth and enabling TokenCleaner in the controller manager: --controllers=*,tokencleaner,bootstrapsigner.
- When deploying Kubernetes with kubeadm, a default token is created automatically and can be listed with kubeadm token list.
- Service accounts are users managed by Kubernetes itself; they authenticate with a token and are namespaced resource objects.
sa-related commands
```shell
kubectl create sa user1 -n cka
kubectl delete sa user1 -n cka
kubectl edit sa user1 -n cka
kubectl describe sa user1 -n cka
kubectl get sa -n cka
```
The generated token has no expiry and can be used indefinitely.
Example config
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXhOekExTkRVeE5Wb1hEVE15TURNeE5EQTFORFV4TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUFpZCjU4aldxaVp5MFZ2Q1NiRnJtZEhSUnF2UFA5T1BNZkpYT3FPOUN0K0hZZDlMYkN0cTF1R2EvbjFuVTV0WUE5b24KWFFkTmt6bHIwQWR0L0lucnNUOWxKbXRRK3hqcXRReDFIeVFVTDBnNTlRNXNSWXNydXd0MEU4cG05d2ZWR2dBNQovQnFMQk85WTBWWTF5WUY2cXJ6TlVQRlVheVpLNVZuNDAySTQveFp3cll0U01tMGpUQ044c0dHdW9zL0tGWGtECmZUZ2U0MGx2TWF1UWNiNnk2U3krQlM3aDBwMDR6dHFNdDRBNDJENmxSWUZjM3NZYVdaanZSWUh0WWdLMDRUWlcKSEd4TldRT3krVGthbnRzQmFyTUhUUHNTMG91RGpCK2l0ZTVjZnBFTTI4WHJ5K2M4eEhpRXc1RWZKNk8rb3BQMgorOGVuL281dFlJMEliK2pUdk1rQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZGV3RJK3h6eXpmMTlub2NnVTYxMkZUMzAxRjBNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSjhtVnQvYzBzNHgvT21lWW8vKwpjVHRqN3lTdGtDNkRELzZib3MwbjZvbjZPMGZWVC9weGE5NTVnZUh1YkV3SzVsZG5MRTM0U1BvTG42VEtMeGpVCk16d1J3Q1NWTE5XZmZwTDQwaml6NzU4bHJIbHhrRTQ0Z2MzQ1VMTzF0a29PS1pKa1JiQkUvRkFkWjFLYjNGdjEKSXBTMWo5b3dUSThhSnd6VzhCaHBGQWU4ckZGaXUvRUxab29TdjJ2Vmswd1VxcmFSNXEvTGZZaTl1YUxZSjlPWgp5WGYxMS9kQnRuVDJiSUxjdVNFVEltdDUrbXJlZlhHc0FEdW42VVRMOWx6MmFmS014QSt2eS95VXE4S1hMb2RRClJFdVJtVXY4ZTBXN3BTb1d1aVNFYnJkT1lFNnZSYmZzaWZISE85S0lWZUJSSkdqVWtqeG42bFpyZ0gwRldWRFoKU1VBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://172.16.16.3:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-hengine
  name: kubernetes-hengine@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-sa
  name: kubernetes-sa@kubernetes
current-context: kubernetes-admin@kubernetes
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
- name: kubernetes-hengine
  user:
    client-certificate: /tmp/train.crt
    client-key: /tmp/train.key
# token authentication
- name: kubernetes-sa
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlNHOEstdmJBVEZNb2xIY1d3VzBKa3ZKRFZYWmNOZEhfcFFQXzV5YzFocWcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InVzZXIxLXRva2VuLXFxNTU5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InVzZXIxIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjYxMjFlZDUtYjFmZi00M2Q5LWIzYTEtMjBmZDY0NjRhODM1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dXNlcjEifQ.pFZXfGFgOMlVzauOkGv8YZA-rpphMYBGDh5mk9zrb3JB9SXvpEKkmDn2tW10IAnekvLy3BNiMfH0WhkpzrUJlOPlMMztWkK3PWkAIWsGwyP-frO0ckTx8V7hv3Dn6Z0MvoHbbvjQt57T_MRHLN7r_mXFcmjzG4Z9xooczA4VWhxJSiq1UeSQhqROYdkr0vJ__kYE02bw9YjVWXsEB6jZ4PJy3BIDrlQAAfNDOqZCRWmn_iZKofGaoAovHq1KzIh5qzHblm2-5qwlewcVk7ovk5XsDlVL1cF7G61pJXUizhVvWDzayl5fsU4wVXghYB8VAQSfjh-qHkja6Xqxni6CFw
```
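Both credential kinds shown above end up as a username plus groups that the API server hands to the authorization module. The following is an added example (not code from the original notes) that derives that identity from an openssl-style certificate subject (CN -> user, O -> group) and from the claims of a service-account JWT; the subject string and the JWT are constructed here, and the JWT is decoded without signature verification purely for inspection.

```python
import base64
import json

# Added example, not from the original notes. Identity derivation mirrors the
# notes: X509 cert CN -> username, O -> group; service-account JWT "sub" ->
# username plus the implicit system:serviceaccounts groups. All inputs are
# constructed for this example (no real cluster credentials).

def identity_from_cert_subject(subject):
    """Parse an openssl-style subject such as '/CN=train/O=dfrt'."""
    fields = {}
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        fields.setdefault(key, []).append(value)
    if "CN" not in fields:
        raise ValueError("certificate has no CN, so no username can be derived")
    return {"user": fields["CN"][0], "groups": fields.get("O", [])}

def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identity_from_sa_token(token):
    """Read the claims of a service-account JWT WITHOUT verifying the signature
    (inspection only; the API server always verifies it before trusting it)."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url(payload))
    sub = claims["sub"]                       # system:serviceaccount:<ns>:<name>
    _, kind, ns, name = sub.split(":")
    if kind != "serviceaccount":
        raise ValueError("not a service-account subject: " + sub)
    return {
        "user": sub,
        "groups": ["system:serviceaccounts", "system:serviceaccounts:" + ns],
        "namespace": ns,
        "service_account": name,
        # legacy Secret-backed tokens (like the one in the notes) carry no exp
        "has_expiry": "exp" in claims,
    }

def make_demo_token(claims):
    """Build an unsigned JWT-shaped string for offline use (constructed)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "kid": "demo"}) + "." + enc(claims) + ".demo-signature"

DEMO_TOKEN = make_demo_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "user1",
    "sub": "system:serviceaccount:default:user1",
})
```

A missing `exp` claim is what makes the Secret-backed token usable indefinitely, which is why leaked kubeconfig files containing such tokens need the underlying Secret rotated rather than just the file deleted.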
Authorization
- After a user is authenticated, they must still be granted the corresponding authorization before they can perform operations on the cluster.
- Authorization is mainly used for access control over cluster resources: the attributes carried by the request are checked against the corresponding access policies, and an API request must satisfy some policy before it is processed.
- As with authentication, Kubernetes supports several authorization mechanisms and allows multiple authorization plugins to be enabled at the same time (a request is authorized as soon as any one of them approves it). If authorization succeeds, the request is passed to the admission control module for further validation; a request that fails authorization receives HTTP 403.
Mapping of RBAC verbs to kubectl operations:
- get --> describe pod
- create --> create pod
- delete --> delete pod
- update --> edit pod
- list --> get pod
Authorization plugins
- Kubernetes currently supports the following authorization plugins:
  - ABAC: attribute-based access control
  - RBAC: role-based access control
    - Individual fine-grained permissions are collected into a set called a role
    - One or more roles are bound to a user or user group to complete the authorization
  - Webhook: access control based on an HTTP callback
  - Node: node authorizer
RBAC
- Authorization decisions are implemented through the "rbac.authorization.k8s.io" API group, which lets administrators configure policy dynamically through the Kubernetes API.
- In Kubernetes' RBAC model, the permitted operations on objects are defined in a role and the user is bound to that role, so the user receives the role's permissions. A Role only takes effect inside a namespace: when User1 is bound to a Role in NamespaceA, User1 gains the operations defined there (get, list, etc.) on NamespaceA but has no permissions on NamespaceB.
- Kubernetes also has a cluster-level authorization mechanism: a cluster role (ClusterRole) can grant operations on every resource in the cluster, so binding User2 and User3 to a ClusterRole through a ClusterRoleBinding gives User2 and User3 cluster-wide permissions.
Role and ClusterRole
- Role: namespaced
- kubectl get role -n kube-system
```text
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2022-03-17T05:45:32Z
kube-proxy                                       2022-03-17T05:45:33Z
kubeadm:kubelet-config-1.22                      2022-03-17T05:45:32Z
kubeadm:nodes-kubeadm-config                     2022-03-17T05:45:32Z
system::leader-locking-kube-controller-manager   2022-03-17T05:45:32Z
system::leader-locking-kube-scheduler            2022-03-17T05:45:32Z
system:controller:bootstrap-signer               2022-03-17T05:45:32Z
system:controller:cloud-provider                 2022-03-17T05:45:32Z
system:controller:token-cleaner                  2022-03-17T05:45:32Z
```
- ClusterRole: not namespaced
- kubectl get clusterroles
  - admin: administrator permissions
  - cluster-admin: super-administrator permissions
  - edit: edit permissions
  - view: read-only permissions
- kubectl get clusterroles
```text
NAME                                                                   CREATED AT
admin                                                                  2022-03-17T05:45:31Z
calico-kube-controllers                                                2022-03-17T06:01:10Z
calico-node                                                            2022-03-17T06:01:10Z
cluster-admin                                                          2022-03-17T05:45:31Z
edit                                                                   2022-03-17T05:45:31Z
ks-installer                                                           2022-03-22T03:06:38Z
kubeadm:get-nodes                                                      2022-03-17T05:45:33Z
nfs-external-provisioner-role                                          2022-03-22T08:36:54Z
system:aggregate-to-admin                                              2022-03-17T05:45:31Z
system:aggregate-to-edit                                               2022-03-17T05:45:31Z
system:aggregate-to-view                                               2022-03-17T05:45:31Z
system:aggregated-metrics-reader                                       2022-03-23T05:52:41Z
system:auth-delegator                                                  2022-03-17T05:45:31Z
system:basic-user                                                      2022-03-17T05:45:31Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-03-17T05:45:31Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-03-17T05:45:31Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-03-17T05:45:31Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-03-17T05:45:31Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-03-17T05:45:31Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-03-17T05:45:31Z
system:controller:attachdetach-controller                              2022-03-17T05:45:31Z
system:controller:certificate-controller                               2022-03-17T05:45:31Z
system:controller:clusterrole-aggregation-controller                   2022-03-17T05:45:31Z
system:controller:cronjob-controller                                   2022-03-17T05:45:31Z
system:controller:daemon-set-controller                                2022-03-17T05:45:31Z
system:controller:deployment-controller                                2022-03-17T05:45:31Z
system:controller:disruption-controller                                2022-03-17T05:45:31Z
system:controller:endpoint-controller                                  2022-03-17T05:45:31Z
system:controller:endpointslice-controller                             2022-03-17T05:45:31Z
system:controller:endpointslicemirroring-controller                    2022-03-17T05:45:31Z
system:controller:ephemeral-volume-controller                          2022-03-17T05:45:31Z
system:controller:expand-controller                                    2022-03-17T05:45:31Z
system:controller:generic-garbage-collector                            2022-03-17T05:45:31Z
system:controller:horizontal-pod-autoscaler                            2022-03-17T05:45:31Z
system:controller:job-controller                                       2022-03-17T05:45:31Z
system:controller:namespace-controller                                 2022-03-17T05:45:31Z
system:controller:node-controller                                      2022-03-17T05:45:31Z
system:controller:persistent-volume-binder                             2022-03-17T05:45:31Z
system:controller:pod-garbage-collector                                2022-03-17T05:45:31Z
system:controller:pv-protection-controller                             2022-03-17T05:45:31Z
system:controller:pvc-protection-controller                            2022-03-17T05:45:31Z
system:controller:replicaset-controller                                2022-03-17T05:45:31Z
system:controller:replication-controller                               2022-03-17T05:45:31Z
system:controller:resourcequota-controller                             2022-03-17T05:45:31Z
system:controller:root-ca-cert-publisher                               2022-03-17T05:45:31Z
system:controller:route-controller                                     2022-03-17T05:45:31Z
system:controller:service-account-controller                           2022-03-17T05:45:31Z
system:controller:service-controller                                   2022-03-17T05:45:31Z
system:controller:statefulset-controller                               2022-03-17T05:45:31Z
system:controller:ttl-after-finished-controller                        2022-03-17T05:45:31Z
system:controller:ttl-controller                                       2022-03-17T05:45:31Z
system:coredns                                                         2022-03-17T05:45:33Z
system:discovery                                                       2022-03-17T05:45:31Z
system:heapster                                                        2022-03-17T05:45:31Z
system:kube-aggregator                                                 2022-03-17T05:45:31Z
system:kube-controller-manager                                         2022-03-17T05:45:31Z
system:kube-dns                                                        2022-03-17T05:45:31Z
system:kube-scheduler                                                  2022-03-17T05:45:31Z
system:kubelet-api-admin                                               2022-03-17T05:45:31Z
system:metrics-server                                                  2022-03-23T05:52:41Z
system:monitoring                                                      2022-03-17T05:45:31Z
system:node                                                            2022-03-17T05:45:31Z
system:node-bootstrapper                                               2022-03-17T05:45:31Z
system:node-problem-detector                                           2022-03-17T05:45:31Z
system:node-proxier                                                    2022-03-17T05:45:31Z
system:persistent-volume-provisioner                                   2022-03-17T05:45:31Z
system:public-info-viewer                                              2022-03-17T05:45:31Z
system:service-account-issuer-discovery                                2022-03-17T05:45:31Z
system:volume-scheduler                                                2022-03-17T05:45:31Z
view                                                                   2022-03-17T05:45:31Z
```
Related commands
- Create a role:
```shell
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]
```
RoleBinding and ClusterRoleBinding
- rolebinding: namespaced
- clusterrolebinding: cluster-wide
Authorization combinations
- role + user + rolebinding: gives a user specific permissions in one particular namespace only; the Role and the RoleBinding must be in the same namespace, and the user has the permissions only in that namespace
- role + user + clusterrolebinding: invalid combination
- clusterrole + user + rolebinding: gives a user specific permissions in one particular namespace; the ClusterRole is used as if it were a Role
- **clusterrole + user + clusterrolebinding:** the user gets the corresponding permissions in every namespace
Kubernetes RBAC demonstration
User --> RoleBinding --> Role
- Create a role
  - Command for obtaining the YAML:
```shell
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]
```
  - Create the role with kubectl create: give the role name, --verb for the permissions, --resource for the resource or resource group; --dry-run performs a trial run and creates nothing
- Related commands
  - Create the role: kubectl apply -f role-demo.yaml
  - View roles: kubectl get role / kubectl get clusterrole
- Create the role (YAML):
```yaml
# create a Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # resource type
# metadata
metadata:
  name: create-resources
  namespace: cka
rules:
- apiGroups: # which API groups the resources belong to
  - "apps"
  resources: # which resources
  - deployments
  - statefulsets
  - daemonsets
  verbs: # permitted operations
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
```
```yaml
# create a ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# metadata
metadata:
  name: create-resources
rules:
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - list
```
- Example: permission to create deployments, statefulsets, daemonsets and pods
```yaml
# permissions
# gvk --> gvr (group, version, kind / resource)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# metadata
metadata:
  name: hengine-cr
rules:
- apiGroups:
  - "apps"
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - list
```
Binding the role
- Command for obtaining the YAML:
```shell
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
```
- Create the role binding with kubectl create: give the binding a name, use --role|--clusterrole to choose which role to bind, and --user to choose the user:
```shell
kubectl create rolebinding train@create-rs --clusterrole=create-resources --user=train -n cka
```
```yaml
# ClusterRoleBinding
# gvk
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# metadata
metadata:
  name: user1@create-rs
# which permissions to bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: create-resources
# to which subject
subjects:
- kind: ServiceAccount
  name: user1
  namespace: default
```
```yaml
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: train@create-rs
  namespace: cka
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: create-resources
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: train
```
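To make the authorization combinations and the two bindings above concrete, here is an added example (not code from the original notes, and much simpler than the real API server authorizer) of a miniature RBAC evaluator. It holds the ClusterRole create-resources, the RoleBinding train@create-rs in namespace cka and the ClusterRoleBinding user1@create-rs as plain dicts and answers "can this user do this verb on this resource in this namespace?"; Group subjects, resourceNames, aggregated roles and non-resource URLs are left out.

```python
# Added example, not from the original notes: a tiny RBAC authorizer applying
# the binding rules above to the page's own objects. Roles are keyed by
# (kind, namespace, name); a ClusterRole has namespace None.
CLUSTER_ROLE_CREATE_RESOURCES = {
    "rules": [
        {"apiGroups": ["apps"], "verbs": ["create"],
         "resources": ["deployments", "statefulsets", "daemonsets"]},
        {"apiGroups": [""], "verbs": ["create", "list"], "resources": ["pods"]},
    ],
}
ROLES = {("ClusterRole", None, "create-resources"): CLUSTER_ROLE_CREATE_RESOURCES}

BINDINGS = [
    # RoleBinding train@create-rs in cka: the ClusterRole acts as a namespaced Role
    {"kind": "RoleBinding", "namespace": "cka",
     "roleRef": {"kind": "ClusterRole", "name": "create-resources"},
     "subjects": [{"kind": "User", "name": "train"}]},
    # ClusterRoleBinding user1@create-rs: grants the same rules in every namespace
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "create-resources"},
     "subjects": [{"kind": "ServiceAccount", "name": "user1", "namespace": "default"}]},
]

def subject_matches(subject, user):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "ServiceAccount":  # SA username is system:serviceaccount:<ns>:<name>
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False  # Group subjects not modelled here

def rule_allows(rule, verb, group, resource):
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return hit(rule["verbs"], verb) and hit(rule["apiGroups"], group) and hit(rule["resources"], resource)

def authorize(user, verb, resource, namespace, group="", bindings=BINDINGS, roles=ROLES):
    for b in bindings:
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding" and ref["kind"] == "Role":
            raise ValueError("Role + ClusterRoleBinding is not a valid combination")
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace, even for a ClusterRole
        if not any(subject_matches(s, user) for s in b["subjects"]):
            continue
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role and any(rule_allows(r, verb, group, resource) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access
```

Against a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=<user>`, which is the quickest way to confirm that a binding grants exactly what was intended and nothing more.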