一、概述
Kubernetes集群的所有操作基本上都是通过kube-apiserver这个组件进行的,它提供HTTP RESTful形式的API供集群内外客户端调用。这就引发了安全问题:假如别人知道你的API地址,那么你的服务器就很容易遭到恶意破坏。所以k8s 认证授权过程不支持HTTP连接到kube-apiserver。
使用kubectl cluster-info 可以看到API server的Endpoint地址,如下:
[root@k8s-master-dev ~]# kubectl cluster-info
Kubernetes master is running at https://192.168.20.79:6443
KubeDNS is running at https://192.168.20.79:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@k8s-master-dev ~]# 对APIServer的访问要经过的三个步骤,前面两个是认证和授权,第三个是 Admission Control,它也能在一定程度上提高安全性,不过更多是资源管理方面的作用。
client --> | authentication(认证 验证用户名与密码是否正确)
| authorization (授权 控制当前用户的权限)
| admissionControl (资源依赖、关联及环境检查) --> Resourcesk8s模块化程度非常高,认证、授权、准入控制都是由用户指定某种插件实现相应功能。
Authentication
kubernetes提供了多种认证方式,比如客户端证书、静态token、静态密码文件、ServiceAccountTokens等等,都是以插件(plugin)的形式由用户指定。可以同时指定使用一种或多种认证方式。client 经过任何一种plugin的成功认证 即表示认证成功,无需再经过其它额外认证。
常见如下两种:
1) token(例预共享密钥,是通过http首部Restful方式传递密钥)
2) SSL/TLS(authentication、双向身份验证、https通信)
Authorization
k8s 1.6之后支持 RBAC、node、ABAC、webhook等plugins。 RBAC(Role-Based Access)只有许可授权(默认拒绝所有),kubeadm安装的k8s默认都是使用RBAC的授权。 RBAC让集群管理员可以针对特定使用者或服务账号的角色,进行更精确的资源访问控制。在RBAC中,权限与角色相关联,用户通过成为适当角色的成员而得到这些角色的权限。这就极大地简化了权限的管理。在一个组织中,角色是为了完成各种工作而创造,用户则依据它的责任和资格来被指派相应的角色,用户可以很容易地从一个角色被指派到另一个角色。
AdmissionControl
准入控制:本质上为一段准入代码,在对kubernetes api的请求过程中,顺序为:先经过认证 & 授权,然后执行准入操作,最后对目标对象进行操作。这个准入代码在api-server中,而且必须被编译到二进制文件中才能被执行。在对集群进行请求时,每个准入控制代码都按照一定顺序执行。如果有一个准入控制拒绝了此次请求,那么整个请求的结果将会立即返回,并提示用户相应的error信息。
常用组件(控制代码)如下:
- AlwaysAdmit:允许所有请求
- AlwaysDeny:禁止所有请求,多用于测试环境
- ServiceAccount:它将serviceAccounts实现了自动化,它会辅助serviceAccount做一些事情,比如如果pod没有serviceAccount属性,它会自动添加一个default,并确保pod的serviceAccount始终存在
- LimitRanger:他会观察所有的请求,确保没有违反已经定义好的约束条件,这些条件定义在namespace中LimitRange对象中。如果在kubernetes中使用LimitRange对象,则必须使用这个插件。
- NamespaceExists:它会观察所有的请求,如果请求尝试创建一个不存在的namespace,则这个请求被拒绝
二、访问API server的方式
k8s API server 提供了丰富的Restful接口 提用户访问 。
REST request path: http://apiServerName:port/apis/apps/version_name/namespaces/default/deployments/myapp-deploy/(add/delete/edit/get)
API request verb : get/list/create/update/patch/watch/proxy/redirect/delete/deletecollection/
使用kubectl 命令时默认调用${HOME}/.kube/目录中的认证信息,但其它访问方式则不能调用这些认证信息(例curl),如果希望通过curl方式访问API server,可以使用代理功能。
在本地启用代理:
[root@k8s-master-dev ~]# ls .kube/
cache config http-cache
[root@k8s-master-dev ~]# kubectl proxy --port=8080
Starting to serve on 127.0.0.1:8080然后在另一个终端使用curl 的方式访问,如下所示:
[root@k8s-master-dev ~]# curl http://localhost:8080/api/v1/namespaces
{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "768383"
}
...
[root@k8s-master-dev ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments
{
"kind": "DeploymentList",
"apiVersion": "apps/v1",
"metadata": {
"selfLink": "/apis/apps/v1/namespaces/kube-system/deployments",
"resourceVersion": "768654"
},
...三、Authentication
哪些client需要与API server 交互?cluster 外部的client (kubectl)和cluster内部的 client(Pod)都需要与API server交互。
[root@k8s-master-dev ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d
mongo ClusterIP None <none> 27017/TCP 1d
[root@k8s-master-dev ~]# kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 192.168.20.79:6443
Session Affinity: None
Events: <none>
[root@k8s-master-dev ~]#以上显示 cluster内部的各pods 、及其它组件访问API server时使用 10.96.0.1; 而 kubectl 命令及外部访问API server时使用 172.16.20.79:6443 。
访问API server 时的认证用户也分为两类:
1) serviceAccountName (cluster内部pod客户端)
2) UserAccount (cluster外部访问)
1、serviceAccountName
ServiceAccount(服务帐户)是由Kubernetes API管理的用户。它们绑定到特定的命名空间,并由API服务器自动创建或通过API调用手动创建。服务帐户与存储为Secrets的一组证书相关联,这些凭据被挂载到pod中,以便集群进程与Kubernetes API通信。(登录dashboard时我们使用的就是ServiceAccount)
当kubernetes集群搭建好后,系统中就存在多个ServiceAccount,它们隶属于不同的名称空间,不同名称空间之间的ServiceAccount名称可以相同。通过下面的命令查看当前系统的ServiceAccount
[root@k8s-master-dev ~]# kubectl get sa
NAME SECRETS AGE
default 1 5d
[root@k8s-master-dev ~]#使用kubectl get sa --all-namespaces 查看所有名称空间的sa 。
手工创建ServiceAccount,语法如下:
kubectl create serviceaccount my-service-account
例:
[root@k8s-master-dev ~]# kubectl create sa admin
serviceaccount/admin created
[root@k8s-master-dev ~]# kubectl get sa
NAME SECRETS AGE
admin 1 23h
default 1 5dServiceAccount创建的同时会自动创建secrets,名称以account的名称为前缀。例:
[root@k8s-master-dev ~]# kubectl get secrets
NAME TYPE DATA AGE
admin-token-q99pz kubernetes.io/service-account-token 3 23h
default-token-m66jg kubernetes.io/service-account-token 3 5d
[root@k8s-master-dev ~]#ServiceAccount中主要用于保存token,而token又属于 secrets 资源,如下:
[root@k8s-master-dev ~]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-q99pz
Tokens: admin-token-q99pz
Events: <none>
[root@k8s-master-dev ~]#可以使用 kubectl describe secrets admin-token-q99pz 命令查看该token的信息。例:
[root@k8s-master-dev ~]# kubectl describe secrets/admin-token-q99pz
Name: admin-token-q99pz
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name=admin
kubernetes.io/service-account.uid=3f0f0199-4539-11e9-ac19-000c295011ce
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJ..............
[root@k8s-master-dev ~]#每一个Pod创建的时候,都会被分配到指定的ServiceAccount下面,通常是default,也可以在编写Pod的manifest文件的时候指定。例:
[root@k8s-master-dev ~]# vim pod-sa-demo.yaml
[root@k8s-master-dev ~]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
tier: frontend
annotations:
inspiry.com/author: "cluster admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
serviceAccountName: admin
[root@k8s-master-dev ~]# kubectl apply -f pod-sa-demo.yaml
pod/pod-sa-demo created
[root@k8s-master-dev ~]# 在Pod创建时,相关的认证文件会被以volume的形式挂载进Pod,目的是方便在Pod里访问API SERVER(例如kubernetes的dashboard)。例:
[root@k8s-master-dev ~]# kubectl describe pods pod-sa-demo
Name: pod-sa-demo
Namespace: default
Priority: 0
PriorityClassName: <none>
Node: k8s-node1-dev/192.168.20.78
Start Time: Wed, 13 Mar 2019 10:41:59 +0800
Labels: app=myapp
tier=frontend
Annotations: inspiry.com/author=cluster admin
kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"inspiry.com/author":"cluster admin"},"labels":{"app":"myapp","tier":"frontend"},"name":"pod..."
Status: Running
IP: 10.244.1.107
Containers:
myapp:
Container ID: docker://729b24ee03040b09a0d93a977e65e206bd434b6c35003f0fea953b661c635af2
Image: ikubernetes/myapp:v1
Image ID: docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Wed, 13 Mar 2019 10:42:00 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from admin-token-q99pz (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
admin-token-q99pz:
Type: Secret (a volume populated by a Secret)
SecretName: admin-token-q99pz
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events: <none>
[root@k8s-master-dev ~]#
2、UserAccount
是用于 k8s集群 外部或独立服务 管理访问集群使用的,由管理员分配私钥。平时常用的kubectl命令就是UserAccount执行的。
kubeconfig 称为认证配置,就是为集群外部client访问k8s集群所作的认证配置。
外部用户访问k8s集群(例使用kubectl命令)时,需要配置用户访问k8s集群所用到的账户、证书、私钥、集群名、API server地址等,这些信息被存放在kubeconfig 中。
可以使用kubectl config 命令对 访问k8s集群的认证配置文件 进行各种操作。具体可参考:kubectl config --help 。
使用kubectl config view 可查看认证配置,如下所示:
[root@k8s-master-dev ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.20.79:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master-dev ~]#说明:
apiVersion: v1
clusters: [] #配置要访问的kubernetes集群名称列表。
contexts: [] #配置访问kubernetes集群的具体上下文列表。定义哪个集群被哪个用户访问
current-context: "" #配置当前使用的上下文环境
kind: Config
preferences: {}
users: [] #配置访问的用户信息列表,用户名以及证书信息 (其中REDACTED表示私密数据)
创建UserAccount所需要的访问密钥及证书,利用当前k8s的CA证书进行签名
[root@k8s-master-dev ~]# cd /etc/kubernetes/pki/
[root@k8s-master-dev pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@k8s-master-dev pki]# (umask 077; openssl genrsa -out meteor.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.............+++
e is 65537 (0x10001)
[root@k8s-master-dev pki]# openssl req -new -key meteor.key -out meteor.csr -subj "/CN=meteor"
[root@k8s-master-dev pki]# openssl x509 -req -in meteor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out meteor.crt -days 365
Signature ok
subject=/CN=meteor
Getting CA Private Key
[root@k8s-master-dev pki]# openssl x509 -in meteor.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b2:d2:50:2a:92:52:e0:63
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Mar 13 07:35:17 2019 GMT
Not After : Mar 12 07:35:17 2020 GMT
Subject: CN=meteor
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:69:52:bd:c8:f2:43:39:3c:5e:b3:49:f7:5a:
29:17:1d:80:f9:b8:b1:f5:dc:1a:72:d9:96:7b:96:
77:bd:cc:73:ac:88:dd:be:8f:32:d5:7f:37:f7:57:
d8:c1:ae:bd:04:1a:5f:9f:64:8a:34:49:9b:06:96:
91:16:2e:1e:af:b7:9a:e0:c8:ca:1f:73:12:54:0d:
ff:95:c1:c0:b0:8c:e5:0c:fe:c1:20:9d:32:fb:2b:
09:59:7e:9b:39:17:9c:83:4f:a5:34:4a:4c:4f:e4:
22:ef:ee:ba:ee:80:21:49:ca:62:6c:3b:46:45:a5:
98:bd:37:4b:3b:b0:eb:4b:63:1a:f2:9d:1a:f9:19:
9d:22:43:70:83:1b:c9:a8:70:de:45:e1:9c:89:e3:
db:a9:41:47:83:cc:38:1e:f3:16:17:4d:91:b1:44:
b3:8a:ee:5f:77:aa:db:9c:de:50:c7:c2:be:9e:9d:
a9:ff:a6:a7:e1:0a:8d:b3:48:c5:34:e2:c3:2d:ac:
8c:e0:ed:fa:2c:03:7e:05:ce:df:ba:66:24:bc:4c:
8b:36:a1:1a:90:7b:11:3d:54:ba:22:c9:58:ce:de:
8a:07:3c:ca:50:df:4e:6b:e3:3b:62:77:88:99:c2:
a8:b5:48:f2:cd:93:20:3b:7e:46:e4:ba:ef:8d:86:
ac:a9
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
1c:02:98:15:57:e1:60:c7:90:7f:6d:c0:d4:2c:f5:5e:33:9e:
c1:23:48:91:9f:8d:d1:20:4c:17:8d:c6:b5:fe:09:e7:92:5f:
7f:5a:5a:c0:13:d7:03:4e:a9:03:be:a2:09:56:90:06:ef:47:
94:29:13:81:61:f0:c7:9b:de:c6:89:7d:c6:43:8a:9b:89:d6:
10:b5:cb:1e:46:16:3f:89:8f:70:4a:28:33:05:84:61:d3:ed:
88:fd:ab:63:d4:33:c8:1b:b5:bf:36:b1:84:a4:a0:24:20:ec:
cd:35:d1:82:57:fa:09:ff:48:07:a2:04:c3:90:2b:ba:c0:f9:
4b:ea:2e:55:45:79:f3:d9:7c:8c:e5:08:f8:0a:b2:51:3e:11:
16:6d:e1:ec:8c:03:f0:b6:c4:a1:77:80:22:aa:48:b1:40:e5:
61:3d:3c:9f:cf:d3:d0:3e:e3:73:46:84:96:0d:f8:3a:4e:6f:
cf:cd:97:ea:d6:25:98:af:3e:b7:15:f1:17:30:56:be:32:a5:
45:bb:8d:53:bb:4c:00:ef:b2:94:5f:da:da:72:f7:da:81:09:
3e:47:15:a0:d8:ff:79:af:9c:42:8d:da:e4:44:6f:a9:38:e0:
b4:8d:58:fb:15:7a:39:cb:87:b7:db:fe:4a:af:8e:b7:7c:fc:
ab:77:eb:c0
[root@k8s-master-dev pki]# ls
apiserver.crt apiserver-kubelet-client.crt ca.srl front-proxy-client.crt meteor.key
apiserver-etcd-client.crt apiserver-kubelet-client.key etcd front-proxy-client.key sa.key
apiserver-etcd-client.key ca.crt front-proxy-ca.crt meteor.crt sa.pub
apiserver.key ca.key front-proxy-ca.key meteor.csr
[root@k8s-master-dev pki]#创建一个访问凭证(UserAccount),并指定相应的证书及私钥
如果指定了一个已存在的名字,将合并新字段并覆盖旧字段
[root@k8s-master-dev pki]# kubectl config set-credentials meteor --client-certificate=meteor.crt --client-key=meteor.key --embed-certs=true
User "meteor" set.修改kubeconfig(认证配置),创建一个新的Context及指定访问凭据(UserAccount)
[root@k8s-master-dev pki]# kubectl config set-context meteor@kubernetes --cluster=kubernetes --user=meteor
Context "meteor@kubernetes" created.
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.20.79:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context: #上下文创建成功
cluster: kubernetes
user: meteor
name: meteor@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: meteor
user: #meteor用户凭据(证书)成功
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master-dev pki]#切换并测试新的上下文配置
[root@k8s-master-dev pki]# kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.20.79:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: meteor
name: meteor@kubernetes
current-context: meteor@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: meteor
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master-dev pki]#
[root@k8s-master-dev pki]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "default"
[root@k8s-master-dev pki]# 当然也可以在当前新定义一个集群的认证配置(kubeconfig),例:
需要指定ca的证书、API service地址、隐藏证书选项、配置文件的路径(不指定默认在当前家目录),如下所示:
[root@k8s-master-dev pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.20.79:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@k8s-master-dev pki]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.20.79:6443
name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master-dev pki]# cd四、Authorization
当认证通过,下一步要做的就是授权,授权决定一个用户可以干什么。Kubernetes可以配置多种授权方式,其中目前使用的是RBAC(Role Based Access Control)。RBAC涉及几个重要概念,它们是: Role/ RoleBinding / ClusterRole / ClusterRoleBinding
首先必须清楚一点:授权离不开认证,授权是基于ServiceAccount/UserAccount的。Role可以理解为权限(例如get,list,update,delete,add),它决定了ServiceAccount可以干什么,RoleBinding用于把Role绑定到指定的ServiceAccount。
下图是Role的绑定
ClusterRole和ClusterRoleBinding的作用一样,不同的是,它们的作用域是整个集群,而Role和RoleBinding的作用域是namespace。
创建角色role
[root@k8s-master-dev ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml
[root@k8s-master-dev ~]# vim manifests/role-demo.yaml
[root@k8s-master-dev ~]# cat manifests/role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pods-reader
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl get roles
NAME AGE
pods-reader 14m
[root@k8s-master-dev ~]# kubectl describe roles/pods-reader
Name: pods-reader
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup..."
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
[root@k8s-master-dev ~]#创建角色绑定rolebinding,并绑定用户到角色
[root@k8s-master-dev ~]# kubectl create rolebinding meteor-read-pods --role=pods-reader --user=meteor --dry-run -o yaml > manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: meteor-read-pods
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME AGE
meteor-read-pods 13s
[root@k8s-master-dev ~]# kubectl describe rolebinding/meteor-read-pods
Name: meteor-read-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"meteor-read-pods","namespace":"default"},"roleRe..."
Role:
Kind: Role
Name: pods-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User meteor
[root@k8s-master-dev ~]#创建新用户,测试新的配置
[root@k8s-master-dev ~]# useradd k8suser01
[root@k8s-master-dev ~]# cp -rp .kube ~k8suser01/
[root@k8s-master-dev ~]# chown -R k8suser01.k8suser01 ~k8suser01/.kube
[root@k8s-master-dev ~]# su - k8suser01
[k8suser01@k8s-master-dev ~]$ kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
mongo-0 2/2 Running 0 6h
mongo-1 2/2 Running 0 6h
mongo-2 2/2 Running 0 6h
pod-sa-demo 1/1 Running 0 5h
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout由于Role和RoleBinding的作用域namespace 为default,所以meteor@kubernetes上下文无法访问kube-system 名称空间中的资源。如果希望该上下文可以访问kube-system名称空间内的资源 ,需要使用ClusterRole和ClusterRoleBinding。如下所示:
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME AGE
meteor-read-pods 4m
[root@k8s-master-dev ~]# kubectl delete rolebinding meteor-read-pods
rolebinding.rbac.authorization.k8s.io "meteor-read-pods" deleted
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@k8s-master-dev ~]# kubectl get clusterrole
NAME AGE
admin 5d
cluster-admin 5d
cluster-reader 8s
edit 5d
flannel 5d
......
[root@k8s-master-dev ~]# kubectl describe clusterrole cluster-reader
Name: cluster-reader
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-reader","namespace":""},"rules":[{"apiGr..."
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrolebinding meteor-read-all-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml >> manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRoleBinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: meteor-read-all-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/meteor-read-all-pods created
[root@k8s-master-dev ~]# kubectl get clusterrolebinding meteor-read-all-pods
NAME AGE
meteor-read-all-pods 16s
[root@k8s-master-dev ~]#再次测试meteor@kubernetes 上下文 ,如下所示:
[root@k8s-master-dev ~]# su - k8suser01
上一次登录:三 3月 13 16:09:07 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
mongo-0 2/2 Running 0 1d
mongo-1 2/2 Running 0 1d
mongo-2 2/2 Running 0 1d
pod-sa-demo 1/1 Running 0 1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-9t2x5 1/1 Running 0 5d
coredns-78fcdf6894-tvbtd 1/1 Running 0 5d
etcd-k8s-master-dev 1/1 Running 0 5d
kube-apiserver-k8s-master-dev 1/1 Running 0 5d
kube-controller-manager-k8s-master-dev 1/1 Running 1 5d
kube-flannel-ds-amd64-9tmns 1/1 Running 0 5d
kube-flannel-ds-amd64-cn8v5 1/1 Running 0 5d
kube-flannel-ds-amd64-gwf76 1/1 Running 0 5d
kube-flannel-ds-amd64-v4g6w 1/1 Running 0 5d
kube-proxy-4ks89 1/1 Running 0 5d
kube-proxy-b47qm 1/1 Running 0 5d
kube-proxy-dz778 1/1 Running 0 5d
kube-proxy-mg5rr 1/1 Running 0 5d
kube-scheduler-k8s-master-dev 1/1 Running 1 5d
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev ~]#RoleBinding也可以引用ClusterRole,对属于同一命名空间内ClusterRole定义的资源主体进行授权。但ClusterRoleBinding中的角色只能是ClusterRole。如下meter用户仅能对它所在的名称空间进行操作。
[root@k8s-master-dev rbac]# kubectl delete -f clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "meteor-read-all-pods" deleted
[root@k8s-master-dev rbac]# kubectl create rolebinding meteor-read-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# vim rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: meteor-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: meteor
[root@k8s-master-dev rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev rbac]# kubectl get rolebinding
NAME AGE
meteor-read-pods 10s
[root@k8s-master-dev rbac]#
[root@k8s-master-dev rbac]# su - k8suser01
上一次登录:四 3月 14 15:33:42 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
mongo-0 2/2 Running 0 1d
mongo-1 2/2 Running 0 1d
mongo-2 2/2 Running 0 1d
pod-sa-demo 1/1 Running 0 1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev rbac]#k8s集群内置了一些clusterRole ,可以利用上述方法为某个名称空间指定特定管理员。操作如下:
kubectl create rolebinding default-ns-admin --clusterrole=admin --user=meteor转载于:https://blog.51cto.com/caiyuanji/2362416
1040
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
