Preface
In this post I walk you through a hands-on lab of role-based access control (RBAC) in Kubernetes.
The aim of my blog: I want anyone holding one of my posts to be able to reproduce the experiment. Get the experiment working first, then combine it with the theory to understand the technique more deeply; that is what makes learning fun and keeps you motivated. The steps in my posts are complete, and I share the source files and the software used in the experiments, in the hope that we can all make progress together!
If you run into any questions while following along, feel free to contact me at any time and I will help you for free:
- Personal WeChat: x2675263825 (舍得), QQ: 2675263825.
- Personal blog: www.onlyonexl.cn
- Personal WeChat official account: 云原生架构师实战
- Personal CSDN: https://blog.csdn.net/weixin_39246554?spm=1010.2135.3001.5421
Background
Lab environment:
1. Windows 10 host with VMware Workstation virtual machines;
2. Kubernetes cluster: three CentOS 7.6 (1810) VMs, one master node and two worker nodes
Kubernetes version: v1.21
Container runtime: docker://20.10.7
Lab software:
cfssl.tar.gz rbac.zip
Link: https://pan.baidu.com/s/1PJAKrXjejcvRUSw8MNyFng
Extraction code: dvgi
Original course material from the instructor
Role-based access control: RBAC
Scenario: grant a specific user access to different namespaces. For example, a new junior hire joins and we want him to get familiar with the Kubernetes cluster first. For safety he should not get broad permissions yet, so we start by granting him read access to Pods in the default namespace only.
Rough steps:
1. Sign a client certificate with the Kubernetes CA
2. Generate a kubeconfig authorization file
3. Create the RBAC policy
4. Test the permissions using that kubeconfig file:
kubectl get pods --kubeconfig=./aliang.kubeconfig
# Role: the set of permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]                 # API group, e.g. apps; the empty string is the core API group, which holds namespaces, pods, services, pv and pvc
  resources: ["pods"]             # resource names (plural), e.g. pods, deployments, services
  verbs: ["get", "watch", "list"] # operations on the resource, e.g. create, delete
# RoleBinding: bind a subject to the role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User                          # subject type
  name: jane                          # subject name
  apiGroup: rbac.authorization.k8s.io
roleRef:                              # the role being bound
  kind: Role
  name: pod-reader                    # role name
  apiGroup: rbac.authorization.k8s.io
1. Sign a client certificate with the Kubernetes CA
Note: the cfssl tools (cfssl and cfssljson) must be installed first; search for it or see my earlier post.
[root@k8s-master ~]#ll -h
total 4.0K
-rw-r--r-- 1 root root 1.4K Jul 6 14:02 rbac.zip
drwxr-xr-x 6 root root 78 Jul 6 13:59 yaml #upload rbac.zip to the home directory and unzip it
[root@k8s-master ~]#unzip rbac.zip
[root@k8s-master ~]#cd rbac/
[root@k8s-master rbac]#ls
cert.sh kubeconfig.sh rbac.yaml
[root@k8s-master rbac]#sh cert.sh #just run it
2021/07/05 05:50:00 [INFO] generate received request
2021/07/05 05:50:00 [INFO] received CSR
2021/07/05 05:50:00 [INFO] generating key: rsa-2048
2021/07/05 05:50:00 [INFO] encoded CSR
2021/07/05 05:50:00 [INFO] signed certificate with serial number 159473389712332926121043715574924065961218702913
2021/07/05 05:50:00 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master rbac]#
Note: the client certificate is signed by the Kubernetes CA, the same CA the API server trusts for client authentication; a certificate from any other CA is rejected at the TLS layer. The API server maps the certificate's CN to the username and its O fields to groups, so the cfssl warning above about the missing "hosts" field is expected: hosts only matter for server certificates.
2. Generate the kubeconfig authorization file
[root@k8s-master rbac]#pwd
/root/rbac
[root@k8s-master rbac]#ls
aliang.csr aliang-csr.json aliang-key.pem aliang.pem ca-config.json cert.sh kubeconfig.sh rbac rbac.yaml rbac.zip
[root@k8s-master rbac]#sh kubeconfig.sh #just run it
Cluster "kubernetes" set.
User "aliang" set.
Context "kubernetes" created.
Switched to context "kubernetes".
[root@k8s-master rbac]#ls #note the generated kubeconfig file, aliang.kubeconfig
aliang.csr aliang-csr.json aliang-key.pem aliang.kubeconfig aliang.pem ca-config.json cert.sh kubeconfig.sh rbac rbac.yaml rbac.zip
[root@k8s-master rbac]#
Edit the aliang.kubeconfig file if needed, then test:
[root@k8s-master rbac]#kubectl get pod --kubeconfig=aliang.kubeconfig
Error from server (Forbidden): pods is forbidden: User "aliang" cannot list resource "pods" in API group "" in the namespace "default"
#Access is denied, but note that the message names User "aliang": the API server accepted the client certificate and identified us, so the first step, authentication, is done. What fails is the second step, authorization, which we set up next. (A rejected certificate would instead produce an Unauthorized error.)
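The scripts cert.sh and kubeconfig.sh come from the lab zip and their contents are not shown in the post. The block below is an added example written for this article, not the original scripts: it recreates steps 1 and 2 with cfssl and kubectl config and adds the two checks a cluster owner wants, a refusal to mint certificates for reserved system: groups and a short expiry. The CA paths (kubeadm layout), the API server URL, the group name dev and the function names are assumptions; adjust them to your cluster.

```shell
#!/bin/sh
# Added example (not the original cert.sh / kubeconfig.sh): issue a client
# certificate for a user with the cluster CA and wrap it in a kubeconfig.
# Assumptions: kubeadm CA location and a placeholder API server address.
set -eu

CA_CERT=/etc/kubernetes/pki/ca.crt      # assumption: kubeadm CA certificate
CA_KEY=/etc/kubernetes/pki/ca.key       # assumption: kubeadm CA key
API_SERVER=https://172.29.9.31:6443     # assumption: replace with your master

# Kubernetes takes the username from CN and the groups from O. Groups with
# the system: prefix are reserved; system:masters in particular is bound to
# cluster-admin and cannot be taken back, since the API server checks no
# certificate revocation list. Refuse to issue such certificates.
csr_group_allowed() {
    case "$1" in
        system:*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Emit the cfssl CSR request for user $1 in group $2. "hosts" stays empty on
# purpose: this is a client certificate, not a server certificate.
make_csr_json() {
    csr_group_allowed "$2" || { echo "refusing reserved group $2" >&2; return 1; }
    printf '{\n  "CN": "%s",\n  "hosts": [],\n  "key": {"algo": "rsa", "size": 2048},\n  "names": [{"O": "%s"}]\n}\n' "$1" "$2"
}

# Signing profile: client auth only, one year instead of the usual ten,
# because the only way to "revoke" a user certificate is to let it expire.
make_ca_config() {
    cat <<'EOF'
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "client": {"usages": ["signing", "key encipherment", "client auth"], "expiry": "8760h"}
    }
  }
}
EOF
}

# Sign the certificate and build <user>.kubeconfig with the certs embedded,
# producing the same "Cluster set / User set / Context created" messages as
# the lab's kubeconfig.sh.
issue_user() {
    user=$1; group=$2
    make_csr_json "$user" "$group" > "$user-csr.json"
    make_ca_config > ca-config.json
    cfssl gencert -ca="$CA_CERT" -ca-key="$CA_KEY" -config=ca-config.json \
        -profile=client "$user-csr.json" | cfssljson -bare "$user"
    kc="$user.kubeconfig"
    kubectl config set-cluster kubernetes --server="$API_SERVER" \
        --certificate-authority="$CA_CERT" --embed-certs=true --kubeconfig="$kc"
    kubectl config set-credentials "$user" --client-certificate="$user.pem" \
        --client-key="$user-key.pem" --embed-certs=true --kubeconfig="$kc"
    kubectl config set-context kubernetes --cluster=kubernetes --user="$user" --kubeconfig="$kc"
    kubectl config use-context kubernetes --kubeconfig="$kc"
    chmod 600 "$kc" "$user-key.pem"   # both files now hold the private key
    # Show the identity the API server will see: subject=CN = <user>, O = <group>
    openssl x509 -in "$user.pem" -noout -subject
}

# Usage on the master, as root:  issue_user aliang dev
```

The identity printed by the last line is the one that appears in Forbidden messages and in the audit log, so check it before handing the kubeconfig over.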
3. Create the RBAC policy
View the contents of rbac.yaml. The subject name in the RoleBinding, aliang, must match the CN of the certificate issued in step 1 exactly; a Role on its own grants nothing until a binding ties it to a subject:
[root@k8s-master rbac]#cat rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: aliang
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master rbac]#
Apply rbac.yaml and check the result:
#apply rbac.yaml
[root@k8s-master rbac]#kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
#check
[root@k8s-master rbac]#kubectl get role|grep pod-reader
pod-reader 2021-07-04T22:20:54Z
[root@k8s-master rbac]#kubectl describe role pod-reader
Name: pod-reader
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get watch list]
[root@k8s-master rbac]#
4. Test the permissions with the kubeconfig file
All of the policy is now in place, so let's test:
[root@k8s-master rbac]#kubectl get pod --kubeconfig=aliang.kubeconfig #now listing finally works
NAME READY STATUS RESTARTS AGE
my-pod 1/1 Running 0 38h
my-pod1 1/2 CrashLoopBackOff 23 38h
#Nothing else has been granted, so any other operation by this user fails
[root@k8s-master rbac]#kubectl get deployments --kubeconfig=aliang.kubeconfig #all of the following are denied
Error from server (Forbidden): deployments.apps is forbidden: User "aliang" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master rbac]#kubectl get pod --kubeconfig=aliang.kubeconfig -n kube-system
Error from server (Forbidden): pods is forbidden: User "aliang" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master rbac]#kubectl get service --kubeconfig=aliang.kubeconfig
Error from server (Forbidden): services is forbidden: User "aliang" cannot list resource "services" in API group "" in the namespace "default"
#Likewise, kubectl describe works, since it is only a read of the pod
[root@k8s-master rbac]#kubectl describe pod my-pod1 --kubeconfig=aliang.kubeconfig
Name: my-pod1
Namespace: default
Priority: 0
Node: k8s-node2/172.29.9.33
Start Time: Sat, 03 Jul 2021 15:43:45 +0800
Labels: <none>
Annotations: cni.projectcalico.org/podIP: 10.244.169.149/32
5. The junior has picked up the skills now; how do we widen his permissions?
Edit rbac.yaml again:
[root@k8s-master rbac]#vim rbac.yaml #spaces inside the brackets are optional
……
- apiGroups: ["", "apps"]                         #added
  resources: ["pods", "deployments", "services"]  #added; always the plural names
  verbs: ["get", "watch", "list"]
……
Apply again and test:
#apply
[root@k8s-master rbac]#kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/pod-reader configured
rolebinding.rbac.authorization.k8s.io/read-pods unchanged
#check => as expected, deployment/svc resources can now be listed
[root@k8s-master rbac]#kubectl get deployments --kubeconfig=aliang.kubeconfig
NAME READY UP-TO-DATE AVAILABLE AGE
web 1/1 1 1 5s
[root@k8s-master rbac]#kubectl get service --kubeconfig=aliang.kubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 33d
Tip: if you really do not know how to write a policy, let the "Forbidden" message guide you: it names the verb, the resource and the API group that were denied, which is exactly what the rule needs.
Note:
deployments/statefulsets/replicasets are in the apps group;
namespaces, pods, services, pv and pvc are in the core group (apiGroups: [""]);
The denials from before the change show this: "deployments" in API group "apps", "pods" and "services" in API group "". kube-system stays denied even now, because a Role and its RoleBinding only take effect inside their own namespace:
[root@k8s-master rbac]#kubectl get deployments --kubeconfig=aliang.kubeconfig #output from before the role was widened
Error from server (Forbidden): deployments.apps is forbidden: User "aliang" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master rbac]#kubectl get pod --kubeconfig=aliang.kubeconfig -n kube-system
Error from server (Forbidden): pods is forbidden: User "aliang" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master rbac]#kubectl get service --kubeconfig=aliang.kubeconfig
Error from server (Forbidden): services is forbidden: User "aliang" cannot list resource "services" in API group "" in the namespace "default"
- Another test: give the junior delete permission
1. By default, deleting fails:
[root@k8s-master rbac]#kubectl get deployments.apps --kubeconfig=aliang.kubeconfig
NAME READY UP-TO-DATE AVAILABLE AGE
web 1/1 1 1 18m
[root@k8s-master rbac]#kubectl delete deployments.apps web --kubeconfig=aliang.kubeconfig
Error from server (Forbidden): deployments.apps "web" is forbidden: User "aliang" cannot delete resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master rbac]#
2. Add the delete verb
[root@k8s-master rbac]#vim rbac.yaml
- apiGroups: ["","apps"]
  resources: ["pods","deployments","services"]
  verbs: ["get","watch","list","delete"] #added delete; note that a verb applies to every resource listed in the rule, so he can now delete pods and services too, not only deployments
3. Apply and check
[root@k8s-master rbac]#kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/pod-reader configured
rolebinding.rbac.authorization.k8s.io/read-pods unchanged
[root@k8s-master rbac]#kubectl delete deployments.apps web --kubeconfig=aliang.kubeconfig #after adding delete, the deletion succeeds
deployment.apps "web" deleted
[root@k8s-master rbac]#kubectl get deployments.apps --kubeconfig=aliang.kubeconfig
No resources found in default namespace.
[root@k8s-master rbac]#
- Note: kubectl describe role shows the rules a Role currently grants:
[root@k8s-master rbac]#kubectl describe role pod-reader
Name: pod-reader
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
deployments [] [] [get watch list delete]
pods [] [] [get watch list delete]
services [] [] [get watch list delete]
deployments.apps [] [] [get watch list delete]
pods.apps [] [] [get watch list delete]
services.apps [] [] [get watch list delete]
[root@k8s-master rbac]#
Two things to read from this output. First, there are six entries although only three resources were intended: a rule is expanded as apiGroups × resources, so ["", "apps"] × ["pods", "deployments", "services"] also claims deployments in the core group and pods.apps / services.apps, which do not exist. It is harmless today, but it is a habit that overgrants silently if some group later gains a resource of that name; one rule per API group avoids it. Second, describing the Role is not the same as seeing what a user can do: a user's permissions are the union of every Role and ClusterRole bound to them. To see that from the user's side, run kubectl auth can-i --list --kubeconfig=aliang.kubeconfig; from the admin side, kubectl auth can-i delete deployments -n default --as=aliang answers a single question.
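The block below is an added example written for this post, not part of the original lab. It serves the edits in section 5 (apiGroups: ["", "apps"] in one rule), the tip about reading the Forbidden message, and the describe output above: make_role emits a Role with one rule per API group, so there is no cross-product entry such as pods.apps, and rule_from_forbidden turns an API server denial into exactly the rule it asks for. Function names and the argument syntax (GROUP:RESOURCES, empty group for core) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build least-privilege Role
# manifests and derive the missing rule from a kubectl Forbidden error.
set -eu

# json_list "a,b,c" -> ["a", "b", "c"]
json_list() {
    printf '["%s"]' "$(printf '%s' "$1" | sed 's/,/", "/g')"
}

# make_role NAME NAMESPACE VERBS GROUP:RESOURCES [GROUP:RESOURCES ...]
# Use an empty group for the core API, e.g. ':pods,services'. Every group
# gets its own rule, so the Role never claims resources that only exist in
# another group (the pods.apps / services.apps entries seen above).
make_role() {
    name=$1; ns=$2; verbs=$3; shift 3
    printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: %s\n  namespace: %s\nrules:\n' "$name" "$ns"
    for spec in "$@"; do
        group=${spec%%:*}
        resources=${spec#*:}
        printf '%s apiGroups: ["%s"]\n  resources: %s\n  verbs: %s\n' \
            '-' "$group" "$(json_list "$resources")" "$(json_list "$verbs")"
    done
}

# rule_from_forbidden "<kubectl error line>" -> the single rule that would
# satisfy it. The message shape is fixed by the API server:
#   ... User "u" cannot VERB resource "RES" in API group "GRP" in the namespace "NS"
# Deliberately minimal: it grants one verb on one resource in one group and
# nothing more, which is the least-privilege answer to that exact denial.
rule_from_forbidden() {
    msg=$1
    verb=$(printf '%s\n' "$msg" | sed -n 's/.*cannot \([a-z]*\) resource "\([^"]*\)".*/\1/p')
    res=$(printf '%s\n' "$msg" | sed -n 's/.*cannot [a-z]* resource "\([^"]*\)".*/\1/p')
    grp=$(printf '%s\n' "$msg" | sed -n 's/.*in API group "\([^"]*\)".*/\1/p')
    [ -n "$verb" ] && [ -n "$res" ] || { echo "not a Forbidden message: $msg" >&2; return 1; }
    printf '%s apiGroups: ["%s"]\n  resources: ["%s"]\n  verbs: ["%s"]\n' '-' "$grp" "$res" "$verb"
}

# Usage:
#   make_role pod-reader default get,watch,list ':pods,services' 'apps:deployments' | kubectl apply -f -
#   rule_from_forbidden "$(kubectl get deployments --kubeconfig=aliang.kubeconfig 2>&1)"
```

After applying the generated Role, confirm the effective permissions from the user's side with kubectl auth can-i --list --kubeconfig=aliang.kubeconfig, and notice that kubectl describe role no longer lists pods.apps or services.apps.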
- To find out which API group a resource belongs to:
[root@k8s-master ~]#kubectl api-resources
6. Now the junior can happily use the Kubernetes cluster
We can hand the aliang.kubeconfig file to him, and he accesses the cluster with commands like these:
[root@k8s-master rbac]#pwd
/root/rbac
[root@k8s-master rbac]#ls
aliang.csr aliang-csr.json aliang-key.pem aliang.kubeconfig aliang.pem ca-config.json cert.sh kubeconfig.sh rbac rbac.yaml rbac.zip
[root@k8s-master rbac]#
kubectl get pod --kubeconfig=aliang.kubeconfig
kubectl get deployment --kubeconfig=aliang.kubeconfig
kubectl get service --kubeconfig=aliang.kubeconfig
Note:
He can access the cluster from any machine, provided that machine has network connectivity to the API server.
Install kubectl before using it.
Everything needed to reach the cluster is inside aliang.kubeconfig: the server address, the CA certificate, and aliang's client certificate and private key. It is therefore a credential, equivalent to a password: transfer it over a secure channel, keep it readable only by its owner (chmod 600), and do not share one file between several people, because the audit log will only ever show the user "aliang".
If he does not want to append --kubeconfig=aliang.kubeconfig to every command, the default kubeconfig file could be changed, but how? (I don't know either; leaving this aside for now...)
When logged in on the master, the default config file in use is /root/.kube/config.
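As an added example, not from the original post: the two standard ways to drop the --kubeconfig flag are the KUBECONFIG environment variable and placing the file at ~/.kube/config. The block below wraps both and adds the check a cluster owner should run before handing the file over, since the file embeds a private key. The helper names are my own, and the sample kubeconfig it writes is constructed for illustration with placeholder base64 blobs rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): install a kubeconfig for
# day-to-day use without --kubeconfig, and check it is protected like a key.
set -eu

# Option 1: point KUBECONFIG at the file for this shell (or put the export in
# ~/.bashrc). Several files may be listed, colon separated; kubectl merges
# them and `kubectl config use-context` picks the active one.
use_kubeconfig() {
    export KUBECONFIG="$1"
    kubectl config current-context
}

# Option 2: make it the default file. Refuse to overwrite an existing config,
# which on the master is the cluster-admin credential.
install_default_kubeconfig() {
    src=$1; dst="$HOME/.kube/config"
    [ -e "$dst" ] && { echo "$dst already exists, use KUBECONFIG instead" >&2; return 1; }
    mkdir -p "$HOME/.kube"
    cp "$src" "$dst"
    chmod 700 "$HOME/.kube"; chmod 600 "$dst"
}

# A kubeconfig with client-key-data (or client-key) carries a private key.
# Returns 0 if the file embeds or references one, 1 if it only has a CA/server.
kubeconfig_has_private_key() {
    grep -Eq '^[[:space:]]*(client-key-data|client-key):' "$1"
}

# Returns 0 if the file is readable only by its owner, 1 otherwise.
kubeconfig_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# check_kubeconfig FILE: fail with a reason if the file is not safe to hand over.
check_kubeconfig() {
    kubeconfig_has_private_key "$1" || { echo "$1: no client key, is this the right file?" >&2; return 1; }
    kubeconfig_perms_ok "$1" || { echo "$1: readable by others, run chmod 600" >&2; return 2; }
}

# Constructed sample with the same layout kubectl config set-* produces when
# --embed-certs=true is used. The base64 values are placeholders, not real
# certificates, and the server address is an assumption.
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://172.29.9.31:6443
    certificate-authority-data: LS0tLS1CRUdJTi4uLg==
users:
- name: aliang
  user:
    client-certificate-data: LS0tLS1CRUdJTi4uLg==
    client-key-data: LS0tLS1CRUdJTi4uLg==
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: aliang
current-context: kubernetes
EOF
}

# Usage on the junior's workstation:
#   check_kubeconfig ~/aliang.kubeconfig && use_kubeconfig ~/aliang.kubeconfig
```

The client-key-data line is why the file must never be mailed around in clear text or committed to a repository; anyone holding it is "aliang" until the certificate expires, because Kubernetes has no certificate revocation.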
Summary
That's it for the Kubernetes role-based access control (RBAC) lab. Thanks for reading, and see you next time!