*A Kubernetes cluster can host containers belonging to different departments, so to keep their data safe each department's access must be restricted. Here we achieve that by binding a Linux user to a Kubernetes user account.
The rough steps are:
As root, copy /root/.kube/config into the home directory of the Linux login user miqiang, then delete all credentials for the kubernetes-admin@kubernetes account from that copy, leaving only the credentials of the miqiang@kubernetes user we create ourselves. That user has partial access to a single namespace only. Switching to the miqiang Linux user and accessing the pods in the miqiang-test namespace then verifies the permissions.*
Flow:
Linux user miqiang -> Linux system -> Kubernetes user account miqiang -> Kubernetes client (usually kubectl) -> API Server
SSL/TLS authentication
The certificates must be created as the root user.
Generate a certificate
(1) Generate a private key
[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077; openssl genrsa -out miqiang.key 2048)
(2) Generate a certificate signing request (CSR)
[root@master pki]# openssl req -new -key miqiang.key -out miqiang.csr -subj "/CN=miqiang"
(3) Generate the certificate, signed by the cluster CA
[root@master pki]# openssl x509 -req -in miqiang.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out miqiang.crt -days 3650
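The three openssl commands above are the whole identity step: the CN in the CSR is what the API server takes as the Kubernetes user name (any O= components become its groups), so a typo there silently creates a different user that no RoleBinding will match. The Python script below is an example added here, not code from the original post; it wraps the same three commands and then verifies the result, checking that the certificate chains to the CA and that its CN equals the intended user name. It uses a throwaway CA generated in a temporary directory as a constructed stand-in for /etc/kubernetes/pki/ca.crt and ca.key (on the real master you would pass that directory as `pki` instead), and the function names are the example's own.

```python
import re
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args, cwd=None):
    """Run one openssl command, return its stdout, raise if it fails."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def make_throwaway_ca(pki: Path) -> None:
    """Constructed stand-in for the cluster CA in /etc/kubernetes/pki (demo only)."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", "ca.key", "-out", "ca.crt", "-days", "365",
             "-subj", "/CN=kubernetes", cwd=pki)


def issue_user_cert(pki: Path, username: str, days: int = 3650) -> Path:
    """Steps (1)-(3) from the page: key, CSR with CN=<username>, CA-signed cert.
    The CN is what the API server will use as the Kubernetes user name."""
    key, csr, crt = (pki / f"{username}.{ext}" for ext in ("key", "csr", "crt"))
    _openssl("genrsa", "-out", str(key), "2048")
    key.chmod(0o600)  # same effect as the page's (umask 077; ...) subshell
    _openssl("req", "-new", "-key", str(key), "-out", str(csr),
             "-subj", f"/CN={username}")
    _openssl("x509", "-req", "-in", str(csr), "-CA", "ca.crt", "-CAkey", "ca.key",
             "-CAcreateserial", "-out", str(crt), "-days", str(days), cwd=pki)
    return crt


def cert_common_name(crt: Path) -> str:
    """CN of the certificate subject, read in RFC 2253 form ("subject=CN=...")."""
    out = _openssl("x509", "-in", str(crt), "-noout", "-subject", "-nameopt", "RFC2253")
    match = re.search(r"CN=([^,\n]+)", out)
    return match.group(1).strip() if match else ""


def chains_to_ca(crt: Path, ca_crt: Path) -> bool:
    """True only if the certificate verifies against the given CA certificate."""
    result = subprocess.run(["openssl", "verify", "-CAfile", str(ca_crt), str(crt)],
                            capture_output=True, text=True)
    return result.returncode == 0


def issue_and_check(username: str = "miqiang", pki: Path = None) -> dict:
    """Issue the user certificate and report the checks an admin should make
    before embedding it in a kubeconfig.  With pki=None a temporary directory
    and a throwaway CA are used, so the example runs wherever openssl exists."""
    if pki is None:
        with tempfile.TemporaryDirectory() as tmp:
            tmp_pki = Path(tmp)
            make_throwaway_ca(tmp_pki)
            return issue_and_check(username, tmp_pki)
    crt = issue_user_cert(pki, username)
    key = pki / f"{username}.key"
    return {
        "cn": cert_common_name(crt),
        "cn_matches_user": cert_common_name(crt) == username,
        "chains_to_ca": chains_to_ca(crt, pki / "ca.crt"),
        "key_mode": oct(key.stat().st_mode & 0o777),
    }


if __name__ == "__main__":
    print(issue_and_check("miqiang"))
```

One caveat worth knowing before choosing `-days 3650`: the API server does not consult certificate revocation lists for client certificates, so a user certificate issued this way stays valid for its full lifetime unless the cluster CA itself is rotated. A shorter validity period, or issuing through the Kubernetes CertificateSigningRequest API where approvals are recorded, limits the damage if the key file is copied off the host.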
Add the user to the kubeconfig
(1) Add the user miqiang to the Kubernetes cluster configuration so it can be used to authenticate connections to the apiserver
[root@master pki]# kubectl config set-credentials miqiang --client-certificate=./miqiang.crt --client-key=./miqiang.key --embed-certs=true
(2) Add a context for miqiang in ~/.kube/config
This creates the miqiang@kubernetes context, which ties the miqiang user to the kubernetes cluster entry; it is what makes the miqiang account usable from ~/.kube/config:
[root@master pki]# kubectl config set-context miqiang@kubernetes --cluster=kubernetes --user=miqiang
(3) Switch to the miqiang account; by default it has no permissions at all
The commands are:
[root@master .kube]# kubectl config use-context miqiang@kubernetes
Switched to context "miqiang@kubernetes".
[root@master .kube]# kubectl get node
Error from server (Forbidden): nodes is forbidden: User "miqiang" cannot list resource "nodes" in API group "" at the cluster scope
[root@master .kube]#
This shows that the Kubernetes user miqiang cannot access the API server: it has no permissions of any kind yet.
Having confirmed that, switch back to the kubernetes-admin@kubernetes cluster-admin context with the following command:
[root@master .kube]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master .kube]#
Bind the user miqiang to a ClusterRole through a RoleBinding to grant it permissions. Because a RoleBinding is a namespaced object, the permissions apply only inside the miqiang-test namespace.
Modify the user's permissions
(1) Bind the user to a ClusterRole
Bind the user miqiang to a ClusterRole with a RoleBinding (the two commands below are equivalent; -n is the short form of --namespace):
kubectl create ns miqiang-test
kubectl create rolebinding miqiang -n miqiang-test --clusterrole=cluster-admin --user=miqiang
kubectl create rolebinding miqiang --namespace miqiang-test --clusterrole=cluster-admin --user=miqiang
(2) Switch to the miqiang user
kubectl config use-context miqiang@kubernetes
(3) Test the permissions
[root@master .kube]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "miqiang" cannot list resource "pods" in API group "" in the namespace "default"
[root@master .kube]# kubectl get pods -n miqiang-test
No resources found in miqiang-test namespace.
[root@master .kube]#
This shows the user can operate in the miqiang-test namespace.
Now create the user miqiang in the Linux operating system, so that it can log in to the Linux host where the Kubernetes cluster runs. Each department gets its own Linux system account, which is then associated with a different user account in the Kubernetes cluster.
(4) Add a regular Linux user miqiang
useradd miqiang
cp -ar /root/.kube/ /home/miqiang/
chown -R miqiang.miqiang /home/miqiang/
Edit /home/miqiang/.kube/config, delete everything related to kubernetes-admin, and keep only the miqiang user.
[root@master .kube]# cd /home/miqiang/.kube/
[root@master .kube]# ls
cache config
[root@master .kube]# vim config
After the kubernetes-admin entries are deleted, the file looks like this:
[root@master .kube]# vim config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://192.168.203.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: miqiang
  name: miqiang@kubernetes
current-context: miqiang@kubernetes
kind: Config
preferences: {}
users:
- name: miqiang
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvekNDQVlzQ0NRRElKTjk5bDFtUmhEQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSXpNRGt3TnpBM01Ea3pORm9YRFRNek1Ea3dOREEzTURrek5Gb3dFakVRTUE0RwpBMVVFQXd3SGJXbHhhV0Z1WnpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSytKCnQwdnA1WFRtazIrdVdIYnFHTnpQZ01KaWlXL044UkhNTkZPK0pSdk5HUDU4aG5GYjl4SDN5RzV0WkZZSWpjK0cKMHBvckg3R1hXKzBRMUpCZFVPSFFXckQyejNKaWE3T21XN2hDOGtxY2VYRDBjTkdvaGhsU0dWcVFCM0Njd3dVeQpFRTMxRmhMcXBRTnFKYUxIMGtEZDhwRUV6eEV3QlAwYXpqbEZrT25sZHl0TXZEYWovU2VVaFJsb3A5S3RDS2F4CkJ4ckxldEZhWUxhTTVjaTJRMzhETGtkV1R2R09nNXZEY3hidzFGZ1BiMWJSbkRQOTEwSlU4WDhyV1NWbHpwd3AKRUd2a1lHU2ZwKzVkMWtLb29QK2pNUm5mRDlDVDdxRU5OV2RtcTNhclMwNE9vYXBwRWpaOUczMFFSY0VuQ1ZvUgpzRStEVndqMnN6a2w1MVUrdnVjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBVXg0NGR2eEdZYWhaCmtOYnByM0ExUlBsYU1PVFB3OFQ3NmJDUEIzZTNSUjlZbFZ0eEdISVpvRmlOMVpKT05vTWNUME1sTWxKdDFzdW4KT1BOOHFEdFloUmcrWjNFaGNMWU44S1dnRkxVQXFHVkMvN3VGcmtIRk5xSEtyYUFIVlpjeU5qb3VBZU16TmVzcgptTDVhSTFjZjlRN3FGS2Z2R3RMNFJRT0JtMEQyazNuK2E1V2VmOHArczBuak5pTzA0ZHFsZzFiaHZ0cENEVmVxCmxVVWd4UklvcGN6K0l5VlVFZkZ3YUhDMFAvM1B6aHlldE1KdmV0K3BYbXpPTDNDeHNCR2UwN01VbUVaLzRYV0kKd1VsT3V6cU5UeVdrWmJTSk1rakFLMzF5ZnF3Y3FwSWN1bk56UmVNTXNvMDZpOER5c1NEMWYvRE52U3V2K0g2LwpJd3BpdzN5S1N3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: <base64-encoded client key omitted>
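The manual vim edit is the riskiest step of the procedure: a stray kubernetes-admin user or context left in the copied file hands the department user the cluster-admin credentials, and nothing in the test section would reveal it unless someone tries it. The Python script below is an example added here, not code from the original post; it performs the same trimming programmatically on a constructed sample kubeconfig laid out like the page's (admin context plus miqiang context, with dummy PEM placeholders instead of real keys): it keeps only the named context together with the one cluster and one user it references, makes it the current context, and then checks that no other user entry still carries credentials. The result is written as JSON, which kubectl reads because JSON is valid YAML. On the master itself, `kubectl config view --minify --flatten --raw --context=miqiang@kubernetes` produces the equivalent file straight from the admin config.

```python
import base64
import copy
import json
import os


def _fake_pem(kind: str) -> str:
    # Constructed placeholder PEM block; not real key material.
    body = base64.b64encode(b"constructed placeholder, not a real key").decode()
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"


def _b64(text: str) -> str:
    # The *-data fields of a kubeconfig hold the PEM blob base64-encoded.
    return base64.b64encode(text.encode()).decode()


# Constructed sample mirroring the page's /root/.kube/config before trimming.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "preferences": {},
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://192.168.203.128:6443",
                     "certificate-authority-data": _b64(_fake_pem("CERTIFICATE"))}},
    ],
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": _b64(_fake_pem("CERTIFICATE")),
                  "client-key-data": _b64(_fake_pem("RSA PRIVATE KEY"))}},
        {"name": "miqiang",
         "user": {"client-certificate-data": _b64(_fake_pem("CERTIFICATE")),
                  "client-key-data": _b64(_fake_pem("RSA PRIVATE KEY"))}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "miqiang@kubernetes",
         "context": {"cluster": "kubernetes", "user": "miqiang"}},
    ],
    "current-context": "kubernetes-admin@kubernetes",
}

# Fields in a kubeconfig user entry that carry a credential of some kind.
CREDENTIAL_FIELDS = ("client-certificate-data", "client-key-data",
                     "client-certificate", "client-key", "token", "password")


def prune_kubeconfig(config: dict, context_name: str) -> dict:
    """Return a copy of config containing only context_name, the single cluster
    and single user it references, with that context made current."""
    contexts = {c["name"]: c for c in config.get("contexts", [])}
    if context_name not in contexts:
        raise KeyError(f"context {context_name!r} not found in kubeconfig")
    ctx = contexts[context_name]
    cluster_name, user_name = ctx["context"]["cluster"], ctx["context"]["user"]

    pruned = copy.deepcopy(config)
    pruned["contexts"] = [copy.deepcopy(ctx)]
    pruned["clusters"] = [copy.deepcopy(c) for c in config.get("clusters", [])
                          if c["name"] == cluster_name]
    pruned["users"] = [copy.deepcopy(u) for u in config.get("users", [])
                       if u["name"] == user_name]
    pruned["current-context"] = context_name
    if not pruned["clusters"] or not pruned["users"]:
        raise ValueError(f"context {context_name!r} references a missing cluster or user")
    return pruned


def leaked_credentials(config: dict, allowed_user: str) -> list:
    """Names of users other than allowed_user that still carry credentials.
    Run this on the file handed to the Linux user; it must return []."""
    leaked = []
    for entry in config.get("users", []):
        if entry["name"] == allowed_user:
            continue
        if any(field in entry.get("user", {}) for field in CREDENTIAL_FIELDS):
            leaked.append(entry["name"])
    return leaked


def write_kubeconfig(config: dict, path: str) -> None:
    """Write the config as JSON (valid YAML, so kubectl reads it) with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # in case the file already existed with wider permissions


if __name__ == "__main__":
    trimmed = prune_kubeconfig(SAMPLE_KUBECONFIG, "miqiang@kubernetes")
    print(json.dumps(trimmed, indent=2))
    print("leaked credentials:", leaked_credentials(trimmed, "miqiang"))
```

Once the trimmed file is in place under /home/miqiang/.kube/config (owned by miqiang, mode 0600), `kubectl auth can-i list pods -n miqiang-test` and `kubectl auth can-i list pods -n default`, run as miqiang, reproduce the two permission checks from the test section below without needing any pods to exist, and `leaked_credentials` run over the file confirms that the admin key never reached the user's home directory.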
Testing
Log in to the Linux system as miqiang again
[root@master .kube]# su - miqiang
[miqiang@master ~]$ kubectl get pods # cannot access the default namespace
Error from server (Forbidden): pods is forbidden: User "miqiang" cannot list resource "pods" in API group "" in the namespace "default"
[miqiang@master ~]$ kubectl get pods -n miqiang-test # can access the miqiang-test namespace
No resources found in miqiang-test namespace.
[miqiang@master ~]$
Exit the miqiang user and return to root
[miqiang@master ~]$ exit
[root@master .kube]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
View the pod resources
[root@master .kube]# kubectl get pods
NAME READY STATUS RESTARTS AGE
configmap-demo-pod 1/1 Running 9 23h
configmap-nginx 1/1 Running 1 22h
mysql 1/1 Running 4 2d22h
nginx 1/1 Running 3 2d3h
nginx-configmap-test 1/1 Running 1 22h
sa-lihaihui 1/1 Running 0 4h11m
sc-pv-pod-nfs 1/1 Running 1 24h
task-pv-pvc-pod 1/1 Running 1 27h
test-pd 1/1 Running 1 29h
test-pd-2 1/1 Running 1 29h
wordpress-mysql-85d8585554-4lblh 1/1 Running 1 21h
[root@master .kube]#