K8S源码剖析(Auth)
k8s源码中auth部分主要两大块:
- authorization(abac)
- nodeidentify
ABAC
k8s可以提供abac权限控制,只需要配置对应policy(每条policy就是一个json数据),比如这样:
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*" }}
那核心的模块其实主要在几个match函数中
- subjectMatches定义了主体的匹配(user/group)
- verbMatches定义了行为的匹配(是否readonly)
- resourceMatches定义了资源的匹配(namespace/apigroup/resource)
// subjectMatches returns true if specified user and group properties in the policy match the attributes
func subjectMatches(p abac.Policy, user user.Info) bool {
matched := false
if user == nil {
return false
}
username := user.GetName()
groups := user.GetGroups()
// If the policy specified a user, ensure it matches
if len(p.Spec.User) > 0 {
if p.Spec.User == "*" {
matched = true
} else {
matched = p.Spec.User == username
if !matched {
return false
}
}
}
// If the policy specified a group, ensure it matches
if len(p.Spec.Group) > 0 {
if p.Spec.Group == "*" {
matched = true
} else {
matched = false
for _, group := range groups {
if p.Spec.Group == group {
matched = true
break
}
}
if !matched {
return false
}
}
}
return matched
}
func verbMatches(p abac.Policy, a authorizer.Attributes) bool {
// TODO: match on verb
// All policies allow read only requests
if a.IsReadOnly() {
return true
}
// Allow if policy is not readonly
if !p.Spec.Readonly {
return true
}
return false
}
func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {
// A resource policy cannot match a non-resource request
if a.IsResourceRequest() {
if p.Spec.Namespace == "*" || p.Spec.Namespace == a.GetNamespace() {
if p.Spec.Resource == "*" || p.Spec.Resource == a.GetResource() {
if p.Spec.APIGroup == "*" || p.Spec.APIGroup == a.GetAPIGroup() {
return true
}
}
}
}
return false
}
在前面进行完匹配后决定是否鉴权成功
func matches(p abac.Policy, a authorizer.Attributes) bool {
if subjectMatches(p, a.GetUser()) {
if verbMatches(p, a) {
// Resource and non-resource requests are mutually exclusive, at most one will match a policy
if resourceMatches(p, a) {
return true
}
if nonResourceMatches(p, a) {
return true
}
}
}
return false
}
Nodeidentifier
Nodeidentify用来限制kubelet对api-server的访问鉴权,目前做的也比较简单,主要是对前缀进行匹配,看前缀是否是“system:node:”
// nodeUserNamePrefix is the prefix for usernames in the form `system:node:<nodeName>`
const nodeUserNamePrefix = "system:node:"
// NodeIdentity returns isNode=true if the user groups contain the system:nodes
// group and the user name matches the format system:node:<nodeName>, and
// populates nodeName if isNode is true
func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) {
// Make sure we're a node, and can parse the node name
if u == nil {
return "", false
}
userName := u.GetName()
if !strings.HasPrefix(userName, nodeUserNamePrefix) {
return "", false
}
isNode := false
for _, g := range u.GetGroups() {
if g == user.NodesGroup {
isNode = true
break
}
}
if !isNode {
return "", false
}
nodeName := strings.TrimPrefix(userName, nodeUserNamePrefix)
return nodeName, true
}