I. RBAC concepts
1. Official RBAC documentation: Using RBAC Authorization | Kubernetes
2. RBAC (Role-Based Access Control): a method of regulating access to computer or network resources based on the roles of individual users within an organization.
Purpose: prevent a pod in k8s from freely reading information about the whole cluster and accessing cluster resources.
3. UserAccount and ServiceAccount introduction
II. Experiment steps (ServiceAccount usage example)
1. Create a SA and bind it to a pod
[root@k8smaster ingress]# kubectl create sa sa-lay
serviceaccount/sa-lay created
[root@k8smaster ~]# kubectl get sa
NAME SECRETS AGE
default 1 103d
sa-lay 1 2d3h
2. Create the pod
[root@k8smaster sa]# cat sa-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sa-lay
  namespace: default
  labels:
    app: sa-lay
spec:
  serviceAccountName: sa-lay
  containers:
  - name: sa-nginx
    ports:
    - containerPort: 80
    image: nginx
    imagePullPolicy: IfNotPresent
[root@k8smaster sa]# kubectl apply -f sa-pod.yaml
pod/sa-lay created
3. Verify (access denied)
Access the apiserver: no permission.
The SA authenticates to the API successfully over HTTPS, but it has no permission to access k8s resources, so the status code is 403, meaning it is not authorized to operate on k8s resources.
[root@k8smaster sa]# kubectl exec -it sa-lay -- bash
root@sa-lay:/# cd /var/run/secrets/kubernetes.io/serviceaccount
root@sa-lay:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt namespace token
root@sa-lay:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-lay\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-system",
    "kind": "namespaces"
  },
  "code": 403
}
4. Grant permissions to the SA
[root@k8smaster sa]# kubectl create clusterrolebinding sa-test-admin --clusterrole=cluster-admin --serviceaccount=default:sa-lay
clusterrolebinding.rbac.authorization.k8s.io/sa-test-admin created
5. Send the request again to verify
[root@k8smaster sa]# kubectl exec -it sa-lay -- bash
root@sa-lay:/# cd /var/run/secrets/kubernetes.io/serviceaccount
root@sa-lay:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "kube-system",
    "uid": "1afd57db-8217-4eab-9015-42629f340013",
    "resourceVersion": "17",
    "creationTimestamp": "2023-05-15T12:19:01Z",
    "managedFields": [
      {
        "manager": "kube-apiserver",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2023-05-15T12:19:01Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:status":{"f:phase":{}}}
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}
III. Custom roles
1. Create a Role to control permissions
[root@k8smaster sa]# cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@k8smaster sa]# kubectl apply -f role.yaml
role.rbac.authorization.k8s.io/pod-reader created
2. Bind the Role
[root@k8smaster sa]# kubectl create rolebinding sa-test-lay --role=pod-reader --serviceaccount=default:sa-lay
rolebinding.rbac.authorization.k8s.io/sa-test-lay created
[root@k8smaster sa]# kubectl get rolebinding
NAME ROLE AGE
sa-test-lay Role/pod-reader 38s
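The 403 in step 3, the cluster-admin grant in step 4 and the pod-reader Role above all come down to one rule-matching check. The following Python is an added illustration, not code from this article or from Kubernetes itself: it models the core of the RBAC authorizer (apiGroups/resources/verbs matching, the "*" wildcard, and the namespace scope of a RoleBinding) over the two bindings created here, and shows that the pod-reader RoleBinding alone already lets sa-lay list pods in default while kube-system stays forbidden. The role and binding dicts and the wildcard shape of cluster-admin are simplifications assumed for the example.

```python
SA = "system:serviceaccount:default:sa-lay"

# Roles keyed by (kind, namespace, name): the rules from role.yaml above,
# plus the all-wildcard shape of the built-in cluster-admin (simplified).
ROLES = {
    ("Role", "default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# The two bindings the article creates (step 4 and section III), constructed here.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "namespace": None,
     "role": ("ClusterRole", None, "cluster-admin"), "subjects": [SA]},
    {"kind": "RoleBinding", "namespace": "default",
     "role": ("Role", "default", "pod-reader"), "subjects": [SA]},
]

def rule_matches(rule, group, resource, verb):
    """A rule grants a request only if group, resource and verb all match;
    "*" in any list matches everything."""
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    return (ok(rule["apiGroups"], group) and ok(rule["resources"], resource)
            and ok(rule["verbs"], verb))

def can_i(user, verb, resource, namespace, group="", bindings=BINDINGS):
    """Return (allowed, reason), with the reason shaped like the apiserver's
    403 message. RBAC is allow-only: the first granting rule wins, no rule means deny."""
    for b in bindings:
        if user not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        for rule in ROLES[b["role"]]:
            if rule_matches(rule, group, resource, verb):
                return True, f'allowed by {b["kind"]} {b["role"][2]}'
    return False, (f'User "{user}" cannot {verb} resource "{resource}" '
                   f'in API group "{group}" in the namespace "{namespace}"')

def least_privilege():
    """The bindings without the cluster-admin grant from step 4."""
    return [b for b in BINDINGS if b["kind"] == "RoleBinding"]
```

Calling can_i with bindings=[] reproduces the step 3 denial, the default BINDINGS reproduce step 5, and least_privilege() shows the pod-reader binding is sufficient for reading pods in default.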
Summary
The above is the hands-on procedure for using RBAC to bind a role to its corresponding permissions.