k8s(十四)、RBAC权限控制

最新推荐文章于 2024-06-07 11:19:48 发布
最新推荐文章于 2024-06-07 11:19:48 发布
阅读量1.4w 收藏 34
点赞数 5
分类专栏: kubernetes kubernetes那些事儿 文章标签: kubernetes RBAC
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ywq935/article/details/84840935
版权

前言

kubernetes 集群相关所有的交互都通过apiserver来完成,对于这样集中式管理的系统来说,权限管理尤其重要,在1.5版的时候引入了RBAC(Role Base Access Control)的权限控制机制.

RBAC也是初接触k8s的用户较难理解的一部分,同时RBAC作为集群管理的基础组件之一,本该放在最前面几篇,但是最近才想起来这个方面的知识点,赶紧梳理总结输出了本篇

工作流程

流程图

在这里插入图片描述

流程拆解

一、基于资源申明和管理方法申明组成rule规则,和Role(命名空间范围))或ClusterRole(集群范围)对象进行绑定,Role类的对象将拥有所申明资源及的指定方法的权限。
二、将Role权限落到实际用户或程序上,即RoleBinding(命名空间范围)或CLusterRoleBinding(集群范围)

有两种方式:
1.用户使用:如果是用户需求权限,则将Role与User(或Group)绑定(这需要创建User/Group);
2.程序使用:如果是程序需求权限,将Role与ServiceAccount指定(这需要创建ServiceAccount并且在deployment中指定ServiceAccount)。
相当于Role是一个类,用作权限申明,User/Group/ServiceAccount将成为类的实例

实战

一、用户使用

安装cfssl工具,生成ca-config.json文件。这一步骤在安装集群的时候已经做过,这里不再复述,参考:
k8s(一)、 1.9.0高可用集群本地离线部署记录

准备ca配置json文件如下:

cat >  ca-config.json <<EOF
{
"signing": {
"default": {
  "expiry": "8760h"
},
"profiles": {
  "kubernetes": {
    "usages": [
        "signing",
        "key encipherment",
        "server auth",
        "client auth"
    ],
    "expiry": "8760h"
  }
}
}
}
EOF

安装好的k8s集群,默认在ca文件在如下路径:

~ /rbac-test# ls /etc/kubernetes/pki/ca*
/etc/kubernetes/pki/ca.crt  /etc/kubernetes/pki/ca.key

创建用户的证书签署请求配置json文件:

~/rbac-test# cat opsuser-csr.json
{
  "CN": "opsuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

CN即comman name,后面用户证书认证时使用的用户名

生成opsuser的证书:

cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=./ca-config.json -profile=kubernetes ./opsuser-csr.json | cfssljson -bare opsuser

会生成下面3个文件:

opsuser-key.pem  opsuser.pem  opsuser.csr

生成用户的专属配置文件
完整的配置文件包含3块,分别是cluster/context/user部分,包含相应的内容,分3个步骤生成,后方详解

1.cluster部分:
生成此部分需要有集群的ca.pem文件,此文件在/etc/kubernetes/pki目录下默认没有,可以使用openssl命令基于ca.key文件去生成ca.pem文件;也可以直接使用已有的/etc/kubernetes/admin.conf文件中cluster部分:

# 只取cluster的上下文
~/rbac-test# cat /etc/kubernetes/admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [CERT DATA]
    server: https://10.90.1.238:6443
  name: kubernetes

# 将cluster部分写入opsuser的配置文件内
cat >  opsuser.kubeconfig <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [CERT DATA]
    server: https://10.90.1.238:6443
  name: kubernetes
EOF

2.context部分

kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=opsuser \
--namespace=default \
--kubeconfig=opsuser.kubeconfig

3.user认证部分

kubectl config set-credentials opsuser \
--client-certificate=./opsuser.pem \
--client-key=./opsuser-key.pem \
--embed-certs=true \
--kubeconfig=opsuser.kubeconfig

查看最终生成的配置文件:

# cat opsuser.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: [CRET DATA]
    server: https://10.90.1.238:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: opsuser
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: opsuser
  user:
    as-user-extra: {}
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZekNDQWt1Z0F3SUJBZ0lVV2ZKMlNLb1NJWWhBMHFJdzRaVUZERnlWY1pzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweE9ERXlNRFV3T0RNek1EQmFGdzB4T1RFeQpNRFV3T0RNek1EQmFNR0l4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFUU1BNEcKQTFVRUF4TUhiM0J6ZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU93Wgo4d1hpdFhrOGtKNk9PSkFvUHZGaWw2ZkdKUDFWT3VyYWFqTWMyZ2ROSkV0Q3o2Mzk2eTNIZGw1T2NXdlBNNURvCjJ3a0NGKzlJd09jVzljVHhTZFZMUEg3OVEvQVhHcm9Nd2ltZk9WRUNlYm9aVkswRUx3azk1K2piRUpVVHY4eTYKMForM2JvMGtwL2p2Q2pzdmwxWUR3RGtGeGtwckZ3SXliOGt0cVBLMVFkb2ZrOE16Z3NTMnNZYTR1MWFydHd0dQozSTZZbEViUFNIOXhGbmx1UUFvbjZnSmkrM0c1YTdVRGxvRm9MSHlqL00wMStPRi9YWVpEcWgwK3hoZTlVRWdHClZBZkNSQkYyZlg2WjdCaFkybnpsblZOejV5SXhmSlpJclNIYnFhUlAxZXY1Tk1ndVNRcnl3UGQ5OG5jM201RnkKMkVXa28xeEJmQ1FXSHJKd04vMENBd0VBQWFOZU1Gd3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlFXCmpDR2NYVjRPOTRqZlV1Mk9Kd2hqTC9xMVZEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFBeXdlZk5uckNKU0MKdDdrT2tHL1RUSHA1NG1tT0QxS2FPZW82TnpycFRuNVQwa0h3VEdrYmNHcWxvcDIvM1lhQXJDUHo2Q1J4VDd0QQpaTUNiOXhRZkJ0cllpeHJUdGF0TTZ4YlJuQTBqaC96Y2tvRHVuYjFEYkhxbG1JQW5jLzdaTEthQklKSnA5L0IwCjB2NnJXTEd2N0F1YmZJT1ZZVTdBVTVnZmh1LzJoWC93MzFJWlgwaXZ0WEtDR0lJb1Bya2hsL3NvUTEwdVFhUmgKeFFBdzhUbTc0dTBJTDE3OFFsRlhSYm1JQXpuWk42Skh1YW5QZE82TVI1Z0dobVMzRDRaUDg2RE5DenZCOVZFcQpWa0w4R0E2bHJHNm1sem5MN0pxODlQajdOdElwZnRaeDBsdTBYRmsxTm9DWk9VMFl5Yk9peWlPS2N0NVNia3VKClVLUjVYMC9GTUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBN0JuekJlSzFlVHlRbm80NGtDZys4V0tYcDhZay9WVTY2dHBxTXh6YUIwMGtTMExQCnJmM3JMY2QyWGs1eGE4OHprT2piQ1FJWDcwakE1eGIxeFBGSjFVczhmdjFEOEJjYXVnekNLWjg1VVFKNXVobFUKclFRdkNUM242TnNRbFJPL3pMclJuN2R1alNTbitPOEtPeStYVmdQQU9RWEdTbXNYQWpKdnlTMm84clZCMmgrVAp3ek9DeExheGhyaTdWcXUzQzI3Y2pwaVVSczlJZjNFV2VXNUFDaWZxQW1MN2NibHJ0UU9XZ1dnc2ZLUDh6VFg0CjRYOWRoa09xSFQ3R0Y3MVFTQVpVQjhKRUVYWjlmcG5zR0ZqYWZPV2RVM1BuSWpGOGxraXRJZHVwcEUvVjYvazAKeUM1SkN2TEE5MzN5ZHplYmtYTFlSYVNqWEVGOEpCWWVzbkEzL1FJREFRQUJBb0lCQVFEQ0F6amUxME5FMHU0TQpQTlppTDVBNWowa01CeGtTUzkxVWJCTGsyWXFZZ1YyWHN0a3lJdndFN0dscWFZOXVoaC9icmwxL2M0YnpqSmRuCnprZzdoQU9tRUdNdi96SzZzbUcyRFJIb1hmMGRncWxBc2R3UktPVDE5VGNDOURFV0w5cG1oQVlKOXhRVFM5SDAKRDRvYXhLclpkYytaakJNN3gvQnFUOFBvVDJzTHRTN1FuTjhpNGNpTjVSeTl1TUsrOFZJcitPUVJqNWlVSHpDLwoyWXRBT0daYlJHekhZaXR1a2xtZG45RmhYV1NreGFBY0p0RkdWcGlMS2FWdjdoYVZsZm40SUJaSkZrdkJNQkxCClR4N2JCb25MYkF1K2Ezd0ZzYzlMd1NTNUJXK296eUZJYlJoWVV0SmhTdmZLUjZxTVJFMHRMV2IwUFJoRDVjZEUKenR5dWRoWEpBb0dCQVBYanVOYXA1TGNSSnUwaDhvVWxLTE9SZ1psYXFKSlpCUThrQ3A4ZTBJNXNpdFlxMEZlRwpOMnJibGdPV0RKSW5TR0pCc0I2VzFhOHI2S1F5L3dlcG9wTHJSQUE1VFo2YVMzMDBQeEgyY1paUE1aMHJpTmVXCnpLZGdIalczM0FORWtGQm5nVlA3Y3M2UENXSVlkajhyRElDUGowbWhkZEhWckd4elNycXNwWFczQW9HQkFQWFAKTWZjcEVQdVA1dGNvS0tnSXF5ZzVrNzRlZ0J0M2JUT2NHR05TellDeGV0bjJseHJWRW1nMktlOWNrMElGT0hFaAovUnFqNnJtY1VNV0JnRWExS0pNajlCRW56NWo4S2pGN3l2Z3o5ZDJPNHVkTlMyeG50R2MrZVJ1T0NpU0JNejRhCkFVZ2xSdGRJZXhkeWdoVWJsNVhMaitTeFRYVXRmWDgzZENMZEZCL3JBb0dCQUlsOU5LeHJRT1VRSlNqeEUyOVoKa01HZmVjenJBVmtiaDVXb3ZIdXV1a1Q0OGtUQW1kQm16dlBrSnFTSXNTekQ1RmgwakdyK1FpdDVyTktyWlNpKwp0SlhjRVNEaTZjRG1XNUY5dGtwdjk2RnBWTCtpU1JqclRESEdyLzJ2ZWNrbC9GL0pFR3FLTGU3TDBoNVV1VUdtCjY0MnpPQmFldm9kL0o3TllZQSt6VzYxUEFvR0JBUEFWQU01UTg5OWdlNnlsOHArOFo3K1FEUGRpUHVtVXlibmcKdWdrNHRMTC9wZWdCYXpDdjc1eU5Xb1FKUFdMOFNsWmxSaHFoQXY5cTU1RWduVE55ZVVETm12S3VtWnJvb0NWWQpyYk9pdkg4N3NlOE1sYUE1NGYvOUNyaVpFTnI2dmh2bnRseksyOWdsV09SYjJTWFluME9WWU9PVE1QNUVBaEVoCkRuT0d6c01sQW9HQUtrSXJ3Z2Y5dnVubnBTeGJCMU9UeCtUR2pkUEN3RThDUWNxWTBBeUhXZnk2eTBNaTNTSXMKTXBKZmpmbXN3NlRDSHZ1VFUvOXBkL3dYWEZ6ZU03OHBwWU5wcHZBVjQzVEVQNTdHRXZRV3VBSkNFQklvekZhdQpXZWVrRGd6bzBCc3NCMFFOUnRnUS9HdTBnaDRCWjFMdDB4QmJmWHhrMjRMTmJpSFBHTHRQL3pjPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

最后,加载启用此配置文件

kubectl config use-context kubernetes --kubeconfig=opsuser.kubeconfig

此时,用户已经创建完成,下面开始进行RoleBinding步骤赋予权限。

RoleBinding绑定
创建Role:

~/rbac-test# cat pod-reader.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: pod-reader
rules:
- apiGroups: [""] # ""代表核心api组
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

~/rbac-test# cat opsuser-role-bind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: kube-system
subjects:
- kind: User
  name: opsuser   # 目标用户
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader  # 角色信息
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f pod-reader.yaml
kubectl apply -f opsuser-role-bind.yaml

RoleBinding步骤已完成
检验

# 将此配置文件作为当前kubectl配置文件使用
~/rbac-test# mv /root/.kube/config /root/.kube/config.bak
~/rbac-test# cp opsuser.kubeconfig /root/.kube/config

# 查看资源
:~/rbac-test# kubectl get pods 
NAME                                     READY     STATUS             RESTARTS   AGE
appdev-5c4b65bbbb-t4lvr                  1/1       Running            2          44d
deptest13dev-fb79d9957-d55vb             0/1       Pending            0          35d
deptest13test-8687769d58-lzm2r           0/1       Pending            0          41d
deptest14dbtm-ffbd5c56c-ph68l            0/2       Pending            0          41d
deptest14test-7cb7bf6cc-xnrxw            0/1       Pending            0          41d

:~/rbac-test# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "opsuser" cannot list nodes at the cluster scope

可以看到,基于生成的用户配置文件,已经可以管理申明的pod资源,无法管理申明以外的资源类型。测试成功

二、程序使用

与用户使用User不同的是,程序的权限赋予是通过ServiceAccount来作为权限载体的,因此,首先要拥有程序/deployment/ServiceAccount等资源,这里以前面文章里没有讲的kube dashboard为例进行说明。

首先我们来看官方最新版本的kube dashboard的yaml文件(服务暴露方式稍作修改成了NodePort):

~/dashboard# cat kubernetes-dashboard.yaml
# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
:~/dashboard# ls
admin-token.yaml  kubernetes-dashboard.yaml
:~/dashboard# vim kubernetes-dashboard.yaml 
:~/dashboard# cat kubernetes-dashboard.yaml 
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

部署dashboard:

kubectl apply -f kubernetes-dashboard.yaml

浏览器访问dashboard需要token,或者kube-config文件,这里使用token,在创建好ServiceAccount且和role进行bind绑定之后,会自动创建一个名为${ServiceAccountName}-token-xxx 的Secret,其内包含token,为base64编码,可以使用kubectl describe直接查看:

:~/dashboard# kubectl get secret -o wide -n kube-system | grep kubernetes-dashboard
istio.kubernetes-dashboard                       istio.io/key-and-cert                 3         2d
kubernetes-dashboard-certs                       Opaque                                0         2d
kubernetes-dashboard-key-holder                  Opaque                                2         2d
kubernetes-dashboard-token-t2mmr                 kubernetes.io/service-account-token   3         2d


:~/dashboard# kubectl describe secret -n kube-system kubernetes-dashboard-token-t2mmr
Name:         kubernetes-dashboard-token-t2mmr
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=kubernetes-dashboard
              kubernetes.io/service-account.uid=4f237c6c-f7ad-11e8-9859-0050569da8f2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi10Mm1tciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjRmMjM3YzZjLWY3YWQtMTFlOC05ODU5LTAwNTA1NjlkYThmMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.UEJ0MBO9RhSF_fzZHPKezWqkZsWG3atFQQgoPGlyyIDXtQN-ZYlZPEScjunwp4FVgX5uRMpxHGyexJN5e8zYouMTRrGaDaIu7cGj5ICP80iabi8wyMCnJrR5_p0Tmy2PkNZDCyh0MbDCJE6lbOv7Lu7CldivEMtr4BAvxvMmBdmoT0CixQexfw2tioeeoYBwEKgxjL6mMBIGKE0spGZQova7bzTN8f2ZGpNn8jFI_EW9Y7Et5sitw3rCRwxxMSDwUwwCOv26NXPnPVA7cWJeuzPRTS0BHE0euRYojQN7F77NkfwCynx8iWGpM2MEuHIj6coCUcTuCyN5yMD1Zag2zg

使用此token登录dashboard:
在这里插入图片描述

在这里插入图片描述

第二张截图可以发现,dashboard无多种资源类型的list权限,这是因为在上面的yaml文件中,定义的role权限是限定的:

# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

可以修改这里的Role内部的权限,也可以自行配置更高级的权限,我这里为了方便,直接配置了一个admin的ServiceAccount:

~/dashboard# cat admin-token.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole  # ClusterRole拥有集群级别权限,于此同时绑定时不能再使用RoleBinding而应该使用ClusterRoleBinding
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

创建:

~/dashboard# kubectl apply -f admin-token.yaml

查看token:

:~/dashboard# kubectl get secret -n kube-system | grep admin
admin-token-b9r26                                kubernetes.io/service-account-token   3         1d

~/dashboard# kubectl describe secret -n kube-system admin-token-b9r26
Name:         admin-token-b9r26
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=d471a78c-f833-11e8-9859-0050569da8f2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1iOXIyNiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQ0NzFhNzhjLWY4MzMtMTFlOC05ODU5LTAwNTA1NjlkYThmMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.euwxJkmtt7mjbpzHdMzJWmxO0swuVRjYFGkEwzX1E6caXrUj1XXrSQO4J3mttJvMOVQaGEztInI-cKMiTDzLYHE_85VISHbZTUA8dcSFDIuGOt4SRI_XoA11pIlUAmH4b_4kxgaA3DA5TdUX6O2mo93QEvLOOngBkLO55Z9y980H_J5JiBgbndnycOGXVIW-gEgEjBewtiH1ZCiha-lwUlTvSNJkLrTPlm5Rjoao8lONn4vcD1sgzrSrW8VMxxclw8Cu3C79zyujHo0F_YuwHteIlBwOPSTaiokbuyQr-IS2UTpwUxlzf__wXgidc_SXqTC9vecM7hcRVhEi_d_hnw

dashboard退出之前的账号,使用admin-token重新登录,可以发现已经拥有全部权限:
在这里插入图片描述

总结

k8s角色授权使用的流程有多个环节多种资源类型搭配完成,权限粒度明确、用户与进程分工有序,理解了顶部的流程图,相信你将不再为RBAC疑惑。

ywq935
关注
  • 5
    点赞
  • 34
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
k8sRBAC授权模式
weixin_37337210的博客
01-13 1048
导读 上一篇说了k8s的授权管理,这一篇就来详细看一下RBAC授权模式的使用 RBAC授权模式 基于角色的访问控制,启用此模式,需要在API Server的启动参数上添加如下配置,(k8s默然采用此授权模式)。 --authorization-mode=RBAC /etc/kubernetes/manifests/kube-apiserver.yaml (1)对集群中的资源及非资源权限均有完整的覆盖 (2)整个RBAC完全由几个API对象完成,同其他API对象一样,可以用kube.
CFSSL: 证书管理工具:3:使用CA私钥与证书签发证书
知行合一 止于至善
12-15 2050
这篇文章介绍一下如何使用CFSSL的命令创建出来的CA私钥和CA证书签发新的证书。
k8s——Kubernetes-RBAC基于角色的访问控制
weixin_55985097的博客
07-27 861
kubernetes-RBAC 一:RBAC详解 RBAC基于角色的访问控制 Service Account为服务提供了一种方便的认证机制,但它不关心授权的问题。可以配合RBAC来为Service Account鉴权,在Kubernetes中,授权有ABAC(基于属性的访问控制)、RBAC(基于角色的访问控制)、Webhook、Node、AlwaysDeny(一直拒绝)和AlwaysAllow(一直允许)这6种模式。 从1.6版起,Kubernetes 默认启用RBAC访问控制策略。 从1.8开始,RBAC
RBAC 模型梳理
最新发布
cliffordl的专栏
06-07 1306
权限是资源的集合,这里的资源指的是软件中所有的内容,包括模块、菜单、页面、字段、操作功能(增删改查)等等。页面权限操作权限和数据权限
修改kubernetes服务nodeport类型的端口范围
feelnature的专栏
08-01 7779
kuberntes服务nodeport端口,默认是3000-32767。但是某些场合下,这个限制并不适用。 kubernetes提供了自定义服务端口的方法,方法如下: 在初始化集群时,加入如下参数: apiServerExtraArgs:   service-node-port-range: 6-33000 初始化集群,即可改变端口范围。 yml文件示例: apiVersion: k...
ETCD TLS 配置的坑
weixin_33841722的博客
10-26 462
一、环境准备 环境总共 3 台虚拟机,系统为centos7,1个 master,2 个 etcd 节点,master 同时也作为 node 负载 pod,在分发证书等阶段将在另外一台主机上执行,该主机对集群内所有节点配置了 ssh 秘钥登录 IP 节点 192.168.0.153 master、node、etcd 192.168.0.154 master、...
K8S用户权限管理工具permission-manager-v1.6.0
12-13
KubernetesK8S)集群环境中,权限管理是至关重要的,它确保了资源的安全性和访问控制。"permission-manager-v1.6.0"是一个专为K8S设计的用户权限管理工具,它帮助管理员更好地控制和管理用户对Kubernetes资源的...
K8S创建用户账号User Account并赋予权限
06-12
KubernetesK8S)集群管理中,为了实现安全的多租户环境和权限控制,需要为不同的用户和团队创建独立的账号,并授予适当的访问权限。本篇将详细介绍如何在K8S中创建用户账号(User Account)以及如何为其赋予权限...
calico flannel k8s 安装yaml文件
03-05
Kubernetesk8s)集群中,网络插件起着至关重要的作用,它们负责为Pod之间提供网络通信。在本话题中,我们将探讨两个流行的网络插件:Calico和Flannel,以及如何通过YAML文件来安装它们。YAML是Kubernetes的主要...
k8s集群环境搭建资源
10-27
8. **安全性**:k8s提供了RBAC(Role-Based Access Control)进行权限管理,通过Role和RoleBinding来定义用户或用户组的权限。此外,还有NetworkPolicy来控制Pod间的网络通信。 9. **日志、监控和调试**:k8s集群...
k8s dashboard v2.7.0离线镜像包
10-15
4. **安全访问控制**:Kubernetes Dashboard 支持 RBAC(Role-Based Access Control)授权,确保只有授权的用户或服务账户能访问特定资源。 5. **多语言支持**:Dashboard 提供多种语言界面,便于不同地区的用户...
K8S学习笔记-003】权限管理RBAC
DeusExMachina_V的博客
08-05 1102
Role RoleBinding ClusterRole ClusterRoleBinding ServiceAccount
Kubernetesk8s权限管理RBAC详解
匠人精神,持之以恒!
10-16 8151
文章目录一、简介二、K8s三种认证方式三、用户分类四、K8s权限控制(以ServiceAccount展开讲解)1)介绍2)Role和ClusterRole3)RoleBinding和ClusterRoleBinding1、Role角色绑定ServiceAccount2、ClusterRole角色绑定ServiceAccount五、实战1)User1、创建K8S 用户2、对用户授权2)Group1、创建K8S 用户和用户组2、对组授权3)ServiceAccount4)为ServiceAccount生成Tok
k8s rbac
SHELLCODE_8BIT的博客
03-10 1326
简单就如下所示,给谁分配什么权限,这是大家经常在后台管理系统遇到的。
k8s - 安全认证(RBAC
栋院
03-18 2969
api server 是集群访问控制的统一入口 k8s认证过程: 认证 -> 授权 - > 准入控制 (adminationcontroller) 1 认证()是对客户端的认证,简单说就是账户密码 2 授权()是资源的授权,容器、网络、存储资源的权限 3 准入机制 准入控制器位于api server ,在对象被持久化之前,准入控制器拦截对api server 的请求,一般用来做认证和授权。其中包括连个控制器: MutatingAdmissionWebhook 和 Validating
K8s RBAC认证授权深度解析
博客虽小,世界尽在其中
04-20 2087
随着Kubernetes在云原生领域的广泛应用,如何有效地管理和控制用户对集群资源的访问权限成为了一个重要的问题。基于角色的访问控制RBAC)作为一种灵活的权限管理机制,在Kubernetes中发挥着至关重要的作用。本文深入探讨了Kubernetes RBAC认证授权的核心概念、实现方式以及实践应用,旨在帮助读者更好地理解和管理Kubernetes集群中的权限问题。
K8s中的RBAC(Role-Based Access Control)
多头注意力探索Now
09-05 1029
K8s上的RBAC设计和实现方式说明
kubernetes系列】KubernetesRBAC
margu_168的博客
07-11 1128
k8s权限控制在实际工作中不那么经常使用,但是却是很重要的,我们需要深入理解才能很好的解决某些问题。在我们现目前的了解中,常用的授权插件有以下几种: Node(节点认证) ABAC(基于属性的访问控制) RBAC(基于角色的访问控制) Webhook(基于http回调机制的访问控制kubernetes 集群相关所有的交互都需要通过apiserver来完成,对于这样集中式管理的系统来说,权限管理尤其重要,Kubernetes的授权是基于插件形式的,在1.5版的时候引入了基于角色的访问控制(Role-Bas
k8sRBAC是什么意思
07-17
RBACKubernetes中的一种访问控制机制,全为Role-Based Access Control,即基于角色的访问控制RBAC用于定义和管理用户、ServiceAccount或其他身份对Kubernetes资源的问权限RBAC允许管理员根用户的职责和角色来授予不同级别的权限,以限制和管理对Kubernetes集群中的资源的操作。通过使用RBAC,可以实现精细的访问控制权限分配。 在RBAC中,主要有以下几个核心概念: 1. Role:定义了一组权限规则,用于授权对特定命名空间中的资源进行操作。 2. ClusterRole:类似于Role,但是作用于整个集群而不是单个命名空间。 3. RoleBinding:将Role绑定到用户、ServiceAccount或其他身份上,从而为其授予相应的权限。 4. ClusterRoleBinding:将ClusterRole绑定到用户、ServiceAccount或其他身份上,赋予其集群级别的权限。 通过使用RBAC,管理员可以根据实际需求创建和配置不同的角色和绑定,确保每个用户或身份只能访问其所需的资源,并限制其对资源的操作。 RBACKubernetes中重要的安全机制之一,可以帮助管理员实现对集群的访问控制权限管理,提高集群的安全性和可管理性。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值