Kubernetes authorization

最新推荐文章于 2024-05-09 07:00:49 发布
最新推荐文章于 2024-05-09 07:00:49 发布
阅读量280 收藏
点赞数
分类专栏: 云计算 kubernetes
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zhixingheyi_tian/article/details/94717991
版权

Service Account

A service account provides an identity for processes that run in a Pod.
When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. If you get the raw json or yaml for a pod you have created (for example, kubectl get pods/ -o yaml), you can see the spec.serviceAccountName field has been automatically set.

default service account

Every namespace has a default service account resource called default.

Service Account Permissions
Grant a role to an application-specific service account (best practice)

This requires the application to specify a serviceAccountName in its pod spec, and for the service account to be created (via the API, application manifest, kubectl create serviceaccount, etc.).

kubectl create rolebinding my-sa-view \
  --clusterrole=view \
  --serviceaccount=my-namespace:my-sa \
  --namespace=my-namespace
Grant a role to the “default” service account in a namespace

If an application does not specify a serviceAccountName, it uses the “default” service account.
Note: Permissions given to the “default” service account are available to any pod in the namespace that does not specify a serviceAccountName.

kubectl create rolebinding default-view \
  --clusterrole=view \
  --serviceaccount=my-namespace:default \
  --namespace=my-namespace
Grant a role to all service accounts in a namespace

If you want all applications in a namespace to have a role, no matter what service account they use, you can grant a role to the service account group for that namespace.

For example, grant read-only permission within “my-namespace” to all service accounts in that namespace:

kubectl create rolebinding serviceaccounts-view \
  --clusterrole=view \
  --group=system:serviceaccounts:my-namespace \
  --namespace=my-namespace
Grant a limited role to all service accounts cluster-wide (discouraged)

If you don’t want to manage permissions per-namespace, you can grant a cluster-wide role to all service accounts.
For example, grant read-only permission across all namespaces to all service accounts in the cluster:

kubectl create clusterrolebinding serviceaccounts-view \
  --clusterrole=view \
 --group=system:serviceaccounts
Grant super-user access to all service accounts cluster-wide (strongly discouraged)

If you don’t care about partitioning permissions at all, you can grant super-user access to all service accounts.

kubectl create clusterrolebinding serviceaccounts-cluster-admin \
  --clusterrole=cluster-admin \
  --group=system:serviceaccounts

User accounts Vs Service accounts

When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

Kubernetes distinguishes between the concept of a user account and a service account for a number of reasons:

  • User accounts are for humans. Service accounts are for processes, which run in pods.
  • User accounts are intended to be global. Names must be unique across all namespaces of a cluster, future user resource will not be namespaced. Service accounts are namespaced.
  • Typically, a cluster’s User accounts might be synced from a corporate database, where new user account creation requires special privileges and is tied to complex business processes. Service account creation is intended to be more lightweight, allowing cluster users to create service accounts for specific tasks (i.e. principle of least privilege).

Add-ons

Add-ons extend the functionality of Kubernetes.
For example

Calico is a secure L3 networking and network policy provider.
Flannel is an overlay network provider that can be used with Kubernetes.
Weave Net provides networking and network policy, will carry on working on both sides of a network partition, and does not require an external database.

Checking API Access

kubectl provides the auth can-i subcommand for quickly querying the API authorization layer. The command uses the SelfSubjectAccessReview API to determine if the current user can perform a given action, and works regardless of the authorization mode used.

kubectl auth can-i create deployments --namespace dev

RBAC Authorization

Role and ClusterRole

A Role can only be used to grant access to resources within a single namespace. Here’s an example Role in the “default” namespace that can be used to grant read access to pods:

A ClusterRole can be used to grant the same permissions as a Role, but because they are cluster-scoped, they can also be used to grant access to:

  • cluster-scoped resources (like nodes)
  • non-resource endpoints (like “/healthz”)
  • namespaced resources (like pods) across all namespaces (needed to run kubectl get pods --all-namespaces, for example)
RoleBinding and ClusterRoleBinding

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. Permissions can be granted within a namespace with a RoleBinding, or cluster-wide with a ClusterRoleBinding.

A RoleBinding or ClusterRoleBinding binds a role to subjects. Subjects can be groups, users or service accounts.
Service Accounts have usernames with the system:serviceaccount: prefix and belong to groups with the system:serviceaccounts: prefix.

RoleBinding

A RoleBinding may reference a Role in the same namespace. The following RoleBinding grants the “pod-reader” role to the user “jane” within the “default” namespace. This allows “jane” to read pods in the “default” namespace.

A RoleBinding may also reference a ClusterRole to grant the permissions to namespaced resources defined in the ClusterRole within the RoleBinding’s namespace. This allows administrators to define a set of common roles for the entire cluster, then reuse them within multiple namespaces.

ClusterRoleBinding

a ClusterRoleBinding may be used to grant permission at the cluster level and in all namespaces.

Privilege Escalation

A user can only create/update a role binding if they already have all the permissions contained in the referenced role (at the same scope as the role binding) or if they’ve been given explicit permission to perform the bind verb on the referenced role. For example, if “user-1” does not have the ability to list secrets cluster-wide, they cannot create a ClusterRoleBinding to a role that grants that permission.

reference

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions

zhixingheyi_tian
关注
专栏目录
如何使用RBAC授权和OPA来保护Kubernetes集群 Securing Kubernetes Clusters with RBAC Authorization
程序员光剑
08-13 97
Kubernetes是一个开源容器集群管理系统,通过提供自动化部署、横向扩展和滚动更新等功能,能够方便地部署容器化应用。它具有强大的API,允许用户创建、配置和管理多个容器化应用,并提供丰富的工具和组件来简化部署流程。在生产环境中,为了确保应用的安全性,需要对集群进行保护,以防止恶意攻击或安全漏洞导致的应用损失。在Kubernetes集群中,可以使用基于角色的访问控制(RBAC)和开放策略代理(OPA)实现权限控制。本文将讨论如何使用RBAC授权和OPA来保护Kubernetes集群。
kubernetes Authorization
xiaomin1991222的专栏
03-09 158
kubernetes授权设置 在kubernetes中授权 和 认证是各自独立的部分。认证部分参见 kubernetes认证。授权操作适用于所有面向于kubernetes api的http请求。 授权 将会针对每一个请求,根据访问策略来检查对比请求中的属性信息(比如 用户,资源,namespace等)。一个API请求必须满足指定的策略才能继续执行。 有如下几种策略方式: --autho...
Kubernetes(k8s)的授权(Authorization)策略解析
最新发布
专注于数据库技术分享,包含但不限于Oracle,MySQL,PostgreSQL,ElasticSearch及国产数据库等
05-09 1026
Kubernetes(k8s)的授权(Authorization)策略决定了已经通过认证的用户或服务账户可以访问哪些资源以及可以执行哪些操作。在实际应用中,通常推荐使用RBAC,因为它提供了细粒度的权限控制且易于管理。配置文件中的授权模式通过API Server启动参数。在多种模式并存时,只要有任何一种模式允许访问,请求就被认为是授权通过;如果所有模式都拒绝访问,则请求被拒绝。指定,可以组合使用多种模式,如。
Kubernetes认证和准入控制
qq42004的博客
04-13 811
让一个用户(Users)扮演一个角色(Role),角色拥有权限,从而让用户拥有这样的权限,随后在授权机制当中,只需要将权限授予某个角色,此时用户将获取对应角色的权限,从而实现角色的访问控制。当采用RBAC的方式进行授权时,把对对象(k8s的资源一类)的操作权限定义到一个角色当中,再将用户绑定到该角色,从而使用户得到对应角色的权限。如果是通过rolebinding绑定role,只能对rolebingding所在的名称空间的资源有权限,属于名称空间级别的。
kubernetes视频教程笔记 (31)-安全-鉴权Authorization
软件工程小施同学 的专栏
12-15 441
一、Authorization 上面认证过程,只是确认通信的双方都确认了对方是可信的,可以相互通信。而鉴权是确定请求方有哪些资源的权限。 API Server 目前支持以下几种授权策略 (通过 API Server 的启动参数 “--authorization-mode” 设置) AlwaysDeny:表示拒绝所有的请求,一般用于测试 AlwaysAllow:允许接收所有请求,如果集群不需要授权流程,则可以采用该策略 ABAC(Attribute-Based Access Control):...
k8s-Authorization鉴权
kxq的博客
12-05 3165
所谓鉴权就是创建用后,将k8s的权限按照需求将权限分配给该用户。 1.创建用户和密码 adduser userdev passwd userdev 2.创建证书: mkdir -p /usr/local/install-k8s/cert/userdev vim /usr/local/install-k8s/cert/userdev/userdev-csr.json { "CN": "userdev", "hosts": [], "key": { "algo": "rsa",
Kubernetes
01-22 241
Kubernetes-Docker集群管理 Kubernetes介绍 Kubernetes-Docker集群管理(理论) Kubernetes是一个开源的Docker容器编排系统,Kubernetes简称K8S。 调度计算集群的节点,动态管理上面的作业 通过使用[labels]和[pods]的概念,将应用按逻辑单元进行分组 1、K8S用于容器应用程序的部署,扩展和管理 2、K8S提供了容器编排,资...
Kubernetes RBAC Authorization(基于角色的访问控制)
山不转的博客
07-12 4892
基于角色的访问控制(RBAC),是一种其于用户的角色控制其对资源访问的方法。RBAC利用rbac.authorization.k8s.io API组实现授权决策,允许管理通过kubernetes API动态配置策略。在kubernetes 1.8版本中RBAC成为稳定特性,由rbac.authorization.k8s.io/v1 API在后端实现。通过为apiserver指定--authoriz...
k8s安全机制(认证授权)
BushRo
03-28 2117
文章目录Kubernetes 安全机制Authentication 认证https证书认证需要认证的节点两种类型安全性说明证书颁发kubeconfigServiceAccountSecret 与 SA 的关系授权 Kubernetes 安全机制 Kubernetes 作为一个分布式集群的管理工具,保证集群的安全性是其一个重要的任务。API Server 是集群内部各个组件通信的中介,也是外部控制的入口。所以 Kubernetes 的安全机制基本就是围绕保护 API Server 来设计的。Kubernete
kubernetes访问控制——Authentication认证、Authorization授权、服务账户的自动化
Aimee_c的博客
07-05 2249
文章目录1.kubernetes API 访问控制2. Authentication(认证)1.创建serviceaccount2.添加secrets到serviceaccount3.把serviceaccount和pod绑定起来:4. 创建UserAccount3. Authorization(授权)3.1 RBAC(基于角色访问控制授权)介绍3.2 RBAC授权1.创建Role(权限的集合)2. RoleBinding和ClusterRoleBinding3.1 RBAC 1.kubernetes AP
kubernetes-dashboard.yaml
08-11
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -...
k8s安全 认证 鉴权 准入控制之二:授权(Authorization)
热门推荐
张成基
07-06 2万+
系列文章链接 k8s安全 认证 鉴权 准入控制之一:认证(Authentication) k8s安全 认证 鉴权 准入控制之二:授权(Authorization) 授权(Authorization) ·上面认证过程,只是确认通信的双方都确认了对方是可信的,可以相互通信。而鉴权是确定请求方有哪些资源的权 限。API Server 目前支持以下几种授权策略 (通过 API Server 的启动参数 “–authorization-mode” 设置) 默认使用RBAC AlwaysDeny:表示拒绝所有的请
Prometheus Thanos部署手册
因上努力,果上随缘。但行好事,莫问前程。
01-04 528
thanos安装以下组件:query #查询 (通过prometheus和storegateway)compactor #压缩和降采样storegateway #为query提供查询objstoresidecar #在kube-prometheus-stack安装时已安装, 用于数据上传和query查询ruler #(可不安装)
k8s 部署kubernetes-dashboard 管理界面的权限设置
255.255.255.0
06-04 2589
#部署kubernetes-dashboard后web界面提示 #清理旧提权 kubectl delete clusterrolebinding serviceaccount-cluster-admin #创建集群用户 kubectl create clusterrolebinding serviceaccount-cluster-admin --clusterrole=cluster-admin --user=system:serviceaccount:kubernetes-dash...
Kubernetes 1.6新特性:RBAC授权
程序源234的专栏
04-15 1万+
概述 Kuberntes中API Server的访问控制过程图示如下: 在Kubernetes中,授权(authorization)是在认证(authentication)之后的一个步骤。授权就是决定一个用户(普通用户或ServiceAccount)是否有权请求Kubernetes API做某些事情。 之前,Kubernetes中的授权策略主要是ABAC(Attribut
k8s(十四)、RBAC权限控制
ywq935的博客
12-06 1万+
前言 kubernetes 集群相关所有的交互都通过apiserver来完成,对于这样集中式管理的系统来说,权限管理尤其重要,在1.5版的时候引入了RBAC(Role Base Access Control)的权限控制机制. PS: RBAC作为集群管理的基础组件之一,本该放在最前面几篇,但是最近才想起来这个方面的知识点,赶紧梳理总结输出了本篇 工作流程 流程图 流程拆解 一、基于资源申明和管...
kubernetes安全控制认证与授权(二)
程序源234的专栏
07-29 7441
本文将继续kubernetes授权体系。授权主要是用于对集群资源的访问控制,通过检查请求包含的相关属性值,与相对应的访问策略相比较,API请求必须满足某些策略才能被处理。跟认证类似,Kubernetes也支持多种授权机制,并支持同时开启多个授权插件(只要有一个验证通过即可)。如果授权成功,则用户的请求会发送到准入控制模块做进一步的请求验证;对于授权失败的请求则返回HTTP 403。
【收藏】docker的privileged 与 k8s的privileged 设置方式
学亮编程手记
07-28 1613
https://blog.csdn.net/Asa_Prince/article/details/113865008
Kubernetes Dashboard安装与安全访问指南
可以参考访问控制文档(https://github.com/kubernetes/dashboard/wiki/Access-control#authorization-header),例如,通过设置ServiceAccount和RoleBinding来限制权限。 4. 启动Dashboard:启动Dashboard通常涉及...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值