RBAC

Tech 2022-07-10

1. What is RBAC

RBAC (Role-Based Access Control), as the name says, grants permissions to a role so that whoever holds that role can access the corresponding resources. In Kubernetes those permissions are expressed at two scopes: namespace level (Role/RoleBinding) and cluster level (ClusterRole/ClusterRoleBinding). Both are standard Kubernetes resources and can be defined directly. A Kubernetes cluster authenticates two kinds of accounts: user accounts (administrators and other human callers) and service accounts (pods). These accounts are the "User" referred to below; the two kinds serve different callers.

A ServiceAccount exists so that processes inside a Pod can call the Kubernetes API or other external services. A user account is designed for people, whereas a ServiceAccount is for the processes in a Pod. In addition, a user account is not tied to any namespace, while a ServiceAccount is confined to the namespace it was created in.

Create a ServiceAccount (sa). The output below is from an older cluster where a token Secret was still generated automatically for each ServiceAccount; since Kubernetes 1.24 that Secret is no longer created by default, and tokens are requested on demand instead.

    # create the account
    [root@k-m73 sa]# cat mysa.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: null
      name: mysa
    [root@k-m73 sa]# kubectl get sa
    NAME      SECRETS   AGE
    default   1         46h
    mysa      1         36h
    [root@k-m73 sa]# kubectl describe sa mysa
    Name:                mysa
    Namespace:           default
    Labels:              <none>
    Annotations:
    Image pull secrets:  <none>
    Mountable secrets:   mysa-token-gk2qx
    Tokens:              mysa-token-gk2qx
    Events:              <none>
    [root@k-m73 sa]# kubectl get secret
    NAME                  TYPE                                  DATA   AGE
    default-token-b88nd   kubernetes.io/service-account-token   3      47h
    mysa-token-gk2qx      kubernetes.io/service-account-token   3      36h

Create a UserAccount and sign a certificate for it with the cluster CA

The API server takes the username from the certificate's CN (and group membership from its O fields), so the CN below is what later appears as User "mysa" in RBAC decisions and error messages.

    #!/bin/bash
    cd /etc/kubernetes/pki/
    (umask 077; openssl genrsa -out mysa.key 2048)
    openssl req -new -key mysa.key -out mysa.csr -subj "/CN=mysa"
    # sign the CSR with the cluster CA; mine is valid for 8 days
    openssl x509 -req -in mysa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mysa.crt -days 8
    # print the certificate details
    openssl x509 -in mysa.crt -text -noout
    # create the UserAccount mysa by writing its credentials into kubeconfig with set-credentials
    kubectl config set-credentials mysa --client-certificate=./mysa.crt --client-key=./mysa.key --embed-certs=true
    kubectl config view

Configure a context for mysa

    kubectl config set-context mysa@kubernetes --cluster=kubernetes --user=mysa
    [root@k-m73 pki]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://10.98.2.73:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    - context:                  # the newly generated context for mysa
        cluster: kubernetes
        user: mysa
      name: mysa@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: mysa
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED

Switch the cluster context

    [root@k-m73 pki]# kubectl config use-context mysa@kubernetes
    Switched to context "mysa@kubernetes".
    # a get now fails, because mysa@kubernetes has not been granted anything yet;
    # note it is Forbidden (authorization), not Unauthorized: the certificate itself was accepted
    [root@k-m73 pki]# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "mysa" cannot list resource "pods" in API group "" in the namespace "default"
    # switch back to the default admin context
    [root@k-m73 pki]# kubectl config use-context kubernetes-admin@kubernetes
    Switched to context "kubernetes-admin@kubernetes".

Create a new cluster entry

    kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://10.98.2.73:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
    kubectl config view --kubeconfig=/tmp/test.conf

RBAC authorization

RBAC binding flow:

1. Define a Role: which operations (verbs) are permitted on which objects (resources). A Role can only allow; there are no deny rules.
2. Define a user account or a service account.
3. Bind the two with a RoleBinding: the user account or service account (the subject) is bound to the Role.

Create a Role that can only view pods: kubectl apply -f role.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pods-reader
      namespace: opx
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]   # read-only verbs, assumed from "view" above

Create a RoleBinding that binds the mysa user created above: kubectl apply -f role-bing.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: jbjb-read-pods
      namespace: opx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: pods-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: mysa

Namespace admin privileges

This references the built-in admin ClusterRole from a RoleBinding, so the grant applies only inside the default namespace, not cluster-wide.

    [root@k-m73 role]# kubectl create rolebinding default-ns-admin --clusterrole=admin --user=mysa
    rolebinding.rbac.authorization.k8s.io/default-ns-admin created

Create a system user to test with

Note that the copied kubeconfig still carries the kubernetes-admin client certificate alongside mysa; for a real user, write a kubeconfig that contains only the mysa user and context.

    useradd k8s
    passwd k8s
    cp -rp .kube/ /home/k8s/
    chown -R k8s:k8s /home/k8s/
    # simulate a login
    [root@k-m73 ~]# su - k8s
    上一次登录:三 7月 1 10:58:23 CST 2020pts/1 上
    [k8s@k-m73 ~]$ kubectl get pods
    NAME                     READY   STATUS    RESTARTS   AGE
    busybox1                 1/1     Running   45         45h
    sa-v1-66757f4cf6-cj9fm   1/1     Running   0          9h
    [k8s@k-m73 ~]$ kubectl get pods -n opx
    NAME                       READY   STATUS    RESTARTS   AGE
    busybox1                   1/1     Running   45         45h
    http-v1-7675d88556-m99ps   1/1     Running   0          47h
    http-v1-7675d88556-ww78t   1/1     Running   0          47h
    # this fails because the Role was granted only in the opx namespace (and the admin binding only in default),
    # so pods in any other namespace cannot be viewed
    [k8s@k-m73 ~]$ kubectl get pods -n kube-system
    Error from server (Forbidden): pods is forbidden: User "mysa" cannot list resource "pods" in API group "" in the namespace "kube-system"

Deleting is allowed too (in default only: that comes from the default-ns-admin binding to the admin ClusterRole, while pods-reader in opx permits no delete)

    [k8s@k-m73 ~]$ kubectl delete pods sa-v1-66757f4cf6-cqfhb
    pod "sa-v1-66757f4cf6-cqfhb" deleted
    [k8s@k-m73 ~]$ kubectl get pods
    NAME                     READY   STATUS    RESTARTS   AGE
    busybox1                 1/1     Running   45         45h
    sa-v1-66757f4cf6-l4k2d   1/1     Running   0          24s
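To make the binding flow and the Forbidden results above concrete, here is an added example (not from the original post and not the kube-apiserver's code) that models the RBAC decision for user mysa with the page's two bindings: the pods-reader Role in opx and the admin ClusterRole bound by a RoleBinding in default. It assumes the admin ClusterRole can be simplified to "everything in the namespace"; the real one excludes a few resources.

```python
# Added example: a tiny model of the Kubernetes RBAC decision described on this page.
# Not the kube-apiserver's code; roles and bindings below are constructed from the post.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def allows(self, group, resource, verb):
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))

def rule(groups, resources, verbs):
    return Rule(frozenset(groups), frozenset(resources), frozenset(verbs))

# Roles are namespaced: keyed by (namespace, name). pods-reader mirrors the page's role.yaml.
ROLES = {("opx", "pods-reader"): [rule([""], ["pods"], ["get", "list", "watch"])]}
# ClusterRoles are cluster-wide. Assumption: the built-in "admin" ClusterRole is
# simplified to "everything"; the real one excludes a few resources (e.g. quotas).
CLUSTER_ROLES = {"admin": [rule(["*"], ["*"], ["*"])]}
# RoleBindings: (namespace, roleRef.kind, roleRef.name, subject user).
ROLE_BINDINGS = [
    ("opx", "Role", "pods-reader", "mysa"),        # jbjb-read-pods
    ("default", "ClusterRole", "admin", "mysa"),   # default-ns-admin
]
CLUSTER_ROLE_BINDINGS = []  # (clusterrole name, user); mysa has none, so nothing cluster-wide

def can_i(user, verb, resource, namespace, group=""):
    """Default-deny: allowed only if some binding covering the namespace grants a
    rule matching (group, resource, verb). RBAC has no deny rules to evaluate."""
    rules = []
    for ns, kind, name, subject in ROLE_BINDINGS:
        if subject != user or ns != namespace:
            continue  # a RoleBinding only grants inside its own namespace,
                      # even when it references a ClusterRole
        rules += ROLES.get((ns, name), []) if kind == "Role" else CLUSTER_ROLES.get(name, [])
    for name, subject in CLUSTER_ROLE_BINDINGS:
        if subject == user:
            rules += CLUSTER_ROLES.get(name, [])
    return any(r.allows(group, resource, verb) for r in rules)

if __name__ == "__main__":
    for verb, ns in [("list", "opx"), ("delete", "opx"), ("delete", "default"), ("list", "kube-system")]:
        print(f"mysa {verb} pods -n {ns}: {'yes' if can_i('mysa', verb, 'pods', ns) else 'no (Forbidden)'}")
```

The same questions can be put to a real cluster with kubectl auth can-i, which is the check worth running before handing a kubeconfig to anyone.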