第一章、RBAC介紹
在Kubernetes中,授權有ABAC(基於屬性的訪問控制)、RBAC(基於角色的訪問控制)、Webhook、Node、AlwaysDeny(一直拒絕)和AlwaysAllow(一直允許)這6種模式。從1.6版本起,Kubernetes 默認啟用RBAC訪問控制策略。從1.8開始,RBAC已作為穩定的功能。通過設置–authorization-mode=RBAC,啟用RABC。在RABC API中,通過如下的步驟進行授權:1)定義角色:在定義角色時會指定此角色對於資源的訪問控制的規則;2)綁定角色:將主體與角色進行綁定,對用戶進行訪問授權。
1、 角色和集群角色
在RBAC API中,角色包含代表權限集合的規則。在這里,權限只有被授予,而沒有被拒絕的設置。在Kubernetes中有兩類角色,即普通角色和集群角色。可以通過Role定義在一個命名空間中的角色,或者可以使用ClusterRole定義集群范圍的角色。一個角色只能被用來授予訪問單一命令空間中的資源。 集群角色(ClusterRole)能夠被授予如下資源的權限: 集群范圍的資源(類似於Node) 非資源端點(類似於”/healthz”) 集群中所有命名空間的資源(類似Pod)
2、角色綁定和集群角色綁定
角色綁定用於將角色與一個或一組用戶進行綁定,從而實現將對用戶進行授權的目的。主體分為用戶、組和服務帳戶。角色綁定也分為角色普通角色綁定和集群角色綁定。角色綁定只能引用同一個命名空間下的角色。
角色綁定也可以通過引用集群角色授予訪問權限,當主體對資源的訪問僅限與本命名空間,這就允許管理員定義整個集群的公共角色集合,然后在多個命名空間中進行復用。
集群角色可以被用來在集群層面和整個命名空間進行授權。
3、資源
在Kubernets中,主要的資源包括:Pods、Nodes、Services、Deployment、Replicasets、Statefulsets、Namespace、Persistents、Secrets和ConfigMaps等。另外,有些資源下面存在子資源,例如:Pod下就存在log子資源
4、主體
RBAC授權中的主體可以是組,用戶或者服務帳戶。用戶通過字符串表示,比如“alice”、 “bob@example.com”等,具體的形式取決於管理員在認證模塊中所配置的用戶名。system:被保留作為用來Kubernetes系統使用,因此不能作為用戶的前綴。組也有認證模塊提供,格式與用戶類似。
第二章、簡單示例
1、使用RoleBanding將用戶綁定到Role上
查看命令幫助及格式
[root@k8s-master01 ~]# kubectl create role -h #查看創建role的命令幫助,以及一些簡單的示例 [root@k8s-master01 RBAC]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml #通過 -o參數導出yaml格式,可以大致看到Role是如何定義的 [root@k8s-master01 RBAC]# cat role-demo.yaml #最后完成的yaml文件如下 apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pods-reader namespace: default #名稱空間名稱 rules: - apiGroups: - "" resources: #包含哪些資源 - pods verbs: #對以上資源允許進行哪些操作 - get
- list - watch
創建role
[root@k8s-master01 RBAC]# kubectl apply -f role-demo.yaml role.rbac.authorization.k8s.io "pods-reader" created [root@k8s-master01 RBAC]# kubectl get role #查看role的信息 NAME AGE pods-reader 8s [root@k8s-master01 RBAC]# kubectl describe role pods-reader #查看pods-reader 的詳細信息 Name: pods-reader Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup... PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch] # Resources:資源類別,表示對該資源類別下的所有資源進行操作 Non-Resource URLs:非資源URL,對某些資源進行某種特殊操作的存在 Resource Names:對資源類別下某個或多個資源進行操作 Verbs:操作的類型
創建一個RoleBinding,將用戶qiangungun(該用戶在上一章節serviceaccount中已經被創建)綁定到pods-reader 這個role上去
[root@k8s-master01 ~]# kubectl create rolebinding -h #查看命令幫助 kubectl create rolebinding qiangungun-read-pods --role=pods-reader --user=qiangungun --dry-run -o yaml #創建名稱為qiangungun-read-pods的rolebinding,綁定到名稱為pods-reader的role上 [root@k8s-master01 RBAC]# cat rolebinding-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: qiangungun-read-pods roleRef: #role引用,表示引用哪個role apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: #動作的執行主題 - apiGroup: rbac.authorization.k8s.io kind: User name: qiangungun [root@k8s-master01 RBAC]# kubectl describe rolebinding qiangungun-read-pods Name: qiangungun-read-pods Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"qiangungun-read-pods","namespace":"default"},"ro...
Role: Kind: Role Name: pods-reader Subjects: Kind Name Namespace ---- ---- --------- User qiangungun
驗證操作
[root@k8s-master01 RBAC]# kubectl config use-context qiangungun@kubernetes #前后當前上下文到qiangungun用戶 Switched to context "qiangungun@kubernetes". [root@k8s-master01 RBAC]# kubectl get pods #獲取當前名稱空間的pod信息,可以看到能夠正常顯示 NAME READY STATUS RESTARTS AGE myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d [root@k8s-master01 RBAC]# kubectl get pods -n kube-system #查看其它空間pod的信息,可以看到提示沒有權限,即驗證RoleBanding的權限只對當前的名稱空間生效 Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "kube-system"
2、使用ClusterRoleBanding將用戶綁定到ClusterRole上
創建一個ClusterRole
[root@k8s-master01 RBAC]# kubectl config use-context kubernetes-admin@kubernetes #切換上下文 Switched to context "kubernetes-admin@kubernetes". [root@k8s-master01 RBAC]# kubectl create clusterrole -h [root@k8s-master01 RBAC]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run [root@k8s-master01 RBAC]# cat clusterrole-cluster.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-reader #ClusterRole屬於集群級別,所有不可以定義namespace rules: - apiGroups: - "" resources: - pods verbs: - get
- list - watch [root@k8s-master01 RBAC]# kubectl apply -f clusterrole-cluster.yaml [root@k8s-master01 RBAC]# useradd admin [root@k8s-master01 RBAC]# cp -rp ~/.kube/ /home/admin [root@k8s-master01 RBAC]# chown -R admin:admin /home/admin [root@k8s-master01 RBAC]# su - admin [admin@k8s-master01 ~]$ kubectl config use-context qiangungun@kubernetes [admin@k8s-master01 ~]$ kubectl config view
創建一個ClusterRoleBinding,將用戶qiangungun綁定到cluster-reader這個ClusterRole上面去
[root@k8s-master01 RBAC]# kubectl delete rolebinding qiangungun-read-pods #root用戶 [admin@k8s-master01 ~]$ kubectl get pods #admin用戶下驗證 Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "default" [root@k8s-master01 RBAC]# kubectl create clusterrolebinding -h [root@k8s-master01 RBAC]# kubectl create clusterrolebinding qiangungun-read-all-pods --clusterrole=cluster-reader --user=qiangungun --dry-run -o yaml #創建名稱為qiangungun-read-all-pods的才clusterrolebinding,將名稱為cluster-reader的clusterrole綁定到用戶名稱為qiangungun上 [root@k8s-master01 RBAC]# cat clusterrolebinding-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: qiangungun-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: qiangungun [root@k8s-master01 RBAC]# kubectl apply -f clusterrolebinding-demo.yaml [root@k8s-master01 RBAC]# kubectl describe clusterrolebinding qiangungun-read-all-pods
驗證
#切換到admin用戶終端下 [admin@k8s-master01 ~]$ kubectl get pods #可以查看當前名稱空間pod信息 NAME READY STATUS RESTARTS AGE myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d [admin@k8s-master01 ~]$ kubectl get pods -n ingress-nginx #可以查看其他空間的pod信息 NAME READY STATUS RESTARTS AGE default-http-backend-66c4fbf5b4-m8d6j 1/1 Running 0 24d nginx-ingress-controller-64bcff8657-6j4tq 1/1 Running 0 24d [admin@k8s-master01 ~]$ kubectl delete pod myapp-deploy-5cfd895984-262kz #無法刪除pod Error from server (Forbidden): pods "myapp-deploy-5cfd895984-262kz" is forbidden: User "qiangungun" cannot delete pods in the namespace "default"
3、使用RoleBinding綁定ClusterRole
創建一個RoleBinding(ClusterRole使用以及存在的),並將用戶綁定到ClusterRole上
[root@k8s-master01 RBAC]# kubectl delete clusterrolebinding qiangungun-read-all-pods #為了避免沖突,先將之前的clusterrolebinding刪除 clusterrolebinding.rbac.authorization.k8s.io "qiangungun-read-all-pods" deleted [root@k8s-master01 RBAC]#kubectl create rolebinding qiangungun-read-pods --clusterrole=cluster-reader --user=qiangungun --dry-run -o yam [root@k8s-master01 RBAC]# cat rolebinding-cluster-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: qiangungun-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: qiangungun [root@k8s-master01 RBAC]# kubectl apply -f rolebinding-cluster-demo.yaml rolebinding.rbac.authorization.k8s.io "qiangungun-read-pods" created [root@k8s-master01 RBAC]# kubectl describe rolebinding qiangungun-read-pods
驗證:
#admin用戶終端下 [admin@k8s-master01 ~]$ kubectl get pods #可以獲取當前名稱空間的pod信息 NAME READY STATUS RESTARTS AGE myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d [admin@k8s-master01 ~]$ kubectl get pods -n ingress-nginx #不可用獲取其他名稱空間的信息 Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "ingres
4、使用RoleBinding綁定集群自帶的ClusterRole
[root@k8s-master01 RBAC]# kubectl get clusterrole #查看當前集群存在的clusterrole [root@k8s-master01 RBAC]# kubectl create rolebinding default-ns-admin --clusterrole=admin --user=qiangungun --dry-run -o yaml #將qiangungun用戶綁定到名稱為admin的clusterrole上,可以使用get查看admin的配置 [root@k8s-master01 RBAC]# cat rolebinding-cluster-admin-demo.yaml piVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-ns-admin namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: qiangungun [root@k8s-master01 RBAC]# kubectl apply -f rolebinding-cluster-admin-demo.yaml [root@k8s-master01 RBAC]# kubectl describe rolebinding default-ns-admin
驗證
#admin用戶終端下 [admin@k8s-master01 ~]$ kubectl get pods #可以獲取當前名稱空間的pod信息 NAME READY STATUS RESTARTS AGE myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d ...... [admin@k8s-master01 ~]$ kubectl delete pod myapp-deploy-5cfd895984-262kz #可以刪除當前名稱空間的pod pod "myapp-deploy-5cfd895984-262kz" deleted [admin@k8s-master01 ~]$ kubectl get deploy #可以查看名稱空間中的其他資源,如deployment NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE nginx-deploy 5 5 5 5 3d [admin@k8s-master01 ~]$ kubectl delete deployment nginx-deploy #可以刪除當前名稱空間的其他資源,如deployment deployment.extensions "nginx-deploy" deleted [admin@k8s-master01 ~]$ kubectl get pods -n kube-system #對其名稱空間沒有任何權限 Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "kube-system"
第三章、Role、CluseterRole、RoleBinding、ClusterRoleBinding在系統的相關聯系
[root@k8s-master01 RBAC]# kubectl get clusterrolebinding #查看集群中的clusterrolebingding NAME AGE cluster-admin 31d ...... [root@k8s-master01 RBAC]# kubectl get clusterrolebinding cluster-admin -o yaml #獲取名稱為cluster-admin的clusterrolebingding配置信息 apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: 2018-10-30T02:32:22Z labels: kubernetes.io/bootstrapping: rbac-defaults name: cluster-admin resourceVersion: "103" selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin uid: 07b1d436-dbec-11e8-8969-5254001b07db roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group #類型是一個組 name: system:masters #這個組中包含了kubernetes-admin這個用戶,而這個用戶是默認的當前使用用戶 [root@k8s-master01 RBAC]# kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: https://172.16.150.212:6443
name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin #默認使用的當前用戶 name: kubernetes-admin@kubernetes - context: cluster: kubernetes user: qiangungun name: qiangungun@kubernetes current-context: kubernetes-admin@kubernetes #當前的使用sa kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED - name: qiangungun user: client-certificate-data: REDACTED client-key-data: REDACTED [root@k8s-master01 RBAC]# cd /etc/kubernetes/pki/ [root@k8s-master01 pki]# openssl x509 -in ./apiserver-kubelet-client.crt -text -noout #查看證書簽發的內容 Certificate: Data: Version: 3 (0x2) Serial Number: 3187679453637891293 (0x2c3ce992f3e5d4dd) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=kubernetes Validity Not Before: Oct 30 02:32:03 2018 GMT Not After : Oct 30 02:32:03 2019 GMT Subject: O=system:masters, CN=kube-apiserver-kubelet-client #kubernetes-admin用戶之所以屬於system:master這個組,是因為在它的的證書中定義的,O表示組,如果以后我們想一次授權多個用戶,可以將這些用戶添加至一個組內,然后給這個組授權即可 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) .....
#如果RoleBinding或者ClusterRoleBinding的對象是serviceaccount,,那么任意一個pod(spec.serviceAcountName中定義)如果啟動時以這個serviceaccount name作為它是以的serviceaccount,那么pod中的應用程序也同時擁有了這個serviceaccount的權限,也就是擁有該serviceaccount綁定的Role或者ClusterRole的權限。系統上一下特殊的pod可能需要做這樣的設置,下面我就以集群創建時使用的flannel網絡插件為示例講解
查看flannel的配置
[root@k8s-master01 kubernetes]# cat kube-flannel.yml #flannel的配置文件 --- kind: ClusterRole #定義一個ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: flannel rules: - apiGroups: - "" resources: - pods verbs: - get
- apiGroups: - "" resources: - nodes verbs: - list - watch - apiGroups: - "" resources: - nodes/status verbs: - patch --- kind: ClusterRoleBinding #定義了一個ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: flannel roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: flannel subjects: - kind: ServiceAccount name: flannel namespace: kube-system --- apiVersion: v1 kind: ServiceAccount #定義了一個ServiceAccount metadata: name: flannel namespace: kube-system --- kind: ConfigMap apiVersion: v1 metadata: name: kube-flannel-cfg namespace: kube-system labels: tier: node app: flannel data: cni-conf.json: | { "name": "cbr0", "plugins": [ { "type": "flannel", "delegate": { "hairpinMode": true, "isDefaultGateway": true } }, { "type": "portmap", "capabilities": { "portMappings": true } } ] } net-conf.json: | { "Network": "10.244.0.0/16", "Backend": { "Type": "vxlan" } } --- ......(以下省略)
查看flannel創建的pod信息
[root@k8s-master01 kubernetes]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE etcd-k8s-master01 1/1 Running 0 32d kube-apiserver-k8s-master01 1/1 Running 0 32d kube-controller-manager-k8s-master01 1/1 Running 0 7d kube-dns-86f4d74b45-72kdh 3/3 Running 0 32d kube-flannel-ds-amd64-847wt 1/1 Running 0 32d kube-flannel-ds-amd64-9v9t6 1/1 Running 0 32d kube-flannel-ds-amd64-k4blq 1/1 Running 0 32d kube-proxy-8l9tf 1/1 Running 0 32d kube-proxy-m6pqm 1/1 Running 0 32d kube-proxy-scj8n 1/1 Running 0 32d kube-scheduler-k8s-master01 1/1 Running 0 32d [root@k8s-master01 kubernetes]# kubectl get pod kube-flannel-ds-amd64-847wt -n kube-system -o yaml ......(省略) serviceAccount: flannel serviceAccountName: flannel #表示當前的pod在啟動容器時,運行的進程與APIserver進行通訊的時候,會以serviceAccountName的賬號與APIserver進行連接,從而獲得該serviceaccount的權限 .....(省略)
下面是一張我個人總結的關於user綁定到不同的Role和Binding時所擁有的權限邊界
| User |
Binding 類型 |
Role 類型 |
權限 |
| RoleBinding |
Role |
namespace |
|
| ClusterRoleBinding |
ClusterRole |
Cluster |
|
| RoleBinding |
ClusterRole |
namespace |