http://blog.itpub.net/28916011/viewspace-2215100/
對作者文章有點改動
注意kubeadm創建的k8s集群里面的認證key是有有效期的,這是一個大坑!!!!!!
目前RBAC是k8s授權方式最常用的一種方式。
在k8s上,一個客戶端向apiserver發起請求,需要如下信息:
1)username,uid, 2) group, 3) extra(額外信息) 4) API 5) request path,例如:http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/d 6)HTTP request action,如get,post,put,delete, 7)Http request action,如 get,list,create,udate,patch,watch,proxy,redirect,delete,deletecollection 8) Rresource 9)Subresource 10)Namespace 11)API group
K8s可以支持多版本並存。
其實,我們用kubectl向apiserver發起的命令,都是http方式的。
k8s驗證分為useraccount和serviceaccount。
可以用代理:
[root@master ~]# kubectl proxy --port=8080 [root@master ~]# curl [root@master ~]# kubectl get deploy -n kube-system NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE coredns 2 2 2 2 20d [root@master ~]# curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments
[root@master ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 12d
[root@master ~]# kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 172.16.100.64:6443
Session Affinity: None
Events: <none>
上面我們看到10.96.0.1是kubernetes apiserver的地址,從而實現了集群外部通過10.96.0.1訪問集群內部的pod,同時也實現了集群內部的pod訪問集群外部的應用的功能。
只要訪問apiserver,就必須實現認證。而認證信息是存儲在pod中的。
[root@master ~]# kubectl explain pods.spec.serviceAccountName
[root@master manifests]# kubectl create serviceaccount mysa -o yaml --dry-run > mysa.yaml
[root@master manifests]# cat mysa.yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: null name: mysa
上面我們可以看到,只要是kubectl create的,只要加上-o yaml,就可以導出清單文件,這樣我們以后就不用從頭到尾寫清單文件了,而是只要生產一個,然后改改就行了,這個很不錯。
另外kubectl get 也可以導出yaml格式的,如下:
[root@master manifests]# kubectl get pods myapp-1 -o yaml --export
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
generateName: myapp-
labels:
app: myapp-pod
controller-revision-hash: myapp-8598dd746f
statefulset.kubernetes.io/pod-name: myapp-1
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: StatefulSet
name: myapp
uid: a98ebc48-c24f-11e8-bb35-005056a24ecb
selfLink: /api/v1/namespaces/default/pods/myapp-1
spec:
containers:
- image: ikubernetes/myapp:v1
imagePullPolicy: IfNotPresent
name: myapp
ports:
- containerPort: 80
name: web
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/share/nginx/html
name: myappdata
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-5r85r
readOnly: true
dnsPolicy: ClusterFirst
hostname: myapp-1
nodeName: node2
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
subdomain: myapp-svc
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- name: myappdata
persistentVolumeClaim:
claimName: myappdata-myapp-1
- name: default-token-5r85r
secret:
defaultMode: 420
secretName: default-token-5r85r
status:
phase: Pending
qosClass: BestEffort
將上面的改改就成為我們新的配置清單了。
創建service account
[root@master manifests]# kubectl create serviceaccount admin serviceaccount/admin created
[root@master manifests]# kubectl get sa NAME SECRETS AGE admin 1 2s default 1 20d
[root@master manifests]# kubectl describe sa admin Name: admin Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: admin-token-6jpc5 Tokens: admin-token-6jpc5 Events: <none>
[root@master manifests]# kubectl get secret NAME TYPE DATA AGE admin-token-6jpc5 kubernetes.io/service-account-token 3 57s
看到自動就會多一個token。
下面我們用配置清單把serviceaccount和pod綁定起來。
[root@master k8syaml]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
tier: frontend
annotations:
lihongxing.com/created-by: "cluster admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
serviceAccountName: admin
[root@master k8syaml]# kubectl apply -f pod-sa-demo.yaml pod/pod-sa-demo created
創建useraccount
kubeconfig是客戶端連接apiserver時使用的認證格式的配置文件。
[root@master manifests]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.16.1.100:6443
name: kubernetes
contexts:
- context: #context定義了哪個集群用哪個用戶來訪問。
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
證書存放位置:
[root@master manifests]# cd /etc/kubernetes/pki/ [root@master pki]# ls apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
例子:
1、做一個私鑰
[root@master pki]# cd /etc/kubernetes/pki [root@master pki]# (umask 077; openssl genrsa -out zhixin.key 2048) Generating RSA private key, 2048 bit long modulus ...........+++ ...........+++ e is 65537 (0x10001)
括號是子shell的意思。
2、基於私鑰生成一個證書
CN就是用戶的賬戶名字。
[root@master pki]# openssl req -new -key lihongxing.key -out lihongxing.csr -subj "/CN=lihongxing"
-subj:替換或指定證書申請者的個人信息
[root@master pki]# openssl x509 -req -in lihongxing.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lihongxing.crt -days 365 Signature ok subject=/CN=lihongxing Getting CA Private Key
-days:表示證書的過期時間
x509:生成x509格式證書
4、查看證書內容
[root@master pki]# openssl x509 -in lihongxing.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
ab:45:1b:b3:92:32:59:ae
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes #證書簽署人
Validity #有效期限
Not Before: Sep 28 08:01:20 2018 GMT
Not After : Sep 28 08:01:20 2019 GMT
Subject: CN=lihongxing#一會用這個賬戶登錄k8s
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bf:e5:b1:80:1a:a6:d1:24:ca:b8:75:a1:71:08:
d2:ba:43:ee:53:a1:10:b5:7a:83:e7:8b:06:65:c7:
8a:07:02:ca:cc:8f:5c:94:a9:7a:10:24:f6:41:a0:
c6:fe:5f:21:59:21:e7:72:30:12:38:89:85:78:54:
c1:15:c4:13:33:43:9c:94:c0:dc:99:e9:f0:44:7e:
35:66:cd:e0:d9:0c:82:dc:b3:73:ee:ea:47:9e:5e:
e5:bf:0b:45:fb:a3:cf:59:67:ae:13:31:9c:dc:b6:
78:da:b2:7e:c0:7e:c2:30:c5:fd:ea:6f:94:fa:81:
19:9f:71:9c:cf:60:07:5b:fa:0d:c0:6f:2c:b4:e0:
42:d6:6d:d3:39:23:2b:f7:ad:cc:21:f8:df:89:ff:
6e:45:59:1f:5d:db:aa:fa:07:ef:fc:b3:7e:3d:b1:
dd:3e:be:5e:43:de:8f:e2:ea:aa:ec:6c:48:df:2f:
2e:20:61:e3:5c:6a:37:3e:2b:32:e5:1a:ad:35:88:
d6:d2:db:aa:26:5d:cb:67:0a:65:9e:d4:79:76:92:
9a:41:fb:df:db:85:1a:ea:5e:ff:bb:7b:2f:01:10:
9f:8e:9c:a1:fe:ae:ac:9d:43:02:40:01:f7:d6:da:
bf:5a:99:ba:d0:bf:ea:53:1e:f5:51:06:9c:ac:6f:
32:43
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
91:43:cd:36:ad:88:17:a1:81:9f:8f:ad:9b:c5:41:d7:de:aa:
6a:f0:3a:00:f2:d7:9b:0e:89:bc:51:73:cc:4f:10:85:13:70:
aa:d1:67:f8:f3:a1:6b:83:ff:99:76:7f:14:a5:b4:82:fb:1b:
fb:cf:d5:fc:b0:2f:ff:68:c4:b1:c0:ee:f9:6b:41:ea:0a:96:
2f:55:1d:d7:77:f8:70:a6:15:a4:b6:e7:6d:93:61:2e:ac:7a:
10:70:fa:f7:43:da:56:f2:d0:e9:6b:01:72:73:2d:65:ea:4d:
c4:3b:46:2d:1b:ad:f8:1f:eb:71:88:35:51:2a:dc:3a:36:fe:
63:bb:28:ee:d2:a0:d4:e0:14:95:10:96:20:2e:f3:75:12:eb:
05:8e:34:a1:dc:74:19:a5:76:0f:f2:bd:f3:56:aa:c9:40:51:
c7:bd:1f:1f:c1:ec:a5:98:c8:b8:1d:07:67:fa:1c:a0:a3:1f:
d3:ba:cb:09:52:9a:e7:59:39:ce:c8:ef:01:c2:4b:98:ff:05:
12:bf:69:36:0e:a6:a9:f6:40:34:28:36:0d:1b:76:31:b4:96:
6e:09:33:8e:d5:0a:96:77:dd:41:b3:29:db:d5:5e:fa:05:f7:
e7:90:5d:79:6d:a9:59:20:60:0f:fe:d5:b6:38:6c:1a:ee:51:
66:c3:9b:4b
5、把用戶賬戶信息添加到k8s集群中
[root@master pki]# kubectl config set-credentials lihongxing--client-certificate=lihongxing.crt --client-key=lihongxing.key --embed-certs=true User "lihongxing" set.
embed-certs:表示把用戶信息隱藏起來。
5、設置context上下文,指定zhixin用戶訪問k8s的哪個集群
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.16.1.100:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: zhixin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# kubectl config set-context lihongxing@kubernetes --cluster=kubernetes --user=lihongxing Context "lihongxing@kubernetes" created.
[root@master k8syaml]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.16.100.64:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: lihongxing
name: lihongxing@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: lihongxing
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
上面看到contexts里面有lihongxing的名字了。
6、切換到lihongxing用戶登錄k8s
[root@master pki]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes"
[root@master pki]# kubectl get pods No resources found. Error from server (Forbidden): pods is forbidden: User "lihongxing" cannot list pods in the namespace "default"
上面看到get pods時報錯了,這是因為用戶lihongxing@kubernetes沒有管理器權限。
7、切回k8s管理員
[root@master pki]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
8、設置新的k8s集群 ,感覺沒屌用這一步在實驗里面,想表達啥?
[root@master ~]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true Cluster "mycluster" set
--kubeconfig:指定認證文件位置,不指定的話默認就在~/.kube/config
--embed-certs=true 表示證書信息被隱藏
大家看到,我們上面就創建了一個新的k8s集群叫mycluster。
[root@master ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://127.0.0.1:6443
name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
RBAC(基於角色的訪問控制)
rbac:role based ac,也就是我們把用戶加入角色里面,這樣用戶就具有角色的權限了。
在k8s中,一切皆對象。
Object_URL: /apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[OJJECT_ID]
RBAC是通過rolebinding把user綁定到role上的。而role是基於namespace設定的,也就是這說這個user只能訪問指定namespace下的pod資源。
而如果把user通過clusterrolebind綁定到clusterrole上后,那么這個user就突破了namespace的限制,而擁有了集群級別的權限,即這個用戶可以訪問這個集群下所有namespace下的pod了。
但是,我們也可以用rolebinding去把user綁定到clusterrole。在上圖中,我們把user1通過rolebinding綁定到clusterrole上,但是我們知道rolebinding只限制在namespace中,所以user1也只限定在namespace中,而不是整個集群中。
[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods 注意:想要授予所有權限可以用*來表示
[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: pods-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
[root@master ~]# kubectl get role NAME AGE pods-reader 7s
[root@master ~]# kubectl describe role pods-reader Name: pods-reader Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch]
[root@master k8syaml]# kubectl create rolebinding lihongxing-read-pods --role=pods-reader --user=lihongxing rolebinding.rbac.authorization.k8s.io/lihongxing-read-pods created
[root@master ~]# kubectl create rolebinding lihongxing-read-pods --role=pods-reader --user=lihongxing-o yaml --dry-run apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: lihongxing-read-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: #就是引用的用戶 - apiGroup: rbac.authorization.k8s.io kind: User name: lihongxing
[root@master ~]# kubectl explain rolebinding
[root@master k8syaml]# kubectl describe rolebinding lihongxing-read-pods Name: lihongxing-read-pods Labels: <none> Annotations: <none> Role: Kind: Role Name: pods-reader Subjects: Kind Name Namespace ---- ---- --------- User lihongxing
[root@master k8syaml]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes".
[root@master ~]# kubectl get pods NAME READY STATUS RESTARTS AGE client 0/1 Error 0 18d filebeat-ds-bn7wf 0/1 InvalidImageName 0 4d filebeat-ds-vd287 0/1 InvalidImageName 0 3d liveness-httpget-pod 1/1 Running 7 11d myapp-0 1/1 Running 0 23h
上面我們看到先前我們建立的lihongxing用戶是沒有get pods權限的,但是我這回把它加入了pods-reader role,也就擁有了pods-reader role的權限。
[root@master k8syaml]# kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "lihongxing" cannot list resource "pods" in API group "" in the namespace "kube-system"
但是,zhixin用戶就沒有訪問kube-system權限,因為role就沒有訪問這個名稱空間的權限,而只有訪問default名稱空間的權限。
rolebinding只對namespace有效。
我們再切換回到管理員。
[root@master k8syaml]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
下面我們再定義一個clusterrole。
[root@master k8syaml]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > clusterrole-demo.yaml
[root@master k8syaml]# cat clusterrole-demo.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
[root@master k8syaml]# kubectl apply -f clusterrole-demo.yaml clusterrole.rbac.authorization.k8s.io/cluster-reader created
創建了ik8s帳號,后面可以用這個賬戶開個終端,切到lihongxing上,就不用來回在lihongxing和kubernetes-admin之間切換了
[root@master k8syaml]# useradd ik8s
[root@master k8syaml]# cp -rp /root/.kube/ /home/ik8s/
[root@master k8syaml]# chown -R ik8s.ik8s /home/ik8s/
[root@master k8syaml]# su ik8s
[ik8s@master k8syaml]$ kubectl config use-context lihongxing@kubernetes
Switched to context "lihongxing@kubernetes".
[ik8s@master k8syaml]$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.16.100.64:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: lihongxing
name: lihongxing@kubernetes
current-context: lihongxing@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: lihongxing
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[ik8s@master k8syaml]$
[ik8s@master k8syaml]$
[ik8s@master k8syaml]$
[ik8s@master k8syaml]$ exit
exit
[root@master k8syaml]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.16.100.64:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: lihongxing
name: lihongxing@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: lihongxing
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master k8syaml]#
下面開始綁定了,把之前創建的lihongxing綁定到這個clusterrole上,這樣lihongxing就擁有了讀取整個cluster的權限,上面已經驗證是無法讀取kube-system的
先刪除之前的rolebinding,可以驗證lihongxing是無法讀取default里面的pods的
[root@master k8syaml]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes". [root@master k8syaml]# kubectl get pods NAME READY STATUS RESTARTS AGE filebeat-ds-4llpp 1/1 Running 1 8d filebeat-ds-dv49l 1/1 Running 1 8d myapp-0 1/1 Running 0 16h myapp-1 1/1 Running 0 23h myapp-2 1/1 Running 0 22h myapp-3 1/1 Running 0 22h myapp-4 1/1 Running 0 22h pod-sa-demo 1/1 Running 0 61m pol-vol-hostpath 1/1 Running 1 5d18h redis-85b846ff9c-fjq69 1/1 Running 0 2d17h [root@master k8syaml]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes". [root@master k8syaml]# kubectl get rolebinding NAME AGE default-namespace-admin 16h lihongxing-read-pods 56m [root@master k8syaml]# kubectl delete rolebinding lihongxing-read-pods rolebinding.rbac.authorization.k8s.io "lihongxing-read-pods" deleted [root@master k8syaml]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes". [root@master k8syaml]# kubectl get pods Error from server (Forbidden): pods is forbidden: User "lihongxing" cannot list resource "pods" in API group "" in the namespace "default" [root@master k8syaml]# kubectl config use-context kubernetes-admin@kubernetes
上面可以發現刪除之前的綁定是無法在去訪問pod資源了
接下來進行綁定
[root@master k8syaml]# kubectl create clusterrolebinding lihongxing-read-all-pods --clusterrole=cluster-reader --user=lihongxing -o yaml --dry-run apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: lihongxing-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: lihongxing
[root@master k8syaml]# kubectl create clusterrolebinding lihongxing-read-all-pods --clusterrole=cluster-reader --user=lihongxing -o yaml --dry-run > clusterrole-demo.yaml [root@master k8syaml]# cat clusterrole-demo.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: lihongxing-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: lihongxing [root@master k8syaml]# kubectl apply -f clusterrole-demo.yaml clusterrolebinding.rbac.authorization.k8s.io/lihongxing-read-all-pods created [root@master k8syaml]# kubectl get clusterrolebinding NAME AGE lihongxing-read-all-pods 13s
[root@master k8syaml]# kubectl describe clusterrolebinding lihongxing-read-all-pods
Name: lihongxing-read-all-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"lihongxing-read-all-pod...
Role:
Kind: ClusterRole
Name: cluster-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User lihongxing
驗證,可以讀取kube-system的pod了
[root@master k8syaml]# kubectl config use-context lihongxing@kubernetes
[root@master k8syaml]# kubectl get pods NAME READY STATUS RESTARTS AGE filebeat-ds-4llpp 1/1 Running 1 8d filebeat-ds-dv49l 1/1 Running 1 8d ... [root@master k8syaml]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-78d4cf999f-lb8dp 1/1 Running 1 12d coredns-78d4cf999f-qfvns 1/1 Running 1 12d
刪是無發刪除的
[root@master k8syaml]# kubectl delete pods myapp-0 Error from server (Forbidden): pods "myapp-0" is forbidden: User "lihongxing" cannot delete resource "pods" in API group "" in the namespace "default"
可見,我們把用戶lihongxing綁定到clusterrole后,這個 用戶對所有的名稱空間都有權限了。因為cluserrolebinding是針對集群的,而rolebinding是只針對namespace的。
下面我們再測試一個,把用戶用rolebinding綁定到cluserrole里面,看是什么效果:
[root@master ~]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
[root@master ~]# kubectl delete clusterrolebinding lihongxing-read-all-pods clusterrolebinding.rbac.authorization.k8s.io "lihongxing-read-all-pods" deleted
[root@master ~]# kubectl create rolebinding lihongxing-read-pods --clusterrole=cluster-reader --user=lihongxing rolebinding.rbac.authorization.k8s.io/lihongxing-read-pods created
[root@master ~]# kubectl describe rolebinding lihongxing-read-pods Name: lihongxing-read-pods Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: cluster-read Subjects: Kind Name Namespace ---- ---- --------- User lihongxing
[root@master ~]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes".
[root@master ~]# kubectl get pods NAME READY STATUS RESTARTS AGE client 0/1 Error 0 18d filebeat-ds-bn7wf 0/1 InvalidImageName 0 4d filebeat-ds-vd287 0/1 InvalidImageName 0 3d
[root@master ~]# kubectl get pods -n kube-system No resources found. Error from server (Forbidden): pods is forbidden: User "lihongxing" cannot list pods in the namespace "kube-system"
可以看出,clusterrole用rolebinding綁定后,會被降級到rolebinding所在的namespace里面。
[root@master ~]# kubectl get clusterrole admin -o yaml resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - get - list - patch - update - watch
[root@master ~]# kubectl create rolebinding default-nameespace-admin --clusterrole=admin --user=lihongxing rolebinding.rbac.authorization.k8s.io/default-nameespace-admin created
這樣,我們就把lihongxing設置為default名稱空間的管理員,而不是其他名稱空間的管理員。這就是用rolebinding綁定clusterrole的功能。
[root@master ~]# kubectl get clusterrolebinding cluster-admin -o yaml - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
[root@master pki]# openssl x509 -in ./apiserver-kubelet-client.crt -text -noout
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
看到system:masters組具有管理員權限 ,lihongxing賬戶可以刪除了
[root@master k8syaml]# kubectl config use-context lihongxing@kubernetes Switched to context "lihongxing@kubernetes". [root@master k8syaml]# kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "lihongxing" cannot list resource "pods" in API group "" in the namespace "kube-system" [root@master k8syaml]# kubectl delete pods myapp-0 pod "myapp-0" deleted