In the previous chapter we briefly covered how cluster users are given different permissions with Role/ClusterRole/RoleBinding/ClusterRoleBinding, but the kubeconfig file used there was the admin one. In a real deployment each user should use their own kubeconfig file, so below we configure user permissions the way it is done in practice.

I. Create the dev namespace
[root@k8s-master-155-221 rbac]# cat create-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev
[root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml
namespace/dev created
[root@k8s-master-155-221 rbac]# kubectl get namespaces
NAME              STATUS   AGE
default           Active   51d
dev               Active   5s
ingress-nginx     Active   8d
kube-node-lease   Active   51d
kube-public       Active   51d
kube-system       Active   51d
II. Create a test pod in the dev namespace
[root@k8s-master-155-221 rbac]# cat pod-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dev-pod-demo
  namespace: dev
  labels:
    app: dev-myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
pod/dev-pod-demo created
[root@k8s-master-155-221 rbac]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          5s
III. Create four users, dev-read/dev-admin/cluster-read/cluster-admin, for read and admin access at the namespace and cluster level respectively (the steps below are shown for dev-read; the other three follow the same pattern)

Create the dev-read CSR file. The apiserver takes the user name from the certificate's CN and the group from O, so the CN here must match the subject name used in the RoleBinding later.
[root@k8s-master-155-221 cert]# cat dev-read-csr.json
{
  "CN": "dev-read",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
Create the dev-read user's certificate and private key
[root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.pem dev-read-csr.json | cfssljson -bare dev-read
2020/01/20 15:59:20 [INFO] generate received request
2020/01/20 15:59:20 [INFO] received CSR
2020/01/20 15:59:20 [INFO] generating key: rsa-2048
2020/01/20 15:59:21 [INFO] encoded CSR
2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
Create the dev-read user's kubeconfig file
[root@k8s-master-155-221 cert]# cat tem.kubeconfig
#!/bin/bash
# Set cluster parameters
export KUBE_APISERVER="https://172.16.155.220:8443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/mnt/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=dev-read.kubeconfig
# Set client authentication parameters
kubectl config set-credentials dev-read \
  --client-certificate=/mnt/k8s/cert/dev-read.pem \
  --client-key=/mnt/k8s/cert/dev-read-key.pem \
  --embed-certs=true \
  --kubeconfig=dev-read.kubeconfig
# Set context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-read \
  --kubeconfig=dev-read.kubeconfig
# Set the default context
kubectl config use-context kubernetes --kubeconfig=dev-read.kubeconfig
[root@k8s-master-155-221 cert]# sh tem.kubeconfig
Cluster "kubernetes" set.
User "dev-read" set.
Context "kubernetes" created.
Switched to context "kubernetes".
IV. Grant the users different permissions

1. Give dev-read permission to read pods in the dev namespace

Copy the dev-read user's kubeconfig file to a node and check its default permissions. Because the script used --embed-certs=true, this file carries the user's private key and is itself a credential: hand it only to that user and keep it readable by the owner alone (for example chmod 600).
# On the master
[root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root   # copy the dev-read kubeconfig from the master to one of the cluster nodes

# On the test node
[root@k8s-node-155-224 ~]# mkdir .kube   # create kubectl's default config directory; the file is then renamed to the default name, config
[root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config
[root@k8s-node-155-224 ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"   # dev-read has no permissions at all yet
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"
Create a Role with read access to pods in the dev namespace
[root@k8s-master-155-221 rbac]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-pods-reader
  namespace: dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/dev-pods-reader created
[root@k8s-master-155-221 rbac]# kubectl get role -n dev
NAME              AGE
dev-pods-reader   10s
Create a RoleBinding that binds the dev-read user to the dev-pods-reader Role
[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
[root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
NAME            AGE
dev-read-pods   7s
Test: dev-read can now list pods in dev, but still nothing in default
[root@k8s-node-155-224 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.155.220:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-read
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-read
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          30m
[root@k8s-node-155-224 ~]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"
2. Give dev-read admin permissions in the dev namespace

The same RoleBinding name is reused, but roleRef now points at the built-in ClusterRole admin. Note that roleRef on a RoleBinding is immutable, so the earlier binding has to be deleted before this manifest is applied (which is why the output below says "created" rather than "configured"). Because the binding is still a namespaced RoleBinding, the admin ClusterRole only grants rights inside dev.
[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
Test: check whether the user can now create and delete pods
[root@k8s-node-155-224 ~]# cat deploy-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: httpd
          containerPort: 80
[root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml
deployment.apps/myapp-deploy created
[root@k8s-node-155-224 ~]# kubectl get deploy -n dev
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
myapp-deploy   3/3     3            3           17s
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s
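The two tests above probe the user's rights by hand. The script below, added here and not part of the original post, writes down what dev-read is supposed to be able to do after each binding as an expectation table and checks every row with kubectl auth can-i, returning the number of deviations so it can run after each RBAC change. It assumes kubectl is on PATH; the script name check-rbac.sh, the kubeconfig path argument and the tables are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): assert the intended least-privilege
# matrix of a user kubeconfig with "kubectl auth can-i" instead of trial and error.
# Assumes kubectl is on PATH; the kubeconfig path passed in is a hypothetical input.
# can_i KUBECONFIG VERB RESOURCE NAMESPACE -> prints yes|no ("" = all namespaces)
can_i() {
    if [ -n "$4" ]; then
        kubectl --kubeconfig="$1" auth can-i "$2" "$3" -n "$4" 2>/dev/null || true
    else
        kubectl --kubeconfig="$1" auth can-i "$2" "$3" --all-namespaces 2>/dev/null || true
    fi
}
# Rights dev-read should have after the dev-pods-reader RoleBinding: read pods in dev only.
# Columns: verb resource namespace expected ("-" = all namespaces)
DEV_READ_EXPECTED='list pods dev yes
get pods dev yes
list pods default no
create pods dev no
delete pods dev no
get secrets dev no
create rolebindings dev no
list pods - no'
# Rights after the binding is switched to the built-in ClusterRole admin (still dev-scoped)
DEV_ADMIN_EXPECTED='create pods dev yes
delete deployments dev yes
get secrets dev yes
list pods default no
list pods - no
get nodes - no'
# check_expectations KUBECONFIG TABLE: prints one line per check and returns the number
# of mismatches, so 0 means the binding grants exactly what was intended.
check_expectations() {
    kubeconfig=$1 failures=0
    while read -r verb resource ns expected; do
        [ "$ns" = "-" ] && ns=""
        actual=$(can_i "$kubeconfig" "$verb" "$resource" "$ns")
        if [ "$actual" = "$expected" ]; then
            printf 'ok   %-6s %-12s ns=%-8s -> %s\n' "$verb" "$resource" "${ns:-*}" "$actual"
        else
            printf 'FAIL %-6s %-12s ns=%-8s -> %s (expected %s)\n' "$verb" "$resource" "${ns:-*}" "$actual" "$expected"
            failures=$((failures + 1))
        fi
    done <<EOF
$2
EOF
    return "$failures"
}
# Usage: sh check-rbac.sh dev-read.kubeconfig   (checks the reader table; swap in DEV_ADMIN_EXPECTED after step 2)
[ $# -eq 1 ] && check_expectations "$1" "$DEV_READ_EXPECTED"
```

A non-zero exit status flags a binding that grants more (or less) than intended, which is the thing to catch before the kubeconfig is handed to the user.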
# For cluster-wide permissions, bind a ClusterRole with a ClusterRoleBinding instead; the process is similar and is not repeated here.
