Kubernetes System Security: Authorization Policy
Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.
I. Overview of Kubernetes authorization policy
Immediately after the authentication step comes the "authorization" check. A normal request must carry in its request message the user name, the requested action and the target object; if some authorization policy grants permission for that request, authorization succeeds. Kubernetes authorization requires that you use common REST attributes to interact with existing organization-wide or cloud-provider-wide access control systems. Kubernetes supports several authorization modules, such as ABAC mode, RBAC mode and Webhook mode; when administrators create a cluster, they configure the authorization modules that the API server should use.
If more than one authorization module is configured, Kubernetes checks each module in turn: if any module authorizes the request, the request proceeds; if all modules deny it, the request is rejected (HTTP status code 403).
1>. Kubernetes request attributes (Request Attributes)
user:
The user string provided during authentication.
group:
The list of names of groups the authenticated user belongs to.
extra:
A map of arbitrary string keys to string values, provided by the authentication layer.
API:
Indicates whether the request is for an API resource.
Request path:
The path of a miscellaneous non-resource endpoint such as /api or /healthz.
API request verb:
The API verbs get, list, create, update, patch, watch, proxy, redirect, delete and deletecollection are used for resource requests.
HTTP request verb:
The HTTP verbs get, post, put and delete are used for non-resource requests.
Resource:
The ID or name of the resource being accessed (resource requests only). For resource requests using the get, update, patch and delete verbs, the resource name must be provided.
Subresource:
The subresource being accessed (resource requests only).
Namespace:
The namespace of the object being accessed (namespaced resource requests only).
API group:
The API group being accessed (resource requests only). The empty string designates the core API group.
2>. Authorization modules (Authorization Modules)
Node:
A special-purpose authorization plugin that grants Node permissions based on the outcome of Pod scheduling.
ABAC (Attribute-based access control):
Attribute-based access control (ABAC) defines an access control paradigm in which access rights are granted to users through policies that combine attributes together. These policies can use any type of attribute (user attributes, resource attributes, object, environment attributes and so on).
RBAC (Role-based access control):
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In this context, access is the ability of an individual user to perform a specific task, such as viewing, creating or modifying a file.
Authorization policy is driven through the "rbac.authorization.k8s.io" API and supports dynamic configuration.
Webhook:
A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen.
3>. Checking which authorization modes the current cluster was started with
[root@master200.yinzhengjie.org.cn ~]# ll /etc/kubernetes/manifests/
total 16
-rw------- 1 root root 1798 Feb  4 19:39 etcd.yaml
-rw------- 1 root root 2606 Feb  4 19:39 kube-apiserver.yaml
-rw------- 1 root root 2533 Feb  4 19:39 kube-controller-manager.yaml
-rw------- 1 root root 1120 Feb  4 19:39 kube-scheduler.yaml
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml
    - --authorization-mode=Node,RBAC
[root@master200.yinzhengjie.org.cn ~]# 
4>. Checking API access permissions
kubectl provides the auth can-i subcommand for quickly querying the API authorization layer.
The command uses the SelfSubjectAccessReview API to determine whether the current user can perform a given action, and it works regardless of the authorization mode in use.
Administrators can combine this with user impersonation to determine what actions other users can perform.
II. Overview of the RBAC authorization module
1>. What is RBAC
Role-based access control (RBAC) restricts network access based on roles within an organization and has become one of the main approaches to advanced access control.
A role in RBAC refers to an employee's level of access to the network.
Employees are only granted the information they need to perform their duties effectively:
Access rights can depend on several factors, such as authority, responsibility and job competency.
In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files.
2>. Mapping between HTTP methods and kubectl actions (verbs)
Mapping between HTTP methods and API endpoint (kubectl) verbs:
POST: maps to the API endpoint verb create.
GET, HEAD: map to get (for individual resources) and list (for collections).
PUT: maps to update.
PATCH: maps to patch.
DELETE: maps to delete (for individual resources) and deletecollection (for collections).
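As an added example (not code from the original post), the following Python derives the request attributes listed in section I.1 from an HTTP method and request URL, and applies the method-to-verb mapping above. It assumes the API server's standard URL layout (/api/<version>/... for the core group, /apis/<group>/<version>/... for other groups) and treats a GET with ?watch=true as the watch verb.

```python
from urllib.parse import parse_qs, urlsplit

# HTTP method -> API verb for resource requests, as the article lists them.
# GET/HEAD and DELETE are resolved below, because the verb depends on whether
# a single resource name is present (get/delete) or not (list/deletecollection);
# a GET carrying ?watch=true becomes "watch".
METHOD_VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch"}


def request_attributes(method, url):
    """Derive the authorization attributes of one API request.

    Resource requests live under /api/<version>/ (core group, apiGroup "")
    or /apis/<group>/<version>/; any other path is a non-resource endpoint
    such as /healthz, for which the verb is just the HTTP method.
    """
    split = urlsplit(url)
    parts = [p for p in split.path.split("/") if p]
    if parts[:1] == ["api"] and len(parts) >= 2:
        group, rest = "", parts[2:]
    elif parts[:1] == ["apis"] and len(parts) >= 3:
        group, rest = parts[1], parts[3:]
    else:
        return {"resource_request": False, "path": "/" + "/".join(parts),
                "verb": method.lower()}
    namespace = None
    if rest[:1] == ["namespaces"] and len(rest) >= 2:
        namespace = rest[1]
        if len(rest) >= 3:  # /namespaces/<ns>/<resource>[/<name>[/<sub>]]
            rest = rest[2:]  # else the request targets the namespace itself
    resource = rest[0] if rest else None
    name = rest[1] if len(rest) > 1 else None
    subresource = rest[2] if len(rest) > 2 else None
    watching = parse_qs(split.query).get("watch", [""])[0] in ("true", "1")
    if method in METHOD_VERBS:
        verb = METHOD_VERBS[method]
    elif method in ("GET", "HEAD"):
        verb = "watch" if watching else ("get" if name else "list")
    elif method == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        verb = method.lower()
    return {"resource_request": True, "api_group": group, "namespace": namespace,
            "resource": resource, "name": name, "subresource": subresource,
            "verb": verb}
```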
3>. Defining RBAC rules
Role assignment:
A subject can exercise a permission only if the subject has selected or been assigned a role. Note that one user may hold multiple roles.
Role authorization:
A subject's active role must be authorized for that subject.
Permission authorization:
A subject can exercise a permission only if the permission is authorized for the subject's active role.
4>. Role and ClusterRole
In the RBAC API, a role contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.
A Role can only be used to grant access to resources within a single namespace.
A ClusterRole can be used to grant the same permissions as a Role, but because it is cluster-scoped, it can also be used to grant access to:
cluster-scoped resources (such as nodes)
non-resource endpoints (like "/healthz")
namespaced resources (such as pods) across all namespaces (for example, every namespace that a cluster-wide kubectl get pods needs to read)
5>. Kubernetes built-in cluster roles (ClusterRole)
Kubernetes ships four built-in user-facing roles (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles):
cluster-admin: bound by default to the system:masters group.
admin: not bound (None)
edit: not bound (None)
view: not bound (None)
III. Role example
1>. Creating a Role

[root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" designates the core API group
  resources: ["pods", "pods/log","services"]
  verbs: ["get", "list", "watch"]
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/pods-reader.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl get roles
NAME          AGE
pods-reader   11s
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl get roles -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods","pods/log","services"],"verbs":["get","list","watch"]}]}
    creationTimestamp: "2020-02-14T23:35:51Z"
    name: pods-reader
    namespace: default
    resourceVersion: "983543"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/pods-reader
    uid: 0733946d-24d5-4af1-9aaf-7c902fd7769f
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/log
    - services
    verbs:
    - get
    - list
    - watch
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl describe roles
Name:         pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods/log   []                 []              [get list watch]
  pods       []                 []              [get list watch]
  services   []                 []              [get list watch]
[root@master200.yinzhengjie.org.cn ~]# 
2>. Creating the user jason, who has no permission to read pods information
Recommended reading by the author: https://www.cnblogs.com/yinzhengjie/p/12302138.html
3>. After binding the created user to the role with a RoleBinding, pods information can be read normally

[root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jason-pods-reader
  namespace: default
subjects:
- kind: User
  name: jason
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader
  apiGroup: rbac.authorization.k8s.io
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-pods-reader.yaml
rolebinding.rbac.authorization.k8s.io/jason-pods-reader created
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding
NAME                AGE
jason-pods-reader   16s
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pods-reader"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"jason"}]}
    creationTimestamp: "2020-02-14T23:45:26Z"
    name: jason-pods-reader
    namespace: default
    resourceVersion: "985062"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/jason-pods-reader
    uid: 5cfa58f8-4253-4558-be14-058e7891503c
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: pods-reader
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: jason
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl get rolebinding
NAME                AGE
jason-pods-reader   72s
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl describe rolebinding
Name:         jason-pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader","namespace":"def...
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  jason  
[root@master200.yinzhengjie.org.cn ~]# 
IV. ClusterRole example
1>. Creating a ClusterRole

[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-pod-reader
rules:
- apiGroups: ["*"]
  resources: ["pods", "pods/log","services","deloyments"]
  verbs: ["get", "list", "watch"]
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/cluster-pod-reader.yaml
clusterrole.rbac.authorization.k8s.io/cluster-pod-reader created
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrole cluster-pod-reader
NAME                 AGE
cluster-pod-reader   84s
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrole cluster-pod-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-pod-reader"},"rules":[{"apiGroups":["*"],"resources":["pods","pods/log","services","deloyments"],"verbs":["get","list","watch"]}]}
  creationTimestamp: "2020-02-15T00:27:20Z"
  name: cluster-pod-reader
  resourceVersion: "991729"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-pod-reader
  uid: f2169cb2-89d9-4472-bcb8-a6fb3b80c0e7
rules:
- apiGroups:
  - '*'
  resources:
  - pods
  - pods/log
  - services
  - deloyments
  verbs:
  - get
  - list
  - watch
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrole cluster-pod-reader
Name:         cluster-pod-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-pod-reader"},"rules":[{"api...
PolicyRule:
  Resources     Non-Resource URLs  Resource Names  Verbs
  ---------     -----------------  --------------  -----
  deloyments.*  []                 []              [get list watch]
  pods.*/log    []                 []              [get list watch]
  pods.*        []                 []              [get list watch]
  services.*    []                 []              [get list watch]
[root@master200.yinzhengjie.org.cn ~]# 
2>. Creating a ClusterRoleBinding

[root@master200.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jason-pods-reader
subjects:
- kind: User
  name: jason
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-pod-reader
  apiGroup: rbac.authorization.k8s.io
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl apply -f /yinzhengjie/data/k8s/manifests/basic/rbac/jason-cluster-pods-reader.yaml
clusterrolebinding.rbac.authorization.k8s.io/jason-pods-reader created
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader
NAME                AGE
jason-pods-reader   51s
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader
NAME                AGE
jason-pods-reader   81s
[root@master200.yinzhengjie.org.cn ~]# 
[root@master200.yinzhengjie.org.cn ~]# kubectl get clusterrolebinding jason-pods-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-pod-reader"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"jason"}]}
  creationTimestamp: "2020-02-15T00:31:56Z"
  name: jason-pods-reader
  resourceVersion: "992468"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/jason-pods-reader
  uid: 01fc89b3-6b9c-4f79-ac9c-18563824b3b7
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jason
[root@master200.yinzhengjie.org.cn ~]# 

[root@master200.yinzhengjie.org.cn ~]# kubectl describe clusterrolebinding jason-pods-reader
Name:         jason-pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"jason-pods-reader"},"roleRef...
Role:
  Kind:  ClusterRole
  Name:  cluster-pod-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  jason  
[root@master200.yinzhengjie.org.cn ~]# 
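The following Python is an added illustration, not code from the article or from Kubernetes: it models how RBAC evaluates the Role, RoleBinding, ClusterRole and ClusterRoleBinding objects created in sections III and IV, following the rules stated in section II.4 (additive permissions, a Role limited to its namespace, a ClusterRoleBinding reaching every namespace), and can_i answers the question kubectl auth can-i ... --as puts to the real cluster. The user alice and the kube-system requests are constructed for the demonstration; the "deloyments" typo from the article's ClusterRole is kept so that the check shows it grants nothing for deployments.

```python
def rule_matches(rule, req):
    """A PolicyRule matches when API group, resource ("pods/log" for a
    subresource) and verb all match; "*" in a list matches anything."""
    resource = req["resource"]
    if req.get("subresource"):
        resource += "/" + req["subresource"]
    return (("*" in rule["apiGroups"] or req["api_group"] in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or req["verb"] in rule["verbs"]))

def subject_matches(subject, user, groups):
    return ((subject["kind"] == "User" and subject["name"] == user)
            or (subject["kind"] == "Group" and subject["name"] in groups))

def rbac_allows(req, roles, bindings, user, groups=()):
    """True if a binding for this user names a role with a matching rule.
    Rules are purely additive (a miss is "no opinion", never a deny); a
    RoleBinding covers only its own namespace, a ClusterRoleBinding all."""
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["namespace"] != req.get("namespace"):
            continue
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        role = roles[(b["roleRef"]["kind"], b["roleRef"]["name"])]
        if any(rule_matches(r, req) for r in role["rules"]):
            return True
    return False

def can_i(user, verb, resource, bindings, namespace="default", api_group=""):
    """The question `kubectl auth can-i <verb> <resource> --as <user>` asks."""
    req = {"api_group": api_group, "namespace": namespace, "verb": verb,
           "resource": resource}
    if "/" in resource:  # "pods/log" selects the log subresource
        req["resource"], req["subresource"] = resource.split("/", 1)
    return rbac_allows(req, ROLES, bindings, user)

# Objects transcribed from the article. The "deloyments" typo in
# cluster-pod-reader is kept on purpose: resource names are matched
# literally, so that rule grants nothing for deployments.
ROLES = {
    ("Role", "pods-reader"): {"rules": [{"apiGroups": [""],
        "resources": ["pods", "pods/log", "services"], "verbs": ["get", "list", "watch"]}]},
    ("ClusterRole", "cluster-pod-reader"): {"rules": [{"apiGroups": ["*"],
        "resources": ["pods", "pods/log", "services", "deloyments"], "verbs": ["get", "list", "watch"]}]},
}
JASON = {"kind": "User", "name": "jason"}
ROLE_BINDING = [{"kind": "RoleBinding", "namespace": "default", "subjects": [JASON],
                 "roleRef": {"kind": "Role", "name": "pods-reader"}}]
CLUSTER_BINDING = [{"kind": "ClusterRoleBinding", "subjects": [JASON],
                    "roleRef": {"kind": "ClusterRole", "name": "cluster-pod-reader"}}]
```

Because the ClusterRole uses apiGroups ["*"], a correctly spelled "deployments" entry would have matched the apps group as well; the spelling alone is what keeps that grant from taking effect.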
V.