1) RBAC overview
RBAC - Role-Based Access Control
As of version 1.8, RBAC mode is stable and is supported through the rbac.authorization.k8s.io/v1 API. To enable RBAC, pass --authorization-mode=RBAC when starting the API server (clusters from version 1.6 onward have RBAC enabled by default).
What is RBAC (Role-Based Access Control)?
A user (User) is assigned a role (Role); the role holds the permissions, so the user obtains them through the role. In the authorization mechanism it is then enough to grant permissions to a role: every user bound to that role receives those permissions, and access control is expressed in terms of roles. As shown in the figure:
Define a role: when defining a role, specify the rules that govern the role's access to resources;
Bind the role: bind a subject to the role, which authorizes the user's access.
Notes:
Kubernetes uses RBAC for authorization, and it works as follows:
- The permissions to operate on objects are defined in a role; a user is then bound to that role and thereby obtains the role's permissions.
- If a Role is bound through a RoleBinding, the permissions apply only to resources in the namespace where the RoleBinding lives. In the figure above, user1 is bound to role1 and therefore only has permissions on resources in role1's namespace and none in other namespaces; this is namespace-level authorization.
- Kubernetes also has a cluster-level authorization mechanism: a cluster role (ClusterRole) is defined with permissions over resources across the whole cluster, and User2 is bound to that ClusterRole through a ClusterRoleBinding, giving User2 cluster-wide permissions.
- The relationship between Role, RoleBinding, ClusterRole and ClusterRoleBinding is shown in the figure below:
Two kinds of role binding were described above:
(1) a user is bound to a Role through a RoleBinding
(2) a user is bound to a ClusterRole through a ClusterRoleBinding
There is a third: a RoleBinding that references a ClusterRole.
Suppose there are 6 namespaces and the users of each namespace need administrator permissions in their own namespace. That requires defining 6 Roles and 6 RoleBindings and binding them one by one.
With more namespaces we would have to define even more Roles, which is tedious, so we introduce a ClusterRole: define one ClusterRole and grant it all the permissions,
then bind users to that ClusterRole through a RoleBinding; each user gets administrator permissions in their own namespace only.
Note: a RoleBinding grants permissions only in its own namespace.
Common resources: Pods, ConfigMaps, Deployments, Nodes, Secrets, Namespaces, StatefulSets, DaemonSets, Ingress, Volumes, Services, PersistentVolumes, etc.
Common verbs: create, get, delete, list, update, edit, watch, exec, patch, proxy, redirect
2) Role and RoleBinding
Notes:
There are several kinds of subjects: User, Group and ServiceAccount.
subjects:   # a group
- kind: Group
  name: "frontend-admins"
  apiGroup: rbac.authorization.k8s.io
subjects:   # a user
- kind: User
  name: louis
  apiGroup: rbac.authorization.k8s.io
subjects:   # a service account
- kind: ServiceAccount
  name: default
  namespace: kube-system
subjects:   # every service account in the qa namespace
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io
# Define the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: devops
  name: pod-read
rules:
- apiGroups: [""]   # "" is the core API group, where pods live
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# Define the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-read
  namespace: devops
subjects:   # the subject
- kind: User
  name: louis
  apiGroup: rbac.authorization.k8s.io
roleRef:    # the role being referenced
  kind: Role
  name: pod-read
  apiGroup: rbac.authorization.k8s.io

# Create the louis user
[root@master01 role]# cat create_user.sh
#!/bin/bash
mkdir certs
# Set some variables
KUBE_URL=https://192.168.31.80:6443
CLUSTER=kubernetes
CRT_DAYS=3650
USER_NAME=$1
# Usually found under /etc/kubernetes/ssl or /etc/kubernetes/pki
CA_CRT_PATH=/etc/kubernetes/pki/ca.crt
CA_KEY_PATH=/etc/kubernetes/pki/ca.key
# Generate the private key
openssl genrsa -out certs/$USER_NAME.key 2048
# Create a CSR from the private key; CN is the user name, O is the group
openssl req -new -key certs/$USER_NAME.key -out certs/$USER_NAME.csr \
    -subj "/CN=$USER_NAME/O=example"
# Sign the CSR with the cluster CA
openssl x509 -req -in certs/$USER_NAME.csr -CA $CA_CRT_PATH -CAkey $CA_KEY_PATH \
    -CAcreateserial -out certs/$USER_NAME.crt -days $CRT_DAYS
# File that will hold the kubectl config
export KUBECONFIG=/root/k8s-$USER_NAME.conf
# Set the cluster
kubectl config set-cluster $CLUSTER --server="$KUBE_URL" \
    --certificate-authority="$CA_CRT_PATH" --embed-certs=true
# Set the private key and the signed certificate
kubectl config set-credentials $USER_NAME --client-certificate=certs/$USER_NAME.crt \
    --client-key=certs/$USER_NAME.key --embed-certs=true
# Set the context
kubectl config set-context $USER_NAME-context --cluster=$CLUSTER --user=$USER_NAME
kubectl config use-context $USER_NAME-context

[root@master01 role]# kubectl get pods -n dev --kubeconfig /root/k8s-louis.conf
Error from server (Forbidden): pods is forbidden: User "louis" cannot list resource "pods" in API group "" in the namespace "dev"
[root@master01 role]# kubectl get pods -n devops --kubeconfig /root/k8s-louis.conf   # louis was granted access to the devops namespace above
NAME                                    READY   STATUS    RESTARTS   AGE
apollo-adminservice-5f54494f55-jqf9c    1/1     Running   1          43d
apollo-configservice-74bc85dcdb-2zbdg   1/1     Running   1          43d
apollo-portal-5d6c8cd8dc-2vndf          1/1     Running   1          47h
yapi-5df96d9984-58q2b                   1/1     Running   1          8d
yapi-mongodb-5d7f6d47c8-2ffn9           1/1     Running   1          9d
[root@master01 role]# kubectl get deployment -n devops --kubeconfig /root/k8s-louis.conf
Error from server (Forbidden): deployments.apps is forbidden: User "louis" cannot list resource "deployments" in API group "apps" in the namespace "devops"

Change the Role's permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: devops
  name: pod-read
rules:
- apiGroups: ["", "apps", "extensions"]   # "" is the core group (pods); "apps" holds deployments. "v1" is an API version, not a group
  resources: ["pods", "deployments"]
  verbs: ["get", "watch", "list"]
---
# Define the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-read
  namespace: devops
subjects:   # the subject
- kind: User
  name: louis
  apiGroup: rbac.authorization.k8s.io
roleRef:    # the role being referenced
  kind: Role
  name: pod-read
  apiGroup: rbac.authorization.k8s.io

[root@master01 role]# kubectl get deployment -n devops --kubeconfig /root/k8s-louis.conf
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
apollo-adminservice    1/1     1            1           77d
apollo-configservice   1/1     1            1           77d
apollo-portal          1/1     1            1           47h
yapi                   1/1     1            1           9d
yapi-mongodb           1/1     1            1           9d
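As an added example (not code from the page and not the Kubernetes authorizer itself), here is a small Python model of how RBAC decides a request. It encodes the scoping rules from section 1 (a RoleBinding grants only in its own namespace, even when it references a ClusterRole; a ClusterRoleBinding grants cluster-wide) and replays the checks from section 2: louis is forbidden in dev, forbidden to list deployments while the Role only covers the core API group "", and allowed once the Role also covers "apps". It also models a service account bound to the built-in view ClusterRole through a RoleBinding, using the system:serviceaccount:<namespace>:<name> user name under which service accounts authenticate. The view and cluster-admin rules are simplified subsets written for this example, not the real built-in definitions.

```python
# Added example, not code from the page or from Kubernetes: a small model of how
# the RBAC authorizer decides a request, covering Role, ClusterRole, RoleBinding
# and ClusterRoleBinding and the namespace-scoping rules described above.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group (pods, configmaps, ...)
    resources: List[str]
    verbs: List[str]

@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None: this is a ClusterRole

@dataclass
class Subject:
    kind: str                         # "User", "Group" or "ServiceAccount"
    name: str
    namespace: Optional[str] = None   # only meaningful for ServiceAccount

@dataclass
class Binding:
    role: Role
    subjects: List[Subject]
    namespace: Optional[str] = None   # None: this is a ClusterRoleBinding

@dataclass
class Request:
    user: str
    groups: List[str]
    verb: str
    api_group: str
    resource: str
    namespace: str

def subject_matches(subject: Subject, req: Request) -> bool:
    # A service account authenticates as the user system:serviceaccount:<ns>:<name>
    if subject.kind == "User":
        return subject.name == req.user
    if subject.kind == "Group":
        return subject.name in req.groups
    if subject.kind == "ServiceAccount":
        return req.user == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False

def rule_matches(rule: Rule, req: Request) -> bool:
    def allows(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (allows(rule.api_groups, req.api_group)
            and allows(rule.resources, req.resource)
            and allows(rule.verbs, req.verb))

def is_allowed(bindings: List[Binding], req: Request) -> bool:
    """RBAC is purely additive: any matching binding with a matching rule grants the request."""
    for b in bindings:
        # A RoleBinding only grants inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding applies cluster-wide.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        # A RoleBinding may only reference a Role that lives in its own namespace.
        if b.role.namespace is not None and b.role.namespace != b.namespace:
            continue
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        if any(rule_matches(r, req) for r in b.role.rules):
            return True
    return False

def page_scenarios() -> dict:
    louis = Subject("User", "louis")
    ro = ["get", "watch", "list"]
    # Role pod-read in devops as first written (core-group pods only), then with "apps" added
    pod_read_v1 = Role("pod-read", [Rule([""], ["pods"], ro)], "devops")
    pod_read_v2 = Role("pod-read", [Rule(["", "apps", "extensions"], ["pods", "deployments"], ro)], "devops")
    # Built-in ClusterRoles: view (a simplified subset here) and cluster-admin ("*" on everything)
    view = Role("view", [Rule(["", "apps"], ["pods", "deployments"], ro)])
    cluster_admin = Role("cluster-admin", [Rule(["*"], ["*"], ["*"])])
    before = [Binding(pod_read_v1, [louis], "devops")]
    after = [Binding(pod_read_v2, [louis], "devops")]
    sa_bind = [Binding(view, [Subject("ServiceAccount", "mysa", "dev")], "dev")]  # RoleBinding -> ClusterRole
    crb = [Binding(cluster_admin, [louis])]                                        # ClusterRoleBinding
    mysa = "system:serviceaccount:dev:mysa"
    return {
        "louis_list_pods_devops": is_allowed(before, Request("louis", [], "list", "", "pods", "devops")),
        "louis_list_pods_dev": is_allowed(before, Request("louis", [], "list", "", "pods", "dev")),
        "louis_list_deploy_before": is_allowed(before, Request("louis", [], "list", "apps", "deployments", "devops")),
        "louis_list_deploy_after": is_allowed(after, Request("louis", [], "list", "apps", "deployments", "devops")),
        "mysa_list_pods_dev": is_allowed(sa_bind, Request(mysa, [], "list", "", "pods", "dev")),
        "mysa_list_pods_devops": is_allowed(sa_bind, Request(mysa, [], "list", "", "pods", "devops")),
        "louis_delete_secrets_kube_system": is_allowed(crb, Request("louis", [], "delete", "", "secrets", "kube-system")),
    }

if __name__ == "__main__":
    for name, ok in page_scenarios().items():
        print(f"{name:34} {'allowed' if ok else 'forbidden'}")
```

The two `continue` checks in `is_allowed` are the whole security story of the page: the binding's namespace, not the role's kind, decides where a grant applies, and the same ClusterRole referenced from a RoleBinding in dev gives nothing in devops. Against a real cluster the equivalent question is asked with `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`.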
2) Command-line tools
kubectl create rolebinding
kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=louis --namespace=dev   # in the dev namespace, grant the admin ClusterRole to user louis
kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=dev:myapp --namespace=dev   # in the dev namespace, grant the view ClusterRole to the dev:myapp service account
kubectl create clusterrolebinding
kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=louis   # grant louis cluster administrator permissions
kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=dev:myapp
In the dev namespace, grant the view ClusterRole to the mysa service account:
[root@master01 role]# kubectl create sa mysa -n dev
serviceaccount/mysa created
[root@master01 role]# kubectl create rolebinding mysa-view --clusterrole=view --serviceaccount=dev:mysa --namespace=dev
rolebinding.rbac.authorization.k8s.io/mysa-view created
The equivalent manifests:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysa
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mysa-view
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: mysa
  namespace: dev
Case 1) Restricting different users to the resources of different namespaces
Generate a certificate:
(1) Generate a private key
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out testlouis.key 2048)
(2) Generate a certificate signing request
openssl req -new -key testlouis.key -out testlouis.csr -subj "/CN=testlouis"
(3) Generate the certificate
openssl x509 -req -in testlouis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out testlouis.crt -days 3650
Add the testlouis user to a kubeconfig:
kubectl config set-cluster kubernetes --server="https://192.168.31.80:6443" --certificate-authority="/etc/kubernetes/pki/ca.crt" --embed-certs=true --kubeconfig=/root/k8s-testlouis.conf
kubectl config set-credentials testlouis --client-certificate=./testlouis.crt --client-key=./testlouis.key --embed-certs=true --kubeconfig=/root/k8s-testlouis.conf
kubectl config set-context testlouis@kubernetes --cluster=kubernetes --user=testlouis --kubeconfig=/root/k8s-testlouis.conf
kubectl config use-context testlouis@kubernetes --kubeconfig=/root/k8s-testlouis.conf
[root@master01 pki]# kubectl get pods -n dev --kubeconfig=/root/k8s-testlouis.conf
error: Missing or incomplete configuration info.  Please point to an existing, complete config file:
  1. Via the command-line flag --kubeconfig
  2. Via the KUBECONFIG environment variable
  3. In your home directory as ~/.kube/config
To view or setup config directly use the 'config' command.
# This cluster user has no permissions yet.
Bind the user to a ClusterRole through a RoleBinding to grant permissions; they take effect only in the dev namespace.
Grant:
kubectl create rolebinding testlouis -n dev --clusterrole=cluster-admin --user=testlouis
Add a testlouis Linux user:
useradd testlouis
mkdir /home/testlouis/.kube
cp -rf /root/k8s-testlouis.conf /home/testlouis/.kube/config
chown -R testlouis.testlouis /home/testlouis
[root@master01 pki]# su - testlouis
Last login: Thu Aug 13 16:02:03 CST 2020 on pts/2
[testlouis@master01 ~]$ kubectl get pods -n dev
NAME                            READY   STATUS    RESTARTS   AGE
admin-server-65bd476ff8-756rs   1/1     Running   3          17d
As shown above, testlouis can now manage the dev namespace.
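The case above hands out cluster-admin through a RoleBinding. That is scoped to dev, but inside dev it is every verb on every resource, secrets and pod exec included; the built-in admin ClusterRole used earlier on this page (bob-admin-binding) is the usual choice for a namespace administrator. Either way, bindings of this kind are the thing to keep an eye on. As an added example (not code from the page), here is an offline audit in Python over the JSON shape that `kubectl get rolebindings,clusterrolebindings -A -o json` returns: it flags any binding that grants cluster-admin and any binding whose subject is one of the catch-all groups. The sample items are constructed for this example from the page's bindings plus one made-up ClusterRoleBinding; they are not real cluster output.

```python
# Added example (not from the page): audit RoleBinding/ClusterRoleBinding
# objects for grants that deserve review. Input is the JSON list shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json`; the sample
# below is constructed from the page's bindings plus one made-up binding.
import json
from typing import Dict, List

# Groups that match every caller (or every service account) in the cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}

SAMPLE_JSON = """
{"kind": "List", "items": [
 {"kind": "RoleBinding", "metadata": {"name": "testlouis", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "testlouis"}]},
 {"kind": "RoleBinding", "metadata": {"name": "mysa-view", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "root-cluster-admin-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "louis"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-can-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
"""

def audit_bindings(items: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per risky grant: which binding, and why it was flagged."""
    findings = []
    for item in items:
        kind = item.get("kind", "")
        meta = item.get("metadata", {})
        where = f'{kind} {meta.get("namespace", "<cluster>")}/{meta.get("name")}'
        role = item.get("roleRef", {}).get("name", "")
        subjects = item.get("subjects") or []   # "subjects" is optional in the API
        if role in HIGH_PRIVILEGE_ROLES:
            # A RoleBinding to cluster-admin is still full control of that namespace.
            scope = "cluster-wide" if kind == "ClusterRoleBinding" else "in its namespace"
            findings.append({"binding": where, "reason": f"grants {role} {scope}"})
        for s in subjects:
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                findings.append({"binding": where, "reason": f'bound to catch-all group {s["name"]}'})
    return findings

def audit_sample() -> List[Dict[str, str]]:
    """Run the audit over the constructed sample list."""
    return audit_bindings(json.loads(SAMPLE_JSON)["items"])

if __name__ == "__main__":
    for finding in audit_sample():
        print(f'{finding["binding"]}: {finding["reason"]}')
```

To run it against a real cluster, pipe the kubectl JSON output into `audit_bindings(json.load(sys.stdin)["items"])` instead of `SAMPLE_JSON`; the mysa-view binding to the read-only view ClusterRole is correctly left alone, while the page's two cluster-admin grants and the constructed catch-all group binding are reported.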