Kubernetes account and permission setup
RBAC is currently the most commonly used authorization mode in k8s. When a client sends a request to the apiserver, the request carries the following information:
1) username, uid
2) group
3) extra (additional information)
4) API
5) request path, e.g. http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/d
6) HTTP request action, e.g. get, post, put, delete
7) Kubernetes request verb, e.g. get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection
8) Resource
9) Subresource
10) Namespace
11) API group
Creating a serviceaccount
# On GKE you first need RBAC permissions yourself; grant them with
# kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins
---
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
  namespace: jenkins   # keep the Role in the same namespace as the ServiceAccount
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins   # the namespace is required for ServiceAccount subjects
Creating a useraccount
1. Generating the account
Example: create a gpu user for the K8S cluster.
Run the following on the k8s master node:
# Create the certificate (the CN becomes the Kubernetes username)
(umask 077; openssl genrsa -out gpu.key 2048)
openssl req -new -key gpu.key -out gpu.csr -subj "/CN=gpu"
openssl x509 -req -in gpu.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out gpu.crt -days 3650
openssl x509 -in gpu.crt -text -noout
# Add the user's credentials to the k8s cluster config
kubectl config set-credentials gpu --client-certificate=./gpu.crt --client-key=./gpu.key --embed-certs=true
# Create the context, i.e. set which cluster the user accesses
kubectl config set-context gpu@kubernetes --cluster=kubernetes --user=gpu
# Switch to the user
kubectl config use-context gpu@kubernetes
# Verify the permissions
kubectl get pods
# Switch back to the administrator
kubectl config use-context kubernetes-admin@kubernetes
View all users (contexts)
kubectl config get-contexts
View cluster roles
kubectl get clusterrole
View service accounts
kubectl get serviceaccount
2. Setting permissions
As administrator, create the role and its permissions and bind them to the user (role and role-binding).
role.yaml
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: gpu
  name: gpu-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get","list","watch","create", "update","patch","delete"]
role-binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: gpu
subjects:
- kind: User
  name: gpu
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: gpu-reader
  apiGroup: rbac.authorization.k8s.io
3. Generating the user's config file
Dump the complete configuration of all users
kubectl config view --raw --output='json' >1.json
vim 1.json
Under users, delete every entry except the one with "name": "gpu"
Under contexts, delete every entry except the one with "name": "gpu@kubernetes"
mv 1.json config   # hand the config to the user
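The manual vim edit above is easy to get wrong, and a leftover entry means the recipient also receives the administrator's client key. The following is an added example, not code from the original page: it performs the same minimisation on the JSON that `kubectl config view --raw -o json` emits and checks that no other user remains. RAW_KUBECONFIG is a constructed sample whose certificate fields hold placeholders.

```python
import json

# Added example (not from the original page): produce the per-user kubeconfig
# from the admin's `kubectl config view --raw -o json` dump. RAW_KUBECONFIG is a
# constructed sample; certificate fields hold placeholders instead of base64.
RAW_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "current-context": "kubernetes-admin@kubernetes",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://10.0.0.1:6443", "certificate-authority-data": "<CA-DATA>"}}],
    "users": [
        {"name": "kubernetes-admin", "user": {"client-certificate-data": "<ADMIN-CERT>",
                                              "client-key-data": "<ADMIN-KEY>"}},
        {"name": "gpu", "user": {"client-certificate-data": "<GPU-CERT>",
                                 "client-key-data": "<GPU-KEY>"}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "gpu@kubernetes",
         "context": {"cluster": "kubernetes", "user": "gpu", "namespace": "gpu"}},
    ],
}

def _pick(items, name, what):
    """Return the named entry from a kubeconfig list, or fail loudly."""
    for item in items:
        if item["name"] == name:
            return item
    raise KeyError(f"{what} {name!r} not found in kubeconfig")

def minify_kubeconfig(cfg, context_name):
    """Keep one context plus the single user and cluster it references (the edit
    the page performs by hand in vim) and make it the current context."""
    ctx = _pick(cfg["contexts"], context_name, "context")
    user = _pick(cfg["users"], ctx["context"]["user"], "user")
    cluster = _pick(cfg["clusters"], ctx["context"]["cluster"], "cluster")
    return {"apiVersion": cfg.get("apiVersion", "v1"), "kind": cfg.get("kind", "Config"),
            "clusters": [cluster], "users": [user], "contexts": [ctx],
            "current-context": context_name}  # recipient needs no use-context

def foreign_users(cfg, expected_user):
    """Users other than expected_user still in cfg; must be empty before the
    file is handed out, otherwise the admin's client key ships with it."""
    return sorted(u["name"] for u in cfg["users"] if u["name"] != expected_user)

if __name__ == "__main__":
    out = minify_kubeconfig(RAW_KUBECONFIG, "gpu@kubernetes")
    assert foreign_users(out, "gpu") == []
    print(json.dumps(out, indent=2))  # save as ~/.kube/config on the user's machine
```

kubectl can produce the same file directly with `kubectl config view --minify --flatten --context=gpu@kubernetes > config`; the check in `foreign_users` is still worth running on the result.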
RBAC
1. Role-based access control
rbac: role-based access control, i.e. we add users to roles, and the users then have the roles' permissions.
RBAC binds a user to a role through a rolebinding. A role is defined per namespace, which means the user can only access pod resources in the specified namespace.
If instead the user is bound to a ClusterRole through a ClusterRoleBinding, the user is no longer confined to a namespace and has cluster-level permissions, i.e. the user can access pods in every namespace of the cluster.
However, we can also use a RoleBinding to bind a user to a ClusterRole. In that case (the figure is not reproduced here), user1 is bound to a ClusterRole through a rolebinding, but since a rolebinding is confined to a namespace, user1 is likewise confined to that namespace rather than the whole cluster.
2. Difference between ClusterRoleBinding and RoleBinding
A ClusterRoleBinding applies to the whole cluster, while a RoleBinding applies only to a namespace.
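The request attributes listed at the top of the page and the binding rules just described, as an added example that is not part of the original page: a small Python model of the RBAC authorizer. It uses a subset of the page's gpu-reader Role and its RoleBinding for user gpu; the pod-viewer ClusterRole, the "dev" namespace, user1 and the ClusterRoleBinding for the jenkins service account are constructed for illustration. It shows that a rule for "pods" does not grant "pods/exec", and that a ClusterRole bound through a RoleBinding stays confined to that namespace.

```python
# Added example (not from the original page): a simplified model of the
# Kubernetes RBAC authorizer, with rules as dicts using the YAML's own keys.
# GPU_READER is a subset of this page's gpu-reader Role; POD_VIEWER, the "dev"
# namespace and user1 are constructed for illustration.
GPU_READER = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "create"]},
]
POD_VIEWER = [{"apiGroups": [""], "resources": ["pods", "pods/log"],
               "verbs": ["get", "list", "watch"]}]
# (kind, namespace, name) -> rules; a ClusterRole has no namespace
ROLES = {("Role", "gpu", "gpu-reader"): GPU_READER,
         ("ClusterRole", "", "pod-viewer"): POD_VIEWER}
# (binding kind, binding namespace, roleRef kind, roleRef name, subjects)
BINDINGS = [
    ("RoleBinding", "gpu", "Role", "gpu-reader", {"User:gpu"}),
    # a ClusterRole bound through a RoleBinding only grants inside "dev"
    ("RoleBinding", "dev", "ClusterRole", "pod-viewer", {"User:user1"}),
    ("ClusterRoleBinding", "", "ClusterRole", "pod-viewer",
     {"ServiceAccount:jenkins:jenkins"}),
]

def rule_allows(rule, api_group, resource, subresource, verb):
    """Match like the apiserver: '*' matches anything; a resources entry must
    equal the combined 'resource/subresource' or have the form '*/subresource'.
    So 'pods' alone never grants 'pods/exec' or 'pods/log'."""
    combined = f"{resource}/{subresource}" if subresource else resource
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    resource_ok = any(r in ("*", combined) or (subresource and r == f"*/{subresource}")
                      for r in rule["resources"])
    return group_ok and verb_ok and resource_ok

def allowed(subjects, namespace, api_group, resource, verb, subresource=""):
    """True if a binding that names one of the request's subjects (the user plus
    its groups, e.g. {"User:gpu", "Group:system:authenticated"}) grants it."""
    for bkind, bns, rkind, rname, bsubjects in BINDINGS:
        if not subjects & bsubjects:
            continue
        # a RoleBinding grants only in its own namespace, whatever the roleRef kind
        if bkind == "RoleBinding" and bns != namespace:
            continue
        rules = ROLES.get((rkind, bns if rkind == "Role" else "", rname), [])
        if any(rule_allows(r, api_group, resource, subresource, verb) for r in rules):
            return True
    return False  # deny by default: no matching rule means the request is denied
```

On a live cluster the same questions are answered by `kubectl auth can-i create pods --subresource=exec --as=gpu -n gpu` and, for the service account, `kubectl auth can-i get pods --subresource=log --as=system:serviceaccount:jenkins:jenkins -n prod`.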
3. useraccount and serviceaccount
k8s authentication distinguishes useraccounts and serviceaccounts.
My understanding is that a serviceaccount is a service account, the account a POD starts under; what the serviceaccount sets is the permissions the POD has after it starts. Compare an httpd service on a Linux server, which can be started as the http user while the http user itself has no login permission on the system.
A useraccount is like a login account on a Linux server, which does have login permission. It is the account used with a config file to connect to the K8S cluster from a client.
Appendix
1. Using create to generate a YAML manifest
kubectl create serviceaccount mysa -o yaml --dry-run=client > mysa.yaml   # a bare --dry-run is deprecated in newer kubectl
As shown above, anything created with kubectl create can have its manifest exported just by adding -o yaml, so we no longer have to write manifests from scratch: generate one and then edit it. This is very handy.
kubectl get can also export YAML, as follows:
kubectl get pods myapp-1 -o yaml --export   # --export was removed in kubectl 1.18; omit it on newer versions
2. Creating the jenkins serviceaccount
kind: ClusterRole   # cluster-scoped, so it takes no namespace
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
# Create a service account named jenkins (the commented line puts it in the jenkins namespace; the command used below puts it in servers)
#kubectl create serviceaccount jenkins -n jenkins -o yaml
kubectl create serviceaccount jenkins -n servers
# Create a cluster role binding named "service-reader-pod" whose "clusterrole" is "service-reader" and whose subject is the service account "servers:jenkins", where the first part is the namespace and the second is the service account name
kubectl create clusterrolebinding service-reader-pod --clusterrole=service-reader --serviceaccount=servers:jenkins