23. Kubernetes (k8s) notes: authentication, authorization and admission control (part 3): RBAC access control
RBAC access control for User Accounts
Preface:
The previous part introduced and created ServiceAccount and User Account authentication, but the final test showed that the User Account had no access permissions at all. This part covers RBAC authorization: granting permissions to ServiceAccount and User Account identities.
- What is RBAC?
RBAC is Role-Based Access Control. In RBAC, permissions are attached to roles, and users obtain those permissions by being made members of the appropriate roles. This greatly simplifies permission management: permissions are granted to roles and roles are granted to users, so the layering is clear and easy to administer. Kubernetes RBAC is purely additive: there are no deny rules, a request is allowed as soon as any binding grants it, and anything not granted is forbidden.
- Roles
Role: a namespaced role; its rules grant access to resources within one specific namespace.
ClusterRole: a cluster-level role; it is not namespaced, so its rules can cover cluster-scoped resources (nodes, persistentvolumes, namespaces) as well as namespaced resources, and which namespaces it applies to depends on how it is bound (see below).
- Role bindings
RoleBinding: binds a role to a subject. The subject only receives the Role's permissions within one specific namespace, and the binding's effect is limited to that namespace.
ClusterRoleBinding: binds a cluster role to a subject, so the subject acts as that cluster role. The subject receives cluster-level permissions, and the effect is cluster-wide (every namespace plus cluster-scoped resources).
- Subjects
User: a user (for certificate authentication, the CN of the client certificate)
Group: a user group (for certificate authentication, the O of the client certificate)
ServiceAccount: a service account
- Binding combinations
Subject --> RoleBinding --> Role                 # the subject gets the Role's permissions in that namespace
Subject --> ClusterRoleBinding --> ClusterRole   # the subject gets the ClusterRole's permissions cluster-wide
Subject --> RoleBinding --> ClusterRole          # scoped down: the subject gets the ClusterRole's permissions only in the RoleBinding's namespace
The fourth combination, ClusterRoleBinding --> Role, is rejected by the API server; a ClusterRoleBinding can only reference a ClusterRole. A RoleBinding is also never consulted for a cluster-scoped request, so a ClusterRole bound through a RoleBinding never grants access to cluster-scoped resources such as nodes or persistentvolumes.
- Fields of a rule (rules):
1. apiGroups: the API groups the rule covers, e.g. "" for the core group (pods, services, configmaps), "apps" for deployments, "batch" for jobs; "*" means every group.
2. resources: the resource types the rule covers, e.g. pods, deployments, jobs; subresources are written as resource/subresource, e.g. pods/log.
3. resourceNames: optional; restricts the rule to objects with exactly these names.
4. verbs: the operations allowed on those resources: get, list, watch, create, update, patch, delete, deletecollection, or "*" for all of them.
- RBAC uses the rbac.authorization.k8s.io API group for its authorization decisions, which lets administrators configure policy dynamically through the Kubernetes API. To enable RBAC, the apiserver must be started with --authorization-mode including RBAC. Clusters installed with kubeadm have RBAC enabled by default, which can be confirmed in the static Pod manifest of the apiserver on the master node:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC      # RBAC is on by default; the authorizers run in this order, Node (for kubelets) first, then RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...
- Look at the Roles in the kube-system namespace
[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z
[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:                 # the role's rules
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps
  verbs:               # allowed operations
  - get
This role is as narrow as RBAC gets: get on the single ConfigMap named kube-proxy in kube-system. Because resourceNames is set, a list or watch request (which carries no object name) does not match it either, so the subject can read that one object and nothing else.
- Role bindings
- RoleBinding
[root@k8s-master authfiles]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
roleRef
A binding has two parts: subjects (who is bound) and roleRef (which Role or ClusterRole they get). roleRef is immutable after creation; to point a binding at a different role, delete and recreate it.
Example 1: create a Role and a RoleBinding; the scope is a single namespace
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]                           # "" is the core API group
  resources: ["pods","services","pods/log"] # resources; pods/log is a subresource
  verbs: ["get","list","watch"]             # read-only verbs
[root@k8s-master authfiles]# cat tom-pods-reader.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom                                 # the user being bound
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader                         # the Role created above
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml
[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m
- Verify tom's permissions on pods and services
[root@k8s-master authfiles]# kubectl config get-contexts --kubeconfig=/tmp/mykubeconfig   # check which user this kubeconfig authenticates as
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d
- Verify deployments and nodes: nothing was granted, so access is denied
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
Both denials follow from the rule: deployments live in the apps API group, which apiGroups [""] does not cover, and nodes are cluster-scoped, so a RoleBinding is never even consulted for them. The error message tells you exactly which apiGroups/resources/verbs triple would have to be granted.
Built-in administrator roles
- Namespace administrator: admin
- The ClusterRole admin grants every verb on (almost all) namespaced resources, including Roles and RoleBindings. Bound through a RoleBinding it covers one namespace; bound through a ClusterRoleBinding it covers namespaced resources in every namespace, but it never covers cluster-scoped resources such as nodes or persistentvolumes.
- Cluster administrator: cluster-admin
- The ClusterRole cluster-admin grants every verb on every resource in every API group, namespaced and cluster-scoped alike: a superuser.
- The RoleBinding created earlier only grants permissions in the default namespace:
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
- The ClusterRole admin: permissions on namespaced resources in every namespace when bound cluster-wide
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
- Delete the previous binding and rebind tom to the ClusterRole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m
[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted
[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
Example 2: bind the ClusterRole admin with a ClusterRoleBinding and verify; the scope is namespaced resources in every namespace
[root@k8s-master authfiles]# kubectl create --help
...
Available Commands:
  clusterrole           Create a ClusterRole.
  clusterrolebinding    Create a ClusterRoleBinding for a particular ClusterRole
  configmap             Create a configmap from a local file, directory or literal value
  cronjob               Create a cronjob with the specified name.
  deployment            Create a deployment with the specified name.
  job                   Create a job with the specified name.
  namespace             Create a namespace with the specified name
  poddisruptionbudget   Create a pod disruption budget with the specified name.
  priorityclass         Create a priorityclass with the specified name.
  quota                 Create a quota with the specified name.
  role                  Create a role with single rule.
  rolebinding           Create a RoleBinding for a particular Role or ClusterRole
  secret                Create a secret using specified subcommand
  service               Create a service using specified subcommand.
  serviceaccount        Create a service account with the specified name
- The subject can be given as --user, --group or --serviceaccount
[root@k8s-master authfiles]# kubectl create clusterrolebinding --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
- Create the binding and verify the permissions
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME                               READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g      1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p      1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg      1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh   1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687   1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4   1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w        1/1     Running   8          19d
......
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h
- nodes and persistentvolumes are cluster-scoped resources, which admin does not cover, so they are still denied
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
Example 3: bind cluster-admin and verify; the scope now includes cluster-level resources
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                    21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                    21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9
- Note that cluster-admin is granted through the group system:masters. If a user certificate is issued with /CN=XX/O=system:masters, that user is a superuser, because the apiserver maps the certificate's O field to the user's groups. Treat such certificates with care: kube-apiserver does not check certificate revocation lists, and the cluster-admin ClusterRoleBinding is reconciled on every apiserver start (rbac.authorization.kubernetes.io/autoupdate: true), so a system:masters certificate cannot be revoked through RBAC and stays valid until it expires or the cluster CA is rotated. Issue them rarely and with short lifetimes, and give day-to-day administrators an explicit, revocable binding instead.
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters              # granted by group: every member of system:masters is a superuser
Example 4: scope the ClusterRole admin down with a RoleBinding
- As mentioned above,
User --> RoleBinding --> ClusterRole: scoped down; the user only gets the ClusterRole's permissions restricted to the namespace the RoleBinding lives in.
- Delete the previous binding
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
- Create a RoleBinding that references the ClusterRole: the permissions apply only in the specified namespace
[root@k8s-master authfiles]# kubectl create rolebinding tom-admin --user=tom -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
- Test: the scope is only the longhorn-system namespace
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME                               READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g      1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p      1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg      1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh   1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687   1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4   1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w        1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph        1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49        1/1     Running   9          19d
...
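To tie the three binding combinations from the introduction (Subject --> RoleBinding --> Role, Subject --> ClusterRoleBinding --> ClusterRole, Subject --> RoleBinding --> ClusterRole) to the four examples above, here is an added example that is not part of the original notes and not Kubernetes' own code: a small Python model of how the RBAC authorizer resolves bindings and matches rules, replayed over the scenarios above. The manifests are constructed from the notes; ADMIN_RULES is an assumed, cut-down stand-in for the real aggregated admin ClusterRole, the RoleBinding of the kube-proxy Role to the kube-proxy ServiceAccount is assumed for illustration, and can_i, authorize, rule_allows, base_policy and policy_for_example are names chosen here.

```python
"""Added example (not the page's or Kubernetes' own code): a model of the RBAC authorizer's
decision for resource requests, replayed over the notes' four examples. All manifests are
constructed; the built-in admin ClusterRole is cut down to a few of its real aggregated rules."""
from collections import namedtuple

# namespace == "" marks a cluster-scoped request (kubectl get nodes); name == "" for list/watch.
Request = namedtuple("Request", "user groups verb group resource subresource name namespace")

def rule_allows(rule, req):
    """One PolicyRule (apiGroups, resources, resourceNames, verbs) against one request."""
    if not ("*" in rule["verbs"] or req.verb in rule["verbs"]):
        return False
    if not ("*" in rule["apiGroups"] or req.group in rule["apiGroups"]):
        return False
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    if not any(r in ("*", combined) or (req.subresource and r == f"*/{req.subresource}")
               for r in rule["resources"]):
        return False
    # list/watch carry no object name, so a rule with resourceNames never matches them:
    # the kube-proxy Role permits `get configmaps kube-proxy` and nothing else.
    return not rule.get("resourceNames") or req.name in rule["resourceNames"]

def subject_matches(s, req):
    if s["kind"] == "ServiceAccount":  # an SA authenticates as system:serviceaccount:<ns>:<name>
        return req.user == f"system:serviceaccount:{s['namespace']}:{s['name']}"
    return s["name"] == req.user if s["kind"] == "User" else s["name"] in req.groups

def authorize(req, policy):
    """RBAC search order: every ClusterRoleBinding, then, only for a namespaced request,
    the RoleBindings that live in the request's namespace (never for cluster scope)."""
    bindings = [(b, None) for b in policy["clusterrolebindings"]]
    if req.namespace:
        bindings += [(b, req.namespace) for b in policy["rolebindings"] if b["namespace"] == req.namespace]
    for binding, ns in bindings:
        if not any(subject_matches(s, req) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = policy["clusterroles"].get(ref["name"], [])
        else:  # a Role is only resolvable from a RoleBinding in the same namespace
            rules = policy["roles"].get((ns, ref["name"]), [])
        if any(rule_allows(r, req) for r in rules):
            return True
    return False

# Constructed subset of the built-in "admin" ClusterRole: namespaced resources only, which is
# why it never unlocks nodes or persistentvolumes; cluster-admin is "*" on everything.
ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "configmaps", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"], "verbs": ["*"]}]
TOM = [{"kind": "User", "name": "tom"}]

def base_policy():
    """Built-in state the notes rely on: cluster-admin bound to Group system:masters, plus the
    kube-proxy Role bound (binding constructed here) to the kube-proxy ServiceAccount."""
    return {
        "roles": {("kube-system", "kube-proxy"): [{"apiGroups": [""], "resources": ["configmaps"],
                                                   "resourceNames": ["kube-proxy"], "verbs": ["get"]}]},
        "clusterroles": {"admin": ADMIN_RULES,
                         "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        "rolebindings": [{"namespace": "kube-system", "roleRef": {"kind": "Role", "name": "kube-proxy"},
                          "subjects": [{"kind": "ServiceAccount", "name": "kube-proxy", "namespace": "kube-system"}]}],
        "clusterrolebindings": [{"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                                 "subjects": [{"kind": "Group", "name": "system:masters"}]}]}

def policy_for_example(n):
    """Policy state after Example 1, 2, 3 or 4 of the notes has been applied."""
    p = base_policy()
    if n == 1:  # Role pods-reader in default + RoleBinding tom-pods-reader
        p["roles"][("default", "pods-reader")] = [{"apiGroups": [""], "verbs": ["get", "list", "watch"],
                                                   "resources": ["pods", "services", "pods/log"]}]
        p["rolebindings"].append({"namespace": "default", "subjects": TOM,
                                  "roleRef": {"kind": "Role", "name": "pods-reader"}})
    elif n in (2, 3):  # kubectl create clusterrolebinding ... --user=tom --clusterrole=admin | cluster-admin
        p["clusterrolebindings"].append({"subjects": TOM, "roleRef": {
            "kind": "ClusterRole", "name": "admin" if n == 2 else "cluster-admin"}})
    elif n == 4:  # kubectl create rolebinding tom-admin --user=tom -n longhorn-system --clusterrole=admin
        p["rolebindings"].append({"namespace": "longhorn-system", "subjects": TOM,
                                  "roleRef": {"kind": "ClusterRole", "name": "admin"}})
    return p

def can_i(policy, verb, resource, namespace="", group="", name="", subresource="", user="tom", groups=()):
    """`kubectl auth can-i` against the in-memory policy: (allowed, apiserver-style reason)."""
    req = Request(user, tuple(groups), verb, group, resource, subresource, name, namespace)
    if authorize(req, policy):
        return True, "yes"
    scope = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    return False, f'User "{user}" cannot {verb} resource "{resource}" in API group "{group}" {scope}'

if __name__ == "__main__":  # Example 4: admin via RoleBinding in longhorn-system, queried for default
    print(can_i(policy_for_example(4), "list", "pods", namespace="default"))
```

Run as a script it prints the Example 4 result for the default namespace, (False, 'User "tom" cannot list resource "pods" in API group "" in the namespace "default"'), the same Forbidden text the apiserver returned above. Two details of the decision are worth noticing: a RoleBinding is never consulted for a cluster-scoped request, which is why admin bound either way never reaches nodes or persistentvolumes, and a rule with resourceNames cannot satisfy a list request because a list carries no object name. On a real cluster the equivalent check, run from an administrator's kubeconfig, is kubectl auth can-i list pods -n longhorn-system --as tom.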