kubernetes访问控制
serviceaccount
创建serviceaccount:admin
kubectl create serviceaccount admin
查看这个sa信息
kubectl describe sa admin
此时k8s为用户自动生成认证信息,但没有授权 创建一个可以访问私有仓库的secret,并且添加secrets到serviceaccount中
kubectl create secret docker-registry myregistrykey --docker-server=reg.westos.org --docker-username=admin --docker-password=westos --docker-email=root@westos.org
kubectl patch serviceaccount admin -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
如下图,可以看到 Image pull secrets: myregistrykey vim sa.yaml
将认证信息添加到serviceAccount中,要比直接在Pod指定imagePullSecrets要安全很多
apiVersion: v1
kind: Pod
metadata:
name: myapp
labels:
app: myapp
spec:
containers:
- name: myapp
image: reg.westos.org/westos/game2048
ports:
- name: http
containerPort: 80
serviceAccountName: admin
UserAccount
创建UserAccount:test
cd /etc/kubernetes/pki/
openssl genrsa -out test.key 2048
openssl req -new -key test.key -out test.csr -subj "/CN=test"
openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365
openssl x509 -in test.crt -text -noout
kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
kubectl config view
kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
kubectl config use-context test@kubernetes
此时用户通过认证,但还没有权限操作集群资源,需要继续添加授权
role
Role是一系列的权限的集合,Role只能授予单个namespace 中资源的访问权限。
Role示例:
vim role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: myrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
vim rolebinding.yaml
使用rolebinding绑定Role
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-read-pods
namespace: default
subjects:
- kind: User
name: test
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: myrole
apiGroup: rbac.authorization.k8s.io
实验流程及效果:
[root@server2 roles]
Switched to context "test@kubernetes".
[root@server2 roles]
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
[root@server2 roles]
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]
role.rbac.authorization.k8s.io/myrole created
[root@server2 roles]
rolebinding.rbac.authorization.k8s.io/test-read-pods created
[root@server2 roles]
Switched to context "test@kubernetes".
[root@server2 roles]
NAME READY STATUS RESTARTS AGE
my-nginx-6ff6f45df4-v77rp 1/1 Running 1 44h
myapp 1/1 Running 0 7m54s
由上可以看出,test用户已经可以查看默认ns的pod
ClusterRole
ClusterRole 跟 Role 类似,但是可以在集群中全局使用。
ClusterRole示例
vim clusterRole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myclusterrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
RoleBinding和ClusterRoleBinding RoleBinding是将Role中定义的权限授予给用户或用户组。它包含一个subjects列表(users,groups ,service accounts),并引用该Role。 RoleBinding是对某个namespace 内授权,ClusterRoleBinding适用在集群范围内使用。
vim rolebinding.yaml
使用rolebinding绑定clusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rolebind-myclusterrole
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
先切到kubernetes-admin,应用clusterRole.yaml,使用rolebinding绑定clusterRole并切换到test用户
[root@server2 roles]
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]
clusterrole.rbac.authorization.k8s.io/myclusterrole created
[root@server2 roles]
rolebinding.rbac.authorization.k8s.io/rolebind-myclusterrole created
[root@server2 roles]
Switched to context "test@kubernetes".
编写一个deployment控制器的yaml文件
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: myapp:v1
运行
kubectl apply -f deployment.yaml
可以发现 test用户可以创建deployment控制器及查看pod
vim clusterrolebinding.yaml
使用clusterrolebinding绑定clusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: clusterrolebinding-myclusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
重复操作,先切换到kubernetes-admin,使用clusterrolebinding绑定clusterRole并切换到test用户
[root@server2 roles]
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-myclusterrole created
[root@server2 roles]
Switched to context "test@kubernetes".
测试:可以看到其他ns的pod
|