k8s RBAC: adding a User and configuring Roles

1. Adding a normal User to k8s

Normal users are not created or maintained by k8s itself; a user is created and selected by issuing a client certificate and switching kubeconfig contexts.
In fact, creating a user is the same procedure as one of the steps of deploying a k8s cluster by hand.
The process is as follows:

Write the CSR definition for the user certificate:

[root@k8s-master1 quanxian]# cat jane-csr.json
{
  "CN": "jane",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "SZ",
      "L": "SZ",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}

Generate the user certificate

[root@k8s-master1 jane]#  cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes jane-csr.json | cfssljson -bare jane
2018/09/05 01:51:01 [INFO] generate received request
2018/09/05 01:51:01 [INFO] received CSR
2018/09/05 01:51:01 [INFO] generating key: rsa-2048
2018/09/05 01:51:01 [INFO] encoded CSR
2018/09/05 01:51:01 [INFO] signed certificate with serial number 520899621423670329054136035003302903598818113990
2018/09/05 01:51:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master1 jane]# ls
jane.csr  jane-csr.json  jane-key.pem  jane.pem
[root@k8s-master1 jane]#

Set the cluster parameters (the transcript below writes to kubectl.kubeconfig; the cluster entry must end up in the same jane.kubeconfig file that the following steps use, as the kubectl config view output in section 5 confirms)

[root@k8s-master1 jane]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.211.127:8443 --kubeconfig=kubectl.kubeconfig
Cluster "kubernetes" set.

Set the client authentication parameters

[root@k8s-master1 jane]# kubectl config set-credentials jane --client-certificate=jane.pem --client-key=jane-key.pem --embed-certs=true --kubeconfig=jane.kubeconfig
User "jane" set.

Set the context parameters

[root@k8s-master1 jane]# kubectl config set-context kubernetes --cluster=kubernetes --user=jane --kubeconfig=jane.kubeconfig
Context "kubernetes" created.

Set the current context to the newly created user jane

[root@k8s-master1 jane]#  kubectl config use-context kubernetes --kubeconfig=jane.kubeconfig
Switched to context "kubernetes".

At this point the user has been created.
Next we use this user to test Role and ClusterRole.

2. Role
A Role can only grant permissions on resources within a single namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
 
##apiVersion   the API version; list the available versions with kubectl api-versions
##kind         the resource type

##metadata     metadata
##name         the name of this resource
##namespace    the namespace it belongs to

##rules        the rules
##apiGroups    [""] denotes the core API group
##resources    the resources that may be operated on, e.g. pods
##verbs        the operations permitted on the resources above

3. ClusterRole
A ClusterRole can grant permissions on resources across the whole cluster.
It can also grant permissions on resources within a single namespace.
Which one you get depends on how it is bound: bound with a ClusterRoleBinding it applies cluster-wide, bound with a RoleBinding it applies only to that binding's namespace.

4. RoleBinding

A RoleBinding is used for a single namespace:
it binds the permissions of a Role to a user.
We use the Role above as the example.

First create the Role

[root@k8s-master1 quanxian]# cat role1.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl apply -f role1.yaml
role.rbac.authorization.k8s.io "pod-reader" created
[root@k8s-master1 quanxian]#

Bind it

[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane 
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl apply -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" created

Field explanation:

kind: RoleBinding                          ## the resource type is RoleBinding
apiVersion: rbac.authorization.k8s.io/v1   ## API version

metadata:                                  ## metadata
  name: read-pods                          ## name of this RoleBinding
  namespace: default                       ## namespace it operates in; here default (list namespaces with kubectl get namespace)

subjects:                                  ## the users we are granting access to
- kind: User                               ## kind can be User or ServiceAccount
  name: jane                               ## the newly added user name
  apiGroup: rbac.authorization.k8s.io      ## API group of the subject

roleRef:                                   ## the Role being bound
  kind: Role                               ## kind of the role being bound (Role or ClusterRole)
  name: pod-reader                         ## name of the Role being bound
  apiGroup: rbac.authorization.k8s.io      ## API group of the role

Check the permissions

[root@k8s-master1 jane]# kubectl describe role
Name:         pod-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get watch list]
[root@k8s-master1 jane]#

User jane only has permissions on pods

5. Verify that the Role for user jane works
Remember to back up the original config file first (this is important).
Use the jane.kubeconfig file generated earlier for user jane.

Rename the original config file

[root@k8s-master1 .kube]# mv config config.admin
[root@k8s-master1 .kube]# ls
cache  config.admin  http-cache

Move jane.kubeconfig into the directory

[root@k8s-master1 .kube]# mv /root/k8s/jane/jane.kubeconfig  .
[root@k8s-master1 .kube]# ls
cache  config.admin  http-cache  jane.kubeconfig

Rename it to config

[root@k8s-master1 .kube]# mv jane.kubeconfig config
[root@k8s-master1 .kube]# ll
total 20
drwxr-xr-x 3 root root   23 Aug 28 22:34 cache
-rw------- 1 root root 6193 Sep  5 02:47 config
-rw------- 1 root root 6215 Aug 28 22:31 config.admin                    
drwxr-xr-x 3 root root 4096 Sep  5 02:52 http-cache

Run a few commands and see

[root@k8s-master1 .kube]# kubectl get all
NAME                             READY     STATUS    RESTARTS   AGE
pod/httpd-app-6dc78c4869-8dmmq   1/1       Running   5          5d
pod/httpd-app-6dc78c4869-dbpxc   1/1       Running   4          5d
pod/httpd-app-6dc78c4869-hs59j   1/1       Running   5          5d
pod/httpd-app-6dc78c4869-lp4hs   1/1       Running   5          5d
pod/httpd-app-6dc78c4869-z9mc9   1/1       Running   5          5d
Error from server (Forbidden): replicationcontrollers is forbidden: User "jane" cannot list replicationcontrollers in the namespace "default"
Error from server (Forbidden): services is forbidden: User "jane" cannot list services in the namespace "default"
Error from server (Forbidden): daemonsets.apps is forbidden: User "jane" cannot list daemonsets.apps in the namespace "default"
Error from server (Forbidden): deployments.apps is forbidden: User "jane" cannot list deployments.apps in the namespace "default"
Error from server (Forbidden): replicasets.apps is forbidden: User "jane" cannot list replicasets.apps in the namespace "default"
Error from server (Forbidden): statefulsets.apps is forbidden: User "jane" cannot list statefulsets.apps in the namespace "default"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "jane" cannot list horizontalpodautoscalers.autoscaling in the namespace "default"
Error from server (Forbidden): jobs.batch is forbidden: User "jane" cannot list jobs.batch in the namespace "default"
Error from server (Forbidden): cronjobs.batch is forbidden: User "jane" cannot list cronjobs.batch in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "jane" cannot list services in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get roles
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "jane" cannot list roles.rbac.authorization.k8s.io in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get pod
NAME                         READY     STATUS    RESTARTS   AGE
httpd-app-6dc78c4869-8dmmq   1/1       Running   5          5d
httpd-app-6dc78c4869-dbpxc   1/1       Running   4          5d
httpd-app-6dc78c4869-hs59j   1/1       Running   5          5d
httpd-app-6dc78c4869-lp4hs   1/1       Running   5          5d
httpd-app-6dc78c4869-z9mc9   1/1       Running   5          5d
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.211.127:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: jane
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: jane
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master1 .kube]#

As we can see, User jane only has permissions on pods.

Remember the problem we ran into earlier?

 [root@k8s-master1 .kube]# kubectl logs httpd-app-6dc78c4869-z9mc9
Error from server (Forbidden): pods "httpd-app-6dc78c4869-z9mc9" is forbidden: User "jane" cannot get pods/log in the namespace "default"
[root@k8s-master1 .kube]# 

That problem has been reproduced here: the pod-reader Role grants verbs on pods, but kubectl logs reads the pods/log subresource, which must be listed separately under resources before it is allowed.
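The following is an added example, not code from the post: a small Python model of how RBAC rules are evaluated. It reproduces why jane's kubectl get pod succeeds while kubectl get svc and kubectl logs are Forbidden, and includes a hypothetical corrected Role (POD_READER_WITH_LOGS) that also lists the pods/log subresource.

```python
# Added example (not from the original post): a minimal model of how the API
# server matches a request against a Role's rules. POD_READER is transcribed
# from the post's role1.yaml; POD_READER_WITH_LOGS is a hypothetical fix.

POD_READER = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]

POD_READER_WITH_LOGS = [  # hypothetical corrected Role that also covers pods/log
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "watch", "list"]},
]

def _resource_matches(allowed, resource):
    """RBAC resource matching: exact name, "*", or "pods/*" for every pod subresource.
    Plain "pods" does NOT cover "pods/log"; subresources are distinct resources."""
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        return resource.split("/", 1)[0] + "/*" in allowed
    return False

def rule_allows(rule, api_group, resource, verb):
    """True if one rule covers the (apiGroup, resource, verb) request."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and _resource_matches(rule["resources"], resource)
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def can_i(rules, verb, resource, api_group=""):
    """RBAC is purely additive: any matching rule allows; no match means deny.
    `resource` may carry a subresource, e.g. "pods/log"."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)

def explain(rules, requests):
    """Map each (verb, resource, group) request to 'allowed' or 'Forbidden'."""
    return {req: ("allowed" if can_i(rules, *req) else "Forbidden") for req in requests}

# Constructed requests mirroring the commands jane ran in section 5.
REQUESTS = [
    ("list", "pods", ""),             # kubectl get pod
    ("list", "services", ""),         # kubectl get svc
    ("list", "deployments", "apps"),  # one of the calls behind kubectl get all
    ("get", "pods/log", ""),          # kubectl logs <pod>
]

if __name__ == "__main__":
    for name, rules in (("pod-reader", POD_READER), ("pod-reader+logs", POD_READER_WITH_LOGS)):
        for (verb, res, grp), verdict in explain(rules, REQUESTS).items():
            print(f"{name:16} {verb:5} {grp or 'core'}/{res:12} -> {verdict}")
```

On a real cluster the equivalent check is kubectl auth can-i get pods --subresource=log --as=jane -n default (or kubectl auth can-i --list --as=jane), which avoids swapping out the admin kubeconfig as section 5 does.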
 

6. Thinking a little further, this procedure is how different users in a k8s cluster are given different operating permissions.
