1.
Before starting, a question:
When deploying kubectl, kube-scheduler, kube-controller-manager and kubelet, a user or an SA (service account) was created for each of them.
Each of these users and SAs holds RBAC-assigned permissions to operate the API.
How are those permissions generated and assigned?
2.
Create a new user and record the whole process
Request a certificate from the CA; the private key and CSR are generated automatically (the CSR, certificate signing request, is what gets signed and can also be used for cross-signing or re-signing).
A certificate signing request file is needed; the reference file is shown below:
cat am1-csr.json
{
  "CN": "am1",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GD",
      "L": "SZ",
      "O": "system:masters",
      "OU": "k8s"
    }
  ]
}
Parameter details:
CN ##Common Name.
##Special use in a k8s cluster: kube-apiserver extracts this field from the certificate as the request's user name (User Name); a browser uses this field to verify that a website is legitimate, and websites normally put a domain name or IP here;
hosts ##If the hosts field is not empty, it must list the IPs or domain names authorized to use this certificate. The user being created here runs kubectl commands, and this certificate is only used by kubectl as a client certificate, so the hosts field is empty;
C ##Country
ST ##State or province
L ##Locality, city
O ##Organization Name: organization or company name.
##Special use in k8s: this parameter specifies the Group of the user presenting the certificate, for example "system:masters" here. After certificate authentication the user belongs to the RBAC group system:masters and therefore holds all of that group's permissions.
##kube-apiserver predefines part of the RBAC rolebindings in the cluster; these are looked up later.
OU ##Organization Unit Name: organizational unit, company department.
##Special use in k8s: kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to; it can be set to any value.
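The Python below is an added example, not code from the original post or from cfssl/Kubernetes. It shows how the subject fields of the CSR above become a Kubernetes identity, and adds the pre-signing checks an operator would want before running cfssl gencert. One fact to keep in mind when reading the OU note above: kube-apiserver's X.509 client-certificate authenticator takes CN as the user name and every O value as a group; OU is not consulted. The am1-csr.json content is taken from the page; the function names (build_client_csr, identity_from_csr, review_client_csr, cfssl_gencert_command) and the dev1/developers sample are my own, and the one-names-entry-per-group layout relies on cfssl appending each names[] entry's O to the certificate subject.

```python
import json

# Added example (not from the page). kube-apiserver's X.509 authenticator uses
# CN as the user name and every O value as a group; C, ST, L and OU are not
# consulted for authentication.

# The page's am1-csr.json, embedded here as sample input.
AM1_CSR = json.loads("""
{
  "CN": "am1",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [
    {"C": "CN", "ST": "GD", "L": "SZ", "O": "system:masters", "OU": "k8s"}
  ]
}
""")


def build_client_csr(username, groups, key_size=2048):
    """Build a cfssl CSR request (as a dict) for a kubectl client certificate.

    One names[] entry is emitted per group: cfssl appends each entry's O to the
    subject, so the signed certificate carries one O (one group) per entry.
    """
    if not username:
        raise ValueError("CN (the user name) must not be empty")
    return {
        "CN": username,
        "hosts": [],  # client-only certificate: no SANs, exactly as on the page
        "key": {"algo": "rsa", "size": key_size},
        "names": [{"C": "CN", "ST": "GD", "L": "SZ", "O": g, "OU": "k8s"} for g in groups],
    }


def identity_from_csr(csr):
    """Return (user, groups) as kube-apiserver derives them from the signed cert."""
    user = csr["CN"]
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    return user, groups


def review_client_csr(csr):
    """Pre-signing review: findings an operator should look at before signing.
    An empty list means nothing stood out."""
    findings = []
    user, groups = identity_from_csr(csr)
    if csr.get("hosts"):
        findings.append("hosts is non-empty: a kubectl client certificate needs no SANs")
    if user.startswith("system:"):
        findings.append("user names prefixed system: are reserved for Kubernetes components")
    if "system:masters" in groups:
        findings.append(
            "O=system:masters is bound to cluster-admin by the bootstrap "
            "ClusterRoleBinding, and kube-apiserver checks no certificate "
            "revocation list, so this certificate keeps full power until it expires")
    return findings


def cfssl_gencert_command(csr_file, ca_dir="/etc/kubernetes/cert", profile="kubernetes"):
    """Reproduce the signing command used on the page for a given CSR file."""
    base = csr_file[:-len("-csr.json")] if csr_file.endswith("-csr.json") else csr_file
    return (f"cfssl gencert -ca={ca_dir}/ca.pem -ca-key={ca_dir}/ca-key.pem "
            f"-config={ca_dir}/ca-config.json -profile={profile} {csr_file} "
            f"| cfssljson -bare {base}")


if __name__ == "__main__":
    # Constructed user dev1 in a constructed group "developers".
    print(json.dumps(build_client_csr("dev1", ["developers"]), indent=2))
    print(identity_from_csr(AM1_CSR))
    for finding in review_client_csr(AM1_CSR):
        print("finding:", finding)
    print(cfssl_gencert_command("am1-csr.json"))
```

Run it directly to print a CSR for a constructed low-privilege user, the identity the page's am1 certificate yields, and the review findings for it. The system:masters finding is the one that matters operationally: because the API server does no revocation checking, the only way to withdraw such a certificate early is to rotate the CA, so short validity periods and a less privileged group for day-to-day use are the usual mitigations.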
Run the command to request the certificate from the CA, shown below:
[root@k8s-master1 am]# cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes am1-csr.json | cfssljson -bare am1
2019/03/05 14:03:45 [INFO] generate received request
2019/03/05 14:03:45 [INFO] received CSR
2019/03/05 14:03:45 [INFO] generating key: rsa-2048
2019/03/05 14:03:47 [INFO] encoded CSR
2019/03/05 14:03:47 [INFO] signed certificate with serial number 298701151984123590557480669424567076050696231266
2019/03/05 14:03:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master1 am]# ls
am1.csr am1-csr.json am1-key.pem am1.pem
[root@k8s-master1 am]#
Run the kubectl config commands; for a detailed explanation see the post on the kubectl config command.
[root@k8s-master1 am]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.32.127:8443 --kubeconfig=am1config
Cluster "kubernetes" set.
[root@k8s-master1 am]# kubectl config set-credentials am1 --client-certificate=/root/k8s/key/am/am1.pem --client-key=/root/k8s/key/am/am1-key.pem --embed-certs=true --kubeconfig=am1config
User "am1" set.
[root@k8s-master1 am]# kubectl config set-context kubernetes --cluster=kubernetes --user=am1 --kubeconfig=am1config
Context "kubernetes" created.
[root@k8s-master1 am]# kubectl config use-context kubernetes --kubeconfig=am1config
Switched to context "kubernetes".
[root@k8s-master1 am]# ls
am1config am1.csr am1-csr.json am1-key.pem am1.pem
[root@k8s-master1 am]#
Copy the am1config file into the ~/.kube/ directory (note: by default, changing the k8s user means changing the ~/.kube/config file).
[root@k8s-master1 am]# cp am1config ~/.kube
[root@k8s-master1 .kube]# ls
am1config cache config http-cache
[root@k8s-master1 .kube]#
Replace config with am1config:
[root@k8s-master1 .kube]# mv config config.bk
[root@k8s-master1 .kube]# ls
am1config cache config.bk http-cache
[root@k8s-master1 .kube]# mv am1config config
[root@k8s-master1 .kube]# ls
cache config config.bk http-cache
[root@k8s-master1 .kube]#
At this point, user am1 has been created and is in use successfully.
3.
Check which user k8s is currently using
[root@k8s-master1 am]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.32.127:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: am1
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: am1
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master1 am]#
Check the permissions am1 has in k8s
[root@k8s-master1 am]# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/dnsutils-ds-4lslb 1/1 Running 17 4d
pod/dnsutils-ds-4svcr 1/1 Running 16 4d
pod/dnsutils-ds-7wqxf 1/1 Running 16 4d
pod/dnsutils-ds-f6qkj 1/1 Running 16 4d
pod/httpd-app-bbcbfb6cd-65phh 1/1 Running 7 5d
pod/httpd-app-bbcbfb6cd-6blv4 1/1 Running 4 5d
pod/httpd-app-bbcbfb6cd-pk9tk 1/1 Running 3 5d
pod/httpd-app-bbcbfb6cd-rl4w8 1/1 Running 4 5d
pod/httpd-app-bbcbfb6cd-rnhk8 1/1 Running 4 5d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dnsutils-ds NodePort 10.254.173.49 <none> 80:8977/TCP 4d
service/httpd-svc NodePort 10.254.120.185 <none> 80:8416/TCP 5d
service/kubernetes ClusterIP 10.254.0.1 <none> 443/TCP 5d
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/dnsutils-ds 4 4 4 4 4 <none> 4d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/httpd-app 5 5 5 5 5d
NAME DESIRED CURRENT READY AGE
replicaset.apps/httpd-app-bbcbfb6cd 5 5 5 5d
[root@k8s-master1 am]# kubectl get all -n kube-system
NAME READY STATUS RESTARTS AGE
pod/coredns-779ffd89bd-cwjt9 1/1 Running 3 4d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kube-dns ClusterIP 10.254.0.2 <none> 53/UDP,53/TCP 4d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/coredns 1 1 1 1 4d
NAME DESIRED CURRENT READY AGE
replicaset.apps/coredns-779ffd89bd 1 1 1 4d
[root@k8s-master1 am]#
We can see that user am1 meets the permission requirement we set: it holds all the permissions of the system:masters group.
4.
Check the permissions of the system:masters group
List the preset RBAC clusterrolebindings
[root@k8s-master1 am]# kubectl get clusterrolebindings
NAME AGE
auto-approve-csrs-for-group 5d
cluster-admin 5d
kube-apiserver 5d
kubelet-bootstrap 5d
node-client-cert-renewal 5d
node-server-cert-renewal 5d
system:aws-cloud-provider 5d
system:basic-user 5d
system:controller:attachdetach-controller 5d
system:controller:certificate-controller 5d
system:controller:clusterrole-aggregation-controller 5d
system:controller:cronjob-controller 5d
system:controller:daemon-set-controller 5d
system:controller:deployment-controller 5d
system:controller:disruption-controller 5d
system:controller:endpoint-controller 5d
system:controller:expand-controller 5d
system:controller:generic-garbage-collector 5d
system:controller:horizontal-pod-autoscaler 5d
system:controller:job-controller 5d
system:controller:namespace-controller 5d
system:controller:node-controller 5d
system:controller:persistent-volume-binder 5d
system:controller:pod-garbage-collector 5d
system:controller:pv-protection-controller 5d
system:controller:pvc-protection-controller 5d
system:controller:replicaset-controller 5d
system:controller:replication-controller 5d
system:controller:resourcequota-controller 5d
system:controller:route-controller 5d
system:controller:service-account-controller 5d
system:controller:service-controller 5d
system:controller:statefulset-controller 5d
system:controller:ttl-controller 5d
system:coredns 5d
system:discovery 5d
system:kube-controller-manager 5d
system:kube-dns 5d
system:kube-scheduler 5d
system:node 5d
system:node-proxier 5d
system:volume-scheduler 5d
Which one contains it?
[root@k8s-master1 am]# kubectl describe clusterrolebindings |grep -B 10 "system:masters"
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
Check the permissions of cluster-admin
[root@k8s-master1 am]# kubectl describe clusterroles cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
5.
Question: user am1 was added to the system:masters group; is it possible to look up which users are bound to the system:masters group?
No method found so far.
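Sections 4 and 5 ask where system:masters is bound and whether its members can be listed. The Python below is an added example, not code from the post or from Kubernetes: a small model of how the RBAC authorizer resolves a request through ClusterRoleBindings and ClusterRole rules, plus a helper that does the section 4 lookup (which bindings name a given group as a subject) in code. On the section 5 question: RBAC has no group object and the API server keeps no membership list. A group is whatever the O field of each presented certificate claims, so the API cannot enumerate a group's members; the only inventory of system:masters holders is on the CA side, in the record of certificates issued with O=system:masters. The cluster-admin role and binding are transcribed from the kubectl describe output above; the view-pods role, the dev-view binding and the dev1/developers subjects are constructed for the example.

```python
# Added example (not from the page). A minimal model of Kubernetes RBAC
# evaluation. Bindings map subjects (User/Group) to a ClusterRole; a role is
# a list of PolicyRules; a request is allowed if any matching binding's role
# has a rule that covers it. RBAC has no deny rule: no match means deny.

CLUSTER_ROLES = {
    # Transcribed from "kubectl describe clusterroles cluster-admin" above.
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
    # Constructed low-privilege role for comparison.
    "view-pods": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

CLUSTER_ROLE_BINDINGS = [
    # Transcribed from "kubectl describe clusterrolebindings" above.
    {"name": "cluster-admin", "roleRef": "cluster-admin",
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # Constructed binding for a user and a group.
    {"name": "dev-view", "roleRef": "view-pods",
     "subjects": [{"kind": "User", "name": "dev1"},
                  {"kind": "Group", "name": "developers"}]},
]


def _match(allowed, value):
    """RBAC list fields match exactly, with "*" meaning anything."""
    return "*" in allowed or value in allowed


def subject_matches(subject, user, groups):
    """True if a binding subject covers the request's user or one of its groups."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this example


def rule_allows_resource(rule, verb, api_group, resource):
    """Does one PolicyRule permit verb on api_group/resource?"""
    if "resources" not in rule:
        return False  # a non-resource rule never matches a resource request
    return (_match(rule["verbs"], verb)
            and _match(rule["apiGroups"], api_group)
            and _match(rule["resources"], resource))


def rule_allows_nonresource(rule, verb, path):
    """Non-resource URLs match exactly or by a trailing "*" prefix, e.g. "/api/*"."""
    if "nonResourceURLs" not in rule or not _match(rule["verbs"], verb):
        return False
    for pattern in rule["nonResourceURLs"]:
        if pattern == "*" or pattern == path:
            return True
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            return True
    return False


def is_allowed(user, groups, verb, api_group="", resource=None, path=None):
    """Authorize a request: walk every binding whose subjects cover the caller
    and return True on the first rule that permits the request."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        # A binding whose roleRef names a missing role grants nothing.
        for rule in CLUSTER_ROLES.get(binding["roleRef"], []):
            if resource is not None and rule_allows_resource(rule, verb, api_group, resource):
                return True
            if path is not None and rule_allows_nonresource(rule, verb, path):
                return True
    return False


def bindings_for_group(group):
    """Section 4's lookup in code: which bindings list this group as a subject.
    This is the only group-related query RBAC can answer; it cannot say which
    users carry the group, because that comes from each user's certificate."""
    return [b["name"] for b in CLUSTER_ROLE_BINDINGS
            if any(s["kind"] == "Group" and s["name"] == group for s in b["subjects"])]


if __name__ == "__main__":
    print(bindings_for_group("system:masters"))
    print(is_allowed("am1", ["system:masters"], "delete", "apps", "deployments"))
    print(is_allowed("dev1", [], "delete", "", "pods"))
```

Running it shows the page's result from another angle: am1 is not granted anything by name, the cluster-admin binding only names the group, and am1 is allowed everything purely because its certificate carries O=system:masters. The same logic explains why the constructed dev1 can read pods but not delete them, and why a subject in a group with no binding is denied everything.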