Theory and Practice: Kubernetes Security Mechanisms, and Creating a User with the Right Permissions


1. The Kubernetes security framework

2. Transport security, authentication, authorization, admission control

3. Authorizing with RBAC

Part 1: The Kubernetes security framework

Three gates, passed in order: the first gate is authentication, the second is authorization, and the third is admission control.

1.1 Structure

kubectl, the API and the UI are the ways of accessing and managing Kubernetes. The API is what integrations (secondary development) call, over HTTPS on port 6443.

A request submitted through kubectl calls /api/v1, /apis, /healthz and similar paths, and then passes through the security framework.

The security framework starts with authentication, which verifies identity using either a username and password or a token.

Authorization binds permissions; in the authorization step the request is assigned to the specified namespace.

Admission control is namespace-level admission: which resources may be used, and which plugins are invoked.

Before a plugin is used, the request is first checked against etcd to see whether it is recorded as authorized; if it is allowed, the operation is executed and recorded in etcd.


1.2 Workflow

kubectl first requests an API resource, and the request then passes three gates: the first is authentication, the second is authorization, and the third is admission control. Only a request that passes all three can make Kubernetes create the resource.

The Kubernetes security framework controls access in these three stages. Each stage supports plugins, which are enabled through the API Server configuration.

An ordinary user who wants to access the cluster's API server securely usually needs a certificate, a token, or a username + password.

Pod access requires a ServiceAccount.

1.3 The apiserver uses token authentication

--enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv

[root@master1 ~]# ps aux | grep apiserver 
root      56055  2.0  6.5 401116 254068 ?       Ssl  May08 261:28 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem
root      62506  0.0  0.0 112712   964 pts/1    S+   20:16   0:00 grep --color=auto apiserver

1.4 ServiceAccount

Provides identity to the processes inside a Pod and to external users; it is a system account.

A Pod can access the apiserver through its ServiceAccount.

[root@master1 ~]# kubectl get sa	#sa is short for serviceaccount
NAME      SECRETS   AGE
default   1         17d

Secure access from the web UI requires certificate verification.

External transport security: port 8080 is no longer used; 6443 is used instead.

Internally, the apiserver listens on 8080 for the master and the other components to connect to:

[root@master1 ~]# netstat -natp | grep 8080 | grep LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      56055/kube-apiserve 

Port 6443, exposed externally:

[root@master1 ~]# netstat -natp | grep 6443 | grep LISTEN
tcp        0      0 192.168.247.149:6443    0.0.0.0:*               LISTEN      56055/kube-apiserve 

Part 2: The first module, authentication

Three kinds of client authentication:

  • HTTPS certificate authentication: digital certificates signed by a CA
  • HTTP token authentication: the user is identified by a token; widely used in production
  • HTTP basic authentication: username + password

2.1 Certificate authentication in the Kubernetes cluster

https://blog.csdn.net/Lfwthotpt/article/details/105892377

The hosts list covers master1 (192.168.247.149), master2 (192.168.247.148), lb1 (192.168.247.145), lb2 (192.168.247.146) and the VIP (192.168.247.100). Those annotations are given here rather than inside the file, because cfssl parses the CSR as strict JSON and inline # comments would break it.

cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.247.149",
      "192.168.247.148",
      "192.168.247.145",
      "192.168.247.146",
      "192.168.247.100",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

2.2 HTTP token authentication

[root@master1 ~]# cat /k8s/cfg/token.csv 
a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
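How the apiserver turns a static token file like the one above into an identity, as an added example that is not from the original post: Python that parses the token.csv layout (token, user, uid, and a quoted comma-separated group list) and maps an Authorization header to that user. The token file is constructed here; its first line mirrors the page's kubelet-bootstrap entry and the second is an assumed extra entry for user gsy.

```python
import csv
import hmac
import io
from dataclasses import dataclass

# Constructed token file in the page's layout: token,user,uid,"group1,group2".
# Line 1 mirrors the page's kubelet-bootstrap entry; line 2 is an assumed extra
# entry for user gsy, added only for illustration.
TOKEN_CSV = (
    'a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
    'CONSTRUCTED-TOKEN-0001,gsy,10002,"dev,gsy-readers"\n'
)

@dataclass
class UserInfo:
    name: str
    uid: str
    groups: list

def parse_token_csv(text: str) -> dict:
    """token -> UserInfo. Every line needs at least 3 columns; column 4 is a comma list of groups."""
    users = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue                      # blank line
        if len(row) < 3:
            raise ValueError(f"line {lineno}: need at least 3 columns")
        token, name, uid = row[0], row[1], row[2]
        if not token:
            continue                      # an empty token can never match; skip it
        groups = row[3].split(",") if len(row) > 3 else []
        users[token] = UserInfo(name, uid, groups)
    return users

USERS = parse_token_csv(TOKEN_CSV)

def authenticate(authorization: str, users: dict = USERS):
    """Map an 'Authorization: Bearer <token>' header to a UserInfo, or None (unauthenticated)."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    found = None
    for known, info in users.items():    # compare each entry in constant time
        if hmac.compare_digest(known.encode(), token.encode()):
            found = info
    return found
```

The user name and groups returned here are exactly the user and group attributes that the authorization step reviews next.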

Part 3: The second module, authorization

RBAC (role-based access control) performs the authorization step.

Kubernetes reviews only the following API request attributes:

  • user: the user string provided during authentication
  • group: the list of group names the authenticated user belongs to
  • extra: a map of arbitrary string keys to string values, provided by the authentication layer
  • API: indicates whether the request is for an API resource
  • request path: the path to miscellaneous non-resource endpoints such as /api or /healthz
  • API request verb: the API verbs get, list, create, update, patch, watch, proxy, redirect, delete and deletecollection are used for resource requests (to determine the request verb for a resource API endpoint, see "Determine the request verb" in the Kubernetes authorization documentation)
  • HTTP request verb: the HTTP verbs get, post and delete are used for non-resource requests
  • resource: the ID or name of the resource being accessed (resource requests only); for resource requests using the get, update, patch and delete verbs, you must provide the resource name
  • subresource: the subresource being accessed (resource requests only)
  • namespace: the namespace of the object being accessed (namespaced resource requests only)
  • API group: the API group being accessed (resource requests only); an empty string designates the core API group

Because RBAC controls access by role:

  • first create the role
  • then create the resources to be bound
  • bind the role to the target user, or even to an API or a request

Binding in API mode is suited to integration development.

Part 4: The third module, admission control

admission control is in fact a list of admission controller plugins. Every request sent to the API server has to pass the check of each admission controller plugin in this list; if a check fails, the request is rejected.

--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction

NamespaceLifecycle: namespace lifecycle (reclaiming namespaces)

LimitRanger: quota management

ServiceAccount: injected into every pod for convenient API access

ResourceQuota: advanced, namespace-based quota management

NodeRestriction: a Node joining the cluster runs with minimal permissions

--authorization-mode=RBAC,Node

[root@master1 ~]# ps aux | grep apiserver
root       9973  0.0  0.0 112712   964 pts/1    S+   10:45   0:00 grep --color=auto apiserver
root      56055  2.0  6.6 401116 256536 ?       Ssl  May12 262:21 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem

The following are the officially recommended plugins (recommended for version 1.11 and above):

--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota

Part 5: Creating a new user based on the authorization mechanism

Create a user named gsy whose only permission is to view pods.

5.1 Authorizing with RBAC

RBAC (Role-Based Access Control) allows policies to be configured dynamically through the Kubernetes API.

Dynamic means flexible.

Role bindings are based on subjects.

  • Roles:

Role: grants access within a specific namespace

ClusterRole: grants access across all namespaces

  • Role bindings

RoleBinding: binds a role to a subject

ClusterRoleBinding: binds a cluster role to a subject

  • Subjects

User: a user

Group: a user group

ServiceAccount: a service account

https://kubernetes.io/docs/reference/access-authn-authz/rbac/

5.2 Create a new namespace for the test

[root@master1 ~]# kubectl get ns
NAME          STATUS   AGE
default       Active   21d
kube-public   Active   21d
kube-system   Active   21d
[root@master1 ~]# kubectl create ns gsy
namespace/gsy created
[root@master1 ~]# kubectl get ns
NAME          STATUS   AGE
default       Active   21d
gsy           Active   3s
kube-public   Active   21d
kube-system   Active   21d

5.3 Create an nginx pod in the gsy namespace

[root@master1 ~]# kubectl run nginxgsy1 --image=nginx -n gsy
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginxgsy1 created
[root@master1 ~]# kubectl get pods -n gsy
NAME                         READY   STATUS    RESTARTS   AGE
nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          13s

5.4 Scale the replicas with scale

Demonstrates elastic scaling.

[root@master1 ~]# kubectl scale deploy/nginxgsy1 --replicas=3 -n gsy
deployment.extensions/nginxgsy1 scaled
  • View
[root@master1 ~]# kubectl get all -n gsy
NAME                             READY   STATUS    RESTARTS   AGE
pod/nginxgsy1-74b78c5f6d-4q2ds   1/1     Running   0          18s
pod/nginxgsy1-74b78c5f6d-c6zwg   1/1     Running   0          18s
pod/nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          111s

NAME                        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginxgsy1   3         3         3            3           111s

NAME                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/nginxgsy1-74b78c5f6d   3         3         3       111s

5.5 Create the Role

Role: grants access within a specific namespace

  • Specify the role's permissions
[root@master1 ~]# vim rbac-role-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: gsy
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@master1 ~]# kubectl apply -f rbac-role-1.yaml 
role.rbac.authorization.k8s.io/pod-reader created
  • View
[root@master1 ~]# kubectl get role -n gsy
NAME         AGE
pod-reader   29s

5.6 Create the RoleBinding

RoleBinding: binds a role to a subject

Think of it as: create a user named gsy; in Kubernetes this user holds the Role pod-reader, and pod-reader's permissions are

- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  • Edit the YAML file and create the RoleBinding
[root@master1 ~]# vim rbac-rolebinding-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: gsy
subjects:
- kind: User
  name: gsy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role   
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
  • Apply the YAML file
[root@master1 ~]# kubectl apply -f rbac-rolebinding-1.yaml 
rolebinding.rbac.authorization.k8s.io/read-pods created
  • View the result
[root@master1 ~]# kubectl get role,rolebinding -n gsy
NAME                                        AGE
role.rbac.authorization.k8s.io/pod-reader   3m15s

NAME                                              AGE
rolebinding.rbac.authorization.k8s.io/read-pods   21s

5.7 Create a certificate for user gsy

[root@master1 ~]# mkdir gsy
[root@master1 ~]# cd gsy/
[root@master1 gsy]# vim rbac-gsy.sh
cat > gsy-csr.json <<EOF
{
  "CN": "gsy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes gsy-csr.json | cfssljson -bare gsy

kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://192.168.247.100:6443 \
  --kubeconfig=gsy-kubeconfig

kubectl config set-credentials gsy \
  --client-key=gsy-key.pem \
  --client-certificate=gsy.pem \
  --embed-certs=true \
  --kubeconfig=gsy-kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=gsy \
  --kubeconfig=gsy-kubeconfig

kubectl config use-context default --kubeconfig=gsy-kubeconfig

5.8 Copy the cluster's CA certificate and related material into the gsy directory

[root@master1 gsy]# cp /root/k8s/k8s-cert/ca* .
[root@master1 gsy]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  rbac-gsy.sh
  • Run the certificate script

Note: if the file was written on Windows first and then imported into Linux, convert it with the dos2unix tool: dos2unix <filename>

Basically every file dragged from Windows onto Linux needs a pass through dos2unix.

[root@master1 gsy]# ll
total 24
-rw-r--r--. 1 root root  294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root  263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root  826 May 21 12:08 rbac-gsy.sh
[root@master1 gsy]# bash rbac-gsy.sh 
2020/05/21 12:11:20 [INFO] generate received request
2020/05/21 12:11:20 [INFO] received CSR
2020/05/21 12:11:20 [INFO] generating key: rsa-2048
2020/05/21 12:11:20 [INFO] encoded CSR
2020/05/21 12:11:20 [INFO] signed certificate with serial number 381291725503683566914286086248484446753078376014
2020/05/21 12:11:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "gsy" set.
Context "default" created.
Switched to context "default".
  • View the result
[root@master1 gsy]# ll
total 48
-rw-r--r--. 1 root root  294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root  263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root  948 May 21 12:11 gsy.csr
-rw-r--r--. 1 root root  176 May 21 12:11 gsy-csr.json
-rw-------. 1 root root 1679 May 21 12:11 gsy-key.pem
-rw-------. 1 root root 6181 May 21 12:11 gsy-kubeconfig
-rw-r--r--. 1 root root 1342 May 21 12:11 gsy.pem
-rw-r--r--. 1 root root  826 May 21 12:08 rbac-gsy.sh

5.9 View gsy's kubeconfig

[root@master1 gsy]# cat gsy-kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 certificate data omitted>
    server: https://192.168.247.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: gsy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: gsy
  user:
    client-certificate-data: <base64 certificate data omitted>
    client-key-data: <base64 key data omitted>

5.10 Manage resources as gsy

Pointing kubectl at this kubeconfig file shows that the permissions are restricted:

[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "gsy" cannot list resource "pods" in API group "" in the namespace "default"
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods -n gsy
NAME                         READY   STATUS    RESTARTS   AGE
nginxgsy1-74b78c5f6d-4q2ds   1/1     Running   0          33m
nginxgsy1-74b78c5f6d-c6zwg   1/1     Running   0          33m
nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          34m

5.11 Accessing svc resources with gsy-kubeconfig is refused

[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get svc -n gsy
Error from server (Forbidden): services is forbidden: User "gsy" cannot list resource "services" in API group "" in the namespace "gsy"
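The authorization decision described in Part 3, and the three kubectl results above, as an added example that is not from the original post: a small Python evaluator over a constructed copy of the page's Role pod-reader and its two RoleBindings (read-pods for User gsy, and the sa-read-pods binding for ServiceAccount pod-reader created later on the page), applying the same request attributes and deny-by-default semantics as the Kubernetes RBAC authorizer.

```python
from dataclasses import dataclass

# Constructed mirror of the page's objects as plain dicts (no YAML library needed):
# Role pod-reader in namespace gsy, RoleBinding read-pods for User gsy, and
# RoleBinding sa-read-pods for ServiceAccount pod-reader.
ROLES = {("Role", "gsy", "pod-reader"): [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "gsy",
     "subjects": [{"kind": "User", "name": "gsy"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "namespace": "gsy",
     "subjects": [{"kind": "ServiceAccount", "name": "pod-reader", "namespace": "gsy"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

@dataclass
class Request:
    user: str            # user string from the authentication layer
    verb: str            # get, list, watch, create, ...
    resource: str        # pods, services, ...
    namespace: str = ""
    api_group: str = ""  # "" is the core API group
    groups: tuple = ()

def _hit(allowed, value):
    return "*" in allowed or value in allowed

def _rule_allows(rule, req):
    return (_hit(rule["apiGroups"], req.api_group) and _hit(rule["resources"], req.resource)
            and _hit(rule["verbs"], req.verb))

def _subject_matches(subject, req, binding_ns):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    if subject["kind"] == "ServiceAccount":  # identity is system:serviceaccount:<ns>:<name>
        ns = subject.get("namespace") or binding_ns
        return req.user == f"system:serviceaccount:{ns}:{subject['name']}"
    return False

def authorize(req):
    """Deny by default: allow only if a binding names the subject and its role grants the verb."""
    for b in BINDINGS:
        binding_ns = b.get("namespace", "")
        # A RoleBinding only grants access inside its own namespace; a ClusterRoleBinding is cluster-wide.
        if b["kind"] == "RoleBinding" and req.namespace != binding_ns:
            continue
        if not any(_subject_matches(s, req, binding_ns) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        # A ClusterRole lives cluster-wide; a Role is looked up in the binding's namespace.
        key = ("ClusterRole", "", ref["name"]) if ref["kind"] == "ClusterRole" else ("Role", binding_ns, ref["name"])
        if any(_rule_allows(r, req) for r in ROLES.get(key, [])):
            return True
    return False

def decide(req):
    """'allowed', or the Forbidden message in the page's kubectl output."""
    if authorize(req):
        return "allowed"
    return (f'User "{req.user}" cannot {req.verb} resource "{req.resource}" '
            f'in API group "{req.api_group}" in the namespace "{req.namespace}"')
```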

5.12 UI access

Log in with the gsy identity.

  • Look up the UI's IP address
[root@master1 gsy]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.0.0.2     <none>        53/UDP,53/TCP   4d2h
kubernetes-dashboard   NodePort    10.0.0.237   <none>        443:30001/TCP   13d
[root@master1 gsy]# kubectl get all -n kube-system -o wide
NAME                                        READY   STATUS    RESTARTS   AGE    IP            NODE              NOMINATED NODE
pod/coredns-56684f94d6-ckxz7                1/1     Running   1          4d2h   172.17.57.3   192.168.247.143   <none>
pod/kubernetes-dashboard-7dffbccd68-l4tcd   1/1     Running   3          13d    172.17.88.2   192.168.247.144   <none>

NAME                           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE    SELECTOR
service/kube-dns               ClusterIP   10.0.0.2     <none>        53/UDP,53/TCP   4d2h   k8s-app=kube-dns
service/kubernetes-dashboard   NodePort    10.0.0.237   <none>        443:30001/TCP   13d    k8s-app=kubernetes-dashboard

NAME                                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE    CONTAINERS             IMAGES                                       SELECTOR
deployment.apps/coredns                1         1         1            1           4d2h   coredns                coredns/coredns:1.2.2                        k8s-app=kube-dns
deployment.apps/kubernetes-dashboard   1         1         1            1           13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard

NAME                                              DESIRED   CURRENT   READY   AGE    CONTAINERS             IMAGES                                       SELECTOR
replicaset.apps/coredns-56684f94d6                1         1         1       4d2h   coredns                coredns/coredns:1.2.2                        k8s-app=kube-dns,pod-template-hash=56684f94d6
replicaset.apps/kubernetes-dashboard-65f974f565   0         0         0       13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard,pod-template-hash=65f974f565
replicaset.apps/kubernetes-dashboard-7dffbccd68   1         1         1       13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard,pod-template-hash=7dffbccd68

  • Visit 192.168.247.144:30001

5.13 Logging in here uses a token, so gsy first needs one

First look at the existing tokens.

A token is a secret resource.

[root@master1 gsy]# kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
coredns-token-lszn8                kubernetes.io/service-account-token   3      4d2h
dashboard-admin-token-dmlzw        kubernetes.io/service-account-token   3      13d
default-token-w9vck                kubernetes.io/service-account-token   3      21d
kubernetes-dashboard-certs         Opaque                                11     13d
kubernetes-dashboard-key-holder    Opaque                                2      13d
kubernetes-dashboard-token-7dhnw   kubernetes.io/service-account-token   3      13d
[root@master1 gsy]# kubectl describe secret dashboard-admin-token-dmlzw  -n kube-system
Name:         dashboard-admin-token-dmlzw
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 34604321-90de-11ea-a668-000c29db840b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tZG1senciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzQ2MDQzMjEtOTBkZS0xMWVhLWE2NjgtMDAwYzI5ZGI4NDBiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.iK6wXehw9ZlK4Qjln4uiPR5Ww1K14t23rvJ-pmn56ynHw1KXow1Pg1Qi2hUY01ncCBjbyjaJBtcVNez-XFr7VQXO7lCPbnxlXat0euD2Qg8DPy-PQBnyAd2Jgh_y1e_OIgcrMowhyKUhkqaNPxDG4HWUqIFzcnHdaxOtCPZQ3GTV8XfoAe4aLemCdIHsZHoCeWKbwFJgnczvbBnzyZ0w91JdoAYK6xVc-fpVz4Pin5IodQ81TOFS2uwLyTQ8aGyrK-HuOs-mTPqDMBS8fWvsJttRtgI2UUwdsSodxEgRREXWUNg15swcVVF9_fiO7wsoXk7IhXAaAnNCd7gIF419Lw
[root@master1 gsy]# 

  • Edit the YAML file

    Create a Kubernetes system account named pod-reader, and bind the system account to the role (the permissions).

    A ServiceAccount can be thought of as a program (non-human) user.

[root@master1 gsy]# vim sa.yaml	#set up the permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: gsy

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-read-pods
  namespace: gsy
subjects:
- kind: ServiceAccount
  name: pod-reader
  namespace: gsy	#the ServiceAccount's namespace, stated explicitly rather than left to default
roleRef:		#roleRef: the role this binding grants
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
  • Apply the file
[root@master1 gsy]# kubectl apply -f sa.yaml 
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created

  • View the result
[root@master1 gsy]#  kubectl get sa -n gsy
NAME         SECRETS   AGE
default      1         46m
pod-reader   1         18s

5.14 View the generated token

[root@master1 gsy]# kubectl describe secret pod-reader -n gsy
Name:         pod-reader-token-g748p
Namespace:    gsy
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-reader
              kubernetes.io/service-account.uid: 51718e1a-9b1b-11ea-a668-000c29db840b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  3 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJnc3kiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicG9kLXJlYWRlci10b2tlbi1nNzQ4cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwb2QtcmVhZGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE3MThlMWEtOWIxYi0xMWVhLWE2NjgtMDAwYzI5ZGI4NDBiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmdzeTpwb2QtcmVhZGVyIn0.Qpskpt__S1e6Bk2u1CBKw2ZGi737EQhLgNems2c3AcvfEENS8XIVlb-5rixsd9c_Do9IA_hzVf47nFEqWuuGae8-wYNloknq0Qa0tQd6jsPH8W_r8n807YDwO7l0WB_j1_-XVxSxntHr3tZZqErIkgUCylLQESvftXBnVcHWHnVIj5-daKfWi-stM7UeRf2QGND5gntNeSyzXMI427dgDFrUNYr7kKcgVhOzHRI1W8L0gknWAHkDOXkNAn-ABSd_lGuoRlNxpsFkPz_MuSvI1Wk6fYdZZKqWDrBgSIlZ0EGrQ5YUIs22V9CTW3WgzqzDWaZX1sCamJFuyQNdW6pEsg
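What the pod-reader token above actually asserts, as an added example that is not part of the original post: Python that decodes the claims of a legacy ServiceAccount token (a compact JWS) and checks that its sub claim agrees with its namespace and account claims, using a constructed token with the same claim layout as the page's. It does not verify the signature; only the apiserver, holding the key behind --service-account-key-file, can vouch for a token, so this is for inspecting which account a secret belongs to, never for trusting it.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token with the same claim layout as the page's pod-reader token.
# The signature segment is a dummy, so the apiserver would reject this token.
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "gsy",
    "kubernetes.io/serviceaccount/secret.name": "pod-reader-token-g748p",
    "kubernetes.io/serviceaccount/service-account.name": "pod-reader",
    "kubernetes.io/serviceaccount/service-account.uid": "51718e1a-9b1b-11ea-a668-000c29db840b",
    "sub": "system:serviceaccount:gsy:pod-reader",
}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "kid": ""}).encode()),
                         _b64url(json.dumps(_CLAIMS).encode()),
                         _b64url(b"constructed-dummy-signature")])

def decode_segments(token: str):
    """Return (header, claims) of a compact JWS token WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    def dec(seg):
        seg += "=" * (-len(seg) % 4)          # restore the stripped base64url padding
        return json.loads(base64.urlsafe_b64decode(seg))
    return dec(parts[0]), dec(parts[1])

def sa_identity(token: str):
    """(namespace, serviceaccount) the token claims, cross-checked against its sub claim."""
    header, claims = decode_segments(token)
    if header.get("alg") == "none" or claims.get("iss") != "kubernetes/serviceaccount":
        raise ValueError("not a Kubernetes service-account token")
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    sa = claims["kubernetes.io/serviceaccount/service-account.name"]
    if claims.get("sub") != f"system:serviceaccount:{ns}:{sa}":
        raise ValueError("sub claim does not match the namespace/service-account claims")
    return ns, sa
```

The identity returned, system:serviceaccount:gsy:pod-reader, is the user name the RBAC authorizer matches against the ServiceAccount subject in sa-read-pods.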


5.15 Log in

  • Permissions are restricted

  • Only the pods inside the gsy namespace can be viewed
