Contents
1. The Kubernetes security framework
2. Transport security, authentication, authorization, admission control
3. Authorizing with RBAC
Part 1: The Kubernetes security framework
Three layers: authentication, authorization, and role binding.
The first gate is authentication, the second gate is authorization, and the third gate is admission control.
1.1 Structural analysis
kubectl, the API and the UI are the ways to access and manage Kubernetes; the API is what is called during custom development, over HTTPS on port 6443.
A request is submitted through kubectl and calls paths such as /api/v1, /apis or /healthz; it then passes through the security framework.
The security framework begins with authentication, which verifies identity using either a [username and password] or a [token].
Next comes authorization, which binds permissions: the authorization step assigns the identity to a specified namespace.
Then admission control, which governs admission to the namespace: which resources may be used and which plugins are invoked.
Before a plugin is used, etcd is consulted to check whether the operation is authorized; if it is allowed, the operation is executed and recorded in etcd.
1.2 Workflow
kubectl first requests an API resource, and the request then passes three gates: authentication, authorization and admission control. Only after passing all three can Kubernetes create the resource.
The Kubernetes security control framework is driven by these three stages; each stage supports plugins, which are enabled through the API Server configuration.
An ordinary user who wants to access the cluster API server securely usually needs a certificate, a token, or a username plus password;
a Pod accesses it with a ServiceAccount.
1.3 The apiserver uses token authentication
--enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv
[root@master1 ~]# ps aux | grep apiserver
root 56055 2.0 6.5 401116 254068 ? Ssl May08 261:28 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem
root 62506 0.0 0.0 112712 964 pts/1 S+ 20:16 0:00 grep --color=auto apiserver
1.4 ServiceAccount
Provides identity for the processes inside a Pod and for external users; it is a system account.
A Pod can access the apiserver through its ServiceAccount.
[root@master1 ~]# kubectl get sa   # sa is short for serviceaccount
NAME SECRETS AGE
default 1 17d
Secure access to the web UI requires certificate verification.
External transport security: no longer port 8080, but 6443.
Internally the apiserver listens on 8080 for the master and the other components to connect to.
[root@master1 ~]# netstat -natp | grep 8080 | grep LISTEN
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 56055/kube-apiserve
The externally exposed port 6443
[root@master1 ~]# netstat -natp | grep 6443 | grep LISTEN
tcp 0 0 192.168.247.149:6443 0.0.0.0:* LISTEN 56055/kube-apiserve
二:第一模塊,認證authentication
三種客戶端身份認證
- HTTPS證書認證:基於CA證書籤名的數字證書認證
- HTTP token 認證:通過一個token來識別用戶——在生產環境中使用廣泛
- HTTP base認證:用戶名+密碼的方式認證
2.1 Certificate authentication in a K8s cluster
https://blog.csdn.net/Lfwthotpt/article/details/105892377
# hosts: 192.168.247.149 = master1, 192.168.247.148 = master2, 192.168.247.145 = lb1, 192.168.247.146 = lb2, 192.168.247.100 = VIP
# (JSON has no comments, so the annotations are kept out of the heredoc; cfssl would reject them otherwise)
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.247.149",
    "192.168.247.148",
    "192.168.247.145",
    "192.168.247.146",
    "192.168.247.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
2.2 HTTP token authentication
[root@master1 ~]# cat /k8s/cfg/token.csv
a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
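An added example, not from the original post, of how a static token file in the format shown above is loaded and how a presented bearer token is mapped to a user, uid and groups, including the implicit system:authenticated group every authenticated identity receives. The first sample line is the post's kubelet-bootstrap entry; the second line (user ci-bot and its token) is constructed.

```python
import csv
import hmac
import io
from typing import List, Optional, Tuple

# Constructed sample in the --token-auth-file format: token,user,uid,"group1,group2,...".
# The groups column is optional and is one quoted field holding comma-separated names.
# Line 1 is the post's kubelet-bootstrap entry; line 2 is made up for this example.
TOKEN_CSV = (
    'a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
    'deadbeefdeadbeefdeadbeefdeadbeef,ci-bot,10002,"system:masters,dev-team"\n'
)


def load_token_file(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse the static token file into (token, user, uid, groups) records."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # skip blank lines
        token, user, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        records.append((token, user, uid, groups))
    return records


def authenticate_bearer(presented: str, records) -> Optional[dict]:
    """Return the user info attached to the request for a matching token, or None.

    Every authenticated identity also gets the implicit system:authenticated group.
    The comparison is constant-time so response timing does not reveal how much
    of a guessed token matched.
    """
    for token, user, uid, groups in records:
        if hmac.compare_digest(presented, token):
            return {"user": user, "uid": uid, "groups": groups + ["system:authenticated"]}
    return None
```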
Part 3: Module 2, authorization
RBAC (role-based access control) performs the authorization work.
Kubernetes reviews only the following API request attributes:
- user: the user string provided during authentication
- group: the list of group names to which the authenticated user belongs
- extra: a map of arbitrary string keys to string values, provided by the authentication layer
- API: indicates whether the request is for an API resource
- request path: the path to miscellaneous non-resource endpoints such as /api or /healthz
- API request verb: the API verbs get, list, create, update, patch, watch, proxy, redirect, delete and deletecollection are used for resource requests. To determine the request verb for a resource API endpoint, see "determine the request verb" in the Kubernetes authorization documentation.
- HTTP request verb: the HTTP verbs get, post and delete are used for non-resource requests.
- resource: the ID or name of the resource being accessed (for resource requests only); for resource requests using the get, update, patch and delete verbs, the resource name must be provided
- subresource: the subresource being accessed (for resource requests only)
- namespace: the namespace of the object being accessed (for namespaced resource requests only)
- API group: the API group being accessed (for resource requests only); an empty string designates the core API group
Because RBAC controls access by role:
- first create the role
- then create the resources to be bound
- then bind the role to the target user, or even to an API or a request
Binding in API mode is suited to custom development.
Part 4: Module 3, admission control
Admission control is really a list of admission controller plugins: every request sent to the API server must pass the check of each plugin in the list, and a request that fails a check is rejected.
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction
NamespaceLifecycle: namespace reclamation
LimitRanger: quota management
ServiceAccount: injected into every Pod for convenient API access
ResourceQuota: advanced namespace-based quota management
NodeRestriction: nodes that join the K8s cluster run with minimal privileges
--authorization-mode=RBAC,Node
[root@master1 ~]# ps aux | grep apiserver
root 9973 0.0 0.0 112712 964 pts/1 S+ 10:45 0:00 grep --color=auto apiserver
root 56055 2.0 6.6 401116 256536 ? Ssl May12 262:21 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem
The officially recommended plugin set (for version 1.11 and above):
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
Part 5: Creating a new user with the authorization mechanism
Create a user named gsy whose only permission is viewing Pods.
5.1 Authorizing with RBAC
RBAC (Role-Based Access Control) allows policy to be configured dynamically through the Kubernetes API.
Dynamic means flexible.
Subject-based role binding:
- Roles:
  Role: grants access within a specific namespace
  ClusterRole: grants access across all namespaces
- Role bindings:
  RoleBinding: binds a Role to a subject
  ClusterRoleBinding: binds a ClusterRole to a subject
- Subjects:
  User: a user
  Group: a group of users
  ServiceAccount: a service account
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
5.2 Create a new namespace for testing
[root@master1 ~]# kubectl get ns
NAME STATUS AGE
default Active 21d
kube-public Active 21d
kube-system Active 21d
[root@master1 ~]# kubectl create ns gsy
namespace/gsy created
[root@master1 ~]# kubectl get ns
NAME STATUS AGE
default Active 21d
gsy Active 3s
kube-public Active 21d
kube-system Active 21d
5.3 Create an nginx Pod in the gsy namespace
[root@master1 ~]# kubectl run nginxgsy1 --image=nginx -n gsy
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginxgsy1 created
[root@master1 ~]# kubectl get pods -n gsy
NAME READY STATUS RESTARTS AGE
nginxgsy1-74b78c5f6d-grq29 1/1 Running 0 13s
5.4 Scale up the replicas with scale
Demonstrates elastic scaling.
[root@master1 ~]# kubectl scale deploy/nginxgsy1 --replicas=3 -n gsy
deployment.extensions/nginxgsy1 scaled
- Check
[root@master1 ~]# kubectl get all -n gsy
NAME READY STATUS RESTARTS AGE
pod/nginxgsy1-74b78c5f6d-4q2ds 1/1 Running 0 18s
pod/nginxgsy1-74b78c5f6d-c6zwg 1/1 Running 0 18s
pod/nginxgsy1-74b78c5f6d-grq29 1/1 Running 0 111s
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/nginxgsy1 3 3 3 3 111s
NAME DESIRED CURRENT READY AGE
replicaset.apps/nginxgsy1-74b78c5f6d 3 3 3 111s
5.5 Create a Role
Role: grants access within a specific namespace
- Specify the role's permissions
[root@master1 ~]# vim rbac-role-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: gsy
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@master1 ~]# kubectl apply -f rbac-role-1.yaml
role.rbac.authorization.k8s.io/pod-reader created
- Check
[root@master1 ~]# kubectl get role -n gsy
NAME AGE
pod-reader 29s
5.6 Create a RoleBinding
RoleBinding: binds a Role to a subject
Think of it as creating a user named gsy who holds the Role pod-reader in Kubernetes, where pod-reader's permissions are:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- Edit the YAML file and create the RoleBinding
[root@master1 ~]# vim rbac-rolebinding-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: gsy
subjects:
- kind: User
  name: gsy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
- Apply the YAML file
[root@master1 ~]# kubectl apply -f rbac-rolebinding-1.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
- Check the result
[root@master1 ~]# kubectl get role,rolebinding -n gsy
NAME AGE
role.rbac.authorization.k8s.io/pod-reader 3m15s
NAME AGE
rolebinding.rbac.authorization.k8s.io/read-pods 21s
5.7 Create a certificate for user gsy
[root@master1 ~]# mkdir gsy
[root@master1 ~]# cd gsy/
[root@master1 gsy]# vim rbac-gsy.sh
cat > gsy-csr.json <<EOF
{
  "CN": "gsy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes gsy-csr.json | cfssljson -bare gsy
# All three kubectl config steps must write to the same kubeconfig file (gsy-kubeconfig),
# otherwise the cluster entry ends up in a different file from the user and context.
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://192.168.247.100:6443 \
  --kubeconfig=gsy-kubeconfig
kubectl config set-credentials gsy \
  --client-key=gsy-key.pem \
  --client-certificate=gsy.pem \
  --embed-certs=true \
  --kubeconfig=gsy-kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=gsy \
  --kubeconfig=gsy-kubeconfig
kubectl config use-context default --kubeconfig=gsy-kubeconfig
5.8 Copy the cluster's existing CA certificate and related material into the gsy directory
[root@master1 gsy]# cp /root/k8s/k8s-cert/ca* .
[root@master1 gsy]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem rbac-gsy.sh
- Run the certificate script
Note: if the file was written on Windows and then copied to Linux, convert it first with the dos2unix tool: dos2unix <filename>
Almost every file dragged from Windows onto Linux needs a dos2unix pass.
[root@master1 gsy]# ll
total 24
-rw-r--r--. 1 root root 294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root 263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root 826 May 21 12:08 rbac-gsy.sh
[root@master1 gsy]# bash rbac-gsy.sh
2020/05/21 12:11:20 [INFO] generate received request
2020/05/21 12:11:20 [INFO] received CSR
2020/05/21 12:11:20 [INFO] generating key: rsa-2048
2020/05/21 12:11:20 [INFO] encoded CSR
2020/05/21 12:11:20 [INFO] signed certificate with serial number 381291725503683566914286086248484446753078376014
2020/05/21 12:11:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "gsy" set.
Context "default" created.
Switched to context "default".
- Check the result
[root@master1 gsy]# ll
total 48
-rw-r--r--. 1 root root 294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root 263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root 948 May 21 12:11 gsy.csr
-rw-r--r--. 1 root root 176 May 21 12:11 gsy-csr.json
-rw-------. 1 root root 1679 May 21 12:11 gsy-key.pem
-rw-------. 1 root root 6181 May 21 12:11 gsy-kubeconfig
-rw-r--r--. 1 root root 1342 May 21 12:11 gsy.pem
-rw-r--r--. 1 root root 826 May 21 12:08 rbac-gsy.sh
5.9 View gsy's kubeconfig
[root@master1 gsy]# cat gsy-kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 omitted>
    server: https://192.168.247.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: gsy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: gsy
  user:
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>
5.10 Manage resources as gsy
Point kubectl at the gsy kubeconfig file and the permissions turn out to be restricted.
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "gsy" cannot list resource "pods" in API group "" in the namespace "default"
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods -n gsy
NAME READY STATUS RESTARTS AGE
nginxgsy1-74b78c5f6d-4q2ds 1/1 Running 0 33m
nginxgsy1-74b78c5f6d-c6zwg 1/1 Running 0 33m
nginxgsy1-74b78c5f6d-grq29 1/1 Running 0 34m
5.11 Accessing svc resources with gsy-kubeconfig is refused
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get svc -n gsy
Error from server (Forbidden): services is forbidden: User "gsy" cannot list resource "services" in API group "" in the namespace "gsy"
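An added example, not from the original post, that models in Python how the request attributes listed under authorization are evaluated against the Role and the two RoleBindings created above, reproducing the allowed and Forbidden results just shown. It assumes kube-apiserver's client-certificate rule that the certificate CN becomes the username and each O becomes a group (gsy-csr.json has no O, so gsy belongs to no group of its own); the object names are the post's, the code is mine.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class UserInfo:
    name: str
    groups: List[str]


def authenticate_x509(subject: dict) -> UserInfo:
    """Client-certificate authentication: CN is the username, each O is a group."""
    return UserInfo(subject["CN"], list(subject.get("O", [])) + ["system:authenticated"])


# The post's Role and its two RoleBindings (read-pods, sa-read-pods), reduced to what RBAC evaluates.
ROLES = {
    ("gsy", "pod-reader"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
ROLEBINDINGS = [
    {"namespace": "gsy", "roleRef": "pod-reader", "subjects": [("User", "gsy")]},
    {"namespace": "gsy", "roleRef": "pod-reader", "subjects": [("ServiceAccount", "pod-reader")]},
]


def subject_matches(kind: str, name: str, binding_ns: str, user: UserInfo) -> bool:
    if kind == "User":
        return user.name == name
    if kind == "Group":
        return name in user.groups
    if kind == "ServiceAccount":
        # A ServiceAccount subject with no namespace of its own defaults to the binding's namespace.
        return user.name == f"system:serviceaccount:{binding_ns}:{name}"
    return False


def rule_allows(rule: dict, verb: str, resource: str, api_group: str) -> bool:
    def hit(values, want):
        return want in values or "*" in values  # "*" is the RBAC wildcard
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def authorize(user: UserInfo, verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """Deny by default: allow only if a binding in this namespace names the user and its Role has a matching rule."""
    for binding in ROLEBINDINGS:
        if binding["namespace"] != namespace:
            continue
        if not any(subject_matches(k, n, binding["namespace"], user) for k, n in binding["subjects"]):
            continue
        if any(rule_allows(r, verb, resource, api_group) for r in ROLES.get((namespace, binding["roleRef"]), [])):
            return True
    return False


GSY = authenticate_x509({"CN": "gsy"})  # gsy-csr.json: CN "gsy", no O field
```

Running the same three requests the post issued gives False for pods in default, True for pods in gsy and False for services in gsy; the ServiceAccount bound by sa-read-pods is allowed to get pods in gsy as well.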
5.12 UI access
Log in to the dashboard with gsy's identity.
- Find the UI's IP address
[root@master1 gsy]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.0.0.2 <none> 53/UDP,53/TCP 4d2h
kubernetes-dashboard NodePort 10.0.0.237 <none> 443:30001/TCP 13d
[root@master1 gsy]# kubectl get all -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
pod/coredns-56684f94d6-ckxz7 1/1 Running 1 4d2h 172.17.57.3 192.168.247.143 <none>
pod/kubernetes-dashboard-7dffbccd68-l4tcd 1/1 Running 3 13d 172.17.88.2 192.168.247.144 <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kube-dns ClusterIP 10.0.0.2 <none> 53/UDP,53/TCP 4d2h k8s-app=kube-dns
service/kubernetes-dashboard NodePort 10.0.0.237 <none> 443:30001/TCP 13d k8s-app=kubernetes-dashboard
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/coredns 1 1 1 1 4d2h coredns coredns/coredns:1.2.2 k8s-app=kube-dns
deployment.apps/kubernetes-dashboard 1 1 1 1 13d kubernetes-dashboard siriuszg/kubernetes-dashboard-amd64:v1.8.3 k8s-app=kubernetes-dashboard
NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
replicaset.apps/coredns-56684f94d6 1 1 1 4d2h coredns coredns/coredns:1.2.2 k8s-app=kube-dns,pod-template-hash=56684f94d6
replicaset.apps/kubernetes-dashboard-65f974f565 0 0 0 13d kubernetes-dashboard siriuszg/kubernetes-dashboard-amd64:v1.8.3 k8s-app=kubernetes-dashboard,pod-template-hash=65f974f565
replicaset.apps/kubernetes-dashboard-7dffbccd68 1 1 1 13d kubernetes-dashboard siriuszg/kubernetes-dashboard-amd64:v1.8.3 k8s-app=kubernetes-dashboard,pod-template-hash=7dffbccd68
- Browse to 192.168.247.144:30001
5.13 Token login: first give gsy a token
First look at the existing tokens.
A token is stored in a Secret resource.
[root@master1 gsy]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
coredns-token-lszn8 kubernetes.io/service-account-token 3 4d2h
dashboard-admin-token-dmlzw kubernetes.io/service-account-token 3 13d
default-token-w9vck kubernetes.io/service-account-token 3 21d
kubernetes-dashboard-certs Opaque 11 13d
kubernetes-dashboard-key-holder Opaque 2 13d
kubernetes-dashboard-token-7dhnw kubernetes.io/service-account-token 3 13d
[root@master1 gsy]# kubectl describe secret dashboard-admin-token-dmlzw -n kube-system
Name: dashboard-admin-token-dmlzw
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 34604321-90de-11ea-a668-000c29db840b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.<payload omitted>.iK6wXehw9ZlK4Qjln4uiPR5Ww1K14t23rvJ-pmn56ynHw1KXow1Pg1Qi2hUY01ncCBjbyjaJBtcVNez-XFr7VQXO7lCPbnxlXat0euD2Qg8DPy-PQBnyAd2Jgh_y1e_OIgcrMowhyKUhkqaNPxDG4HWUqIFzcnHdaxOtCPZQ3GTV8XfoAe4aLemCdIHsZHoCeWKbwFJgnczvbBnzyZ0w91JdoAYK6xVc-fpVz4Pin5IodQ81TOFS2uwLyTQ8aGyrK-HuOs-mTPqDMBS8fWvsJttRtgI2UUwdsSodxEgRREXWUNg15swcVVF9_fiO7wsoXk7IhXAaAnNCd7gIF419Lw
- Edit the YAML file
Create a Kubernetes system account named pod-reader and bind it to the role (the permissions).
A ServiceAccount can be thought of as a program user.
[root@master1 gsy]# vim sa.yaml   # set up the permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: gsy
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-read-pods
  namespace: gsy
subjects:
- kind: ServiceAccount
  name: pod-reader
roleRef: # the role this binding grants
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
- Apply the manifest
[root@master1 gsy]# kubectl apply -f sa.yaml
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created
- Check the result
[root@master1 gsy]# kubectl get sa -n gsy
NAME SECRETS AGE
default 1 46m
pod-reader 1 18s
5.14 View the generated token
[root@master1 gsy]# kubectl describe secret pod-reader -n gsy
Name: pod-reader-token-g748p
Namespace: gsy
Labels: <none>
Annotations: kubernetes.io/service-account.name: pod-reader
kubernetes.io/service-account.uid: 51718e1a-9b1b-11ea-a668-000c29db840b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 3 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJnc3kiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicG9kLXJlYWRlci10b2tlbi1nNzQ4cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwb2QtcmVhZGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE3MThlMWEtOWIxYi0xMWVhLWE2NjgtMDAwYzI5ZGI4NDBiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmdzeTpwb2QtcmVhZGVyIn0.Qpskpt__S1e6Bk2u1CBKw2ZGi737EQhLgNems2c3AcvfEENS8XIVlb-5rixsd9c_Do9IA_hzVf47nFEqWuuGae8-wYNloknq0Qa0tQd6jsPH8W_r8n807YDwO7l0WB_j1_-XVxSxntHr3tZZqErIkgUCylLQESvftXBnVcHWHnVIj5-daKfWi-stM7UeRf2QGND5gntNeSyzXMI427dgDFrUNYr7kKcgVhOzHRI1W8L0gknWAHkDOXkNAn-ABSd_lGuoRlNxpsFkPz_MuSvI1Wk6fYdZZKqWDrBgSIlZ0EGrQ5YUIs22V9CTW3WgzqzDWaZX1sCamJFuyQNdW6pEsg
5.15 Log in
- The permissions turn out to be restricted
- Only Pods in the gsy namespace can be viewed