k8s RBAC permission management: creation procedure + theory

Preface
The main problem RBAC solves right now is this: everyone is handed the admin config file, so everyone holds the highest privileges, can do whatever they like, and may well damage the k8s cluster without realising it. We therefore need to control this: create accounts other than admin for these users so that they cannot operate on the namespaces that hold important parts of the k8s system.

Let's skip the theory for now and go straight to the steps.

1. Create the certificates
Create the user's private key

[root@node-01 ~]cd /etc/kubernetes/pki/
[root@node-01 pki](umask 077;openssl genrsa -out aideveloper.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
..................+++
e is 65537 (0x10001)

Create the certificate signing request
O = organisation information, CN = user name (Kubernetes takes the CN as the user name and the O as the user's group, so both can later be referenced as subjects in a binding)

[root@node-01 pki]openssl req -new -key aideveloper.key -out aideveloper.csr -subj "/O=jbt/CN=aideveloper"

Sign the certificate with the cluster CA

[root@node-01 pki]openssl  x509 -req -in aideveloper.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aideveloper.crt -days 365
Signature ok
subject=/O=jbt/CN=aideveloper
Getting CA Private Key

2. Create the config file
Creating the config file consists of the following steps:

* kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE   # cluster configuration
* kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE   # user configuration
* kubectl config set-context   # context configuration
* kubectl config use-context   # switch context

Some notes:

* --embed-certs=true embeds the certificate contents in the config file instead of referencing them by file path; kubectl config view shows the embedded data as DATA+OMITTED / REDACTED rather than printing it.

* --kubeconfig=/root/aideveloper.conf creates a new config file. Without this option the entries are added to the .kube/config file in the home directory, in which case use-context can be used to switch between users when managing the k8s cluster.

* A context is simply which user is used to manage which cluster, i.e. the combination of a user and a cluster.

Create the cluster configuration

[root@node-01 pki] kubectl config set-cluster kubernetes --server=https://tw-master.senses-ai.com:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/aideveloper.conf
Cluster "kubernetes" set.

[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Create the user configuration

[root@node-01 pki] kubectl config set-credentials aideveloper --client-certificate=aideveloper.crt --client-key=aideveloper.key --embed-certs=true --kubeconfig=/root/aideveloper.conf
User "aideveloper" set.

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Create the context configuration

[root@node-01 pki] kubectl config set-context aideveloper@kubernetes --cluster=kubernetes --user=aideveloper --kubeconfig=/root/aideveloper.conf
Context "aideveloper@kubernetes" created.

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Switch context

[root@node-01 pki] kubectl config use-context aideveloper@kubernetes --kubeconfig=/root/aideveloper.conf
Switched to context "aideveloper@kubernetes".

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: aideveloper@kubernetes
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Create a system user and the k8s credentials file

[root@node-01 ~] useradd test     # any user name will do
[root@node-01 ~] mkdir /home/test/.kube
[root@node-01 ~] cp /root/aideveloper.conf /home/test/.kube/config
[root@node-01 ~]# chown test.test -R /home/test/.kube/
[root@node-01 ~] su - test
[billy@node-01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "aideveloper" cannot list resource "pods" in API group "" in the namespace "default"

By default a new user has no permissions at all: the certificate only authenticates the user (the user name in the error is the CN from the certificate); nothing has been authorised yet.

Create a Role
This Role only grants get, list and watch on pods.

[root@node-01 rbac] vim aideveloper-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

[root@node-01 rbac] kubectl apply -f aideveloper-role.yaml
role.rbac.authorization.k8s.io/aideveloper-role created

Create a RoleBinding
Binds the user aideveloper to the Role aideveloper-role.

[root@node-01 rbac]# vim aideveloper-roleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper

[root@node-01 rbac]# kubectl apply -f aideveloper-roleBinding.yaml
rolebinding.rbac.authorization.k8s.io/aideveloper-roleBinding created

Verify the result
If no namespace is specified, the default namespace is used.

[billy@node-01 ~]$ kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-demo-95bd675d5-66xrm   1/1     Running   0          18d
tomcat-5c5dcbc885-7vr68      1/1     Running   0          18d

[billy@node-01 ~]$ kubectl -n kube-system get pod
Error from server (Forbidden): pods is forbidden: User "billy" cannot list resource "pods" in API group "" in the namespace "kube-system"

So we can view the pods in the default namespace, but pods in other namespaces cannot be viewed.

Create a ClusterRole

[root@node-01 rbac]# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

[root@node-01 rbac]# kubectl apply -f cluster-reader.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created

Create a ClusterRoleBinding

[root@node-01 rbac]# cat billy-read-all-pods.yaml
apiVersion: rbac.authorization.k8s.io/v1   # the original used v1beta1, which was removed in Kubernetes 1.22; v1 is what the other manifests here use
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: billy

[root@node-01 rbac]# kubectl apply -f billy-read-all-pods.yaml
clusterrolebinding.rbac.authorization.k8s.io/billy-read-all-pods created

Once the ClusterRole and ClusterRoleBinding are created, pods in every namespace can be seen.

RBAC supplement

RBAC-related content
The verbs available under a rule include:

"get", "list", "watch", "create", "update", "patch", "delete", "exec"
The resources available under a rule include:

"services", "endpoints", "pods","secrets","configmaps","crontabs","deployments",
"jobs","nodes","rolebindings","clusterroles","daemonsets","replicasets","statefulsets",
"horizontalpodautoscalers","replicationcontrollers","cronjobs"
The apiGroups available under a rule include:

"","apps", "autoscaling", "batch"

Note:
A ClusterRoleBinding can only bind a ClusterRole.
A RoleBinding can bind either a Role or a ClusterRole.
If you want one binding to cover several roles, write several binding files instead; each binding has a single roleRef.
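The binding rules above can be checked against a small model of the RBAC authoriser. This is an added example, not code from the original post: the roles and bindings are constructed in-line to mirror the page's YAML, a hypothetical RoleBinding in a "dev" namespace that points at the ClusterRole is added to show namespace scoping, and "jbt" is the group Kubernetes derives from the certificate's O=jbt.

```python
# Added example, not from the original post: a minimal model of the RBAC
# authoriser. Objects mirror the page's YAML; the "dev" RoleBinding is
# hypothetical and the group "jbt" comes from the certificate's O=jbt.
READ_PODS = [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "list", "watch"]}]

ROLES = {("default", "aideveloper-role"): READ_PODS}  # keyed by (namespace, name)
CLUSTER_ROLES = {"cluster-reader": READ_PODS}
ROLE_BINDINGS = [  # namespace-scoped; roleRef may name a Role or a ClusterRole
    {"namespace": "default", "roleRef": ("Role", "aideveloper-role"),
     "subjects": [("User", "aideveloper")]},
    {"namespace": "dev", "roleRef": ("ClusterRole", "cluster-reader"),
     "subjects": [("Group", "jbt")]},  # hypothetical, see lead-in
]
CLUSTER_ROLE_BINDINGS = [  # roleRef must be a ClusterRole; grants cluster-wide
    {"roleRef": ("ClusterRole", "cluster-reader"), "subjects": [("User", "billy")]},
]

def rule_allows(rule, verb, api_group, resource):
    """One PolicyRule matches when group, resource and verb each match ('*' is a wildcard)."""
    return all(want in have or "*" in have for want, have in
               ((api_group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"])))

def rules_for_ref(kind, name, namespace):
    """Resolve a roleRef; a Role only exists inside the binding's own namespace."""
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])

def can_i(user, groups, verb, resource, namespace, api_group=""):
    """RBAC is allow-only: the request passes if any binding for the subject
    yields a matching rule; otherwise the API server answers Forbidden."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in CLUSTER_ROLE_BINDINGS:
        kind, name = b["roleRef"]
        if kind == "ClusterRole" and subjects & set(b["subjects"]):
            if any(rule_allows(r, verb, api_group, resource) for r in CLUSTER_ROLES.get(name, [])):
                return True
    for b in ROLE_BINDINGS:
        if b["namespace"] != namespace or not subjects & set(b["subjects"]):
            continue  # a RoleBinding never reaches outside its namespace, even via a ClusterRole
        kind, name = b["roleRef"]
        if any(rule_allows(r, verb, api_group, resource) for r in rules_for_ref(kind, name, namespace)):
            return True
    return False

if __name__ == "__main__":
    for ns in ("default", "dev", "kube-system"):
        print(ns, can_i("aideveloper", ["jbt"], "list", "pods", ns), can_i("billy", [], "list", "pods", ns))
```

The same questions can be asked of a real cluster with `kubectl auth can-i list pods -n kube-system --as=aideveloper --as-group=jbt` from an admin context.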

