A Role can only grant access to resources within a single namespace.
```yaml
## Example: define a Role named pod-reader that can read the pods in the default namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
## apiGroups: "", "apps", "autoscaling", "batch", ...  (list them with: kubectl api-versions)
## resources: "services", "pods", "deployments", ...  (list them with: kubectl api-resources)
## verbs: "get", "list", "watch", "create", "update", "patch", "delete", "exec"
```
A ClusterRole can grant the same permissions as a Role, but it is cluster-scoped.
```yaml
## Define a ClusterRole named secret-reader that can read Secret resources in every namespace
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```
A binding grants the permissions defined in a Role to users and groups. A RoleBinding contains a list of subjects (users, groups, or service accounts) and a reference to the role being granted. Use a RoleBinding for authorization within a namespace and a ClusterRoleBinding for cluster-wide authorization.
```yaml
## Define a RoleBinding that grants the pod-reader Role to the User jane, so that jane can read all pods in the default namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User # can be User, Group or ServiceAccount
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # can be Role or ClusterRole; with a ClusterRole the permissions are still confined to the RoleBinding's namespace
  name: pod-reader # match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
```

Note: a RoleBinding can bind either a Role or a ClusterRole. When it binds a ClusterRole, the subject's permissions are still limited to the namespace in which the RoleBinding is defined; to grant access across namespaces, use a ClusterRoleBinding.

```yaml
## Define a RoleBinding that binds the user dave to the secret-reader ClusterRole. Although secret-reader is a ClusterRole, it is bound through a RoleBinding, so dave's permissions are limited to the development namespace
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: dave # Name is case sensitive
  namespace: luffy
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Consider this scenario: the cluster has several namespaces, each assigned to a different administrator, and every namespace needs the same set of permissions. You can then define a single ClusterRole and bind it to each administrator in their own namespace with a RoleBinding; otherwise you would have to define a Role in every namespace and create a RoleBinding for each one.
Allowing authorization across namespaces
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
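To make the scoping rule concrete, here is a small evaluator, added as an example that is not part of the original post and not Kubernetes code, which mirrors the jane, dave and manager bindings above and answers "can I" questions the way the RBAC authorizer scopes them: a RoleBinding only grants inside its own namespace even when it references a ClusterRole, while a ClusterRoleBinding grants everywhere. The dict layout and function names are this example's own.

```python
# Constructed mirror of the Role/ClusterRole rules in the YAML above: key is
# (kind, namespace or None for a ClusterRole, name); value is a list of rules,
# each rule being (apiGroups, resources, verbs).
ROLES = {
    ("Role", "default", "pod-reader"): [([""], ["pods"], ["get", "watch", "list"])],
    ("ClusterRole", None, "secret-reader"): [([""], ["secrets"], ["get", "watch", "list"])],
}

# Constructed mirror of the three bindings above. A subject is
# (kind, name, namespace), with namespace set only for ServiceAccounts.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default",
     "subjects": [("User", "jane", None)], "roleRef": ("Role", "pod-reader")},
    {"kind": "RoleBinding", "namespace": "development",
     "subjects": [("User", "dave", None), ("ServiceAccount", "dave", "luffy")],
     "roleRef": ("ClusterRole", "secret-reader")},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": [("Group", "manager", None)], "roleRef": ("ClusterRole", "secret-reader")},
]


def rules_for(role_ref, binding_ns):
    """A roleRef of kind Role resolves in the binding's own namespace."""
    kind, name = role_ref
    return ROLES.get((kind, binding_ns if kind == "Role" else None, name), [])


def rule_allows(rule, api_group, resource, verb):
    groups, resources, verbs = rule
    return all(want in have or "*" in have
               for want, have in ((api_group, groups), (resource, resources), (verb, verbs)))


def can_i(subject, verb, resource, namespace, api_group=""):
    """Return True if any binding grants `verb` on `resource` in `namespace`."""
    for b in BINDINGS:
        if subject not in b["subjects"]:
            continue
        # The rule this page stresses: a RoleBinding only grants inside the
        # namespace it lives in, even when its roleRef is a ClusterRole.
        # Only a ClusterRoleBinding reaches every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, api_group, resource, verb)
               for r in rules_for(b["roleRef"], b["namespace"])):
            return True
    return False


if __name__ == "__main__":
    for ns in ("development", "default"):
        print(f"dave get secrets in {ns}: {can_i(('User', 'dave', None), 'get', 'secrets', ns)}")
```

On a live cluster the same questions are answered by `kubectl auth can-i`, which consults the real bindings rather than this model.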
As introduced earlier, authentication can be done with certificates (as kubectl does) or with a ServiceAccount. Most of the time, when building on top of Kubernetes, we choose the ServiceAccount + RBAC approach.
Example: four users a, b, c and d, with the following permissions:
a: may view pods in the kang namespace
b: may view, delete and update pods in the kang namespace
c: may view pods in all namespaces
d: may view, delete and update pods in all namespaces
1. YAML file
```yaml
kind: Role # create a Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kang
  name: reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"] # resources being granted
  verbs: ["get", "watch", "list"] # allowed operations
---
apiVersion: v1
kind: ServiceAccount # create a ServiceAccount
metadata:
  name: a # the ServiceAccount for user a
  namespace: kang
---
kind: RoleBinding # bind the Role to the ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1 # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22
metadata:
  name: test
  namespace: kang # a RoleBinding must specify a namespace
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: Role
  name: reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: a
  namespace: kang
```
2. Create the resources from the YAML file
3. View the token of user a
4. Verify the permissions in the Dashboard
Try to delete one of the pods to verify that only read access has been granted.
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kang
  name: writer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "update", "patch", "delete"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: b
  namespace: kang
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22
metadata:
  name: writer
  namespace: kang
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: Role
  name: writer
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: b
  namespace: kang
```
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: reader-allpod
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: c
  namespace: kang
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: reader-allpod
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: reader-allpod
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: c
  namespace: kang
```
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: writer-allpod
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list", "update", "patch", "delete"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: d
  namespace: kang
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: writer-allpod
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: writer-allpod
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: d
  namespace: kang
```