1. Overview
After moving to k8s in production, most applications became highly available, which lowered maintenance cost and simplified deployment for many of them, but it also brought a number of new problems. For example, developers may need to check the status of their own application, its connection details and logs, or run commands inside it.
With k8s the unit of deployment for a business application is the Pod rather than a server, so people can no longer simply log in to a server and work there. The official k8s Dashboard does offer basic operations such as viewing logs and executing commands, but as an operator you do not want developers to operate on, or even see, Pods outside their own scope. That is where RBAC comes in to configure the corresponding permissions.
This article covers two things:
- logging in to the Dashboard with a username and password
- configuring permissions for logged-in users so that they can only operate on Pods in their own Namespace and cannot enter other Namespaces they have not been granted
2. Changing the Dashboard authentication mode
To make it convenient for developers and operators to log in to the Dashboard, its login method needs to be switched to username/password authentication (username/password and Token login can be enabled at the same time).
Use Ratel to change --authentication-mode of the kubernetes-dashboard deployment to basic; if Ratel is not installed, make the same change with kubectl edit. The Pod restarts automatically once the change is saved.
Then edit the kube-apiserver configuration and add --basic-auth-file=/etc/kubernetes/basic_auth_file
basic_auth_file is the file that stores the accounts and passwords, in the following format:
```
xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"
```
The columns are, in order: password, username, ID and user group. Because permissions are granted to logged-in users below, the group is set to system:authentication here; change it as needed.
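basic_auth_file is a plain CSV that kube-apiserver reads once at startup, so a malformed line, a duplicated username or a weak password is not noticed until someone tries to log in. The script below is an added example (not from the original post and not part of Ratel) that parses the format shown above and lints it before the file is put on the control plane; the sample file, the password-length threshold and the helper names are constructed for illustration. Keep in mind that the file holds cleartext passwords, and that --basic-auth-file was deprecated in Kubernetes 1.16 and removed in 1.19, so on newer clusters the Dashboard has to rely on tokens or an external identity provider instead.

```python
import csv
import io

# Constructed sample in the --basic-auth-file format: password,username,uid,"group1,group2".
# The first two lines copy the post's placeholders; the last two are deliberately faulty.
SAMPLE_AUTH_FILE = '''xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
short,xxx3,5,"system:authentication,dev-team"
xxx4_2019,xxx2,6,"system:authentication"
'''


def parse_basic_auth_file(text):
    """Parse basic_auth_file lines into dicts. The fourth column (groups) is optional;
    several groups are written inside one quoted field, separated by commas."""
    entries = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not col.strip() for col in row):
            continue  # skip blank lines
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected password,username,uid[,groups]")
        groups = []
        if len(row) > 3:
            groups = [g.strip() for g in row[3].split(",") if g.strip()]
        entries.append({"line": lineno, "password": row[0], "user": row[1],
                        "uid": row[2], "groups": groups})
    return entries


def lint_entries(entries, min_password_len=8):
    """Return a list of human-readable problems. A user without any group will never match
    a Group-based ClusterRoleBinding such as the one in the next section, so that is flagged too."""
    problems = []
    seen_users, seen_uids = {}, {}
    for e in entries:
        if len(e["password"]) < min_password_len:
            problems.append(f"line {e['line']}: password for {e['user']} is shorter than {min_password_len} chars")
        if e["user"] in seen_users:
            problems.append(f"line {e['line']}: username {e['user']} already used on line {seen_users[e['user']]}")
        seen_users.setdefault(e["user"], e["line"])
        if e["uid"] in seen_uids:
            problems.append(f"line {e['line']}: uid {e['uid']} already used on line {seen_uids[e['uid']]}")
        seen_uids.setdefault(e["uid"], e["line"])
        if not e["groups"]:
            problems.append(f"line {e['line']}: {e['user']} has no group, so a Group-based binding will not apply")
    return problems


def users_in_group(entries, group):
    """Usernames that a ClusterRoleBinding on `group` would cover."""
    return [e["user"] for e in entries if group in e["groups"]]


if __name__ == "__main__":
    parsed = parse_basic_auth_file(SAMPLE_AUTH_FILE)
    for problem in lint_entries(parsed):
        print("WARN", problem)
    print("system:authentication members:", users_in_group(parsed, "system:authentication"))
```

Run it against the real file (for example `parse_basic_auth_file(open("/etc/kubernetes/basic_auth_file").read())`) before restarting kube-apiserver; the two warnings the sample produces are the short password on line 3 and the username reused on line 4.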
3. Adding default permissions
First create a ClusterRole that lets the system:authentication group list namespaces (to enter a given namespace in the Dashboard, the user must be able to list the cluster's namespaces):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication
```
Create the read-only permission for the resources inside a namespace:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
```
Create the Pod exec permission:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
```
Create the Pod delete permission:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
```
Once these ClusterRoles exist, all that is left is to bind each user to the roles they need; different users then get different permissions in different namespaces.
If you are not familiar with RBAC, see https://www.cnblogs.com/dukuan/p/9948063.html
or chapter 2 of the book 《不再踩坑的Kubernetes實戰指南》.
4. Configuring permissions
Example: suppose a user named java7 needs access to the resources in the default namespace and must be able to run commands in containers and view logs.
Before the permissions are added, the user cannot see any information:
Configuring the permissions:
Method 1: one-click configuration with Ratel. Select the cluster, the Namespace and the username, tick the permissions and click Create.
After the bindings are created, log in again and the information for that Namespace becomes visible.
Viewing logs:
Executing commands:
Resources in other namespaces still cannot be viewed.
Method 2: configuration with a yaml file
When Ratel configures permissions, it creates the corresponding RoleBindings in the target namespace, as shown here:
```
[root@k8s-master01 ~]# kubectl get rolebinding
NAME                            AGE
gitlab                          112d
ratel-pod-delete-java7          11m
ratel-pod-exec-java7            11m
ratel-resource-readonly-java7   11m
```
Their contents are as follows:
```yaml
ource-readonly-java7 -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-pod-delete-java7
    namespace: default
    resourceVersion: "35887290"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-java7
    uid: 547f5d42-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-delete
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-pod-exec-java7
    namespace: default
    resourceVersion: "35887289"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-java7
    uid: 547c5768-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-exec
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-resource-readonly-java7
    namespace: default
    resourceVersion: "35887288"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-java7
    uid: 5476577f-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-resource-readonly
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
```
Without Ratel, the same yaml can be created directly in the target namespace to complete the permission configuration.
The above only covers permission control for the commonly used resources; other permissions are handled the same way.
For installing Ratel, the Kubernetes multi-cluster resource management platform, see: https://github.com/dotbalo/ratel-doc
Original source: https://www.cnblogs.com/dukuan/p/11976406.html
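To show how the two halves of the setup combine, the cluster-wide Group binding from section 3 and the per-user RoleBindings just shown, here is an added example that is not part of the original post and not Ratel's own code. It generates the three RoleBinding manifests for a user and namespace in the same <clusterrole>-<user> naming scheme as the kubectl output above, then evaluates a deliberately simplified model of the RBAC decision over them; the ClusterRole rules are transcribed in abridged form as Python data (constructed here, no YAML library involved), and the function names are assumptions. The result is the behaviour described above: java7 can list namespaces everywhere, can exec and delete Pods in default, and gets nothing in kube-system.

```python
import json

# Rules transcribed (abridged) from the post's four ClusterRoles, as constructed Python data.
RO = ["get", "list", "watch"]
CLUSTER_ROLES = {
    "ratel-namespace-readonly": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": RO},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": RO},
    ],
    "ratel-resource-readonly": [
        {"apiGroups": [""], "resources": ["configmaps", "endpoints", "pods", "pods/log", "services"], "verbs": RO},
        {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "statefulsets"], "verbs": RO},
    ],
    "ratel-pod-exec": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
    "ratel-pod-delete": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
    ],
}

# The post's ClusterRoleBinding: every member of system:authentication may list namespaces cluster-wide.
CLUSTER_ROLE_BINDINGS = [
    {"role": "ratel-namespace-readonly", "subjects": [("Group", "system:authentication")]},
]

# The three ClusterRoles that get bound per user and namespace through RoleBindings.
PER_NAMESPACE_ROLES = ("ratel-resource-readonly", "ratel-pod-exec", "ratel-pod-delete")


def rolebindings_for(user, namespace, roles=PER_NAMESPACE_ROLES):
    """Build the RoleBinding manifests for one user in one namespace, named <clusterrole>-<user>."""
    return [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": f"{role}-{user}", "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": user}],
        }
        for role in roles
    ]


def manifests_to_json(manifests):
    """Wrap the manifests in a v1 List; kubectl apply -f accepts JSON as well as YAML."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


def _rule_matches(rule, verb, api_group, resource):
    def hit(allowed, want):
        return "*" in allowed or want in allowed
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def _subject_matches(subjects, user, groups):
    return any((kind == "User" and name == user) or (kind == "Group" and name in groups)
               for kind, name in subjects)


def is_allowed(user, groups, verb, api_group, resource, namespace, role_bindings):
    """Simplified RBAC decision. A ClusterRoleBinding grants in every namespace and at cluster
    scope (namespace=None); a RoleBinding grants only inside its own namespace. Grants are
    additive, as in Kubernetes; resourceNames and nonResourceURLs are not modelled."""
    candidates = [(b["role"], b["subjects"]) for b in CLUSTER_ROLE_BINDINGS]
    if namespace is not None:
        candidates += [
            (rb["roleRef"]["name"], [(s["kind"], s["name"]) for s in rb["subjects"]])
            for rb in role_bindings if rb["metadata"]["namespace"] == namespace
        ]
    for role, subjects in candidates:
        if _subject_matches(subjects, user, groups) and any(
                _rule_matches(r, verb, api_group, resource) for r in CLUSTER_ROLES[role]):
            return True
    return False


if __name__ == "__main__":
    bindings = rolebindings_for("java7", "default")
    print(manifests_to_json(bindings))
    checks = [("list", "", "namespaces", None), ("create", "", "pods/exec", "default"),
              ("create", "", "pods/exec", "kube-system"), ("delete", "apps", "deployments", "default")]
    for verb, grp, res, ns in checks:
        ok = is_allowed("java7", ["system:authentication"], verb, grp, res, ns, bindings)
        print(f"java7 {verb} {grp or 'core'}/{res} in {ns or 'cluster scope'}: {'allowed' if ok else 'denied'}")
```

The model is only a sanity check for the bindings you are about to create; on the live cluster the authoritative answer comes from the API server itself, for example `kubectl auth can-i create pods/exec -n default --as java7 --as-group system:authentication` and the same query with `-n kube-system`, which should return yes and no respectively.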