Openshift 用戶，角色和RBAC

OCP中的權限管理沿用的Kubernetes RBAC機制，受權模式主要取決於下面幾個因數

 

Rules	針對主要對象的操做權限，好比創建Pod Sets of permitted verbs on a set of objects. For example, whether something can create pods.
Roles	一系列的Rules的集合，用戶和組能關聯這些Roles Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.
Bindings	用戶和組針對角色的關聯 Associations between users and/or groups with a role.

 

RBAC分紅兩種，一種是集羣範圍內的，叫作Cluster RBAC,一種是項目範圍內的，叫Local RBAC,官方定義以下

Cluster RBAC	Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.
Local RBAC	Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

 

而當前的Cluster Role包括以下：

Default Cluster Role	Description
admin	A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.
basic-user	A user that can get basic information about projects and users.
cluster-admin	A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.
cluster-status	A user that can get basic cluster status information.
edit	A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.
self-provisioner	A user that can create their own projects.
view	A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

 

下面實際操做一下加深理解。

• 添加用戶

htpasswd /etc/origin/master/htpasswd  eric

htpasswd /etc/origin/master/htpasswd  alice

• 查看用戶

首先須要以管理員身份登陸

[root@master ~]# oc login -u system:admin
Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-public
    kube-service-catalog
    kube-system
    logging
    management-infra
    myproject
    openshift
    openshift-ansible-service-broker
    openshift-infra
    openshift-node
    openshift-template-service-broker
    openshift-web-console
  * test

Using project "test".
[root@master ~]# oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin
alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice
eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

eric和alice各自創建project，eric建立myproject,alice建立test項目

• 以alice登陸後查看rolebinding

[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  alice                                                      
system:deployers        /system:deployer                                                deployer           
system:image-builders   /system:image-builder                                           builder            
system:image-pullers    /system:image-puller              system:serviceaccounts:test                  

也就是說每一個新創建的項目包含的本地rolebinding包括

• 查看每一個rolebinding具體關聯的role和用戶

[root@master ~]# oc describe rolebinding.rbac
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice  


Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  test

Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  test


Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                         Namespace
  ----   ----                         ---------
  Group  system:serviceaccounts:test  

 

• 給alice用戶授予訪問myproject的admin權限

[root@master ~]# oc adm policy add-role-to-user admin alice -n myproject
role "admin" added: "alice"

 

若是隻是須要拉取myproject命名空間下的鏡像，能夠賦予image-puller權限就能夠了

[root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject
role "system:image-puller" added: "alice"

 

再度describe一下

[root@master ~]# oc describe rolebinding.rbac  -n myproject
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  eric  


Name:         admin-0
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice  
Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  myproject


Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  myproject

Name:         system:image-puller
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice  


Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                              Namespace
  ----   ----                              ---------
  Group  system:serviceaccounts:myproject  

 

•  查看全部的clusterrole

[root@master ~]# oc get clusterrole
NAME
admin
asb-access
asb-auth
basic-user
cluster-admin
cluster-debugger
cluster-reader
cluster-status
edit
hawkular-metrics
hawkular-metrics-admin
.....

• 查看具體的一個clusterrole能作的內容

[root@master ~]# oc describe clusterrole system:image-builder
Name:        system:image-builder
Created:    37 hours ago
Labels:        <none>
Annotations:    openshift.io/description=Grants the right to build, push and pull images from within a project.  Used primarily with service accounts for builds.
        openshift.io/reconcile-protect=false
Verbs        Non-Resource URLs    Resource Names    API Groups        Resources
[get update]    []            []        [image.openshift.io ]    [imagestreams/layers]
[create]    []            []        [image.openshift.io ]    [imagestreams]
[update]    []            []        [build.openshift.io ]    [builds/details]
[get]        []            []        [build.openshift.io ]    [builds]

全部缺省的ClusterRole都能綁定用戶或組到本地項目中。此外能夠本身定義本地Role

==============================================================================================

給權限和回收權限

給一個imager:pruner的權限，以及給一個集羣管理員的權限

oc adm policy add-cluster-role-to-user system:image-pruner  eric

oc adm policy add-cluster-role-to-user cluster-admin eric

查看

[root@master ~]# oc get rolebindings
NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  eric                                                             
system:deployers        /system:deployer                                                      deployer           
system:image-builders   /system:image-builder                                                 builder            
system:image-pruner     /system:image-pruner    eric                                                             
system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3        

 

回收

[root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric 
role "system:image-pruner" removed: "eric"

 

取消eric的對項目的admin權限，而給只讀權限

[root@master ~]# oc adm policy add-role-to-user view eric
role "view" added: "eric"
[root@master ~]# oc adm policy remove-role-from-user admin eric
role "admin" removed: "eric"
[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
system:deployers        /system:deployer                                                      deployer           
system:image-builders   /system:image-builder                                                 builder            
system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3                      
view                    /view                   eric

 

 

 

能夠參考

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html