In the previous article we looked at the access-control mechanism on k8s, mainly the first gate, user authentication, and how to build a kubeconfig for a regular user; see http://www.javashuo.com/article/p-gocttrgh-ny.html. Today we look at the second gate of k8s access control: RBAC authorization.
There are several authorization mechanisms on k8s; the most commonly used are ABAC and RBAC. ABAC (attribute based access control) makes access decisions based on attributes; RBAC (role based access control) makes them based on roles. Attribute-based access control means authorizing against some attribute of a k8s resource: a user is granted certain permissions on that attribute of that resource. By the same logic, role-based access control means that permissions on k8s resources are granted to roles. What is the relationship between roles and users? In the RBAC model a user on k8s cannot be associated with a resource directly; resources are authorized through role objects, and a user is authorized through a binding object that associates the user with a role. As soon as a user is bound to a role, that user holds every permission on that role. For example, say k8s has a role named pod-reader that has read-only permission on pod resources in the default namespace and no permission on any resource in any other namespace; a user bound to that role has read-only permission on pods in default and nothing anywhere else.

Resources on k8s come at two levels: namespace-level resources and cluster-level resources. Resources such as pod, svc and pvc are namespace-level; they must exist in some namespace. Resources such as pv, node and ns are cluster-level; they do not depend on any namespace. Accordingly there are namespace-level roles and cluster-level roles: a namespace-level role defines permissions on resources in a particular namespace, and a cluster-level role defines permissions on resources across the whole cluster. On k8s these two kinds of role are called role and clusterrole. Both are k8s resources; to authorize a user we first instantiate the role resource as a role object and then bind the user to that object.

How is a user bound to a role? On k8s binding is also done through a resource object, and there are two kinds: rolebinding and clusterrolebinding. A rolebinding is a namespace-level resource that binds a user to a role in that namespace, so the user gains that role's permissions on the corresponding resources in that namespace. A clusterrolebinding binds a user to a cluster-level role (clusterrole), so the user gains that role's permissions on the corresponding resources across the whole cluster. Put simply, roles (role/clusterrole) define permissions on resources, and rolebinding and clusterrolebinding associate users with roles, as the figure below shows.
Note: a clusterrole is a superset of a namespace-level role. That is, a clusterrole can be bound with a clusterrolebinding or with a rolebinding; when a rolebinding references a cluster-level role (clusterrole), the permissions of the users bound through it shrink to that rolebinding's namespace rather than the whole cluster, because a rolebinding is a namespace-level resource.
Checking which authorization plugins the apiserver has enabled
Note: to enable the RBAC plugin, the apiserver must be started with the --authorization-mode option listing the authorization plugins to enable; from k8s 1.6 onward the apiserver enables the Node and RBAC plugins by default.
Creating roles
Create a role with the imperative create command; the syntax is:
Usage: kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none] [options]
Note: create role above creates a namespace-level role; when no namespace is given, the default namespace is used. --verb specifies the permissions, e.g. get, list, watch; --resource specifies the resource type, e.g. pods, services, daemonsets, replicasets; --resource-name restricts the rule to specific resource names. Use -n to specify the namespace; without it the default namespace is used.
Example: use the imperative command to create a role named pod-reader with list, get and watch permission on pod resources in the default namespace.
[root@master01 ~]# kubectl create role pod-reader --verb=list --verb=get --verb=watch --resource=pods
role.rbac.authorization.k8s.io/pod-reader created
[root@master01 ~]# kubectl get role
NAME         CREATED AT
pod-reader   2020-12-31T11:27:39Z
[root@master01 ~]# kubectl describe role pod-reader
Name:         pod-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [list get watch]
[root@master01 ~]#
Note: the pod-reader role has list, get and watch permission on pods resources.
Creating a clusterrole with the imperative command
Command syntax
Usage: kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run=server|client|none] [options]
Note: the syntax is the same as for a namespace-level role, except that what is created is a clusterrole.
Example: create a role named cluster-pods-reader with get, list and watch permission on pods and services resources in every namespace of the cluster.
[root@master01 ~]# kubectl create clusterrole cluster-pods-reader --verb=get --verb=list --verb=watch --resource=pods --resource=services
clusterrole.rbac.authorization.k8s.io/cluster-pods-reader created
[root@master01 ~]# kubectl get clusterrole cluster-pods-reader
NAME                  CREATED AT
cluster-pods-reader   2020-12-31T11:35:03Z
[root@master01 ~]# kubectl describe clusterrole cluster-pods-reader
Name:         cluster-pods-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
  services   []                 []              [get list watch]
[root@master01 ~]#
Note: the cluster-pods-reader role has get, list and watch permission on pods and services resources.
Creating a rolebinding
Command syntax
Usage: kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
Note: creating a rolebinding requires a name, the name of the clusterrole or role to reference, and the user name or group name of the subject. If the subject is a service account (sa), use the --serviceaccount option, whose value has the form namespace:sa-name. Use -n to specify the namespace; without it the default namespace is used.
Example: create a rolebinding named tom-pods-reader that binds user tom to the pod-reader role.
[root@master01 ~]# kubectl create rolebinding tom-pods-reader --role=pod-reader --user=tom
rolebinding.rbac.authorization.k8s.io/tom-pods-reader created
[root@master01 ~]# kubectl get rolebinding
NAME              ROLE              AGE
tom-pods-reader   Role/pod-reader   5s
[root@master01 ~]# kubectl describe rolebinding tom-pods-reader
Name:         tom-pods-reader
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]#
Note: no namespace is shown here; when none is shown it means the default namespace.
Verify: using tom's kubeconfig, can we list the pods in the default namespace?
[root@master01 ~]# kubectl config view --kubeconfig=/tmp/myk8s.config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.41:6443
  name: myk8s
contexts:
- context:
    cluster: myk8s
    user: tom
  name: tom@myk8s
current-context: tom@myk8s
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    username: tom
[root@master01 ~]# kubectl get pod --kubeconfig=/tmp/myk8s.config
NAME             READY   STATUS    RESTARTS   AGE
nginx-pod-demo   1/1     Running   1          44h
web-0            1/1     Running   2          2d21h
web-1            1/1     Running   2          2d21h
web-2            1/1     Running   2          2d21h
web-3            1/1     Running   3          2d21h
[root@master01 ~]#
Note: with kubectl loading tom's kubeconfig, the pods in the default namespace are listed normally.
Verify: using tom's kubeconfig, can we list the pods in the kube-system namespace?
[root@master01 ~]# kubectl get pod -n kube-system --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@master01 ~]#
Note: user tom has no permission to list pod resources in the kube-system namespace.
Creating a clusterrolebinding
Command syntax
Usage: kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
Note: usage is the same as for creating a rolebinding, except that a clusterrolebinding cannot reference a role.
Example: create a clusterrolebinding named tom-all-pod-reader that associates the cluster-pods-reader role with user tom.
[root@master01 ~]# kubectl create clusterrolebinding tom-all-pod-reader --clusterrole=cluster-pods-reader --user=tom
clusterrolebinding.rbac.authorization.k8s.io/tom-all-pod-reader created
[root@master01 ~]# kubectl get clusterrolebinding tom-all-pod-reader
NAME                 ROLE                              AGE
tom-all-pod-reader   ClusterRole/cluster-pods-reader   20s
[root@master01 ~]# kubectl describe clusterrolebinding tom-all-pod-reader
Name:         tom-all-pod-reader
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-pods-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]#
Verify: list the pods in the kube-system namespace with tom's kubeconfig.
[root@master01 ~]# kubectl get pod -n kube-system --kubeconfig=/tmp/myk8s.config
NAME                                       READY   STATUS    RESTARTS   AGE
coredns-7f89b7bc75-k9gdt                   1/1     Running   18         23d
coredns-7f89b7bc75-kp855                   1/1     Running   16         23d
etcd-master01.k8s.org                      1/1     Running   22         23d
kube-apiserver-master01.k8s.org            1/1     Running   17         23d
kube-controller-manager-master01.k8s.org   1/1     Running   19         23d
kube-flannel-ds-cx8d5                      1/1     Running   20         23d
kube-flannel-ds-jz6r4                      1/1     Running   11         12d
kube-flannel-ds-ndzl6                      1/1     Running   21         23d
kube-flannel-ds-rjtn9                      1/1     Running   23         23d
kube-flannel-ds-zgq92                      1/1     Running   20         23d
kube-proxy-cr8j8                           1/1     Running   13         11d
kube-proxy-h8fzw                           1/1     Running   8          11d
kube-proxy-jfzfh                           1/1     Running   9          11d
kube-proxy-rq8wl                           1/1     Running   8          11d
kube-proxy-sj72v                           1/1     Running   8          11d
kube-scheduler-master01.k8s.org            1/1     Running   19         23d
[root@master01 ~]# kubectl get pod --kubeconfig=/tmp/myk8s.config
NAME             READY   STATUS    RESTARTS   AGE
nginx-pod-demo   1/1     Running   1          44h
web-0            1/1     Running   2          2d21h
web-1            1/1     Running   2          2d21h
web-2            1/1     Running   2          2d21h
web-3            1/1     Running   3          2d22h
[root@master01 ~]# kubectl get svc --kubeconfig=/tmp/myk8s.config
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d1h
nginx        ClusterIP   None         <none>        80/TCP    3d
[root@master01 ~]# kubectl get svc -n kube-system --kubeconfig=/tmp/myk8s.config
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   23d
[root@master01 ~]#
Note: once user tom is associated with the clusterrole through a clusterrolebinding, tom holds that role's permissions across the cluster.
Verify: using tom's kubeconfig, can cluster-level resources such as pv or node be listed?
[root@master01 ~]# kubectl get pv --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
[root@master01 ~]# kubectl get node --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
[root@master01 ~]#
Note: when tom's kubeconfig is used to view pv and node resources, the apiserver refuses outright. The reason is that the clusterrole carries no permission to view pv and node, so the bound user has none either.
Example: create a rolebinding that associates user tom with the clusterrole cluster-pods-reader.
[root@master01 ~]# kubectl create rolebinding tom-rolebinding-clusterrole --clusterrole=cluster-pods-reader --user=tom
rolebinding.rbac.authorization.k8s.io/tom-rolebinding-clusterrole created
[root@master01 ~]# kubectl get rolebinding
NAME                          ROLE                              AGE
tom-pods-reader               Role/pod-reader                   20m
tom-rolebinding-clusterrole   ClusterRole/cluster-pods-reader   12s
[root@master01 ~]# kubectl describe rolebinding tom-rolebinding-clusterrole
Name:         tom-rolebinding-clusterrole
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-pods-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]#
Verify: using tom's kubeconfig, does tom still have permission to list the pods in kube-system?
[root@master01 ~]# kubectl get pods -n kube-system --kubeconfig=/tmp/myk8s.config
NAME                                       READY   STATUS    RESTARTS   AGE
coredns-7f89b7bc75-k9gdt                   1/1     Running   18         23d
coredns-7f89b7bc75-kp855                   1/1     Running   16         23d
etcd-master01.k8s.org                      1/1     Running   22         23d
kube-apiserver-master01.k8s.org            1/1     Running   17         23d
kube-controller-manager-master01.k8s.org   1/1     Running   19         23d
kube-flannel-ds-cx8d5                      1/1     Running   20         23d
kube-flannel-ds-jz6r4                      1/1     Running   11         12d
kube-flannel-ds-ndzl6                      1/1     Running   21         23d
kube-flannel-ds-rjtn9                      1/1     Running   23         23d
kube-flannel-ds-zgq92                      1/1     Running   20         23d
kube-proxy-cr8j8                           1/1     Running   13         11d
kube-proxy-h8fzw                           1/1     Running   8          11d
kube-proxy-jfzfh                           1/1     Running   9          11d
kube-proxy-rq8wl                           1/1     Running   8          11d
kube-proxy-sj72v                           1/1     Running   8          11d
kube-scheduler-master01.k8s.org            1/1     Running   19         23d
[root@master01 ~]#
Note: the pods in kube-system can still be listed, because the earlier clusterrolebinding has not been deleted, so tom still holds permissions on kube-system through it.
Verify: delete the clusterrolebinding tom-all-pod-reader and check whether tom can still list the pods in kube-system.
[root@master01 ~]# kubectl get clusterrolebinding tom-all-pod-reader
NAME                 ROLE                              AGE
tom-all-pod-reader   ClusterRole/cluster-pods-reader   14m
[root@master01 ~]# kubectl delete clusterrolebinding tom-all-pod-reader
clusterrolebinding.rbac.authorization.k8s.io "tom-all-pod-reader" deleted
[root@master01 ~]# kubectl get rolebinding
NAME                          ROLE                              AGE
tom-pods-reader               Role/pod-reader                   27m
tom-rolebinding-clusterrole   ClusterRole/cluster-pods-reader   7m7s
[root@master01 ~]# kubectl get pods -n kube-system --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@master01 ~]#
Note: user tom no longer has permission to list the pods in the kube-system namespace.
Verify: using tom's kubeconfig, check whether the pods and services in the default namespace can still be listed.
[root@master01 ~]# kubectl get pods --kubeconfig=/tmp/myk8s.config
NAME             READY   STATUS    RESTARTS   AGE
nginx-pod-demo   1/1     Running   1          45h
web-0            1/1     Running   2          2d22h
web-1            1/1     Running   2          2d22h
web-2            1/1     Running   2          2d22h
web-3            1/1     Running   3          2d22h
[root@master01 ~]# kubectl get svc --kubeconfig=/tmp/myk8s.config
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d1h
nginx        ClusterIP   None         <none>        80/TCP    3d
[root@master01 ~]#
Note: tom can list pods and services in the default namespace normally. The examples above show that when a rolebinding references a clusterrole, the clusterrole's permissions are reduced to the rolebinding's namespace.
Creating roles from a manifest
Example: create the role-demo role from a manifest.
[root@master01 ~]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-demo
  namespace: testing
rules:
- apiGroups: [""]
  resources: ["pods","pods/log","services"]
  verbs: ["get","list","watch"]
[root@master01 ~]#
Note: a role resource has no spec field; its group/version is rbac.authorization.k8s.io/v1 and its kind is Role. In metadata, name gives the role's name and namespace its namespace. The rules field describes resources and permissions; it is a list of objects, each of which must have apiGroups, resources and verbs. apiGroups names the API group the resources belong to; an empty string means the core group (v1), and "*" matches every group; the field is a list, so it must be written in square brackets even when it has no value. resources names the resources; where a resource has a plural form, the plural form (the plural of the resource name) must be used; this field is also a list, written either in square brackets or as "-" items. verbs lists the permissions, again as a list written in square brackets or as "-" items starting on the next line. The manifest above creates a role named role-demo in the testing namespace with get, list and watch permission on the pods, pods/log and services resources in that namespace.
Create the namespace and apply the manifest
[root@master01 ~]# kubectl get ns
NAME              STATUS   AGE
default           Active   23d
ingress-nginx     Active   9d
kube-node-lease   Active   23d
kube-public       Active   23d
kube-system       Active   23d
[root@master01 ~]# kubectl create ns testing
namespace/testing created
[root@master01 ~]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/role-demo created
[root@master01 ~]# kubectl get role -n testing
NAME        CREATED AT
role-demo   2020-12-31T12:46:53Z
[root@master01 ~]# kubectl describe role role-demo -n testing
Name:         role-demo
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods/log   []                 []              [get list watch]
  pods       []                 []              [get list watch]
  services   []                 []              [get list watch]
[root@master01 ~]#
Example: create a rolebinding from a manifest.
[root@master01 ~]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-demo
  namespace: testing
roleRef:
  kind: Role
  name: role-demo
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: tom
[root@master01 ~]#
Note: a rolebinding manifest uses the roleRef field to reference the role or clusterrole. It is an object whose kind gives the role type (Role for a namespace-level role, ClusterRole for a cluster-level one), whose name gives the role's name, and whose apiGroup gives the role's API group without a version. The subjects field describes the users or groups and is a list of objects; kind says whether the subject is a User, a Group or a ServiceAccount (sa); apiGroup gives the API group without a version; name gives the user name, group name or sa name. The manifest above associates user tom with the role-demo role, i.e. it grants tom the permissions of role-demo.
Verify: before applying the manifest, view the pods in the testing namespace with tom's kubeconfig.
[root@master01 ~]# kubectl get pods -n testing --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "testing"
[root@master01 ~]#
Note: before the manifest is applied, tom has no permission on any resource in the testing namespace.
Apply the manifest
[root@master01 ~]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/rolebinding-demo created
[root@master01 ~]# kubectl get rolebinding -n testing
NAME               ROLE             AGE
rolebinding-demo   Role/role-demo   31s
[root@master01 ~]# kubectl describe rolebinding rolebinding-demo -n testing
Name:         rolebinding-demo
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  role-demo
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]# kubectl get pods -n testing --kubeconfig=/tmp/myk8s.config
No resources found in testing namespace.
[root@master01 ~]#
Note: after the manifest is applied, viewing the pods in testing with tom's kubeconfig no longer returns a permission error; it simply reports that the namespace has no pods.
Example: create a clusterrole from a manifest.
[root@master01 ~]# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterrole-demo
rules:
- apiGroups: [""]
  # The original manifest spelled the third entry "PersistentVolume"; RBAC matches
  # resource names literally against the lowercase plural API resource name, so that
  # spelling is stored but grants nothing. "persistentvolumes" is the intended resource.
  resources: ["pods","nodes","persistentvolumes"]
  verbs: ["get","list","watch","create","delete"]
[root@master01 ~]#
Note: a clusterrole manifest has the same format as a role manifest, except that the kind differs and no namespace is specified; everything else is the same. One caveat on the resources list: RBAC compares each entry literally with the lowercase plural API resource name, so an entry spelled PersistentVolume (as the describe output below still shows) is accepted and stored but matches no request; the resource is persistentvolumes.
Apply the manifest
[root@master01 ~]# kubectl apply -f clusterrole-demo.yaml
clusterrole.rbac.authorization.k8s.io/clusterrole-demo created
[root@master01 ~]# kubectl get clusterrole clusterrole-demo
NAME               CREATED AT
clusterrole-demo   2020-12-31T13:23:48Z
[root@master01 ~]# kubectl describe clusterrole clusterrole-demo
Name:         clusterrole-demo
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  PersistentVolume  []                 []              [get list watch create delete]
  nodes             []                 []              [get list watch create delete]
  pods              []                 []              [get list watch create delete]
[root@master01 ~]#
Example: create a clusterrolebinding from a manifest.
[root@master01 ~]# cat clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebinding-demo
roleRef:
  kind: ClusterRole
  name: clusterrole-demo
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: tom
[root@master01 ~]#
Note: a clusterrolebinding manifest has the same format as a rolebinding manifest, except that no namespace is specified and the kind is ClusterRoleBinding; the other fields are used the same way. The manifest above associates user tom with the clusterrole-demo role.
Verify: before applying the manifest, view the pods in the kube-system namespace with tom's kubeconfig.
[root@master01 ~]# kubectl get pods -n kube-system --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@master01 ~]#
Note: before the manifest is applied, viewing the pods in kube-system with tom's kubeconfig is refused by the apiserver.
Apply the manifest
[root@master01 ~]# kubectl apply -f clusterrolebinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-demo created
[root@master01 ~]# kubectl get clusterrolebinding clusterrolebinding-demo
NAME                      ROLE                           AGE
clusterrolebinding-demo   ClusterRole/clusterrole-demo   15s
[root@master01 ~]# kubectl describe clusterrolebinding clusterrolebinding-demo
Name:         clusterrolebinding-demo
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  clusterrole-demo
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]# kubectl get pods -n kube-system --kubeconfig=/tmp/myk8s.config
NAME                                       READY   STATUS    RESTARTS   AGE
coredns-7f89b7bc75-k9gdt                   1/1     Running   18         23d
coredns-7f89b7bc75-kp855                   1/1     Running   16         23d
etcd-master01.k8s.org                      1/1     Running   22         23d
kube-apiserver-master01.k8s.org            1/1     Running   17         23d
kube-controller-manager-master01.k8s.org   1/1     Running   19         23d
kube-flannel-ds-cx8d5                      1/1     Running   20         23d
kube-flannel-ds-jz6r4                      1/1     Running   11         13d
kube-flannel-ds-ndzl6                      1/1     Running   21         23d
kube-flannel-ds-rjtn9                      1/1     Running   23         23d
kube-flannel-ds-zgq92                      1/1     Running   20         23d
kube-proxy-cr8j8                           1/1     Running   13         11d
kube-proxy-h8fzw                           1/1     Running   8          11d
kube-proxy-jfzfh                           1/1     Running   9          11d
kube-proxy-rq8wl                           1/1     Running   8          11d
kube-proxy-sj72v                           1/1     Running   8          11d
kube-scheduler-master01.k8s.org            1/1     Running   19         23d
[root@master01 ~]#
Note: after the manifest is applied, the pods in kube-system are listed normally with tom's kubeconfig, which shows that tom has been authorized successfully.
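The binding semantics exercised by the experiments above (a clusterrolebinding applies cluster-wide; a rolebinding applies only inside its namespace even when its roleRef is a clusterrole; nothing bound through a rolebinding reaches cluster-scoped resources such as nodes) can be replayed offline with a small evaluator. The following is an added example, not code from the original post or from Kubernetes itself; it models Role, ClusterRole, RoleBinding and ClusterRoleBinding objects as plain dicts shaped like the manifests in this article, and the sample objects (tom, pod-reader, cluster-pods-reader, the three tom bindings, and a cluster-admin binding for the system:masters group) are constructed to mirror the post. ServiceAccount subjects, aggregated clusterroles and nonResourceURLs are deliberately left out.

```python
"""Toy evaluator for the Kubernetes RBAC binding rules shown in this post (added example)."""


def _matches(values, wanted):
    # RBAC rule fields are lists; "*" is the wildcard.
    return "*" in values or wanted in values


def _rule_grants(rule, group, resource, verb):
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this toy


class RbacEvaluator:
    def __init__(self, objects):
        self.roles = {}            # (namespace, name) -> rules
        self.cluster_roles = {}    # name -> rules
        self.role_bindings = []
        self.cluster_role_bindings = []
        for obj in objects:
            kind, meta = obj["kind"], obj["metadata"]
            if kind == "Role":
                self.roles[(meta["namespace"], meta["name"])] = obj["rules"]
            elif kind == "ClusterRole":
                self.cluster_roles[meta["name"]] = obj["rules"]
            elif kind == "RoleBinding":
                self.role_bindings.append(obj)
            elif kind == "ClusterRoleBinding":
                self.cluster_role_bindings.append(obj)
            else:
                raise ValueError(f"unsupported kind: {kind}")

    def _rules_for(self, binding):
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            return self.cluster_roles.get(ref["name"], [])
        # A Role can only be referenced from the binding's own namespace.
        return self.roles.get((binding["metadata"]["namespace"], ref["name"]), [])

    def _binding_grants(self, binding, user, groups, group, resource, verb):
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            return False
        return any(_rule_grants(r, group, resource, verb) for r in self._rules_for(binding))

    def can(self, user, verb, resource, namespace=None, group="", groups=()):
        """namespace=None models a cluster-scoped request such as `kubectl get nodes`."""
        if any(self._binding_grants(b, user, groups, group, resource, verb)
               for b in self.cluster_role_bindings):
            return True
        if namespace is None:
            return False  # RoleBindings never reach cluster-scoped resources.
        # A RoleBinding is capped at its namespace, even when roleRef is a ClusterRole.
        return any(self._binding_grants(b, user, groups, group, resource, verb)
                   for b in self.role_bindings
                   if b["metadata"]["namespace"] == namespace)


def _binding(kind, name, ref_kind, ref_name, subj_kind, subj_name, namespace=None):
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": ref_kind, "name": ref_name, "apiGroup": "rbac.authorization.k8s.io"},
            "subjects": [{"kind": subj_kind, "name": subj_name, "apiGroup": "rbac.authorization.k8s.io"}]}


# Constructed sample mirroring the post's objects (not read from a live cluster).
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-pods-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    _binding("RoleBinding", "tom-pods-reader", "Role", "pod-reader", "User", "tom", "default"),
    _binding("ClusterRoleBinding", "tom-all-pod-reader", "ClusterRole", "cluster-pods-reader", "User", "tom"),
    _binding("RoleBinding", "tom-rolebinding-clusterrole", "ClusterRole", "cluster-pods-reader", "User", "tom", "default"),
    _binding("ClusterRoleBinding", "cluster-admin", "ClusterRole", "cluster-admin", "Group", "system:masters"),
]


def replay_experiment():
    """Replays the post: kube-system pods and nodes with the clusterrolebinding in place,
    then kube-system pods and default services after tom-all-pod-reader is deleted."""
    before = RbacEvaluator(SAMPLE)
    after = RbacEvaluator([o for o in SAMPLE if o["metadata"]["name"] != "tom-all-pod-reader"])
    return {
        "kube_system_pods_before": before.can("tom", "list", "pods", namespace="kube-system"),
        "nodes_before": before.can("tom", "list", "nodes"),
        "kube_system_pods_after": after.can("tom", "list", "pods", namespace="kube-system"),
        "default_services_after": after.can("tom", "list", "services", namespace="default"),
        "masters_delete_pods": after.can("kubernetes-admin", "delete", "pods",
                                         namespace="kube-system", groups=("system:masters",)),
    }


if __name__ == "__main__":
    for check, allowed in replay_experiment().items():
        print(f"{check}: {'allowed' if allowed else 'forbidden'}")
```

Running the block prints the five decisions; they match the Forbidden/allowed results seen in the terminal sessions above, and the last one shows why the default kubeconfig (a certificate whose O is system:masters) can do anything: the group, not the user name, is what the cluster-admin binding matches. On a real cluster the same questions are answered by `kubectl auth can-i`, which is the check to run after every binding change.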
Viewing the default clusterroles
[root@master01 ~]# kubectl get clusterrole
NAME                                                                   CREATED AT
admin                                                                  2020-12-08T06:39:13Z
cluster-admin                                                          2020-12-08T06:39:13Z
cluster-pods-reader                                                    2020-12-31T11:35:03Z
clusterrole-demo                                                       2020-12-31T13:23:48Z
edit                                                                   2020-12-08T06:39:13Z
flannel                                                                2020-12-08T06:59:56Z
kubeadm:get-nodes                                                      2020-12-08T06:39:15Z
nginx-ingress-clusterrole                                              2020-12-21T15:16:13Z
system:aggregate-to-admin                                              2020-12-08T06:39:13Z
system:aggregate-to-edit                                               2020-12-08T06:39:13Z
system:aggregate-to-view                                               2020-12-08T06:39:13Z
system:auth-delegator                                                  2020-12-08T06:39:13Z
system:basic-user                                                      2020-12-08T06:39:13Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2020-12-08T06:39:13Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2020-12-08T06:39:13Z
system:certificates.k8s.io:kube-apiserver-client-approver              2020-12-08T06:39:13Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2020-12-08T06:39:13Z
system:certificates.k8s.io:kubelet-serving-approver                    2020-12-08T06:39:13Z
system:certificates.k8s.io:legacy-unknown-approver                     2020-12-08T06:39:13Z
system:controller:attachdetach-controller                              2020-12-08T06:39:13Z
system:controller:certificate-controller                               2020-12-08T06:39:13Z
system:controller:clusterrole-aggregation-controller                   2020-12-08T06:39:13Z
system:controller:cronjob-controller                                   2020-12-08T06:39:13Z
system:controller:daemon-set-controller                                2020-12-08T06:39:13Z
system:controller:deployment-controller                                2020-12-08T06:39:13Z
system:controller:disruption-controller                                2020-12-08T06:39:13Z
system:controller:endpoint-controller                                  2020-12-08T06:39:13Z
system:controller:endpointslice-controller                             2020-12-08T06:39:13Z
system:controller:endpointslicemirroring-controller                    2020-12-08T06:39:13Z
system:controller:expand-controller                                    2020-12-08T06:39:13Z
system:controller:generic-garbage-collector                            2020-12-08T06:39:13Z
system:controller:horizontal-pod-autoscaler                            2020-12-08T06:39:13Z
system:controller:job-controller                                       2020-12-08T06:39:13Z
system:controller:namespace-controller                                 2020-12-08T06:39:13Z
system:controller:node-controller                                      2020-12-08T06:39:13Z
system:controller:persistent-volume-binder                             2020-12-08T06:39:13Z
system:controller:pod-garbage-collector                                2020-12-08T06:39:13Z
system:controller:pv-protection-controller                             2020-12-08T06:39:13Z
system:controller:pvc-protection-controller                            2020-12-08T06:39:13Z
system:controller:replicaset-controller                                2020-12-08T06:39:13Z
system:controller:replication-controller                               2020-12-08T06:39:13Z
system:controller:resourcequota-controller                             2020-12-08T06:39:13Z
system:controller:root-ca-cert-publisher                               2020-12-08T06:39:13Z
system:controller:route-controller                                     2020-12-08T06:39:13Z
system:controller:service-account-controller                           2020-12-08T06:39:13Z
system:controller:service-controller                                   2020-12-08T06:39:13Z
system:controller:statefulset-controller                               2020-12-08T06:39:13Z
system:controller:ttl-controller                                       2020-12-08T06:39:13Z
system:coredns                                                         2020-12-08T06:39:15Z
system:discovery                                                       2020-12-08T06:39:13Z
system:heapster                                                        2020-12-08T06:39:13Z
system:kube-aggregator                                                 2020-12-08T06:39:13Z
system:kube-controller-manager                                         2020-12-08T06:39:13Z
system:kube-dns                                                        2020-12-08T06:39:13Z
system:kube-scheduler                                                  2020-12-08T06:39:13Z
system:kubelet-api-admin                                               2020-12-08T06:39:13Z
system:monitoring                                                      2020-12-08T06:39:13Z
system:node                                                            2020-12-08T06:39:13Z
system:node-bootstrapper                                               2020-12-08T06:39:13Z
system:node-problem-detector                                           2020-12-08T06:39:13Z
system:node-proxier                                                    2020-12-08T06:39:13Z
system:persistent-volume-provisioner                                   2020-12-08T06:39:13Z
system:public-info-viewer                                              2020-12-08T06:39:13Z
system:service-account-issuer-discovery                                2020-12-08T06:39:13Z
system:volume-scheduler                                                2020-12-08T06:39:13Z
view                                                                   2020-12-08T06:39:13Z
[root@master01 ~]#
Note: every clusterrole whose name starts with system: is created by the system by default. These roles exist to authorize the corresponding components. For example, system:kube-dns is the role the kube-dns pod needs when it authenticates and is authorized at the apiserver, and system:kube-controller-manager defines the permissions the kube-controller-manager pod holds at the apiserver. When the kube-controller-manager pod authenticates to the apiserver, it first presents its certificate; the apiserver takes the CN of that certificate as the user name, and if that user name is system:kube-controller-manager, the pod holds every permission of that role. If we deploy a k8s cluster by hand and the CN of the controller-manager certificate is not system:kube-controller-manager, the cluster will not work properly; the same logic applies to the other components.

Besides the many built-in system: clusterroles, k8s ships four special clusterroles to make authorization convenient: cluster-admin, admin, edit and view. cluster-admin holds every permission on every resource in the whole cluster; by default a clusterrolebinding binds it to the system:masters group, and the O field of the certificate kubectl uses is system:masters, which is why kubectl with the default kubeconfig can operate on every resource in the cluster. admin is also an administrator role, but unlike cluster-admin it is normally granted through a rolebinding to make someone administrator of a particular namespace. edit and view follow the same logic and are mostly used through rolebindings to grant specific rights inside a particular namespace. For example, to quickly give a user read-only access in some namespace, bind the user to the view clusterrole with a rolebinding; to allow a user to modify every resource in a namespace, bind the user to the edit clusterrole with a rolebinding. Of course these roles can also be bound with a clusterrolebinding, in which case the user holds them over every resource in the whole cluster. With these four built-in clusterroles we can quickly grant a user a particular role:
Viewing the information in kubectl's default certificate
Copy the base64-encoded value of client-certificate-data from the kubeconfig, decode it with base64 -d, and then inspect the certificate with openssl x509 -text -noout.
Note: the current kubectl certificate has O=system:masters and CN=kubernetes-admin. kubectl can manage cluster resources because the O=system:masters in its certificate maps directly to the cluster role cluster-admin on k8s, which is bound to the system:masters group through a clusterrolebinding; that is what gives kubectl control over every resource in the cluster.
Example: grant user tom cluster administrator rights.
[root@master01 ~]# cat tom-clusterrolebinding-cluster-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tom-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: tom
[root@master01 ~]#
Note: the manifest above grants user tom every permission of the cluster-admin role through a clusterrolebinding, i.e. makes tom a cluster administrator.
Apply the manifest
[root@master01 ~]# kubectl apply -f tom-clusterrolebinding-cluster-admin.yaml
clusterrolebinding.rbac.authorization.k8s.io/tom-cluster-admin created
[root@master01 ~]# kubectl get clusterrolebinding tom-cluster-admin
NAME                ROLE                        AGE
tom-cluster-admin   ClusterRole/cluster-admin   21s
[root@master01 ~]# kubectl describe clusterrolebinding tom-cluster-admin
Name:         tom-cluster-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]#
Verify: manage cluster resources with tom's kubeconfig.
[root@master01 ~]# kubectl get all --kubeconfig=/tmp/myk8s.config
NAME                 READY   STATUS    RESTARTS   AGE
pod/nginx-pod-demo   1/1     Running   1          47h
pod/web-0            1/1     Running   2          3d
pod/web-1            1/1     Running   2          3d
pod/web-2            1/1     Running   2          3d
pod/web-3            1/1     Running   3          3d

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   3d3h
service/nginx        ClusterIP   None         <none>        80/TCP    3d3h

NAME                   READY   AGE
statefulset.apps/web   4/4     3d3h
[root@master01 ~]# kubectl delete all --all --kubeconfig=/tmp/myk8s.config
pod "nginx-pod-demo" deleted
pod "web-0" deleted
pod "web-1" deleted
pod "web-2" deleted
pod "web-3" deleted
service "kubernetes" deleted
service "nginx" deleted
statefulset.apps "web" deleted
[root@master01 ~]# kubectl apply -f statefulset-demo.yaml --kubeconfig=/tmp/myk8s.config
service/nginx created
statefulset.apps/web created
[root@master01 ~]# kubectl get all --kubeconfig=/tmp/myk8s.config
NAME        READY   STATUS    RESTARTS   AGE
pod/web-0   1/1     Running   0          9s
pod/web-1   1/1     Running   0          6s
pod/web-2   1/1     Running   0          4s

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   85s
service/nginx        ClusterIP   None         <none>        80/TCP    9s

NAME                   READY   AGE
statefulset.apps/web   3/3     9s
[root@master01 ~]#
Note: using tom's kubeconfig now has exactly the same effect as using the default kubeconfig; tom has instantly become a cluster administrator.
Delete the tom-cluster-admin clusterrolebinding
[root@master01 ~]# kubectl delete -f tom-clusterrolebinding-cluster-admin.yaml
clusterrolebinding.rbac.authorization.k8s.io "tom-cluster-admin" deleted
[root@master01 ~]#
Granting user tom read-only access to every resource in the ingress-nginx namespace
[root@master01 ~]# cat tom-ingress-nginx-view.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tom-ingress-nginx-view
  namespace: ingress-nginx
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: tom
[root@master01 ~]#
Note: the manifest above binds user tom to the view clusterrole through a rolebinding in the ingress-nginx namespace, so tom has read-only access to every resource in ingress-nginx and nothing more.
Apply the manifest
[root@master01 ~]# kubectl apply -f tom-ingress-nginx-view.yaml
rolebinding.rbac.authorization.k8s.io/tom-ingress-nginx-view created
[root@master01 ~]# kubectl get rolebinding -n ingress-nginx
NAME                              ROLE                      AGE
nginx-ingress-role-nisa-binding   Role/nginx-ingress-role   9d
tom-ingress-nginx-view            ClusterRole/view          22s
[root@master01 ~]# kubectl describe rolebinding tom-ingress-nginx-view -n ingress-nginx
Name:         tom-ingress-nginx-view
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  tom
[root@master01 ~]#
Verify: try to manage resources in the ingress-nginx namespace with tom's kubeconfig.
[root@master01 ~]# kubectl get pods -n ingress-nginx --kubeconfig=/tmp/myk8s.config
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-5466cb8999-dzn5d   1/1     Running   0          33s
[root@master01 ~]# kubectl get pods --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
[root@master01 ~]# kubectl delete pod nginx-ingress-controller-5466cb8999-dzn5d -n ingress-nginx --kubeconfig=/tmp/myk8s.config
Error from server (Forbidden): pods "nginx-ingress-controller-5466cb8999-dzn5d" is forbidden: User "tom" cannot delete resource "pods" in API group "" in the namespace "ingress-nginx"
[root@master01 ~]#
Note: tom can now only view resources in the ingress-nginx namespace, cannot view resources in the default namespace, and has no permission to delete pods in ingress-nginx.
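The tom-cluster-admin example shows how one clusterrolebinding turns an ordinary user into a cluster administrator, and the built-in admin/edit/view roles show that the roleRef name alone does not tell you how much a binding grants. A routine check that a cluster operator would want is an inventory of who holds those rights. The following is an added defensive example, not code from the original post: it walks a list of manifest-shaped dicts and reports every ClusterRoleBinding that grants cluster-admin or any ClusterRole with a full wildcard rule, and every RoleBinding that hands out the built-in admin or edit ClusterRoles in a namespace. The sample objects are constructed: the kubeadm-style cluster-admin binding for the system:masters group and the tom-cluster-admin and tom-ingress-nginx-view bindings from this post, plus a hypothetical ops-superuser ClusterRole and a hypothetical dev-edit RoleBinding to show the two other cases.

```python
"""Inventory of admin-level RBAC bindings (added example, not from the original post)."""

# Built-in namespace-admin roles usually granted through RoleBindings.
BUILTIN_ADMIN_ROLES = {"admin", "edit"}


def _is_full_wildcard(rule):
    # "*" in every field is equivalent to cluster-admin, whatever the role is called.
    return all("*" in rule.get(field, []) for field in ("apiGroups", "resources", "verbs"))


def _subjects(binding):
    return [(s["kind"], s["name"]) for s in binding.get("subjects", [])]


def find_cluster_admins(objects):
    """ClusterRoleBindings that grant cluster-admin or any full-wildcard ClusterRole.
    Returns sorted (subject_kind, subject_name, binding_name, clusterrole_name) tuples."""
    cluster_roles = {o["metadata"]["name"]: o["rules"] for o in objects if o["kind"] == "ClusterRole"}
    findings = []
    for b in objects:
        if b["kind"] != "ClusterRoleBinding":
            continue
        role = b["roleRef"]["name"]
        if role == "cluster-admin" or any(_is_full_wildcard(r) for r in cluster_roles.get(role, [])):
            findings.extend((kind, name, b["metadata"]["name"], role) for kind, name in _subjects(b))
    return sorted(findings)


def find_namespace_admins(objects):
    """RoleBindings that hand out the built-in admin or edit ClusterRoles inside a namespace.
    Returns sorted (namespace, subject_kind, subject_name, clusterrole_name); view is not flagged."""
    findings = []
    for b in objects:
        if b["kind"] != "RoleBinding":
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in BUILTIN_ADMIN_ROLES:
            ns = b["metadata"]["namespace"]
            findings.extend((ns, kind, name, ref["name"]) for kind, name in _subjects(b))
    return sorted(findings)


def _binding(kind, name, ref_name, subj_kind, subj_name, namespace=None):
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": ref_name, "apiGroup": "rbac.authorization.k8s.io"},
            "subjects": [{"kind": subj_kind, "name": subj_name, "apiGroup": "rbac.authorization.k8s.io"}]}


# Constructed sample: the post's bindings plus two hypothetical ones (ops-superuser, dev-edit).
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-superuser"},   # hypothetical, not cluster-admin by name
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    _binding("ClusterRoleBinding", "cluster-admin", "cluster-admin", "Group", "system:masters"),
    _binding("ClusterRoleBinding", "tom-cluster-admin", "cluster-admin", "User", "tom"),
    _binding("ClusterRoleBinding", "ops-superuser-binding", "ops-superuser", "Group", "ops-team"),
    _binding("RoleBinding", "tom-ingress-nginx-view", "view", "User", "tom", "ingress-nginx"),
    _binding("RoleBinding", "dev-edit", "edit", "Group", "developers", "testing"),
]


def report(objects=SAMPLE):
    """Both inventories in one dict, so the result can be diffed between audits."""
    return {"cluster_admins": find_cluster_admins(objects),
            "namespace_admins": find_namespace_admins(objects)}


if __name__ == "__main__":
    for kind, rows in report().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The wildcard check matters because a ClusterRole called anything other than cluster-admin can still carry the same `*`/`*`/`*` rule, and the by-name check alone would miss it. On a live cluster the same input can be produced with `kubectl get clusterrole,clusterrolebinding,rolebinding -A -o json`; deleting tom-cluster-admin, as the post does, removes tom from the first list while the view binding in ingress-nginx never appears in either.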