Access control: understanding Kubernetes authorization through an example

This series of articles covers the management of authentication and authorization for external requests to pods and other resources inside a Kubernetes cluster, and how roles and role bindings control access to resources inside Kubernetes.

Let's recap the lab scenario: the production cluster needs to isolate employees of different departments in different namespaces. A new employee, Bob, has joined the DevOps team; he mainly manages resources in the engineering namespace. He has already submitted his private key and certificate, and the Kubernetes admin has completed the authentication setup that lets Bob reach the Kubernetes cluster.

If you have not yet set up the lab environment above, please refer to the previous article.

Next, I will authorize Bob to access resources in the engineering namespace.

1. To make switching between user environments easier, first configure a context for kubectl

kubectl config set-context eng-context \
	--cluster=minikube \
	--namespace=engineering \
	--user=bob

The command above creates a context that uses Bob's credentials to access the engineering namespace of the cluster. The result of the command is written to the ~/.kube/config file.

cat ~/.kube/config | grep bob

2. Create a pod in the engineering namespace

cat >> myapp.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: engineering
  labels:
    app: myapp
spec:
  containers:
  - name: myapp
    image: busybox
    command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"]
EOF
kubectl create -f myapp.yaml

kubectl get pods -n engineering

3. The commands above were run as the admin user; Bob does not have permission to list pods in the engineering namespace

kubectl get pods -n engineering --as bob

4. Authorize Bob

To let Bob access resources in the engineering namespace, we need to authorize him. This is done by creating a role with the relevant permissions and then binding that role to Bob. In essence, Role Based Access Control (RBAC) gives Bob permission to perform specific operations on resources in the engineering namespace.

  • Give the eng-reader role permission to list pods in the engineering namespace
cat >> eng_role.yaml <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: engineering
  name: eng-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  # nodes are cluster-scoped, so listing them in a namespaced Role grants nothing
  resources: ["pods", "services", "nodes"]
  verbs: ["get", "watch", "list"]
EOF
kubectl create -f eng_role.yaml

Verify

kubectl get roles --namespace=engineering

Next, we use a role binding to grant the role describing these specific permissions to the user Bob.

cat >> role_binding_bob.yaml <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eng-read-access
  namespace: engineering
subjects:
- kind: User
  name: bob # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: eng-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f role_binding_bob.yaml

kubectl get rolebindings -n engineering

5. Verify that Bob has permission to access resources in the engineering namespace

kubectl get pods --namespace engineering --as bob

As we can see, once bob is bound to eng-reader he has permission to list resources in the engineering namespace.

The example above neatly demonstrates how permissions restrict bob's access to the cluster: all bob can do now is list pods in the engineering namespace. If, out of curiosity, we use bob to check the number of nodes in the cluster, we get the following denial:

kubectl get nodes --as bob

6. Using cluster-level cluster roles and cluster role bindings

Roles and role bindings are not limited to the namespace level; cluster-level ones are available too. Next we create a cluster-level cluster role and bind it to the user bob, so that bob can list the cluster's nodes.

cat >> cluster_node_reader.yaml <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: cluster-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
EOF
kubectl apply -f cluster_node_reader.yaml

kubectl get clusterroles cluster-node-reader

Next, bind the cluster role to bob through a cluster role binding

cat >> cluster_node_reader_binding_bob.yaml <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-cluster-nodes
subjects:
- kind: User
  name: bob # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-node-reader
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f cluster_node_reader_binding_bob.yaml

kubectl get clusterrolebinding read-cluster-nodes

7. Verify that bob has permission to list nodes

kubectl get nodes --as bob
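The following Python script is an added example and not part of the original article: it models, offline, the RBAC decision the API server makes for the objects created above, with the manifests hand-copied as dicts. It simplifies the real authorizer (assumptions: User subjects only, no resourceNames or non-resource URLs, a hand-picked set of cluster-scoped resources) and shows why the nodes entry in the namespaced eng-reader Role grants nothing while the ClusterRoleBinding does.

```python
# Added example, not from the original article: an offline model of the RBAC
# decision the API server makes for the objects created in this walkthrough.
# Assumptions: only User subjects, no resourceNames or non-resource URLs, and
# a hand-picked set of cluster-scoped resources.

CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}

# Rules from eng_role.yaml. "nodes" is listed there, but a namespaced Role can
# never grant access to a cluster-scoped resource, so that entry is inert.
ROLES = {("engineering", "eng-reader"): [
    {"apiGroups": [""], "resources": ["pods", "services", "nodes"],
     "verbs": ["get", "watch", "list"]}]}
# Rules from cluster_node_reader.yaml
CLUSTER_ROLES = {"cluster-node-reader": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]}]}
# (namespace, user, roleRef kind, roleRef name) from role_binding_bob.yaml
ROLE_BINDINGS = [("engineering", "bob", "Role", "eng-reader")]
# (user, ClusterRole name) from cluster_node_reader_binding_bob.yaml
CLUSTER_ROLE_BINDINGS = [("bob", "cluster-node-reader")]


def rule_matches(rule, group, resource, verb):
    """One PolicyRule allows the request only if every field matches (or is '*')."""
    return all(value in rule[field] or "*" in rule[field]
               for field, value in (("apiGroups", group), ("resources", resource),
                                    ("verbs", verb)))


def can_i(user, verb, resource, namespace=None, group="",
          cluster_bindings=CLUSTER_ROLE_BINDINGS):
    """Mirror of `kubectl auth can-i <verb> <resource> -n <ns> --as <user>`.
    RBAC is additive: allowed if any binding naming the user has a matching
    rule; there are no deny rules."""
    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources.
    for subject, cr_name in cluster_bindings:
        if subject == user and any(rule_matches(r, group, resource, verb)
                                   for r in CLUSTER_ROLES.get(cr_name, [])):
            return True
    # A RoleBinding is namespaced, so it can only ever reach namespaced resources.
    if resource in CLUSTER_SCOPED:
        return False
    for ns, subject, kind, name in ROLE_BINDINGS:
        if ns != namespace or subject != user:
            continue
        rules = (ROLES.get((ns, name), []) if kind == "Role"
                 else CLUSTER_ROLES.get(name, []))
        if any(rule_matches(r, group, resource, verb) for r in rules):
            return True
    return False
```

Passing cluster_bindings=[] reproduces the state after step 5, where bob is denied on nodes; the default reproduces step 7. On a real cluster the same checks are kubectl auth can-i list pods -n engineering --as bob and kubectl auth can-i list nodes --as bob.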

In this article I mainly explained how roles and role bindings authorize a user to perform specific actions on specific resources in the cluster. In the final article of this series I will cover service accounts in detail.

This article is translated from thenewstack.io/a-practical…, with minor omissions.
