Preface
The main problem RBAC solves here is this: everyone is handed the admin config file, so everyone has the highest privileges and can do whatever they like, which makes it quite likely that someone damages the k8s cluster without realizing it. We therefore need to control this: create accounts other than admin for these users, so that they cannot operate on the namespaces holding the important parts of the k8s system.
Rather than start with the theory, here are the steps directly.
1. Create the certificate
Create the user's private key
[root@node-01 ~]# cd /etc/kubernetes/pki/
[root@node-01 pki]# (umask 077; openssl genrsa -out aideveloper.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
..................+++
e is 65537 (0x10001)
Create the certificate signing request
O = organization, CN = user name
[root@node-01 pki]# openssl req -new -key aideveloper.key -out aideveloper.csr -subj "/O=jbt/CN=aideveloper"
Sign the certificate
[root@node-01 pki]# openssl x509 -req -in aideveloper.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aideveloper.crt -days 365
Signature ok
subject=/O=jbt/CN=aideveloper
Getting CA Private Key
2. Create the config file
Creating the config file involves the following steps:
* kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE   # cluster configuration
* kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE   # user configuration
* kubectl config set-context   # context configuration
* kubectl config use-context   # switch context
Some notes:
* --embed-certs=true embeds the certificate contents in the config file instead of referencing the certificate files by path; the embedded data is not shown by kubectl config view, which masks it as DATA+OMITTED or REDACTED.
* --kubeconfig=/root/aideveloper.conf creates a new config file. Without this option the entries are added to .kube/config in the home directory, where use-context can be used to switch between different users for managing the k8s cluster.
* A context, simply put, is which user manages which cluster, i.e. the combination of a user and a cluster.
Create the cluster configuration
[root@node-01 pki]# kubectl config set-cluster kubernetes --server=https://tw-master.senses-ai.com:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/aideveloper.conf
Cluster "kubernetes" set.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
Create the user configuration
[root@node-01 pki]# kubectl config set-credentials aideveloper --client-certificate=aideveloper.crt --client-key=aideveloper.key --embed-certs=true --kubeconfig=/root/aideveloper.conf
User "aideveloper" set.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Create the context configuration
[root@node-01 pki]# kubectl config set-context aideveloper@kubernetes --cluster=kubernetes --user=aideveloper --kubeconfig=/root/aideveloper.conf
Context "aideveloper@kubernetes" created.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Switch context
[root@node-01 pki]# kubectl config use-context aideveloper@kubernetes --kubeconfig=/root/aideveloper.conf
Switched to context "aideveloper@kubernetes".
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: aideveloper@kubernetes
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Create the system user and its k8s credentials file
[root@node-01 ~]# useradd test   # any user name will do
[root@node-01 ~]# mkdir /home/test/.kube
[root@node-01 ~]# cp /root/aideveloper.conf /home/test/.kube/config
[root@node-01 ~]# chown test.test -R /home/test/.kube/
[root@node-01 ~]# su - test
[billy@node-01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "aideveloper" cannot list resource "pods" in API group "" in the namespace "default"
By default a new user has no permissions at all.
Create a Role
This role only has the get, list and watch permissions on pods.
[root@node-01 rbac]# vim aideveloper-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@node-01 rbac]# kubectl apply -f aideveloper-role.yaml
role.rbac.authorization.k8s.io/aideveloper-role created
Create a RoleBinding
Bind the user aideveloper to the role aideveloper-role.
[root@node-01 rbac]# vim aideveloper-roleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper
[root@node-01 rbac]# kubectl apply -f aideveloper-roleBinding.yaml
rolebinding.rbac.authorization.k8s.io/aideveloper-roleBinding created
Verify the result
If no namespace is specified, the default namespace is used.
[billy@node-01 ~]$ kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-demo-95bd675d5-66xrm   1/1     Running   0          18d
tomcat-5c5dcbc885-7vr68      1/1     Running   0          18d
[billy@node-01 ~]$ kubectl -n kube-system get pod
Error from server (Forbidden): pods is forbidden: User "billy" cannot list resource "pods" in API group "" in the namespace "kube-system"
So we can view the pods in the default namespace, but the pods in other namespaces cannot be viewed.
Create a ClusterRole
[root@node-01 rbac]# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@node-01 rbac]# kubectl apply -f cluster-reader.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
Create a ClusterRoleBinding
[root@node-01 rbac]# cat billy-read-all-pods.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: billy
[root@node-01 rbac]# kubectl apply -f billy-read-all-pods.yaml
clusterrolebinding.rbac.authorization.k8s.io/billy-read-all-pods created
Once the ClusterRole and ClusterRoleBinding have been created, the pods in all namespaces are visible.
Supplement on RBAC
RBAC reference
Verbs available under a rule:
"get", "list", "watch", "create", "update", "patch", "delete", "exec"
Resources available under a rule:
"services", "endpoints", "pods","secrets","configmaps","crontabs","deployments",
"jobs","nodes","rolebindings","clusterroles","daemonsets","replicasets","statefulsets",
"horizontalpodautoscalers","replicationcontrollers","cronjobs"
apiGroups available under a rule:
"","apps", "autoscaling", "batch"
Note:
A ClusterRoleBinding can only bind a ClusterRole.
A RoleBinding can bind either a Role or a ClusterRole.
If you want one subject bound to several roles, write several binding files (each binding references a single role).
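As an added example (not part of the original post), the following Python is a toy model of how the API server evaluates the four objects created above: the Role and RoleBinding grant aideveloper read access only in default, while the ClusterRole and ClusterRoleBinding grant billy read access in every namespace, which is the scoping rule the note above describes. The dict encodings of the manifests, the function names and the namespace "default" for the RoleBinding are my assumptions.

```python
# Toy model of how the API server evaluates this page's four RBAC objects
# (constructed example; the real authorizer lives in kube-apiserver).
READ_PODS = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

# (kind, namespace, name) -> rules. A Role is namespaced (the page's Role was
# applied to "default"); a ClusterRole has no namespace.
ROLES = {
    ("Role", "default", "aideveloper-role"): READ_PODS,
    ("ClusterRole", None, "cluster-reader"): READ_PODS,
}

# namespace None marks a ClusterRoleBinding; a RoleBinding keeps its namespace.
BINDINGS = [
    {"namespace": "default", "roleRef": ("Role", "aideveloper-role"), "users": ["aideveloper"]},
    {"namespace": None, "roleRef": ("ClusterRole", "cluster-reader"), "users": ["billy"]},
]


def rule_allows(rule, verb, resource, api_group):
    """A rule matches only when group, resource and verb all match; '*' is a wildcard."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, api_group=""):
    """True if some binding naming `user` grants `verb` on `resource` in `namespace`."""
    for b in BINDINGS:
        if user not in b["users"]:
            continue
        # A RoleBinding only covers its own namespace, even if it points at a
        # ClusterRole; a ClusterRoleBinding covers every namespace.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        kind, name = b["roleRef"]
        role_ns = b["namespace"] if kind == "Role" else None
        rules = ROLES.get((kind, role_ns, name), [])
        if any(rule_allows(r, verb, resource, api_group) for r in rules):
            return True
    return False


if __name__ == "__main__":
    # Mirrors the kubectl checks in the verification section above.
    print(can_i("aideveloper", "list", "pods", "default"))      # True
    print(can_i("aideveloper", "list", "pods", "kube-system"))  # False
    print(can_i("billy", "list", "pods", "kube-system"))        # True, via the ClusterRoleBinding
```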
Source: oschina
Link: https://my.oschina.net/u/4287236/blog/4913379