
Kubernetes permission control with RBAC

Permission control

This article introduces RBAC-based permission control. It involves four concepts: roles (Role, ClusterRole), role bindings (RoleBinding, ClusterRoleBinding), the subjects being authorized (ServiceAccount, User), and the permissions themselves (apiGroups, resources, verbs).

Difference between ServiceAccount and User

A ServiceAccount (sa) is usually used to authorize the application running in a pod: if a program in the pod needs to access the cluster and perform some operations, it can use a sa. Every pod gets the default sa unless another one is specified.

A User is usually meant for people and identifies an individual; for example, the multiple users in the kubectl configuration file are defined as users.

There is, however, no strict restriction on how the two are used.

ServiceAccount-based permission assignment

Namespace-scoped role authorization

# A Role bundles a set of permissions. A Role is namespace-scoped (only a ClusterRole
# is global), so binding a Role to a user or sa only takes effect inside one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - list
  - get
  - create
---
# A RoleBinding is a namespaced object that ties the ServiceAccount to the Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-binding
roleRef:   # the key is roleRef (lower-case r); RoleRef is rejected by the apiserver
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}   # a ServiceAccount subject must state its namespace
---
# A ServiceAccount is namespace-scoped; when it is created, a token with the same name
# is generated automatically in that namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}

Cluster-wide permission control

# A ClusterRole differs from an ordinary Role in one respect only: its permissions apply
# to the whole cluster, i.e. to the resources of every namespace and to cluster objects
# that belong to no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - list
  - get
  - watch
---
# Role binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: langkai-u-all-cluster-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: langkai-u-all
subjects:
- kind: ServiceAccount
  name: langkai-u-all
  namespace: default   # assumed; the namespace of a ServiceAccount subject is required
The ServiceAccount is the same one as above. With the token that belongs to this ServiceAccount you can log in to Kuboard and perform the corresponding operations.

Using User-based permission assignment in the kubectl configuration file

When kubectl talks to the apiserver, authentication is done with the configuration in .kube/config under the user's home directory.

Application scenario:

There are two clusters, prd and dev, accessed through the same kubectl. User user1 accesses the frontend namespace of the prd cluster, and user user2 accesses the backend namespace of the dev cluster. To make both kinds of access possible, different contexts must be configured in config.

A few concepts: cluster, user, context

1. A cluster is a k8s cluster; its entry holds the cluster certificate, address and similar information;

2. A user is the subject being authorized; its entry holds the authentication information. The user must afterwards be granted permissions through RBAC before it can access the cluster;

3. A context ties cluster + user + namespace together. For example, user tom + cluster k8s-new + namespace dev means that every kubectl command run in this context operates on namespace dev of cluster k8s-new, as tom.

The config file

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate, omitted>
    server: https://192.168.1.200:8443
  name: k8s-new
- cluster:
    server: https://192.168.1.210:8443
  name: k8s-old
contexts:
- context:
    cluster: k8s-new
    user: langkai
  name: k8s-new-all
- context:
    cluster: k8s-new
    namespace: langkai
    user: langkai
  name: k8s-new-langkai
- context:
    cluster: k8s-old
    namespace: default
    user: kzf
  name: k8s-old-default
current-context: k8s-new-langkai
kind: Config
preferences: {}
users:
- name: kzf
  user:
    password: 1qaz2wsx
    username: kouzhenfang
- name: langkai
  user:
    client-certificate-data: <base64-encoded client certificate, omitted>
    client-key-data: <base64-encoded client key, omitted>
Points to note:

1. The user's authentication information can only be a certificate/key pair; the username/password form does not take effect.

2. The cluster must also have its certificate configured, otherwise access fails with an error: no related resources.
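To make the concepts concrete, the following added example (not from the original post) resolves a context into its cluster, namespace and user the way kubectl does, and applies the two notes above as checks. The kubeconfig is embedded as an already-parsed dict mirroring the file shown above (with placeholder base64 values), so no YAML library is needed.

```python
# Constructed mirror of the config above, pre-parsed into a dict (no YAML library needed);
# the base64 blobs are placeholders.
KUBECONFIG = {
    "clusters": [
        {"name": "k8s-new", "cluster": {"server": "https://192.168.1.200:8443",
                                        "certificate-authority-data": "<base64 CA>"}},
        {"name": "k8s-old", "cluster": {"server": "https://192.168.1.210:8443"}},
    ],
    "users": [
        {"name": "kzf", "user": {"username": "kouzhenfang", "password": "1qaz2wsx"}},
        {"name": "langkai", "user": {"client-certificate-data": "<base64 cert>",
                                     "client-key-data": "<base64 key>"}},
    ],
    "contexts": [
        {"name": "k8s-new-all", "context": {"cluster": "k8s-new", "user": "langkai"}},
        {"name": "k8s-new-langkai",
         "context": {"cluster": "k8s-new", "user": "langkai", "namespace": "langkai"}},
        {"name": "k8s-old-default",
         "context": {"cluster": "k8s-old", "user": "kzf", "namespace": "default"}},
    ],
    "current-context": "k8s-new-langkai",
}

def _by_name(items, name, key):
    """kubeconfig lists look like [{name: ..., <key>: {...}}]; look one entry up by name."""
    for item in items:
        if item["name"] == name:
            return item[key]
    raise KeyError(f"{key} {name!r} is not defined in the kubeconfig")

def resolve_context(cfg, name=None):
    """Return (cluster, namespace, user) for a context; kubectl uses current-context
    when no name is given and the namespace 'default' when the context sets none."""
    ctx = _by_name(cfg["contexts"], name or cfg["current-context"], "context")
    cluster = _by_name(cfg["clusters"], ctx["cluster"], "cluster")
    user = _by_name(cfg["users"], ctx["user"], "user")
    return cluster, ctx.get("namespace", "default"), user

def problems(cluster, user):
    """Apply the two notes: key-pair credentials only, and a CA configured for the cluster."""
    found = []
    keys = set(user)
    if not ({"client-certificate-data", "client-key-data"} <= keys
            or {"client-certificate", "client-key"} <= keys):
        found.append("user has no client certificate/key pair (username/password does not work)")
    if not {"certificate-authority", "certificate-authority-data"} & set(cluster):
        found.append("cluster has no CA certificate configured")
    return found

def check_context(cfg, name=None):
    cluster, namespace, user = resolve_context(cfg, name)
    return {"server": cluster["server"], "namespace": namespace, "problems": problems(cluster, user)}
```

Run against the embedded config, k8s-new-langkai passes cleanly while k8s-old-default is flagged for both the password login and the missing CA.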

Generating the user certificate:

# Create a private key
umask 077; openssl genrsa -out langkai.key 2048
# Create a certificate signing request; the CN is the name the apiserver uses as the RBAC user
openssl req -new -key langkai.key -out langkai.csr -subj "/CN=langkai"
# Sign the request with the cluster CA certificate and key
openssl x509 -req -in langkai.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out langkai.crt -days 365
# Put the certificate and key into config as client-certificate-data and client-key-data,
# either with kubectl (--embed-certs=true writes them base64-encoded into the file) ...
kubectl config set-credentials langkai --client-certificate=./langkai.crt --client-key=./langkai.key --embed-certs=true
# ... or by base64-encoding them yourself (-w 0 keeps the output on a single line, as the
# config requires) and pasting the result into client-certificate-data and client-key-data
base64 -w 0 langkai.crt
base64 -w 0 langkai.key

Switching context

kubectl config --kubeconfig=config-demo use-context dev-frontend
# --kubeconfig gives the path of the config file; when omitted, the default ~/.kube/config is used.
# This command does nothing more than edit the config file; the context can equally be set by hand in the file:
current-context: k8s-new-langkai

Authorization

kubectl can only be used after the user has been authorized; otherwise it cannot operate on the cluster. Authorization has two parts: cluster-level resources + namespaced resources.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - list
  - get
  - watch
---
# Source: fengmi-frontend/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: langkai-u-all-cluster-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: langkai-u-all
subjects:
- kind: User
  name: langkai-u-all   # must equal the CN of the user's client certificate (langkai for the certificate generated above)
---
# Source: fengmi-frontend/templates/role.yaml
# Namespaced: the Role and its RoleBinding take effect in the namespace they are created in
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: langkai-u-all
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
---
# Source: fengmi-frontend/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: langkai-u-all-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: langkai-u-all
subjects:
- kind: User
  name: langkai-u-all   # same rule: the name must match the certificate CN
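The Role/RoleBinding and ClusterRole/ClusterRoleBinding pairs above, for both ServiceAccount and User subjects, all follow one evaluation rule: a subject is allowed a request if some binding names the subject, the binding's scope covers the request's namespace, and one rule of the referenced role matches the apiGroup, resource and verb ("*" matches anything). The following added example (not from the original post) models that rule offline on a constructed sample; it also goes one step beyond the page by showing a ClusterRole reused through a RoleBinding, which confines it to that namespace.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:
    """One entry of a Role/ClusterRole rules list ("" is the core API group)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

def _match(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed

def rule_allows(rule: Rule, group: str, resource: str, verb: str) -> bool:
    return (_match(rule.api_groups, group) and _match(rule.resources, resource)
            and _match(rule.verbs, verb))

@dataclass
class Binding:
    subjects: Set[str]         # "langkai" or "system:serviceaccount:<ns>:<name>"
    rules: List[Rule]          # rules of the referenced Role or ClusterRole
    namespace: Optional[str]   # RoleBinding's namespace; None for a ClusterRoleBinding

def sa(namespace: str, name: str) -> str:
    """Username the apiserver assigns to a ServiceAccount."""
    return f"system:serviceaccount:{namespace}:{name}"

def can_i(bindings, subject, verb, resource, group="", namespace=None) -> bool:
    """Decide a request as `kubectl auth can-i` would (namespace=None: cluster-scoped resource)."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        # A RoleBinding grants only inside its own namespace, so it never reaches
        # another namespace or a cluster-scoped resource such as nodes.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_allows(r, group, resource, verb) for r in b.rules):
            return True
    return False

# Constructed sample mirroring the page: a namespaced Role (list/get/create) bound to a
# ServiceAccount in "dev"; a read-only ClusterRole bound cluster-wide to the user "langkai"
# (the certificate CN); the same ClusterRole confined to "frontend" via a RoleBinding.
READ_ONLY = [Rule(["*"], ["*"], ["list", "get", "watch"])]
BINDINGS = [
    Binding({sa("dev", "app")}, [Rule(["*"], ["*"], ["list", "get", "create"])], "dev"),
    Binding({"langkai"}, READ_ONLY, None),
    Binding({"user2"}, READ_ONLY, "frontend"),
]
```

Note that a binding whose User name differs from the certificate CN (for example langkai-u-all versus CN=langkai) simply never matches, which is the most common reason an apparently correct RBAC setup still yields "forbidden".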

About users:

A User is not a resource object inside the cluster, so it does not have to be created separately; it only needs to be defined in config. A ServiceAccount, by contrast, must be created, either from YAML or with a command.