2. 程式人生 > 其它 >Kubernetes RBAC 為指定使用者授權訪問不同名稱空間許可權

Kubernetes RBAC 為指定使用者授權訪問不同名稱空間許可權

阿新 發佈:2021-01-20

技術標籤:k8skubernetes

在開啟了 TLS 的叢集中,每當與叢集互動的時候少不了的是身份認證,使用 kubeconfig(即證書) 和 token 兩種認證方式是最簡單也最通用的認證方式。

以kubectl為例介紹kubeconfig的配置。kubectl只是個go編寫的可執行程式,只要為kubectl配置合適的kubeconfig,就可以在叢集中的任意節點使用。kubectl預設會從$HOME/.kube目錄下查詢檔名為config的檔案,也可以通過設定環境變數KUBECONFIG或者通過設定--kubeconfig去指定其它 kubeconfig 檔案。

總之kubeconfig就是為訪問叢集所作的配置。

生成的 kubeconfig 被儲存到~/.kube/config檔案;配置檔案描述了叢集、使用者和上下文

案例:為指定使用者授權訪問不同名稱空間許可權

示例:為lulei使用者授權default名稱空間Pod讀取許可權(只能檢視,不能刪除)

1. 用K8S CA簽發客戶端證書基於證書的客戶端認證方式

2. 生成kubeconfig授權檔案kubectl使用kubeconfig連線叢集

3. 建立RBAC許可權策略做一定的許可權分配

也就是生成一個kubeconfig檔案,讓指定使用者拿著這個檔案去訪問叢集,如何檢視資源

CA簽發客戶端證書

(1)生成k8s客戶端證書,這裡面準備了CA的配置檔案

cat > lulei-csr.json <<EOF
{
  "CN": "lulei",
這個欄位相當於客戶端使用者資訊的標識

[[email protected] ~]# ls /etc/kubernetes/pki/ca.crt 
/etc/kubernetes/pki/ca.crt

cfssl使用根證書來簽發lulei客戶端的證書

[[email protected] rbac]# cat cfssl.sh 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
 
[[email protected] rbac]# cat cert.sh 
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

cat > lulei-csr.json <<EOF
{
  "CN": "lulei",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes lulei-csr.json | cfssljson -bare lulei

API Server會把客戶端證書的CN欄位作為User,把names.O欄位作為Group。kubelet 使用 TLS Bootstaping 認證時,API Server 可以使用 Bootstrap Tokens 或者 Token authenticationfile 驗證=token,無論哪一種,Kubenetes 都會為 token 繫結一個預設的 User 和 GroupPod使用 ServiceAccount 認證時,service-account-token 中的 JWT 會儲存 User 資訊有了使用者資訊,再建立一對角色/角色繫結(叢集角色/叢集角色繫結)資源物件,就可以完成許可權綁定了

[[email protected] rbac]# ls
lulei-key.pem  lulei.pem

注意這裡要指定k8s根證書的,jubeadm部署的話根證書預設在/etc/kubernetes/pki/

[[email protected] rbac]# ls /etc/kubernetes/pki/
apiserver.crt              apiserver-kubelet-client.crt  etcd                    front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  front-proxy-ca.crt      sa.key
apiserver-etcd-client.key  ca.crt                        front-proxy-ca.key      sa.pub
apiserver.key              ca.key                        front-proxy-client.crt

生成kubeconfig授權檔案

叢集引數設定

使用kubectl config這條命令生成kubeconfig證書,逐步生成kubeconfig裡面的資訊

生成證書的格式和家目錄的config內容是一樣的

[[email protected] ~]# cd .kube/
[[email protected] .kube]# ls
cache  config

這裡填充了cluster的資訊

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.179.102:6443 \
  --kubeconfig=lulei.kubeconfig


[[email protected] rbac]# kubectl config set-cluster kubernetes \
>   --certificate-authority=/etc/kubernetes/pki/ca.crt \
>   --embed-certs=true \
>   --server=https://192.168.179.102:6443 \
>   --kubeconfig=lulei.kubeconfig
Cluster "kubernetes" set.


這裡生成了檔案
[[email protected] rbac]# cat lulei.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01URXhOVEEyTlRZeU5sb1hEVE13TVRFeE16QTJOVFl5Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSmZsCmtaVVhUcVJ3ZjJVeDdqS1pjQURvaHV1aHNXcHAvK2NIOEF1MVpmR3JqN0lTb3VoelVISkZ5cGR5ekdoTDFBRHgKMTkxVlVCN1ZCWlk4cXBDRHYyRnZvWkRFbFVYR1JrTFFDT0lxc1hOVUt3ZU0xdnJqZnpZVW5ZNGN6NDhKNDdpTgpnUjJHRGtsWUlrZFpGZEU1ekN2eitldEtEVVUzdE5GV0djL00yZFE0NUIxNGZlTldpTUR3T0l3dTBSSWRvYmpnCndmSnhoVlJHMmgzdEplL0RpUjQ2cXI1NEdMVUU2VXNDUGJvZ0JxNTVBakt2c2NiOWUzeGdzMVJhZW1BdFZhd08KSFNjRkRDYWhBZDVPUlgzMlIzSGNoRnY2QmFwczgyb0dqUDBLOEY1RXNQWkFYQXFoK3c0UTFMRWQ2aHRuQWhyWAoxcmJ5cTF4eUNESnhhbENaSHBjQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZPZXFad29TeUxrVDVKWXlRNURMamUzRFRHUjJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCemtMRXMzUGhIN08wYWs5VWlTbFhDVTljK1RoYlZaTmZVUStKS1JpQU5KQys5Qm8vZApLdUlLYWhxQlE5UkprSk53TmVwT0NJOWxzcGJ4TGtHK3ArYktHV29Yb25CME5RdnZoZTRQd0p0dmdUcGlhVmVYCmNLejhUMDBRT1YyRzR0WEtmaTViK0dvZDA3NktlZm4zbm00U0l1VDh6bmNDclUxeHRpQTRSU3RQRVZZZTRQalAKY2p6MHJVS3BnTmhJL0lYc2JPVDNYV0hFNE4vU0VLcmtIYkRJNFpEUGRYa2gxd3piM1FZODFuZTh1enBNQVJ5VwpLbkx6R1NRaGJ0WTlWRUZkdlhGK0wreWFrQjcrR29xa1lJa1BNdURveFRoeTBuMFJjZStSTUhtZkFQSEh2RDFyCjdSNC9xdlpBLzA4Q0hxb3ZDcCsxUzNXbFE5WE5MRzE3TWExTAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.179.102:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

本段設定了所需要訪問的叢集的資訊。

  • 使用set-cluster設定了需要訪問的叢集,如上為kubernetes,這只是個名稱,實際為--server指向的apiserver
  • --certificate-authority設定了該叢集的公鑰
  • --embed-certs為true表示將--certificate-authority證書寫入到kubeconfig中
  • --server則表示該叢集的kube-apiserver地址

生成的kubeconfig 被儲存到lulei.kubeconfig檔案

使用者引數設定

kubectl config set-credentials lulei \
  --client-key=lulei-key.pem \
  --client-certificate=lulei.pem \
  --embed-certs=true \
  --kubeconfig=lulei.kubeconfig

[[email protected] rbac]# kubectl config set-credentials lulei \
>   --client-key=lulei-key.pem \
>   --client-certificate=lulei.pem \
>   --embed-certs=true \
>   --kubeconfig=lulei.kubeconfig
User "lulei" set.


[[email protected] rbac]# cat lulei.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01URXhOVEEyTlRZeU5sb1hEVE13TVRFeE16QTJOVFl5Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSmZsCmtaVVhUcVJ3ZjJVeDdqS1pjQURvaHV1aHNXcHAvK2NIOEF1MVpmR3JqN0lTb3VoelVISkZ5cGR5ekdoTDFBRHgKMTkxVlVCN1ZCWlk4cXBDRHYyRnZvWkRFbFVYR1JrTFFDT0lxc1hOVUt3ZU0xdnJqZnpZVW5ZNGN6NDhKNDdpTgpnUjJHRGtsWUlrZFpGZEU1ekN2eitldEtEVVUzdE5GV0djL00yZFE0NUIxNGZlTldpTUR3T0l3dTBSSWRvYmpnCndmSnhoVlJHMmgzdEplL0RpUjQ2cXI1NEdMVUU2VXNDUGJvZ0JxNTVBakt2c2NiOWUzeGdzMVJhZW1BdFZhd08KSFNjRkRDYWhBZDVPUlgzMlIzSGNoRnY2QmFwczgyb0dqUDBLOEY1RXNQWkFYQXFoK3c0UTFMRWQ2aHRuQWhyWAoxcmJ5cTF4eUNESnhhbENaSHBjQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZPZXFad29TeUxrVDVKWXlRNURMamUzRFRHUjJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCemtMRXMzUGhIN08wYWs5VWlTbFhDVTljK1RoYlZaTmZVUStKS1JpQU5KQys5Qm8vZApLdUlLYWhxQlE5UkprSk53TmVwT0NJOWxzcGJ4TGtHK3ArYktHV29Yb25CME5RdnZoZTRQd0p0dmdUcGlhVmVYCmNLejhUMDBRT1YyRzR0WEtmaTViK0dvZDA3NktlZm4zbm00U0l1VDh6bmNDclUxeHRpQTRSU3RQRVZZZTRQalAKY2p6MHJVS3BnTmhJL0lYc2JPVDNYV0hFNE4vU0VLcmtIYkRJNFpEUGRYa2gxd3piM1FZODFuZTh1enBNQVJ5VwpLbkx6R1NRaGJ0WTlWRUZkdlhGK0wreWFrQjcrR29xa1lJa1BNdURveFRoeTBuMFJjZStSTUhtZkFQSEh2RDFyCjdSNC9xdlpBLzA4Q0hxb3ZDcCsxUzNXbFE5WE5MRzE3TWExTAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.179.102:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: lulei
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURnakNDQW1xZ0F3SUJBZ0lVYVVuc3VhVnA1WkxVRnNmcXk2TWRaNGRQR0pFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1UQXhNVGd3T0RRd01EQmFGdzB6TVRBeApNVFl3T0RRd01EQmFNR0F4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFT01Bd0cKQTFVRUF4TUZiSFZzWldrd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNZNWM2Kwo0bFZIbTJvMXR6bHcyd3dncFp1Sjd2RnJ3TWVtMUlqSkg2c1ZTSE92NnJBOStjUUFmYk50N0swM0NHa2JhVlh5ClJ0ejh6RitYL3BhZUNmZW8wNnFKcU5RZkVhMllQc1lyREZkdXRRdUNGSmpxdlBrbWN3TDdGdnVGcGlsNDZ4TkoKQ2s2QWpXNzh2TUNKQWx2dEtWcWdQdXFyd1lDTkNvZ0NWUEF0cTZMZ2x6b0UwOU9jL05wY2hzdHZwdzR5QTVPcwp0SkkzcDRXbUZQSWNYZUNvR3BlMzk3WUJ3b1JnVDlMVHlnTzhXUkpBeEpQRUFsRnc1KzJqcEZnaU5BdC9tMmFICkFNcXc1MjZRVnVsMnFWYjJyOXViU1drRzFLWS9Va09jOW4zbFgyYnRPWTN2NWxFVUx3cHozYmZwY2lDTE1yN3EKZTB4Sml1TWpicEVNTnpTVkFnTUJBQUdqZnpCOU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBZEJnTlZIU1VFRmpBVQpCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVVhc0orCmw2ai9JdGxObytrOGVRRDVlSzNTNWN3d0h3WURWUjBqQkJnd0ZvQVU1NnBuQ2hMSXVSUGtsakpEa011TjdjTk0KWkhZd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCNjdSVm00U0c4MUZtMnZqSmQ4S1crdk5CMzZESC9tZGZCQwpWRUovdmRiS09JL0dmalc1bXdvckhtVHZyNmJRVE15U1NWMUFZd3RDZzRzNVZhUWJqOXJzUU1TNmZVcnlnaGdqCi9YZkxVVTBkOE1jTTZkMEZpM1h1c3FnVTZjNDBTcHozRkxUZ3BBUUU4Z2Z3aTdUbmRUcHJjU3hMaHV3S0RtVEIKMG5jK0U5TCtlOW5meTliVUp2akZSUGpKV1Q2Z3hEamhJZi9CK0g1andiY1NCM0x6KzBoQzkzaUVkbDdocWlLUwpiMExNSmIvYjZaN1Vya0FEQlR0WlVJWFFWb2lSdnRXWmhCUktKZC9PVWlZWW5CbEpmYnJmYUM4UFNtTHpPak53CnBhaFBzaWZCekplZnRlU1BPZmFZZXhKNUVGSVdLV1lLWnYzY09jQjViSFlYS3p2dWlXUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbU9YT3Z1SlZSNXRxTmJjNWNOc01JS1diaWU3eGE4REhwdFNJeVIrckZVaHpyK3F3ClBmbkVBSDJ6YmV5dE53aHBHMmxWOGtiYy9NeGZsLzZXbmduM3FOT3FpYWpVSHhHdG1EN0dLd3hYYnJVTGdoU1kKNnJ6NUpuTUMreGI3aGFZcGVPc1RTUXBPZ0kxdS9MekFpUUpiN1NsYW9EN3FxOEdBalFxSUFsVHdMYXv*nEpjNgpCTlBUblB6YVhJYkxiNmNPTWdPVHJMU1NONmVGcGhUeUhGM2dxQnFYdC9lMkFjS0VZRS9TMDhvRHZGa1NRTVNUCnhBSlJjT2Z0bzZSWUlqUUxmNXRtaHdES3NPZHVrRmJwZHFsVzlxL2JtMGxwQnRTbVAxSkRuUFo5NVY5bTdUbU4KNytaUkZDOEtjOTIzNlhJZ2l6Sys2bnRNU1lyakkyNlJERGMwbFFJREFRQUJBb0lCQUZFMC9YSDAxRWFNRFFVcQpvNStGT0JPKzRiV0k2MERIeTBLWWIyNGpHOExhRUZmRzFvU1v*nzNuQlgzRXp0c0Q1STlpaXZ0N0Y3Uk0rQmpLClowVFpGbWpjd3g4S1JGK2NEQTlvaCtnbFRlckd6YTN4TXFhNlo3bzhLOEVnbThhSVVrNmV6RWRtNmZydEk1Mm8Kd3JvQ1BzRGZ6ZnArY0RWNU9NV3dhanlTMEYzd2tRYmloVmdmckxLdCtkUEJrV2ZMWjljd3FUYmFZMzZSb202eApHdGY1eWM1ZnZnZ0E0Z3FndjBaSW9OelMzQytNK0JBdGpzWDRUOVFJL09ZcmxsWHJXVksvRVRDTFRYUGhIS1cvCnk5OUNrU3I2ZWR2ODJsbmQ0VGFPVE9pRWp1eVhMVkFCOWVFeWZnUXhLNmJTck1JaFNINTl3M0liaEpWZkU0S3oKVEZsd0V3RUNnWUVBeWF0bW1ESXAyLzhaNHJtcjkvc2RlNUF3Y0d3Q3BxNGdKRkVaR3BoallpMlFPVVRsNnNMNApDNFpjMER6YWN4VzFuUzZHSWF6cTFrdVAwcWVhNVlpV1lPWmFmekdKeXp6L083VGRyRUF6bTcxaDdHL1FSS1gwCllhSGxsYTNGY0FYTEdmZ3ZOeW8xTTJmZUEzOUZiWDczWUF6OGlRa05KUXpnUlFuRzFJN1I2SjBDZ1lFQXdoYSsKd0ZjQ3FIYXVjNWZUeVZOQ1V1Ujd3disyWDluY3plSkl5aGUrTzFnckZGRVIxblVUdGRCTSttNFRWSjZSd0F6MwpVY05CY3JOQXpJK1l2ZGR3OUxCQmhadTkrRmJwTWV5ZkR6V0hyR282NVBHSE4yUm5raElhR3dia1pNUnBHYWhECmJTcDZHK3JzMUMzYkMxMjU3SElwdVFlQlp4R1NJb2VEUTZtYnpsa0NnWUJ3UHh0YWFNbE5ycDQ4eUhWRUVCdm4KMDJoeW1sdWJaRjExZVVJTXdIYkloVzI1d25ScUIxekNKV1h4YlgxMUFzZFVGam9IOGxPL05NMTNSVng4bDFxRAowcExhS3J0MFNKNFRJR2NsWVpLWUEzL0dkckdvRStxQ2tQYlZLYVF6NXJXVjNjS0I1TmM1cG4wMjJ4Yk1qQmVwCitYQng0WHpVZTJjMFplMnFEMWdjTFFLQmdDNy9ETzlMNGxQaWNQbUNjUURWelVCL0hNeXAySUk3SWJFa3N0VmsKakdhWVFjNG9sellqb1VNc0RnZXhzYktTdHQ0WEJhZmhySzVXWTBGbEgrb1FDY1RtRE9lS1A2U3Jmc25jN3VMaQo1bGhFWE1CbEQ0WEZKU01FaVJlMFFvZDMyNjhmeER2aHhqR09ZQXc4a2thZFNsRExqL2pDclgzRWptc1gveHZhCkxPVDVBb0dCQUw0azE0NVdnQlRCOWZRY05iOE01SXNNZmx1QzhHc2FNbDgzQnU3T2x6T3lLanFMbGxSdzlIc2QKbXVEZVJwNmxIRmlDWHhZdXRQWTRPd2NFbndBWDcyRHRlUzJ5bnBjSUNYTTVTbkEvWlJEeDZOZnlWMWNsb1Zlagprd3grc09mT3pBeXNnN21TS1ZxMkVEZThKU1pFOUpEVCswbm5zaHd5bm5hdXZpbk8zZEF4Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

本段主要設定使用者的相關資訊,主要是使用者證書。如上的使用者名稱為lulei,證書為:lulei.pem,私鑰為:lulei-key.pem。注意客戶端的證書首先要經過叢集CA的簽署,否則不會被叢集認可。此處使用的是ca認證方式,也可以使用token認證,如kubelet的TLS Boostrap機制下的bootstrapping使用的就是token認證方式。上述kubectl使用的是ca認證,不需要token欄位

上下文引數

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=lulei \
  --kubeconfig=lulei.kubeconfig



# 設定上下文引數
[[email protected] rbac]# kubectl config set-context kubernetes \
>   --cluster=kubernetes \
>   --user=lulei \
>   --kubeconfig=lulei.kubeconfig
Context "kubernetes" created.


[[email protected] rbac]# cat lulei.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01URXhOVEEyTlRZeU5sb1hEVE13TVRFeE16QTJOVFl5Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSmZsCmtaVVhUcVJ3ZjJVeDdqS1pjQURvaHV1aHNXcHAvK2NIOEF1MVpmR3JqN0lTb3VoelVISkZ5cGR5ekdoTDFBRHgKMTkxVlVCN1ZCWlk4cXBDRHYyRnZvWkRFbFVYR1JrTFFDT0lxc1hOVUt3ZU0xdnJqZnpZVW5ZNGN6NDhKNDdpTgpnUjJHRGtsWUlrZFpGZEU1ekN2eitldEtEVVUzdE5GV0djL00yZFE0NUIxNGZlTldpTUR3T0l3dTBSSWRvYmpnCndmSnhoVlJHMmgzdEplL0RpUjQ2cXI1NEdMVUU2VXNDUGJvZ0JxNTVBakt2c2NiOWUzeGdzMVJhZW1BdFZhd08KSFNjRkRDYWhBZDVPUlgzMlIzSGNoRnY2QmFwczgyb0dqUDBLOEY1RXNQWkFYQXFoK3c0UTFMRWQ2aHRuQWhyWAoxcmJ5cTF4eUNESnhhbENaSHBjQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZPZXFad29TeUxrVDVKWXlRNURMamUzRFRHUjJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCemtMRXMzUGhIN08wYWs5VWlTbFhDVTljK1RoYlZaTmZVUStKS1JpQU5KQys5Qm8vZApLdUlLYWhxQlE5UkprSk53TmVwT0NJOWxzcGJ4TGtHK3ArYktHV29Yb25CME5RdnZoZTRQd0p0dmdUcGlhVmVYCmNLejhUMDBRT1YyRzR0WEtmaTViK0dvZDA3NktlZm4zbm00U0l1VDh6bmNDclUxeHRpQTRSU3RQRVZZZTRQalAKY2p6MHJVS3BnTmhJL0lYc2JPVDNYV0hFNE4vU0VLcmtIYkRJNFpEUGRYa2gxd3piM1FZODFuZTh1enBNQVJ5VwpLbkx6R1NRaGJ0WTlWRUZkdlhGK0wreWFrQjcrR29xa1lJa1BNdURveFRoeTBuMFJjZStSTUhtZkFQSEh2RDFyCjdSNC9xdlpBLzA4Q0hxb3ZDcCsxUzNXbFE5WE5MRzE3TWExTAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.179.102:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: lulei
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: lulei
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURnakNDQW1xZ0F3SUJBZ0lVYVVuc3VhVnA1WkxVRnNmcXk2TWRaNGRQR0pFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1UQXhNVGd3T0RRd01EQmFGdzB6TVRBeApNVFl3T0RRd01EQmFNR0F4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFT01Bd0cKQTFVRUF4TUZiSFZzWldrd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNZNWM2Kwo0bFZIbTJvMXR6bHcyd3dncFp1Sjd2RnJ3TWVtMUlqSkg2c1ZTSE92NnJBOStjUUFmYk50N0swM0NHa2JhVlh5ClJ0ejh6RitYL3BhZUNmZW8wNnFKcU5RZkVhMllQc1lyREZkdXRRdUNGSmpxdlBrbWN3TDdGdnVGcGlsNDZ4TkoKQ2s2QWpXNzh2TUNKQWx2dEtWcWdQdXFyd1lDTkNvZ0NWUEF0cTZMZ2x6b0UwOU9jL05wY2hzdHZwdzR5QTVPcwp0SkkzcDRXbUZQSWNYZUNvR3BlMzk3WUJ3b1JnVDlMVHlnTzhXUkpBeEpQRUFsRnc1KzJqcEZnaU5BdC9tMmFICkFNcXc1MjZRVnVsMnFWYjJyOXViU1drRzFLWS9Va09jOW4zbFgyYnRPWTN2NWxFVUx3cHozYmZwY2lDTE1yN3EKZTB4Sml1TWpicEVNTnpTVkFnTUJBQUdqZnpCOU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBZEJnTlZIU1VFRmpBVQpCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVVhc0orCmw2ai9JdGxObytrOGVRRDVlSzNTNWN3d0h3WURWUjBqQkJnd0ZvQVU1NnBuQ2hMSXVSUGtsakpEa011TjdjTk0KWkhZd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCNjdSVm00U0c4MUZtMnZqSmQ4S1crdk5CMzZESC9tZGZCQwpWRUovdmRiS09JL0dmalc1bXdvckhtVHZyNmJRVE15U1NWMUFZd3RDZzRzNVZhUWJqOXJzUU1TNmZVcnlnaGdqCi9YZkxVVTBkOE1jTTZkMEZpM1h1c3FnVTZjNDBTcHozRkxUZ3BBUUU4Z2Z3aTdUbmRUcHJjU3hMaHV3S0RtVEIKMG5jK0U5TCtlOW5meTliVUp2akZSUGpKV1Q2Z3hEamhJZi9CK0g1andiY1NCM0x6KzBoQzkzaUVkbDdocWlLUwpiMExNSmIvYjZaN1Vya0FEQlR0WlVJWFFWb2lSdnRXWmhCUktKZC9PVWlZWW5CbEpmYnJmYUM4UFNtTHpPak53CnBhaFBzaWZCekplZnRlU1BPZmFZZXhKNUVGSVdLV1lLWnYzY09jQjViSFlYS3p2dWlXUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbU9YT3Z1SlZSNXRxTmJjNWNOc01JS1diaWU3eGE4REhwdFNJeVIrckZVaHpyK3F3ClBmbkVBSDJ6YmV5dE53aHBHMmxWOGtiYy9NeGZsLzZXbmduM3FOT3FpYWpVSHhHdG1EN0dLd3hYYnJVTGdoU1kKNnJ6NUpuTUMreGI3aGFZcGVPc1RTUXBPZ0kxdS9MekFpUUpiN1NsYW9EN3FxOEdBalFxSUFsVHdMYXv*nEpjNgpCTlBUblB6YVhJYkxiNmNPTWdPVHJMU1NONmVGcGhUeUhGM2dxQnFYdC9lMkFjS0VZRS9TMDhvRHZGa1NRTVNUCnhBSlJjT2Z0bzZSWUlqUUxmNXRtaHdES3NPZHVrRmJwZHFsVzlxL2JtMGxwQnRTbVAxSkRuUFo5NVY5bTdUbU4KNytaUkZDOEtjOTIzNlhJZ2l6Sys2bnRNU1lyakkyNlJERGMwbFFJREFRQUJBb0lCQUZFMC9YSDAxRWFNRFFVcQpvNStGT0JPKzRiV0k2MERIeTBLWWIyNGpHOExhRUZmRzFvU1v*nzNuQlgzRXp0c0Q1STlpaXZ0N0Y3Uk0rQmpLClowVFpGbWpjd3g4S1JGK2NEQTlvaCtnbFRlckd6YTN4TXFhNlo3bzhLOEVnbThhSVVrNmV6RWRtNmZydEk1Mm8Kd3JvQ1BzRGZ6ZnArY0RWNU9NV3dhanlTMEYzd2tRYmloVmdmckxLdCtkUEJrV2ZMWjljd3FUYmFZMzZSb202eApHdGY1eWM1ZnZnZ0E0Z3FndjBaSW9OelMzQytNK0JBdGpzWDRUOVFJL09ZcmxsWHJXVksvRVRDTFRYUGhIS1cvCnk5OUNrU3I2ZWR2ODJsbmQ0VGFPVE9pRWp1eVhMVkFCOWVFeWZnUXhLNmJTck1JaFNINTl3M0liaEpWZkU0S3oKVEZsd0V3RUNnWUVBeWF0bW1ESXAyLzhaNHJtcjkvc2RlNUF3Y0d3Q3BxNGdKRkVaR3BoallpMlFPVVRsNnNMNApDNFpjMER6YWN4VzFuUzZHSWF6cTFrdVAwcWVhNVlpV1lPWmFmekdKeXp6L083VGRyRUF6bTcxaDdHL1FSS1gwCllhSGxsYTNGY0FYTEdmZ3ZOeW8xTTJmZUEzOUZiWDczWUF6OGlRa05KUXpnUlFuRzFJN1I2SjBDZ1lFQXdoYSsKd0ZjQ3FIYXVjNWZUeVZOQ1V1Ujd3disyWDluY3plSkl5aGUrTzFnckZGRVIxblVUdGRCTSttNFRWSjZSd0F6MwpVY05CY3JOQXpJK1l2ZGR3OUxCQmhadTkrRmJwTWV5ZkR6V0hyR282NVBHSE4yUm5raElhR3dia1pNUnBHYWhECmJTcDZHK3JzMUMzYkMxMjU3SElwdVFlQlp4R1NJb2VEUTZtYnpsa0NnWUJ3UHh0YWFNbE5ycDQ4eUhWRUVCdm4KMDJoeW1sdWJaRjExZVVJTXdIYkloVzI1d25ScUIxekNKV1h4YlgxMUFzZFVGam9IOGxPL05NMTNSVng4bDFxRAowcExhS3J0MFNKNFRJR2NsWVpLWUEzL0dkckdvRStxQ2tQYlZLYVF6NXJXVjNjS0I1TmM1cG4wMjJ4Yk1qQmVwCitYQng0WHpVZTJjMFplMnFEMWdjTFFLQmdDNy9ETzlMNGxQaWNQbUNjUURWelVCL0hNeXAySUk3SWJFa3N0VmsKakdhWVFjNG9sellqb1VNc0RnZXhzYktTdHQ0WEJhZmhySzVXWTBGbEgrb1FDY1RtRE9lS1A2U3Jmc25jN3VMaQo1bGhFWE1CbEQ0WEZKU01FaVJlMFFvZDMyNjhmeER2aHhqR09ZQXc4a2thZFNsRExqL2pDclgzRWptc1gveHZhCkxPVDVBb0dCQUw0azE0NVdnQlRCOWZRY05iOE01SXNNZmx1QzhHc2FNbDgzQnU3T2x6T3lLanFMbGxSdzlIc2QKbXVEZVJwNmxIRmlDWHhZdXRQWTRPd2NFbndBWDcyRHRlUzJ5bnBjSUNYTTVTbkEvWlJEeDZOZnlWMWNsb1Zlagprd3grc09mT3pBeXNnN21TS1ZxMkVEZThKU1pFOUpEVCswbm5zaHd5bm5hdXZpbk8zZEF4Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

叢集引數使用者引數可以同時設定多對,在上下文引數中將叢集引數和使用者引數關聯起來。上面的上下文名稱為kubenetes,叢集為kubenetes,使用者為lulei,表示使用lulei的使用者憑證來訪問kubenetes叢集的default名稱空間,也可以增加--namspace來指定訪問的名稱空間。

最後使用kubectl config use-context kubernetes來使用名為kubenetes的環境項來作為配置。如果配置了多個環境項,可以通過切換不同的環境項名字來訪問到不同的叢集環境。

# 設定當前使用配置

kubectl config use-context kubernetes --kubeconfig=lulei.kubeconfig
[[email protected] rbac]# kubectl config use-context kubernetes --kubeconfig=lulei.kubeconfig
Switched to context "kubernetes".

contexts:
- context:
    cluster: kubernetes
    user: lulei
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}

可以看到上面配置是沒有問題的,給出的提示是使用者lulei是不能列出這方面資源的

[[email protected] rbac]# kubectl --kubeconfig=lulei.kubeconfig get pod
Error from server (Forbidden): pods is forbidden: User "lulei" cannot list resource "pods" in API group "" in the namespace "default"

可以看到通過管理員的配置檔案是可以訪問到的

[[email protected] rbac]# kubectl --kubeconfig=/root/.kube/config  get pod
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6799fc88d8-drb2s   1/1     Running   3          64d

上面說明了配置檔案是沒有問題的,只是缺少相應的許可權

建立RBAC許可權策略

需要建立role和rolebinding,role是許可權的集合,rolebinding是要將role裡面許可權繫結到指定的使用者,也就是我們上面的lulei使用者

比較常見的授權維度:

• user:使用者名稱

• group:使用者分組

• 資源,例如pod、deployment

• 資源操作方法:get,list,create,update,patch,watch,delete

• 名稱空間

• API組

[[email protected] rbac]# cat rbac.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:            #配置授權維度
- apiGroups: [""]   #裡面為空,為核心的api組,常用的資源都在核心組裡面
  resources: ["pods"]
  verbs: ["get", "watch", "list"]  #資源操作方法

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: lulei
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


[[email protected] rbac]# kubectl apply -f rbac.yaml 
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created

name: lulei和CN裡面名字對應,上面繫結有兩塊,主題即繫結誰,另外和哪個role繫結

[[email protected] rbac]#  kubectl --kubeconfig=lulei.kubeconfig get pod
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6799fc88d8-drb2s   1/1     Running   3          64d
[[email protected] rbac]#  kubectl --kubeconfig=lulei.kubeconfig get deployment
Error from server (Forbidden): deployments.apps is forbidden: User "lulei" cannot list resource "deployments" in API group "apps" in the namespace "default"

現在準確授權了,只能檢視Pod,其他資源不能檢視

刪除也不行

[[email protected] rbac]#  kubectl --kubeconfig=lulei.kubeconfig delete pod nginx-6799fc88d8-drb2s
Error from server (Forbidden): pods "nginx-6799fc88d8-drb2s" is forbidden: User "lulei" cannot delete resource "pods" in API group "" in the namespace "default"

現在要放開許可權

授權的時候還要考慮資源在不在這個組裡面,apps裡面包含了deployment

[[email protected] rbac]# cat rbac.yml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:        
- apiGroups: ["","apps"]
  resources: ["pods","deployments","services"]
  verbs: ["get", "watch", "list"] 
[[email protected] rbac]# kubectl apply -f rbac.yml 
role.rbac.authorization.k8s.io/pod-reader configured
rolebinding.rbac.authorization.k8s.io/read-pods unchanged
[[email protected] rbac]#  kubectl --kubeconfig=lulei.kubeconfig get deploy
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   1/1     1            1           64d
[[email protected] rbac]#  kubectl --kubeconfig=lulei.kubeconfig get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP        64d
nginx        NodePort    10.99.50.2   <none>        80:31332/TCP   64d
[[email protected] rbac]# kubectl api-versions  檢視哪些資源組
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1

拿著上面lulei.kubeconfig就可以使用kubectl命令連線叢集了

總結

當使用kucetl呼叫其api或者使用ui其實都是向api server元件傳送的請求。

提取出證書裡面的CN欄位,該欄位作為你的使用者名稱。也就是從證書當中提取出使用者名稱 "CN": "lulei",

也可以基於組 "O": "k8s",

- kind: User

name: lulei

去驗證你的身份是不是有效的,也就是你的證書是不是CA頒發的,驗證客戶端證書沒問題進行下一個階段的授權,也就是建立RBAC,授權之後可以訪問。

使用kubeconfig還需要注意使用者已經經過授權(如RBAC授權),上述例子中使用者的證書中CN欄位為"CN": "lulei"kube-apiserver預定義的 RoleBindingread-pods將User lulei與 Rolepod-reader繫結,該 Role 授予了呼叫kube-apiserver相關 API 的許可權。

相關推薦

Kubernetes RBAC 指定使用者授權訪問不同名稱空間許可權

技術標籤:k8skubernetes 在開啟了 TLS 的叢集中,每當與叢集互動的時候少不了的是身份認證,使用 kubeconfig(即證書) 和 token 兩種認證方式是最簡單也最通用的認證方式。

kubernets中不同名稱空間的服務相互訪問

技術標籤:kubernetes(k8s)kubernetesservice mesh Pod {pod-ip}.{namespace}.pod.cluster.local //例如某pod的ip 1.2.3.4,在名稱空間default與DNS名稱cluster.local將有一個域名:1-2-3-4.default.pod.cluste

從redis未授權訪問到獲取伺服器許可權

從redis未授權訪問到獲取伺服器許可權 好久沒寫部落格了,部落格園快荒蕪了。趕緊再寫一篇,算是一個關於自己學習的簡要的記錄把。

Kubernetes ---- RBAC授權管理

RBAC(授權外掛) RBAC基於角色訪問控制:   許可: 對於任何一個被訪問的物件(k8s元件),對於物件能施加的操作組合,將某些操作許可權賦給角色,就完成了授權;  角色: 可以讓一個使用者扮演一個角色,而這個角色擁有些

阿里雲安全組規則授權物件設定固定IP段訪問

阿里雲的ESC建站需要在安全組放通一些端口才能正常訪問,所以我們在開放埠的時候就直接設定了全部ip可訪問,授權物件填入0.0.0.0/0,意味著允許全部ip訪問或者禁止全部ip訪問

Redis未授權訪問配合SSH key檔案利用詳解

前言 Redis是一個開源的使用ANSI C語言編寫、支援網路、可基於記憶體亦可持久化的日誌型、Key-Value資料庫,並提供多種語言的API。

Python實現列表中非負數保留,負數轉化指定的數值方式

簡單的小練習,實現將一個指定列表中的數值進行轉化,對於其中的非負數不作處理,對於負數需要轉化制定的數值,很簡單就不多說了,下面是具體的實現:

Redis 4.x/5.x 未授權訪問漏洞

0x01 Redis是什麼? Redis是資料庫,一個高效能的key-value儲存系統,是使用ANSI C語言編寫的。

Redis未授權訪問

Redis redis是一個key-value儲存系統, 是一個高效能的key-value資料庫 ,預設使用 6379 埠

Redis未授權訪問漏洞分析

Redis因配置不當和未授權訪問。導致無需認證就可以訪問到內部資料,可導致敏感資訊洩露,也可以通過config 命令,可以進行寫檔案操作。

redis未授權訪問簡單總結

redis環境搭建 下載有漏洞的redis版本 wget http://download.redis.io/releases/redis-3.2.11.tar.gz

Redis未授權訪問利用

Redis介紹 Redis是一個開源的使用ANSI C語言編寫、支援網路、可基於記憶體亦可持久化的日誌型、 Key-Value資料庫。和Memcached類似,它支援儲存的value 型別相對更多,包括 string(字串)、list ( 連結串列)、 set(集

常見未授權訪問漏洞總結

原創公眾號:Bypass 本文詳細地介紹了常見未授權訪問漏洞及其利用,具體漏洞列表如下:

jenkins未授權訪問漏洞復現

0x00 漏洞描述 未授權訪問管理控制檯,可以通過指令碼命令列執行系統命令。通過該漏洞,可以後臺管理服務,通過指令碼命令列功能執行系統命令,如反彈shell,wget寫webshell檔案。

MyBatis中針對if-test的引數指定值的xml寫法

場景 在篩選查詢資料時,需要根據人員型別下拉框選擇結果去資料庫中進行篩選查詢。

Kubernetes RBAC

一、簡介 RBAC(Role-Based Access Control,基於角色的訪問控制),作為Kubernetes安裝方式的預設選項,足見其重要程度,相對於其他訪問控制方式,RBAC具有以下優勢:

使用Spring Security登入認證,通過Oauth2.0開發第三方授授權訪問資源專案詳解

1.OAuth 2.0簡介 OAuth 2.0提供者機制負責公開OAuth 2.0受保護的資源。該配置包括建立可獨立或代表使用者訪問其受保護資源的OAuth 2.0客戶端。提供者通過管理和驗證用於訪問受保護資源的OAuth 2.0令牌來實現。在適用

Zookeeper的未授權訪問漏洞解決

這裡用的是使用者名稱密碼的方式,需用別的方式請參考下面地址附大佬連結:(有三種解決方法)https://www.cnblogs.com/ilovena/p/9484522.html首先介紹下znode的5種操作許可權

JBOSS未授權訪問漏洞復現

目錄1.JBOSS是什麼2.JBOSS未授權訪問是什麼3.漏洞環境搭建4.漏洞復現進入控制檯進入應用部署頁面上馬5.jexboss工具安裝方法:

Elasticsearch未授權訪問漏洞

漏洞描述 Elasticsearch是一款java編寫的企業級搜尋服務。越來越多的公司使用ELK作為日誌分析,啟動此服務預設會開放9200埠或者9300埠,可被非法操作資料