k8s rbac增加user用戶配置roles
阿新 • • 發佈:2018-09-05
als 它的 bar rem ive app 文件 you min 1.
k8s增加普通用戶User
k8s增加普通用戶User
普通用戶並不是通過k8s來創建和維護,是通過創建證書和切換上下文環境的方式來創建和切換用戶。
其實創建用戶的步驟,就是手動部署k8s集群裏的一個步驟。
創建過程見下:
創建用戶證書:
[root@k8s-master1 quanxian]# cat jane-csr.json { ? "CN": "jane", ? "key": { ? ? "algo": "rsa", ? ? "size": 2048 ? }, ? "names": [ ? ? { ? ? ? "C": "CN", ? ? ? "ST": "SZ", ? ? ? "L": "SZ", ? ? ? "O": "k8s", ? ? ? "OU": "4Paradigm" ? ? } ? ] }
生成user證書
[root@k8s-master1 jane]#? cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes jane-csr.json | cfssljson -bare jane 2018/09/05 01:51:01 [INFO] generate received request 2018/09/05 01:51:01 [INFO] received CSR 2018/09/05 01:51:01 [INFO] generating key: rsa-2048 2018/09/05 01:51:01 [INFO] encoded CSR 2018/09/05 01:51:01 [INFO] signed certificate with serial number 520899621423670329054136035003302903598818113990 2018/09/05 01:51:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). [root@k8s-master1 jane]# ls jane.csr? jane-csr.json? jane-key.pem? jane.pem [root@k8s-master1 jane]#
設置集群參數
[root@k8s-master1 jane]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.211.127:8443 --kubeconfig=kubectl.kubeconfig
Cluster "kubernetes" set.
設置客戶端認證參數
[root@k8s-master1 jane]# kubectl config set-credentials jane --client-certificate=jane.pem --client-key=jane-key.pem --embed-certs=true --kubeconfig=jane.kubeconfig User "jane" set.
設置上下文參數
[root@k8s-master1 jane]# kubectl config set-context kubernetes --cluster=kubernetes --user=jane --kubeconfig=jane.kubeconfig
Context "kubernetes" created.
設置當前用戶環境為新建的jane
[root@k8s-master1 jane]#? kubectl config use-context kubernetes --kubeconfig=jane.kubeconfig
Switched to context "kubernetes".
到這裏用戶已經生成
下面用這個用戶來測試role和clusterrole
2.
role
只能授予單個namespace空間資源的權限
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
? namespace: default
? name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
? resources: ["pods"]
? verbs: ["get", "watch", "list"]
?
##apiVersion ? 指定api版本 ? ? 可以用命令 ?kubectl ?api-versions ?查看
##kind ? ? ? ? ? ?指定資源類型
##metadata ? ?元數據
##name ? ? ? ? ?這個資源的名字
##namespace 指定namespace ??
##rules ? ? ? ? ? 定義規則
##apiGroups ? [" "] ? 所有核心api
##resources ? ?指定可以操作的資源 ? 比如pod ??
##verbs ? ? ? ? ? 操作權限,這個權限就是操作上面資源的權限
3.
clusterrole
可以授予整個集群的資源的權限。
也可也授予單個namespace空間資源的權限
取決於它的binding方式
不同的binding方式,授予的權限就不同。
4.
rolebinding
針對單個namespace使用rolebinding
將role權限綁定給用戶
就用上面的做示例
先創建role
[root@k8s-master1 quanxian]# cat role1.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
? namespace: default
? name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
? resources: ["pods"]
? verbs: ["get", "watch", "list"]
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl apply -f role1.yaml
role.rbac.authorization.k8s.io "pod-reader" created
[root@k8s-master1 quanxian]#
綁定
[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
? name: read-pods
? namespace: default
subjects:
- kind: User
? name: jane?
? apiGroup: rbac.authorization.k8s.io
roleRef:
? kind: Role #this must be Role or ClusterRole
? name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
? apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl apply -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" created
參數說明:
kind: RoleBinding ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ##指定類型是rolebinding?
apiVersion: rbac.authorization.k8s.io/v1 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##api接口版本
metadata: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ##元數據
name: read-pods ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##指定這個rolebinding的名稱
namespace: default ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##指定操作的namespace 這裏是默認 ?可以用kubectl get namespace 查看
subjects: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ##我們要增加的用戶
- kind: User ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##kind可以是User或者serviceaccount
name: jane ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ##新加的用戶名
apiGroup: rbac.authorization.k8s.io ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##用到的api接口
roleRef: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##綁定role
kind: Role ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ##綁定的role類型
name: pod-reader ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##綁定role的名字
apiGroup: rbac.authorization.k8s.io ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?##用到的api接口 ? ??
查看權限
[root@k8s-master1 jane]# kubectl describe role
Name:? ? ? ?? pod-reader
Labels:? ? ?? <none>
Annotations:? kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups...
PolicyRule:
? Resources? Non-Resource URLs? Resource Names? Verbs
? ---------? -----------------? --------------? -----
? pods? ? ?? []? ? ? ? ? ? ? ?? []? ? ? ? ? ? ? [get watch list]
[root@k8s-master1 jane]#
jane用戶只有pod的權限
5.
檢查用戶jane的role是否配置成功
記得保存原來的config文件(切記切記切記)
使用前面jane用戶生成的jane.kubeconfig配置文件
重新命名原config文件
[root@k8s-master1 .kube]# mv config config.admin
[root@k8s-master1 .kube]# ls
cache? config.admin? http-cache
把jane.kubeconfig移到目錄
[root@k8s-master1 .kube]# mv /root/k8s/jane/jane.kubeconfig? .
[root@k8s-master1 .kube]# ls
cache? config.admin? http-cache? jane.kubeconfig
改名
[root@k8s-master1 .kube]# mv jane.kubeconfig config
[root@k8s-master1 .kube]# ll
total 20
drwxr-xr-x 3 root root?? 23 Aug 28 22:34 cache
-rw------- 1 root root 6193 Sep? 5 02:47 config
-rw------- 1 root root 6215 Aug 28 22:31 config.admin ? ? ? ? ? ? ? ? ? ?
drwxr-xr-x 3 root root 4096 Sep? 5 02:52 http-cache
執行命令看看
[root@k8s-master1 .kube]# kubectl get all
NAME? ? ? ? ? ? ? ? ? ? ? ? ? ?? READY? ?? STATUS? ? RESTARTS?? AGE
pod/httpd-app-6dc78c4869-8dmmq?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
pod/httpd-app-6dc78c4869-dbpxc?? 1/1? ? ?? Running?? 4? ? ? ? ? 5d
pod/httpd-app-6dc78c4869-hs59j?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
pod/httpd-app-6dc78c4869-lp4hs?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
pod/httpd-app-6dc78c4869-z9mc9?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
Error from server (Forbidden): replicationcontrollers is forbidden: User "jane" cannot list replicationcontrollers in the namespace "default"
Error from server (Forbidden): services is forbidden: User "jane" cannot list services in the namespace "default"
Error from server (Forbidden): daemonsets.apps is forbidden: User "jane" cannot list daemonsets.apps in the namespace "default"
Error from server (Forbidden): deployments.apps is forbidden: User "jane" cannot list deployments.apps in the namespace "default"
Error from server (Forbidden): replicasets.apps is forbidden: User "jane" cannot list replicasets.apps in the namespace "default"
Error from server (Forbidden): statefulsets.apps is forbidden: User "jane" cannot list statefulsets.apps in the namespace "default"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "jane" cannot list horizontalpodautoscalers.autoscaling in the namespace "default"
Error from server (Forbidden): jobs.batch is forbidden: User "jane" cannot list jobs.batch in the namespace "default"
Error from server (Forbidden): cronjobs.batch is forbidden: User "jane" cannot list cronjobs.batch in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "jane" cannot list services in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get roles
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "jane" cannot list roles.rbac.authorization.k8s.io in the namespace "default"
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl get pod
NAME? ? ? ? ? ? ? ? ? ? ? ?? READY? ?? STATUS? ? RESTARTS?? AGE
httpd-app-6dc78c4869-8dmmq?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
httpd-app-6dc78c4869-dbpxc?? 1/1? ? ?? Running?? 4? ? ? ? ? 5d
httpd-app-6dc78c4869-hs59j?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
httpd-app-6dc78c4869-lp4hs?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
httpd-app-6dc78c4869-z9mc9?? 1/1? ? ?? Running?? 5? ? ? ? ? 5d
[root@k8s-master1 .kube]#
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
? ? certificate-authority-data: REDACTED
? ? server: https://192.168.211.127:8443
? name: kubernetes
contexts:
- context:
? ? cluster: kubernetes
? ? user: jane
? name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: jane
? user:
? ? client-certificate-data: REDACTED
? ? client-key-data: REDACTED
[root@k8s-master1 .kube]#
可以看到User jane只有pods的權限
還記得前面遇到的問題嗎?
?[root@k8s-master1?.kube]#?kubectl?logs?httpd-app-6dc78c4869-z9mc9
Error?from?server?(Forbidden):?pods?"httpd-app-6dc78c4869-z9mc9"?is?forbidden:?User?"jane"?cannot?get?pods/log?in?the?namespace?"default"
[root@k8s-master1?.kube]#?
這個問題在這裏模擬出來了
?
6.
深入點思考,這個操作實現了k8s集群不同用戶不同操作權限的設定。
k8s rbac增加user用戶配置roles