k8s RBAC authorization hands-on practice 1
Overview:
Using the User jane created earlier,
test what jane is allowed to do under each combination of Role vs ClusterRole and RoleBinding vs ClusterRoleBinding.
2.
Details of the Role and RoleBinding previously granted to jane
Role information
[root@k8s-master1 quanxian]# cat role1.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@k8s-master1 quanxian]# kubectl describe roles
Name:         pod-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get watch list]
RoleBinding information
[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl describe rolebinding
Name:         read-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"read-pods","namespace":"default"},"roleRef":{"ap...
Role:
  Kind:  Role
  Name:  pod-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  jane
jane's RBAC details
Role: pod-reader (namespace default)
RoleBinding: read-pods (namespace default), with
roleRef:
  kind: Role
  name: pod-reader
jane therefore only has permission to operate on pods in the default namespace.
[root@k8s-master1 .kube]# kubectl get po
NAME                         READY     STATUS    RESTARTS   AGE
httpd-app-6dc78c4869-8dmmq   1/1       Running   6          6d
httpd-app-6dc78c4869-dbpxc   1/1       Running   5          6d
httpd-app-6dc78c4869-hs59j   1/1       Running   6          6d
httpd-app-6dc78c4869-lp4hs   1/1       Running   6          6d
httpd-app-6dc78c4869-z9mc9   1/1       Running   6          6d
[root@k8s-master1 .kube]# kubectl get po -n kube-system
Error from server (Forbidden): pods is forbidden: User "jane" cannot list pods in the namespace "kube-system"
[root@k8s-master1 .kube]#
3.
What happens if roleRef is changed to ClusterRole?
The change is as follows:
Role: pod-reader (unchanged, still a Role in namespace default)
RoleBinding: read-pods, with
roleRef:
  kind: ClusterRole
  name: pod-reader
Delete the RoleBinding configured earlier (roleRef cannot be edited on an existing binding, so it has to be deleted and recreated)
[root@k8s-master1 quanxian]# kubectl delete -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" deleted
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl get rolebinding
No resources found.
Edit the rolebinding file
[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
Apply it to create the RoleBinding
[root@k8s-master1 quanxian]# kubectl apply -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" created
[root@k8s-master1 quanxian]#
Check the objects and permissions
[root@k8s-master1 quanxian]# kubectl get rolebinding
NAME        AGE
read-pods   24s
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl describe role
Name:         pod-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get watch list]
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl describe rolebinding
Name:         read-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"read-pods","namespace":"default"},"roleRef":{"ap...
Role:
  Kind:  ClusterRole
  Name:  pod-reader
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  jane
[root@k8s-master1 quanxian]#
Note: every request now fails
[root@k8s-master1 .kube]# kubectl get pod -n kube-system
Error from server (Forbidden): pods is forbidden: User "jane" cannot list pods in the namespace "kube-system"
[root@k8s-master1 .kube]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "jane" cannot list pods in the namespace "default": clusterrole.rbac.authorization.k8s.io "pod-reader" not found
[root@k8s-master1 .kube]# kubectl get pod -n default
Conclusion:
roleRef:
  kind: ClusterRole #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
kind and name must together match an existing object.
pod-reader exists as a Role, but roleRef now says ClusterRole, so the API server looks for a ClusterRole named pod-reader, finds none (hence the "clusterrole ... not found" in the error for the default namespace), and the binding grants nothing: jane has no permissions at all. The Role itself is still there, but nothing binds it any more. The kube-system request fails with the plain "cannot list pods" message because the RoleBinding lives in default and is never consulted for other namespaces.
4.
Follow the error and fix it:
turn pod-reader into a ClusterRole and read-pods into a ClusterRoleBinding.
What are the permissions then?
Delete the Role
[root@k8s-master1 quanxian]# kubectl delete -f role1.yaml
role.rbac.authorization.k8s.io "pod-reader" deleted
[root@k8s-master1 quanxian]#
Delete the RoleBinding
[root@k8s-master1 quanxian]# kubectl delete -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" deleted
Change it to a ClusterRole
[root@k8s-master1 quanxian]# cat role1.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default # a ClusterRole is cluster-scoped; this field is ignored (see the result below)
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@k8s-master1 quanxian]#
Change the binding to a ClusterRoleBinding
[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default # a ClusterRoleBinding is cluster-scoped; this field is ignored
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
Create the ClusterRole
[root@k8s-master1 quanxian]# kubectl apply -f role1.yaml
clusterrole.rbac.authorization.k8s.io "pod-reader" created
[root@k8s-master1 quanxian]#
Create the ClusterRoleBinding
[root@k8s-master1 quanxian]# kubectl apply -f rolebinding1.yaml
clusterrolebinding.rbac.authorization.k8s.io "read-pods" created
Results:
[root@k8s-master1 quanxian]# kubectl get pod
NAME                        READY    STATUS    RESTARTS  AGE
httpd-app-6dc78c4869-8dmmq  1/1      Running   6         6d
httpd-app-6dc78c4869-dbpxc  1/1      Running   5         6d
httpd-app-6dc78c4869-hs59j  1/1      Running   6         6d
httpd-app-6dc78c4869-lp4hs  1/1      Running   6         6d
httpd-app-6dc78c4869-z9mc9  1/1      Running   6         6d
[root@k8s-master1 quanxian]# kubectl get pod -n svc
No resources found.
[root@k8s-master1 quanxian]# kubectl get pod -n public
No resources found.
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl get namespace
Error from server (Forbidden): namespaces is forbidden: User "jane" cannot list namespaces at the cluster scope
[root@k8s-master1 quanxian]#
"No resources found." here means those namespaces simply contain no pods; it is not a permission error.
jane can now read pod information in every namespace.
The namespace written into the ClusterRole did not restrict jane to a single namespace: a ClusterRole is cluster-scoped, so its metadata.namespace is ignored. Note that cluster-scoped resources are a separate matter: listing namespaces is still forbidden "at the cluster scope" because pod-reader grants nothing on namespaces.
5.
What if only pod-reader is changed to a ClusterRole, while read-pods stays a RoleBinding as before?
What are the permissions then?
[root@k8s-master1 quanxian]# kubectl delete -f rolebinding1.yaml
clusterrolebinding.rbac.authorization.k8s.io "read-pods" deleted
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# cat rolebinding1.yaml
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master1 quanxian]#
[root@k8s-master1 quanxian]# kubectl apply -f rolebinding1.yaml
rolebinding.rbac.authorization.k8s.io "read-pods" created
Permission check
[root@k8s-master1 quanxian]# kubectl get pod
NAME                        READY    STATUS    RESTARTS  AGE
httpd-app-6dc78c4869-8dmmq  1/1      Running   6         6d
httpd-app-6dc78c4869-dbpxc  1/1      Running   5         6d
httpd-app-6dc78c4869-hs59j  1/1      Running   6         6d
httpd-app-6dc78c4869-lp4hs  1/1      Running   6         6d
httpd-app-6dc78c4869-z9mc9  1/1      Running   6         6d
[root@k8s-master1 quanxian]# kubectl get pod -n kube-system
Error from server (Forbidden): pods is forbidden: User "jane" cannot list pods in the namespace "kube-system"
[root@k8s-master1 quanxian]# kubectl get pod -n public
Error from server (Forbidden): pods is forbidden: User "jane" cannot list pods in the namespace "public"
[root@k8s-master1 quanxian]#
So with a RoleBinding the permission stays limited to the binding's namespace, even though the referenced ClusterRole is cluster-scoped. This is the standard way to define a set of permissions once as a ClusterRole and hand it out namespace by namespace without granting cluster-wide access.
6.
Summary
When using a ClusterRole:
if it is bound with a RoleBinding, the permission takes effect only in the binding's namespace;
if it is bound with a ClusterRoleBinding, the permission takes effect in every namespace of the cluster.
A binding's roleRef must point at an existing object of the stated kind (a Role in the binding's own namespace, or a ClusterRole); a dangling roleRef grants nothing, and since roleRef is immutable the binding has to be recreated to fix it. Binding a ClusterRole cluster-wide still does not cover cluster-scoped resources such as namespaces unless the ClusterRole carries rules for them. Each combination can be verified without switching kubeconfig by impersonating the user, e.g. kubectl auth can-i list pods --as jane -n kube-system (the caller needs impersonation rights).
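As an added example (not code from the original post, and not the Kubernetes authorizer itself), the following Python models the binding rules the four steps above demonstrate, so the Role/ClusterRole and RoleBinding/ClusterRoleBinding combinations can be replayed offline. The user jane, the pod-reader rule, the namespaces and the wording of the Forbidden messages are taken from the post; the class and function names (Rule, Binding, Cluster, scenario, run_all) are this example's own.

```python
# Added example (not code from the original post): a small model of the RBAC
# binding semantics exercised above, so the four Role/ClusterRole and
# RoleBinding/ClusterRoleBinding combinations can be replayed offline. The user
# "jane", the pod-reader rule, the namespaces and the error wording come from
# the post; the class and function names are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core API group, as in the YAML above
    resources: tuple
    verbs: tuple

    def matches(self, verb, resource, api_group):
        return (api_group in self.api_groups and resource in self.resources
                and verb in self.verbs)


@dataclass
class Binding:
    kind: str            # "RoleBinding" or "ClusterRoleBinding"
    namespace: str       # only meaningful for a RoleBinding
    subject: str         # User name; names are case sensitive
    role_ref_kind: str   # "Role" or "ClusterRole" (immutable on a real binding)
    role_ref_name: str


class Cluster:
    def __init__(self):
        self.roles = {}          # (namespace, name) -> [Rule]; a Role is namespaced
        self.cluster_roles = {}  # name -> [Rule]; a ClusterRole has no namespace
        self.bindings = []

    def _resolve(self, binding):
        # Rules the binding's roleRef points at, or None if the reference dangles.
        if binding.role_ref_kind == "ClusterRole":
            return self.cluster_roles.get(binding.role_ref_name)
        if binding.role_ref_kind == "Role" and binding.kind == "RoleBinding":
            return self.roles.get((binding.namespace, binding.role_ref_name))
        return None  # a ClusterRoleBinding may only reference a ClusterRole

    def can(self, user, verb, resource, namespace=None, api_group=""):
        """Return (allowed, message); namespace=None is a cluster-scoped request."""
        dangling = []
        for b in self.bindings:
            if b.subject != user:
                continue
            # A RoleBinding grants only inside its own namespace, even when it
            # references a ClusterRole (step 5), and never at cluster scope.
            if b.kind == "RoleBinding" and b.namespace != namespace:
                continue
            rules = self._resolve(b)
            if rules is None:
                # Step 3: a roleRef whose kind/name match nothing grants nothing,
                # and the API server names the missing object in the error.
                dangling.append(f'{b.role_ref_kind.lower()}.rbac.authorization.k8s.io '
                                f'"{b.role_ref_name}" not found')
                continue
            if any(r.matches(verb, resource, api_group) for r in rules):
                return True, ""
        where = (f'in the namespace "{namespace}"' if namespace is not None
                 else "at the cluster scope")
        msg = f'{resource} is forbidden: User "{user}" cannot {verb} {resource} {where}'
        if dangling:
            msg += ": " + "; ".join(dangling)
        return False, msg


POD_READER = [Rule(api_groups=("",), resources=("pods",), verbs=("get", "watch", "list"))]


def scenario(existing_kind, binding_kind, ref_kind):
    """Build one combination from the post (which object named pod-reader exists,
    which binding kind is created in default, what its roleRef.kind says) and
    probe it as jane."""
    c = Cluster()
    if existing_kind == "Role":
        c.roles[("default", "pod-reader")] = POD_READER
    else:
        # A ClusterRole is cluster-scoped: the metadata.namespace left in the
        # manifest in step 4 is dropped by the API server, so it has no namespace key.
        c.cluster_roles["pod-reader"] = POD_READER
    c.bindings.append(Binding(binding_kind, "default", "jane", ref_kind, "pod-reader"))
    return {
        "pods/default": c.can("jane", "list", "pods", namespace="default"),
        "pods/kube-system": c.can("jane", "list", "pods", namespace="kube-system"),
        "namespaces": c.can("jane", "list", "namespaces"),  # cluster-scoped request
    }


def run_all():
    """The four experiments of the post, in the order they appear."""
    return {
        "step2": scenario("Role", "RoleBinding", "Role"),
        "step3": scenario("Role", "RoleBinding", "ClusterRole"),
        "step4": scenario("ClusterRole", "ClusterRoleBinding", "ClusterRole"),
        "step5": scenario("ClusterRole", "RoleBinding", "ClusterRole"),
    }
```

Calling run_all() reproduces the post's results: step2 and step5 allow pods in default only, step3 denies default with the "clusterrole ... not found" suffix while kube-system gets the plain message (the dangling binding lives in default and is never consulted elsewhere), and step4 allows pods everywhere yet still denies listing namespaces at the cluster scope. The model deliberately has no notion of a rule matching cluster-scoped resources through a RoleBinding, which is exactly the property the real authorizer enforces.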