1. 程式人生 > >kubernetes RBAC實戰 kubernetes 使用者角色訪問控制,dashboard訪問,kubectl配置生成

kubernetes RBAC實戰 kubernetes 使用者角色訪問控制,dashboard訪問,kubectl配置生成

kubernetes RBAC實戰

環境準備

先用kubeadm安裝好kubernetes叢集,[包地址在此](https://market.aliyun.com/products/56014009/cmxz022571.html#sku=yuncode1657100000) 好用又方便,服務周到,童叟無欺

本文目的,讓名為devuser的使用者只能有許可權訪問特定namespace下的pod

命令列kubectl訪問

安裝cfssl

此工具生成證書非常方便, pem證書與crt證書,編碼一致可直接使用

 wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
 chmod 
+x cfssl_linux-amd64 mv cfssl_linux-amd64 /bin/cfssl wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x cfssljson_linux-amd64 mv cfssljson_linux-amd64 /bin/cfssljson wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl-certinfo_linux-amd64 mv cfssl-certinfo_linux-amd64 /bin
/cfssl-certinfo

簽發客戶端證書

根據ca證書與麼鑰簽發使用者證書

根證書已經在/etc/kubernetes/pki目錄下了

[[email protected] ~]# ls /etc/kubernetes/pki/
 apiserver.crt ca-config.json devuser-csr.json front-proxy-ca.key sa.pub
 apiserver.key ca.crt devuser-key.pem front-proxy-client.crt
 apiserver-kubelet-client.crt ca.key devuser.pem front
-proxy-client.key apiserver-kubelet-client.key devuser.csr front-proxy-ca.crt sa.key

注意以下幾個檔案: `ca.crt ca.key ca-config.json devuser-csr.json`

建立ca-config.json檔案

cat > ca-config.json < devuser-csr.json <校驗證書
cfssl-certinfo -cert kubernetes.pem

生成config檔案

kubeadm已經生成了admin.conf,我們可以直接利用這個檔案,省的自己再去配置叢集引數

$ cp /etc/kubernetes/admin.conf devuser.kubeconfig

設定客戶端認證引數:

kubectl config set-credentials devuser \
 --client-certificate=/etc/kubernetes/ssl/devuser.pem \
 --client-key=/etc/kubernetes/ssl/devuser-key.pem \
 --embed-certs=true \
 --kubeconfig=devuser.kubeconfig

設定上下文引數:

kubectl config set-context kubernetes \
 --cluster=kubernetes \
 --user=devuser \
 --namespace=kube-system \
 --kubeconfig=devuser.kubeconfig

設定莫認上下文:

kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig

以上執行一個步驟就可以看一下 devuser.kubeconfig的變化。裡面最主要的三個東西

  • cluster: 叢集資訊,包含叢集地址與公鑰
  • user: 使用者資訊,客戶端證書與私鑰,正真的資訊是從證書裡讀取出來的,人能看到的只是給人看的。
  • context: 維護一個三元組,namespace cluster 與 user

建立角色

建立一個叫pod-reader的角色

[[email protected] ~]# cat pod-reader.yaml
 kind:Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:namespace: kube-system
 name: pod-reader
 rules:- apiGroups:[""]# "" indicates the core API group
 resources:["pods"]
 verbs:["get","watch","list"]
kubectl create -f pod-reader.yaml

繫結使用者

建立一個角色繫結,把pod-reader角色繫結到 devuser上

[[email protected] ~]# cat devuser-role-bind.yaml
 kind:RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: read-pods
 namespace: kube-system
 subjects:- kind:User
 name: devuser # 目標使用者
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind:Role
 name: pod-reader # 角色資訊
 apiGroup: rbac.authorization.k8s.io
kubectl create -f devuser-role-bind.yaml

使用新的config檔案

$ rm .kube/config && cp devuser.kubeconfig .kube/config

效果, 已經沒有別的namespace的許可權了,也不能訪問node資訊了:

[[email protected] ~]# kubectl get nodeErrorfrom server (Forbidden): nodes is forbidden:User"devuser" cannot list nodes at the cluster scope

[[email protected] ~]# kubectl get pod -n kube-system
 NAME READY STATUS RESTARTS AGE
 calico-kube-controllers-55449f8d88-74x8f1/1Running08d
 calico-node-clpqr 2/2Running08d
 kube-apiserver-master1 1/1Running28d
 kube-controller-manager-master1 1/1Running18d
 kube-dns-545bc4bfd4-p6trj 3/3Running08d
 kube-proxy-tln54 1/1Running08d
 kube-scheduler-master1 1/1Running18d[[email protected] ~]# kubectl get pod -n defaultErrorfrom server (Forbidden): pods is forbidden:User"devuser" cannot list pods in the namespace"default": role.rbac.authorization.k8s.io "pod-reader"not found

dashboard訪問

service account原理

k8s裡面有兩種使用者,一種是User,一種就是service account,User給人用的,service account給程序用的,讓程序有相關的許可權。

如dasboard就是一個程序,我們就可以建立一個service account給它,讓它去訪問k8s。

我們看一下是如何把admin許可權賦給dashboard的:

╰─➤ cat dashboard-admin.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind:ClusterRoleBinding
 metadata:
 name: kubernetes-dashboard
 labels:
 k8s-app: kubernetes-dashboard
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind:ClusterRole
 name: cluster-admin
 subjects:- kind:ServiceAccount
 name: kubernetes-dashboard
 namespace: kube-system

把 kubernetes-dashboard 這個ServiceAccount繫結到cluster-admin這個ClusterRole上,這個cluster role非常牛逼,啥許可權都有

[[email protected] ~]# kubectl describe clusterrole cluster-admin -n kube-systemName: cluster-admin
 Labels: kubernetes.io/bootstrapping=rbac-defaults
 Annotations: rbac.authorization.kubernetes.io/autoupdate=truePolicyRule:ResourcesNon-ResourceURLsResourceNamesVerbs---------------------------------------------[*][][*]*.*[][][*]

而建立dashboard時建立了這個service account:

apiVersion: v1
 kind:ServiceAccount
 metadata:
 labels:
 k8s-app: kubernetes-dashboard
 name: kubernetes-dashboard
 namespace: kube-system

然後deployment裡指定service account

volumes:- name: kubernetes-dashboard-certs
 secret:
 secretName: kubernetes-dashboard-certs
 - name: tmp-volume
 emptyDir:{}
 serviceAccountName: kubernetes-dashboard

更安全的做法

[[email protected] ~]# cat admin-token.yaml
 kind:ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: admin
 annotations:
 rbac.authorization.kubernetes.io/autoupdate:"true"
 roleRef:
 kind:ClusterRole
 name: cluster-admin
 apiGroup: rbac.authorization.k8s.io
 subjects:- kind:ServiceAccount
 name: admin
 namespace: kube-system
 ---
 apiVersion: v1
 kind:ServiceAccount
 metadata:
 name: admin
 namespace: kube-system
 labels:
 kubernetes.io/cluster-service:"true"
 addonmanager.kubernetes.io/mode:Reconcile
[[email protected] ~]# kubectl get secret -n kube-system|grep admin
 admin-token-7rdhf kubernetes.io/service-account-token 314m
[[email protected] ~]# kubectl describe secret admin-token-7rdhf -n kube-systemName: admin-token-7rdhfNamespace: kube-system
 Labels:Annotations: kubernetes.io/service-account.name=admin
 kubernetes.io/service-account.uid=affe82d4-d10b-11e7-ad03-00163e01d684Type: kubernetes.io/service-account-token

Data====
 ca.crt:1025 bytes
 namespace:11 bytes
 token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi03cmRoZiIsImt1YmVybmV0ZXMuaW8vc2V