Kubernetes Study Notes (9): Authentication, Authorization, and RBAC
Views: 6439
Published: 2019-06-23


1. Overview

Almost every operation on a Kubernetes cluster goes through the kube-apiserver component, which exposes an HTTP RESTful API to clients inside and outside the cluster. That raises an obvious security question: anyone who knows the API address can reach the same endpoint, so the server has to establish who the caller is and what it may do before it touches any resource. Authentication and authorization are applied on the TLS port (6443 here); the legacy insecure HTTP port, where it is still enabled, skips both entirely and must never be reachable from anywhere but localhost.
kubectl cluster-info shows the API server endpoint:

[root@k8s-master-dev ~]# kubectl cluster-info
Kubernetes master is running at https://192.168.20.79:6443
KubeDNS is running at https://192.168.20.79:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@k8s-master-dev ~]#

A request to the API server passes through three stages. The first two are authentication and authorization; the third, admission control, also adds some safety but is mostly about resource management.

client --> | authentication   (who is the caller? client certificate, token, ...)
           | authorization    (what may this caller do?)
           | admissionControl (resource dependency, association, and environment checks)
       --> Resources

Kubernetes is highly modular: authentication, authorization, and admission control are each implemented by plugins that the administrator selects.

Authentication

Kubernetes supports several authentication methods, such as client certificates, static tokens, static password files, and ServiceAccount tokens, all enabled as plugins; one or more can be active at the same time. The enabled authenticators are tried in turn, and the first one that succeeds identifies the client; no further authenticator is consulted.
The two most common are:
1) tokens (for example a pre-shared key sent as a bearer token in the HTTP Authorization header)
2) TLS client certificates (mutual authentication over HTTPS)

Authorization

Since Kubernetes 1.6 the authorization plugins include RBAC, Node, ABAC, and webhook. RBAC (Role-Based Access Control) is allow-only: rules grant permissions and nothing is ever denied explicitly, so anything not granted is refused. Clusters installed with kubeadm use RBAC by default. RBAC lets the cluster administrator control resource access precisely per user or service account through roles. Permissions are attached to roles, and users obtain them by being bound to the right roles, which greatly simplifies management: in an organization, roles are created for the work to be done, users are assigned roles according to their responsibilities and qualifications, and moving a user from one role to another is trivial.

AdmissionControl

Admission control is a piece of code that runs inside kube-apiserver. The order for an API request is: authentication and authorization first, then admission, and only then the operation on the target object. The built-in admission plugins are compiled into the apiserver binary and enabled by the administrator (webhook admission plugins additionally let external services take part). Every enabled admission controller runs in sequence on each request; if any one of them rejects the request, processing stops immediately and the client receives the corresponding error.
Commonly used controllers:

  • AlwaysAdmit: admits every request
  • AlwaysDeny: rejects every request; only useful in test environments
  • ServiceAccount: automates ServiceAccount handling, for example adding the default ServiceAccount to a pod that specifies none and making sure the referenced ServiceAccount exists
  • LimitRanger: watches every request and enforces the constraints defined in the namespace's LimitRange objects; this plugin is required if LimitRange objects are used
  • NamespaceExists: rejects any request that targets a namespace that does not exist

2. Ways to access the API server

The Kubernetes API server exposes a rich set of RESTful interfaces to users.
REST request path: /api/v1/... for the core group and /apis/<group>/<version>/... for the other API groups (see the curl calls below)
API request verbs: get/list/create/update/patch/watch/proxy/redirect/delete/deletecollection

kubectl reads its credentials from ${HOME}/.kube/ by default, but other clients such as curl cannot use that file directly. To reach the API server with curl, use the kubectl proxy: it authenticates to the apiserver with your kubeconfig and serves a plain-HTTP endpoint locally. Because everything sent to that local port inherits your identity with no authentication of its own, keep it bound to 127.0.0.1 and stop it when you are done.

Start the proxy locally:

[root@k8s-master-dev ~]# ls .kube/
cache  config  http-cache
[root@k8s-master-dev ~]# kubectl proxy --port=8080
Starting to serve on 127.0.0.1:8080

Then, from another terminal, query it with curl:

[root@k8s-master-dev ~]# curl http://localhost:8080/api/v1/namespaces
{
  "kind": "NamespaceList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces",
    "resourceVersion": "768383"
  }
  ...
[root@k8s-master-dev ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments
{
  "kind": "DeploymentList",
  "apiVersion": "apps/v1",
  "metadata": {
    "selfLink": "/apis/apps/v1/namespaces/kube-system/deployments",
    "resourceVersion": "768654"
  },
  ...

3. Authentication

Which clients talk to the API server? Both clients outside the cluster (kubectl) and clients inside it (pods) do.

[root@k8s-master-dev ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)     AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP     5d
mongo        ClusterIP   None         <none>        27017/TCP   1d
[root@k8s-master-dev ~]# kubectl describe svc kubernetes
Name:              kubernetes
Namespace:         default
Labels:            component=apiserver
                   provider=kubernetes
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP:                10.96.0.1
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         192.168.20.79:6443
Session Affinity:  None
Events:            <none>
[root@k8s-master-dev ~]#

The output shows that pods and other components inside the cluster reach the API server through the kubernetes Service at 10.96.0.1:443, which forwards to the endpoint 192.168.20.79:6443; kubectl and other external clients connect to 192.168.20.79:6443 directly.

Accordingly, the identities used to access the API server fall into two classes:

1) ServiceAccount (clients inside the cluster, i.e. pods)
2) UserAccount (access from outside the cluster)

1. serviceAccountName (ServiceAccount)

A ServiceAccount is an identity managed by the Kubernetes API. ServiceAccounts are namespaced and are created either automatically by the API server or manually through the API. Each is associated with credentials stored as Secrets, which are mounted into pods so that processes in the cluster can talk to the Kubernetes API (logging in to the dashboard, for example, uses a ServiceAccount token).
As soon as a cluster is set up there are already several ServiceAccounts, one per namespace; names may repeat across namespaces. List the ServiceAccounts in the current namespace with:

[root@k8s-master-dev ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         5d
[root@k8s-master-dev ~]#

Use kubectl get sa --all-namespaces to list the ServiceAccounts of every namespace.

Create a ServiceAccount manually with:
kubectl create serviceaccount my-service-account
For example:

[root@k8s-master-dev ~]# kubectl create sa admin
serviceaccount/admin created
[root@k8s-master-dev ~]# kubectl get sa
NAME      SECRETS   AGE
admin     1         23h
default   1         5d

When a ServiceAccount is created, a Secret whose name is prefixed with the account name is created along with it (on the cluster version used here; since Kubernetes 1.24 these long-lived token Secrets are no longer created automatically and pods receive short-lived projected tokens instead). For example:

[root@k8s-master-dev ~]# kubectl get secrets
NAME                  TYPE                                  DATA      AGE
admin-token-q99pz     kubernetes.io/service-account-token   3         23h
default-token-m66jg   kubernetes.io/service-account-token   3         5d
[root@k8s-master-dev ~]#

A ServiceAccount mainly serves to hold a token, and the token itself lives in a Secret:

[root@k8s-master-dev ~]# kubectl describe sa admin
Name:                admin
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-token-q99pz
Tokens:              admin-token-q99pz
Events:              <none>
[root@k8s-master-dev ~]#

Use kubectl describe secrets admin-token-q99pz to inspect the token. For example:

[root@k8s-master-dev ~]# kubectl describe secrets/admin-token-q99pz
Name:         admin-token-q99pz
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=3f0f0199-4539-11e9-ac19-000c295011ce

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJ..............
[root@k8s-master-dev ~]#

Every pod is created under a ServiceAccount, default unless the pod manifest names another one. For example:

[root@k8s-master-dev ~]# vim pod-sa-demo.yaml
[root@k8s-master-dev ~]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin
[root@k8s-master-dev ~]# kubectl apply -f pod-sa-demo.yaml
pod/pod-sa-demo created
[root@k8s-master-dev ~]#

When the pod is created, the account's credential files are mounted into it as a volume so that code in the pod can call the API server (the Kubernetes dashboard works this way). The flip side is that anyone who gets code execution in the pod holds that account's permissions, so pods that never call the API should set automountServiceAccountToken: false, and an account called admin should not be bound to admin-level roles just because of its name. Example:

[root@k8s-master-dev ~]# kubectl describe pods pod-sa-demo
Name:               pod-sa-demo
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               k8s-node1-dev/192.168.20.78
Start Time:         Wed, 13 Mar 2019 10:41:59 +0800
Labels:             app=myapp
                    tier=frontend
Annotations:        inspiry.com/author=cluster admin
                    kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"inspiry.com/author":"cluster admin"},"labels":{"app":"myapp","tier":"frontend"},"name":"pod..."
Status:             Running
IP:                 10.244.1.107
Containers:
  myapp:
    Container ID:   docker://729b24ee03040b09a0d93a977e65e206bd434b6c35003f0fea953b661c635af2
    Image:          ikubernetes/myapp:v1
    Image ID:       docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Wed, 13 Mar 2019 10:42:00 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from admin-token-q99pz (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  admin-token-q99pz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  admin-token-q99pz
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
[root@k8s-master-dev ~]#
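The token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token is a JWT, and its claims tell you exactly which identity the API server will see when it is presented. The following is an added example, not code from the post: it builds a constructed token whose claim layout matches the legacy service-account token shown above (same header, same claim names; the uid and the signature segment are placeholders), decodes it without verifying the signature, and derives the username and groups the apiserver assigns. Signature verification is deliberately left out: the apiserver checks it with sa.pub from /etc/kubernetes/pki, while anyone who merely reads the mounted file can already learn which account, and hence which RBAC bindings, the token unlocks.

```python
"""Decode a service-account token to see the identity it carries (added example)."""
import base64
import json
from typing import Dict, Tuple

# Path at which the kubelet mounts the token (see `kubectl describe pods pod-sa-demo`).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) of a JWT WITHOUT checking its signature."""
    header_b64, claims_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)))


def identity(claims: Dict) -> Dict:
    """Username and groups kube-apiserver assigns to a request bearing these claims."""
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    return {
        "user": f"system:serviceaccount:{ns}:{name}",
        "groups": ["system:serviceaccounts", f"system:serviceaccounts:{ns}"],
    }


def read_mounted_token(path: str = TOKEN_PATH) -> str:
    """Inside a pod, read the token the kubelet projected for its serviceAccountName."""
    with open(path, encoding="ascii") as f:
        return f.read().strip()


# Constructed stand-in for the (truncated) token shown in the post. The claim
# order follows the legacy token layout, so the encoded segments share the
# post's "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJr..." prefix. The uid is
# made up and the signature is a placeholder: a real apiserver rejects it.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "admin-token-q99pz",
    "kubernetes.io/serviceaccount/service-account.name": "admin",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-4000-8000-000000000000",
    "sub": "system:serviceaccount:default:admin",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": ""}, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    header, claims = decode_unverified(SAMPLE_TOKEN)
    print(header["alg"], claims["sub"], identity(claims))
```

Inside a real pod, replace SAMPLE_TOKEN with read_mounted_token(); the claims decode the same way, and identity() gives the exact subject name to look for in RoleBindings and ClusterRoleBindings.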

2. UserAccount

User accounts are for people and independent services outside the cluster that manage it. Kubernetes stores no User objects: a user is whatever name the authenticator extracts, here the CN of a client certificate issued by the cluster CA, and the administrator hands out that private key and certificate. The everyday kubectl command runs as a UserAccount.
The kubeconfig is the authentication configuration for clients outside the cluster.
When an external user accesses the cluster (for example with kubectl), the account, certificate, private key, cluster name, API server address, and so on are all stored in the kubeconfig.
kubectl config manipulates this file; see kubectl config --help for the full set of subcommands.
kubectl config view shows the current configuration:

[root@k8s-master-dev ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev ~]#

Explanation:

apiVersion: v1
clusters: [] # list of Kubernetes clusters that can be accessed
contexts: [] # list of contexts; each pairs a cluster with the user that accesses it (and optionally a default namespace)
current-context: "" # the context currently in use
kind: Config
preferences: {}
users: [] # list of user entries: user name plus credential material (REDACTED marks secret data)

Create the private key and certificate for the UserAccount, signed by the cluster CA. The certificate's CN becomes the username and any O= fields become group names. The openssl call below signs with ca.key directly, so it must only be run where that key is properly protected; the alternative is to submit the CSR through the cluster's CertificateSigningRequest API and let the cluster sign it.

[root@k8s-master-dev ~]# cd /etc/kubernetes/pki/
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
[root@k8s-master-dev pki]# (umask 077; openssl genrsa -out meteor.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.............+++
e is 65537 (0x10001)
[root@k8s-master-dev pki]# openssl req -new -key meteor.key -out meteor.csr -subj "/CN=meteor"
[root@k8s-master-dev pki]# openssl x509 -req -in meteor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out meteor.crt -days 365
Signature ok
subject=/CN=meteor
Getting CA Private Key
[root@k8s-master-dev pki]# openssl x509 -in meteor.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b2:d2:50:2a:92:52:e0:63
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 13 07:35:17 2019 GMT
            Not After : Mar 12 07:35:17 2020 GMT
        Subject: CN=meteor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:69:52:bd:c8:f2:43:39:3c:5e:b3:49:f7:5a:
                    29:17:1d:80:f9:b8:b1:f5:dc:1a:72:d9:96:7b:96:
                    77:bd:cc:73:ac:88:dd:be:8f:32:d5:7f:37:f7:57:
                    d8:c1:ae:bd:04:1a:5f:9f:64:8a:34:49:9b:06:96:
                    91:16:2e:1e:af:b7:9a:e0:c8:ca:1f:73:12:54:0d:
                    ff:95:c1:c0:b0:8c:e5:0c:fe:c1:20:9d:32:fb:2b:
                    09:59:7e:9b:39:17:9c:83:4f:a5:34:4a:4c:4f:e4:
                    22:ef:ee:ba:ee:80:21:49:ca:62:6c:3b:46:45:a5:
                    98:bd:37:4b:3b:b0:eb:4b:63:1a:f2:9d:1a:f9:19:
                    9d:22:43:70:83:1b:c9:a8:70:de:45:e1:9c:89:e3:
                    db:a9:41:47:83:cc:38:1e:f3:16:17:4d:91:b1:44:
                    b3:8a:ee:5f:77:aa:db:9c:de:50:c7:c2:be:9e:9d:
                    a9:ff:a6:a7:e1:0a:8d:b3:48:c5:34:e2:c3:2d:ac:
                    8c:e0:ed:fa:2c:03:7e:05:ce:df:ba:66:24:bc:4c:
                    8b:36:a1:1a:90:7b:11:3d:54:ba:22:c9:58:ce:de:
                    8a:07:3c:ca:50:df:4e:6b:e3:3b:62:77:88:99:c2:
                    a8:b5:48:f2:cd:93:20:3b:7e:46:e4:ba:ef:8d:86:
                    ac:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1c:02:98:15:57:e1:60:c7:90:7f:6d:c0:d4:2c:f5:5e:33:9e:
         c1:23:48:91:9f:8d:d1:20:4c:17:8d:c6:b5:fe:09:e7:92:5f:
         7f:5a:5a:c0:13:d7:03:4e:a9:03:be:a2:09:56:90:06:ef:47:
         94:29:13:81:61:f0:c7:9b:de:c6:89:7d:c6:43:8a:9b:89:d6:
         10:b5:cb:1e:46:16:3f:89:8f:70:4a:28:33:05:84:61:d3:ed:
         88:fd:ab:63:d4:33:c8:1b:b5:bf:36:b1:84:a4:a0:24:20:ec:
         cd:35:d1:82:57:fa:09:ff:48:07:a2:04:c3:90:2b:ba:c0:f9:
         4b:ea:2e:55:45:79:f3:d9:7c:8c:e5:08:f8:0a:b2:51:3e:11:
         16:6d:e1:ec:8c:03:f0:b6:c4:a1:77:80:22:aa:48:b1:40:e5:
         61:3d:3c:9f:cf:d3:d0:3e:e3:73:46:84:96:0d:f8:3a:4e:6f:
         cf:cd:97:ea:d6:25:98:af:3e:b7:15:f1:17:30:56:be:32:a5:
         45:bb:8d:53:bb:4c:00:ef:b2:94:5f:da:da:72:f7:da:81:09:
         3e:47:15:a0:d8:ff:79:af:9c:42:8d:da:e4:44:6f:a9:38:e0:
         b4:8d:58:fb:15:7a:39:cb:87:b7:db:fe:4a:af:8e:b7:7c:fc:
         ab:77:eb:c0
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver-kubelet-client.crt  ca.srl              front-proxy-client.crt  meteor.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  etcd                front-proxy-client.key  sa.key
apiserver-etcd-client.key  ca.crt                        front-proxy-ca.crt  meteor.crt              sa.pub
apiserver.key              ca.key                        front-proxy-ca.key  meteor.csr
[root@k8s-master-dev pki]#

Create a credential entry (UserAccount) that points at the certificate and private key.

If the name already exists, the new fields are merged in and existing fields are overwritten:

[root@k8s-master-dev pki]# kubectl config set-credentials meteor --client-certificate=meteor.crt --client-key=meteor.key --embed-certs=true
User "meteor" set.

Modify the kubeconfig: create a new context and point it at the credential (UserAccount):

[root@k8s-master-dev pki]# kubectl config set-context meteor@kubernetes --cluster=kubernetes --user=meteor
Context "meteor@kubernetes" created.
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:                    # the new context
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:                            # meteor's credentials (certificate) added
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#

Switch to the new context and test it. Authentication now succeeds (the CA-signed certificate identifies the user as meteor), but authorization fails, because no RBAC binding grants meteor anything yet:

[root@k8s-master-dev pki]# kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: meteor@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#
[root@k8s-master-dev pki]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "default"
[root@k8s-master-dev pki]#

A completely separate kubeconfig for another cluster can also be defined. For example:

Specify the CA certificate, the API server address, whether to embed the certificate, and the path of the file (if omitted, the default file in the home directory is used):

[root@k8s-master-dev pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.20.79:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@k8s-master-dev pki]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master-dev pki]# cd
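A kubeconfig is only as safe as its weakest context: a server entry that is plain HTTP or has insecure-skip-tls-verify set hands the credential to anyone on the path. The following is an added example, not kubectl code: it resolves each context into the server it talks to and the kind of credential it presents, and flags the weak combinations. It works on the JSON form of the file, which is what kubectl config view --raw -o json prints, so only the standard library is needed. The sample config is constructed here to mirror the post's (cluster kubernetes, users kubernetes-admin and meteor, REDACTED placeholders) plus one deliberately weak cluster/user pair (lab-insecure, lab-token) that exists only to exercise the checks.

```python
"""Resolve and sanity-check kubeconfig contexts (added example, not kubectl code)."""
import json
from typing import Dict, List

# Constructed sample in `kubectl config view --raw -o json` shape; data values are placeholders.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://192.168.20.79:6443",
                     "certificate-authority-data": "REDACTED"}},
        # deliberately weak entry: plain HTTP and TLS verification disabled
        {"name": "lab-insecure",
         "cluster": {"server": "http://192.168.20.79:8080",
                     "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": "REDACTED", "client-key-data": "REDACTED"}},
        {"name": "meteor",
         "user": {"client-certificate-data": "REDACTED", "client-key-data": "REDACTED"}},
        {"name": "lab-token", "user": {"token": "placeholder-bearer-token"}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "meteor@kubernetes",
         "context": {"cluster": "kubernetes", "user": "meteor"}},
        {"name": "lab@lab-insecure",
         "context": {"cluster": "lab-insecure", "user": "lab-token"}},
    ],
    "current-context": "meteor@kubernetes",
})


def load(text: str) -> dict:
    return json.loads(text)


def _by_name(items: List[dict], key: str) -> Dict[str, dict]:
    return {item["name"]: item[key] for item in items}


def credential_kind(user: dict) -> str:
    """Which apiserver authenticator a user entry will hit."""
    if "client-certificate-data" in user or "client-certificate" in user:
        return "client-certificate"
    if "token" in user or "tokenFile" in user:
        return "bearer-token"
    if "username" in user and "password" in user:
        return "basic-auth"
    if "exec" in user or "auth-provider" in user:
        return "external"
    return "none"


def resolve_context(cfg: dict, name: str) -> dict:
    """Flatten a context into the server it talks to and the credential it presents."""
    clusters = _by_name(cfg["clusters"], "cluster")
    users = _by_name(cfg["users"], "user")
    ctx = _by_name(cfg["contexts"], "context")[name]
    cluster, user = clusters[ctx["cluster"]], users[ctx["user"]]
    return {
        "context": name,
        "server": cluster["server"],
        "verify_tls": not cluster.get("insecure-skip-tls-verify", False),
        "user": ctx["user"],
        "credential": credential_kind(user),
    }


def audit(cfg: dict) -> List[str]:
    """One finding per context setting that weakens authentication."""
    findings = []
    for ctx in cfg["contexts"]:
        r = resolve_context(cfg, ctx["name"])
        if not r["server"].startswith("https://"):
            findings.append(f"{r['context']}: server {r['server']} is not HTTPS; "
                            "the legacy insecure port skips authentication and authorization")
        if not r["verify_tls"]:
            findings.append(f"{r['context']}: insecure-skip-tls-verify is set; "
                            "a man-in-the-middle can capture the credential")
        if r["credential"] in ("basic-auth", "none"):
            findings.append(f"{r['context']}: weak credential kind {r['credential']}")
    return findings


if __name__ == "__main__":
    cfg = load(SAMPLE_KUBECONFIG)
    print(resolve_context(cfg, cfg["current-context"]))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

To run it against a real file, pipe kubectl config view --raw -o json into load(); the meteor@kubernetes context from the post resolves to https://192.168.20.79:6443 with a client certificate and produces no findings.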

4. Authorization

Once authentication succeeds, the next step is authorization, which decides what the user may do. Kubernetes supports several authorization modes; the one used here is RBAC (Role-Based Access Control). RBAC involves four kinds of object: Role, RoleBinding, ClusterRole, and ClusterRoleBinding.
One thing must be clear first: authorization builds on authentication; permissions are granted to the identities (ServiceAccount or UserAccount) that the authenticator produced. A Role can be thought of as a set of permissions (verbs such as get, list, create, update, delete on particular resources); it determines what a subject can do. A RoleBinding attaches a Role to subjects, which may be Users, Groups, or ServiceAccounts.
The figure below shows a Role being bound:
[Figure: a Role bound to subjects by a RoleBinding]
ClusterRole and ClusterRoleBinding serve the same purpose, but their scope is the whole cluster, whereas Role and RoleBinding are scoped to a namespace.
[Figure: a ClusterRole bound cluster-wide by a ClusterRoleBinding]

Create a Role

[root@k8s-master-dev ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml
[root@k8s-master-dev ~]# vim manifests/role-demo.yaml
[root@k8s-master-dev ~]# cat manifests/role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl get roles
NAME          AGE
pods-reader   14m
[root@k8s-master-dev ~]# kubectl describe roles/pods-reader
Name:         pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#

Create a RoleBinding that binds the user to the Role

[root@k8s-master-dev ~]# kubectl create rolebinding meteor-read-pods --role=pods-reader --user=meteor --dry-run -o yaml > manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   13s
[root@k8s-master-dev ~]# kubectl describe rolebinding/meteor-read-pods
Name:         meteor-read-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"meteor-read-pods","namespace":"default"},"roleRe..."
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  meteor
[root@k8s-master-dev ~]#

Create a Linux user and test the new configuration. Note that copying root's .kube directory hands k8suser01 the kubernetes-admin client certificate as well; the test below only exercises meteor because the context is switched. For a real user, start from a fresh file, as was done for /tmp/test.conf above, and add only that user's own credentials.

[root@k8s-master-dev ~]# useradd k8suser01
[root@k8s-master-dev ~]# cp -rp .kube ~k8suser01/
[root@k8s-master-dev ~]# chown -R k8suser01.k8suser01 ~k8suser01/.kube
[root@k8s-master-dev ~]# su - k8suser01
[k8suser01@k8s-master-dev ~]$ kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          6h
mongo-1       2/2       Running   0          6h
mongo-2       2/2       Running   0          6h
pod-sa-demo   1/1       Running   0          5h
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout

Because the Role and RoleBinding are scoped to the default namespace, the meteor@kubernetes context cannot see resources in kube-system. To let it read pods in kube-system as well, use a ClusterRole and a ClusterRoleBinding:

[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   4m
[root@k8s-master-dev ~]# kubectl delete rolebinding meteor-read-pods
rolebinding.rbac.authorization.k8s.io "meteor-read-pods" deleted
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@k8s-master-dev ~]# kubectl get clusterrole
NAME                                                                   AGE
admin                                                                  5d
cluster-admin                                                          5d
cluster-reader                                                         8s
edit                                                                   5d
flannel                                                                5d
......
[root@k8s-master-dev ~]# kubectl describe clusterrole cluster-reader
Name:         cluster-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-reader","namespace":""},"rules":[{"apiGr..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrolebinding meteor-read-all-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml >> manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRoleBinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: meteor-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/meteor-read-all-pods created
[root@k8s-master-dev ~]# kubectl get clusterrolebinding meteor-read-all-pods
NAME                   AGE
meteor-read-all-pods   16s
[root@k8s-master-dev ~]#

Test the meteor@kubernetes context again. (The ClusterRoleBinding manifest above carries apiVersion rbac.authorization.k8s.io/v1beta1; that version was removed in Kubernetes 1.22, so use rbac.authorization.k8s.io/v1 as the other manifests do.)

[root@k8s-master-dev ~]# su - k8suser01
Last login: Wed Mar 13 16:09:07 CST 2019 on pts/0
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          1d
mongo-1       2/2       Running   0          1d
mongo-2       2/2       Running   0          1d
pod-sa-demo   1/1       Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
NAME                                     READY     STATUS    RESTARTS   AGE
coredns-78fcdf6894-9t2x5                 1/1       Running   0          5d
coredns-78fcdf6894-tvbtd                 1/1       Running   0          5d
etcd-k8s-master-dev                      1/1       Running   0          5d
kube-apiserver-k8s-master-dev            1/1       Running   0          5d
kube-controller-manager-k8s-master-dev   1/1       Running   1          5d
kube-flannel-ds-amd64-9tmns              1/1       Running   0          5d
kube-flannel-ds-amd64-cn8v5              1/1       Running   0          5d
kube-flannel-ds-amd64-gwf76              1/1       Running   0          5d
kube-flannel-ds-amd64-v4g6w              1/1       Running   0          5d
kube-proxy-4ks89                         1/1       Running   0          5d
kube-proxy-b47qm                         1/1       Running   0          5d
kube-proxy-dz778                         1/1       Running   0          5d
kube-proxy-mg5rr                         1/1       Running   0          5d
kube-scheduler-k8s-master-dev            1/1       Running   1          5d
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev ~]#

A RoleBinding can also reference a ClusterRole; the subjects then receive the ClusterRole's permissions only inside the RoleBinding's own namespace. This is the usual way to define a common set of permissions once and hand it out namespace by namespace. A ClusterRoleBinding, by contrast, can only reference a ClusterRole. In the example below, meteor can again operate only in its own namespace (the RoleBinding manifest omits metadata.namespace, so kubectl apply puts it in the current context's namespace, default):

[root@k8s-master-dev rbac]# kubectl delete -f clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "meteor-read-all-pods" deleted
[root@k8s-master-dev rbac]# kubectl create rolebinding meteor-read-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# vim rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev rbac]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   10s
[root@k8s-master-dev rbac]#
[root@k8s-master-dev rbac]# su - k8suser01
Last login: Thu Mar 14 15:33:42 CST 2019 on pts/0
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          1d
mongo-1       2/2       Running   0          1d
mongo-2       2/2       Running   0          1d
pod-sa-demo   1/1       Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev rbac]#
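The three experiments above (Role + RoleBinding, ClusterRole + ClusterRoleBinding, and a RoleBinding that references a ClusterRole) differ only in scope, and the pattern of Forbidden errors follows directly from how the apiserver's RBAC authorizer resolves bindings. The following is an added example, not the apiserver's code and not anything from the post: a small in-memory evaluator that reproduces those scope rules, including the admission-time constraint that a ClusterRoleBinding may only reference a ClusterRole and a RoleBinding may only reference a Role in its own namespace. The object names (pods-reader, cluster-reader, meteor, the binding names) are the post's, but the policy objects are constructed here rather than read from a cluster, and subjects are limited to User names for brevity; it generalizes to any verb, resource and API group, not just listing pods.

```python
"""Toy Kubernetes RBAC evaluator (added example; not the apiserver's authorizer)."""
from dataclasses import dataclass
from typing import List, Optional


def _matches(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core group (pods, secrets, ...)
    resources: List[str]
    verbs: List[str]

    def covers(self, api_group: str, resource: str, verb: str) -> bool:
        return (_matches(self.api_groups, api_group)
                and _matches(self.resources, resource)
                and _matches(self.verbs, verb))


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass
class Binding:
    name: str
    role_ref: Role
    users: List[str]
    namespace: Optional[str] = None   # None means this is a ClusterRoleBinding

    def __post_init__(self) -> None:
        # The apiserver rejects these combinations at admission time; mirror that here.
        if self.namespace is None and self.role_ref.namespace is not None:
            raise ValueError("a ClusterRoleBinding may only reference a ClusterRole")
        if self.namespace is not None and self.role_ref.namespace not in (None, self.namespace):
            raise ValueError("a RoleBinding may reference only a Role in its own namespace")


def can(bindings: List[Binding], user: str, verb: str, resource: str,
        namespace: str, api_group: str = "") -> bool:
    """Deny by default; allow when any binding naming `user` carries a covering rule."""
    for b in bindings:
        if user not in b.users:
            continue
        # A RoleBinding grants only inside its namespace, even when its roleRef
        # is a ClusterRole; a ClusterRoleBinding (namespace None) grants everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule.covers(api_group, resource, verb) for rule in b.role_ref.rules):
            return True
    return False


READ_PODS = [Rule([""], ["pods"], ["get", "list", "watch"])]
pods_reader = Role("pods-reader", READ_PODS, namespace="default")
cluster_reader = Role("cluster-reader", READ_PODS)


def scenario_rolebinding() -> List[Binding]:
    """Role pods-reader + RoleBinding meteor-read-pods in default."""
    return [Binding("meteor-read-pods", pods_reader, ["meteor"], namespace="default")]


def scenario_clusterrolebinding() -> List[Binding]:
    """ClusterRole cluster-reader + ClusterRoleBinding meteor-read-all-pods."""
    return [Binding("meteor-read-all-pods", cluster_reader, ["meteor"])]


def scenario_rolebinding_to_clusterrole() -> List[Binding]:
    """RoleBinding in default whose roleRef is the ClusterRole cluster-reader."""
    return [Binding("meteor-read-pods", cluster_reader, ["meteor"], namespace="default")]


def clusterrolebinding_to_role_is_rejected() -> bool:
    try:
        Binding("bad", pods_reader, ["meteor"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    scenarios = [("RoleBinding", scenario_rolebinding()),
                 ("ClusterRoleBinding", scenario_clusterrolebinding()),
                 ("RoleBinding->ClusterRole", scenario_rolebinding_to_clusterrole())]
    for label, policy in scenarios:
        for ns in ("default", "kube-system"):
            print(f"{label:25} meteor list pods in {ns:12}: {can(policy, 'meteor', 'list', 'pods', ns)}")
```

On a live cluster the same questions are answered by kubectl auth can-i list pods -n kube-system --as meteor, which is the quickest way to confirm that a binding change had the effect you expected before handing the credentials over.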

The cluster ships with built-in ClusterRoles (admin, edit, view, cluster-admin, and others), and the same technique can make a user the administrator of a single namespace:

kubectl create rolebinding default-ns-admin --clusterrole=admin --user=meteor

Note that the built-in admin ClusterRole includes creating Roles and RoleBindings within the namespace, so meteor can then delegate access to default to other subjects; bind edit instead if that is not intended.

Reposted from: https://blog.51cto.com/caiyuanji/2362416
