k8s (9): Access control (creating a serviceaccount, creating a useraccount)
1. Introduction to access control
2. Creating a sa (service account)
[root@server2 ~]# kubectl create serviceaccount admin   # create a sa named admin
serviceaccount/admin created
[root@server2 ~]# kubectl get sa
NAME      SECRETS   AGE
admin     1         60s     # admin was created
default   1         5d19h
[root@server2 ~]# kubectl describe sa admin   # show the details of the admin account
Name:                admin
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-token-fqlpn
Tokens:              admin-token-fqlpn   # a token is generated together with the sa
Events:              <none>
[root@server2 secrets]# kubectl get secrets   # list the secrets
NAME                  TYPE                                  DATA   AGE
admin-token-fqlpn     kubernetes.io/service-account-token   3      78m
default-token-zjzbf   kubernetes.io/service-account-token   3      5d21h
myregistrykey         kubernetes.io/dockerconfigjson        1      34s     # myregistrykey is a secret created earlier; it stores the registry login used to pull images
mysecret              Opaque                                2      57m
[root@server2 secrets]# kubectl patch serviceaccount admin -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
serviceaccount/admin patched   # myregistrykey is now attached to the admin sa; a pod created with the admin account automatically gets the image-pull credentials stored in myregistrykey
[root@server2 ~]# vim pod.yaml   # create the pod
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-server
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: reg.westos.org/westos/game2048:latest   # image from the private registry
[root@server2 ~]# kubectl apply -f pod.yaml   # create it
deployment.apps/web-server created
[root@server2 ~]# kubectl get pod   # check the pod: it fails to run
NAME                          READY   STATUS             RESTARTS   AGE
web-server-5bfd9b447f-7dz45   0/1     ImagePullBackOff   0          26s
[root@server2 ~]# kubectl describe pod web-server-5bfd9b447f-7dz45   # inspect the pod for the reason
[root@server2 ~]# vim pod.yaml   # edit pod.yaml
[root@server2 ~]# kubectl apply -f pod.yaml   # apply again
deployment.apps/web-server configured
[root@server2 ~]# kubectl get pod   # check the pod: now it is running
NAME                         READY   STATUS    RESTARTS   AGE
web-server-5db5bbdc9-jpp2v   1/1     Running   0          59s
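The ImagePullBackOff above is the ServiceAccount admission controller at work: the Deployment names no serviceAccountName, so its pod ran under the default sa, which carries no imagePullSecrets. The following is an added example, not code from the post or from Kubernetes, that models that rule in Python; the fix it assumes (adding serviceAccountName: admin, which the post edits but does not print) is labelled in the code.

```python
# Added example (not from the original post): a model of how the ServiceAccount
# admission controller resolves imagePullSecrets for a new pod. It explains why
# the first pod.yaml got ImagePullBackOff and what the second one must contain.
# Object names (admin, myregistrykey, the image) are the post's own.


def resolve_pull_secrets(pod_spec, service_accounts):
    """Return the secret names the kubelet will use to pull the pod's images.

    Mirrors the admission rule: a pod that names no serviceAccountName gets
    'default'; the sa must exist or the pod is rejected; and the sa's
    imagePullSecrets are copied onto the pod only when the pod lists none.
    """
    sa_name = pod_spec.get("serviceAccountName", "default")
    if sa_name not in service_accounts:
        raise ValueError(f"serviceaccount {sa_name!r} not found")
    own = [s["name"] for s in pod_spec.get("imagePullSecrets", [])]
    if own:
        return own                      # explicit pod-level secrets win
    sa = service_accounts[sa_name]
    return [s["name"] for s in sa.get("imagePullSecrets", [])]


# Constructed cluster state: what `kubectl patch serviceaccount admin ...` left behind.
SERVICE_ACCOUNTS = {
    "default": {},                                              # no pull secrets
    "admin": {"imagePullSecrets": [{"name": "myregistrykey"}]},
}

# Pod template from the post's first pod.yaml: no serviceAccountName at all.
FIRST_ATTEMPT = {
    "containers": [{"name": "nginx",
                    "image": "reg.westos.org/westos/game2048:latest"}],
}

# Assumed fix (the post edits pod.yaml but does not print it): run under the admin sa.
FIXED = dict(FIRST_ATTEMPT, serviceAccountName="admin")


def explain(pod_spec):
    """Map the resolved secrets to the status the post observed, for a private
    registry that refuses anonymous pulls."""
    secrets = resolve_pull_secrets(pod_spec, SERVICE_ACCOUNTS)
    return "Running" if secrets else "ImagePullBackOff"
```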
3. Creating a useraccount (used to log in to the cluster)
3.1 Authentication
[root@server2 ~]# kubectl delete -f pod.yaml   # clean up the previous deployment
deployment.apps "web-server" deleted
[root@server2 ~]# kubectl config view   # show the current authentication config
[root@server2 ~]# cd /etc/kubernetes/
[root@server2 kubernetes]# cd pki/   # this directory holds the cluster's keys and crt certificates; a user we create ourselves needs its own key and certificate
apiserver.crt                 etcd
apiserver-etcd-client.crt     front-proxy-ca.crt
apiserver-etcd-client.key     front-proxy-ca.key
apiserver.key                 front-proxy-client.crt
apiserver-kubelet-client.crt  front-proxy-client.key
apiserver-kubelet-client.key  sa.key
ca.crt                        sa.pub
ca.key
[root@server2 pki]# openssl genrsa -out test.key 2048   # to create user test, first generate test.key
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................+++
..................................................+++
e is 65537 (0x10001)
[root@server2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"   # generate a certificate signing request; the CN is the user name Kubernetes will see
[root@server2 pki]# ll test.csr
-rw-r--r-- 1 root root 883 Apr 17 06:57 test.csr   # the certificate request has been generated
[root@server2 pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365   # have the cluster CA sign the request; the resulting certificate is valid for 365 days
Signature ok
subject=/CN=test
Getting CA Private Key
[root@server2 pki]# ll test.crt   # the crt certificate has been generated
-rw-r--r-- 1 root root 973 Apr 17 07:00 test.crt
[root@server2 pki]# openssl x509 -in test.crt -noout -text   # inspect the certificate (do not re-run genrsa at this point: a new test.key would no longer match test.crt)
[root@server2 pki]# kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true   # register these credentials in the k8s client config; user test now exists
User "test" set.
[root@server2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test   # add the test account to a context
Context "test@kubernetes" created.
[root@server2 pki]# kubectl config view   # show the config: the test account now appears under contexts
[root@server2 pki]# kubectl config use-context test@kubernetes   # switch to the test account
Switched to context "test@kubernetes".
[root@server2 pki]# kubectl config view   # show the authentication config
[root@server2 pki]# kubectl get pod   # list pods: refused. Authentication succeeded, but the user has no permissions yet
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
3.2 Authorization
RBAC (Role Based Access Control): authorization based on roles.
It lets administrators configure authorization policy dynamically through the Kubernetes API. With RBAC, users are associated with permissions through roles.
RBAC only grants permissions; it has no deny rules, so you only need to define what a user is allowed to do, and everything else is refused.
RBAC has four object types: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
A role consists of rules, i.e. a set of permissions; binding a user to a role gives that user the role's permissions.
3.2.1 Creating a role
[root@server2 pki]# kubectl config use-context kubernetes-admin@kubernetes   # switch back to kubernetes-admin first
[root@server2 ~]# mkdir rbac
[root@server2 ~]# cd rbac/
[root@server2 rbac]# vim role.yaml   # create the role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: ["pods"]   # grants permissions on the pod resource
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
[root@server2 rbac]# kubectl apply -f role.yaml   # create it
role.rbac.authorization.k8s.io/myrole created
[root@server2 rbac]# kubectl get role   # list roles: created successfully
NAME     CREATED AT
myrole   2022-04-16T23:48:30Z
3.2.2 Binding the role
[root@server2 rbac]# vim role.yaml
---
kind: RoleBinding   # bind the user to the role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole   # grants the myrole role to user test
  apiGroup: rbac.authorization.k8s.io
[root@server2 rbac]# kubectl apply -f role.yaml   # create it
role.rbac.authorization.k8s.io/myrole unchanged
rolebinding.rbac.authorization.k8s.io/test-read-pods created
[root@server2 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io
NAME             ROLE          AGE
test-read-pods   Role/myrole   49s   # test is now bound to the myrole role
[root@server2 rbac]# kubectl config use-context test@kubernetes   # switch to user test
Switched to context "test@kubernetes".
[root@server2 rbac]# kubectl get pod   # user test can now access the pod resource
No resources found in default namespace.
[root@server2 rbac]# kubectl get sc   # but other resources are still refused
Error from server (Forbidden): storageclasses.storage.k8s.io is forbidden: User "test" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope
[root@server2 rbac]# kubectl get pod -n kube-system   # another namespace (kube-system) is refused as well, because the role was created in the default namespace
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@server2 rbac]# kubectl run demo --image=nginx   # creating a pod is allowed
pod/demo created
[root@server2 rbac]# kubectl get pod   # listing pods is allowed
NAME   READY   STATUS    RESTARTS   AGE
demo   1/1     Running   0          26s
[root@server2 rbac]# kubectl delete pod demo   # deleting a pod is allowed
pod "demo" deleted
Keep in mind that "create" on pods is a broad grant: a pod the user creates can mount any secret or service account token in that namespace, so give it only to users who need it.
3.2.3 Setting up a cluster role and a cluster role binding
[root@server2 rbac]# kubectl config use-context kubernetes-admin@kubernetes   # switch to the kubernetes-admin user
[root@server2 rbac]# vim role.yaml
---   # create the cluster role
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]   # permissions on the pod resource
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]   # plus permissions on the deployments controller
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---   # bind the cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebind-myclusterrole
  namespace: default   # a namespace must be given; the binding only applies to that namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole   # grants the cluster role to user test
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
[root@server2 rbac]# kubectl apply -f role.yaml   # create them
role.rbac.authorization.k8s.io/myrole unchanged
rolebinding.rbac.authorization.k8s.io/test-read-pods unchanged
clusterrole.rbac.authorization.k8s.io/myclusterrole created
rolebinding.rbac.authorization.k8s.io/rolebind-myclusterrole created
[root@server2 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io   # list the role bindings
NAME                     ROLE                        AGE
rolebind-myclusterrole   ClusterRole/myclusterrole   95s
test-read-pods           Role/myrole                 15h
Test:
[root@server2 rbac]# kubectl config use-context test@kubernetes   # switch to the test account
Switched to context "test@kubernetes".
[root@server2 rbac]# kubectl get pod -n kube-system   # pods in kube-system are still refused, because the binding's namespace is default
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@server2 rbac]# kubectl get deployments.apps   # the user now has permission to view the deployments controller
No resources found in default namespace.
How to let the user operate across every namespace in the cluster
[root@server2 rbac]# kubectl config use-context kubernetes-admin@kubernetes   # switch to kubernetes-admin
Switched to context "kubernetes-admin@kubernetes".
[root@server2 rbac]# vim role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding   # bind through a ClusterRoleBinding
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole   # binding this way needs no namespace
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
[root@server2 rbac]# kubectl apply -f role.yaml   # apply again
role.rbac.authorization.k8s.io/myrole unchanged
rolebinding.rbac.authorization.k8s.io/test-read-pods unchanged
clusterrole.rbac.authorization.k8s.io/myclusterrole unchanged
rolebinding.rbac.authorization.k8s.io/rolebind-myclusterrole unchanged
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-myclusterrole created
[root@server2 rbac]# kubectl config use-context test@kubernetes   # switch to user test
Switched to context "test@kubernetes".
[root@server2 rbac]# kubectl get pod -n kube-system   # pods in every namespace can now be listed
NAME                              READY   STATUS    RESTARTS       AGE
coredns-7b56f6bc55-85s7v          1/1     Running   14 (29h ago)   7d2h
coredns-7b56f6bc55-b6n5x          1/1     Running   14 (29h ago)   7d2h
etcd-server2                      1/1     Running   11 (29h ago)   7d2h
kube-apiserver-server2            1/1     Running   11 (29h ago)   7d2h
kube-controller-manager-server2   1/1     Running   21 (29h ago)   7d2h
kube-flannel-ds-4hjs4             1/1     Running   0              31h
[root@server2 rbac]# kubectl get deployments.apps -n kube-system   # the deployments controller in every namespace can be listed as well
NAME      READY   UP-TO-DATE   AVAILABLE   AGE
coredns   2/2     2            2           7d2h
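How the API server arrives at each allowed and Forbidden result in sections 3.2.1 to 3.2.3, as an added example written for this page (Python, not code from the post or from Kubernetes): a minimal model of RBAC evaluation built from the post's own objects. It generalizes to any Role/ClusterRole rule set, including "*" wildcards; the dataclasses and function names are assumptions for illustration.

```python
# Added example (not from the original post): a model of how the API server
# evaluates the RBAC objects from sections 3.2.1-3.2.3. Names and rules are
# the post's own; the classes and functions are illustrative, not the k8s API.
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list

    def matches(self, group, resource, verb):
        # "" is the core API group (pods); "*" matches anything
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass
class Binding:
    rules: list        # rules of the referenced Role or ClusterRole
    subjects: set      # user names
    namespace: object  # RoleBinding: its namespace; ClusterRoleBinding: None

    def grants(self, user, verb, resource, group, namespace):
        if user not in self.subjects:
            return False
        # A RoleBinding, even one referencing a ClusterRole, only covers its own
        # namespace; cluster-scoped resources use namespace "" and never match it.
        if self.namespace is not None and self.namespace != namespace:
            return False
        return any(r.matches(group, resource, verb) for r in self.rules)


def allowed(bindings, user, verb, resource, group="", namespace="default"):
    """RBAC is allow-only: the request passes if any binding grants it, else Forbidden."""
    return any(b.grants(user, verb, resource, group, namespace) for b in bindings)


# The objects from the post's role.yaml
MYROLE = [Rule([""], ["pods"], ["get", "watch", "list", "create", "update", "patch", "delete"])]
MYCLUSTERROLE = [
    Rule([""], ["pods"], ["get", "watch", "list", "delete", "create", "update"]),
    Rule(["extensions", "apps"], ["deployments"],
         ["get", "list", "watch", "create", "update", "patch", "delete"]),
]
TEST_READ_PODS = Binding(MYROLE, {"test"}, "default")                 # 3.2.2
ROLEBIND_MYCLUSTERROLE = Binding(MYCLUSTERROLE, {"test"}, "default")  # 3.2.3 RoleBinding
CLUSTERROLEBINDING = Binding(MYCLUSTERROLE, {"test"}, None)           # 3.2.3 ClusterRoleBinding
```

On a live cluster the same questions are answered by `kubectl auth can-i list pods -n kube-system --as=test`, which is a quicker check than switching contexts.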
4. Supplement
4.1 Service account automation
4.2 The concept of user groups
4.3 Built-in cluster roles
[root@server2 rbac]# kubectl get clusterrole   # list the cluster roles that exist in the cluster
[root@server2 rbac]# kubectl describe clusterrole view   # view holds the read permissions in the cluster
[root@server2 rbac]# kubectl describe clusterrole edit   # show the edit permissions in the cluster
[root@server2 rbac]# kubectl describe clusterrole cluster-admin   # show the cluster administrator permissions: broader than admin, it can operate on every resource
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
Note: these four (view, edit, admin, cluster-admin) are built into the cluster and can be used directly.