1、Some concepts

Rule: a rule, a set of operations on resources belonging to different API Groups;

Role: a role, a set of rules defining which operations may be performed on Kubernetes API objects, scoped to a namespace;

ClusterRole: a cluster role, which is not limited to a namespace;

Subject: the subject, that is, the entity the rules apply to;

RoleBinding: binds a role to subjects, scoped to a namespace;

ClusterRoleBinding: binds a cluster role to subjects, not limited to a namespace;

ServiceAccount: a service account

2、Introduction to UserAccount and ServiceAccount

Accounts in Kubernetes come in two kinds: UserAccounts (user accounts) and ServiceAccounts (service accounts):
A UserAccount is used by users outside the Kubernetes cluster; for example, kubectl uses a UserAccount to access the cluster. On a kubeadm-installed cluster the default UserAccount is kubernetes-admin.
A k8s client (usually kubectl) sends requests to the API Server (the API Server authenticates every client request and only executes it if authentication succeeds).

On a kubeadm-installed cluster, an authentication config file .kube/config is created in the user's home directory. It holds the key material the client uses to access the API Server, so when kubectl is run it reads this file automatically, authenticates to the API Server, and then carries out the requested operation.

A ServiceAccount is the account used by Pods: when a process in a Pod's container needs to access the API Server, it uses a ServiceAccount.
A ServiceAccount is confined to the namespace it lives in. Every namespace gets a "default" service account created automatically when the namespace is created; if a Pod is created without specifying a Service Account, it uses the default Service Account.

3、ServiceAccount usage example

3.1 Create an sa and bind it to a pod

1、Create the sa

[root@master ~]# kubectl create sa sa-lihaihui
serviceaccount/sa-lihaihui created
[root@master ~]# kubectl get sa
NAME          SECRETS   AGE
default       1         21d
sa-lihaihui   1         13s
[root@master ~]#

2、Create the pod

[root@master ~]# mkdir /RBAC
[root@master ~]# cd /RBAC/
[root@master RBAC]# ls
[root@master RBAC]# 

[root@master RBAC]# cat sa-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: sa-lihaihui
  namespace: default
  labels:
    app: sa-lihaihui
spec:
  serviceAccountName: sa-lihaihui # the pod uses this service account
  containers:
  - name:  sa-nginx
    ports:
    - containerPort: 80
    image: nginx
    imagePullPolicy: IfNotPresent
[root@master RBAC]# 
[root@master RBAC]# kubectl apply -f sa-pod.yaml 
pod/sa-lihaihui created
[root@master RBAC]# kubectl get pod
NAME                               READY   STATUS    RESTARTS   AGE
sa-lihaihui                        1/1     Running   0          4s

Because the pod is going to access the cluster's apiserver, we need to get a shell inside the pod:

[root@master RBAC]# kubectl exec -it sa-lihaihui -- bash
root@sa-lihaihui:/# 
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# ls
ca.crt  namespace  token
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# 
Run the following command to access our apiserver:
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount#  curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:default:sa-lihaihui\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-system",
    "kind": "namespaces"
  },
  "code": 403
}root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# 
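To show what the curl command is doing with the three mounted files, here is an added Python example (not code from the original post) that a process inside the pod could run. It assumes the standard mount path listed above and the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT environment variables that the kubelet injects into every pod; the function names are this example's own.

```python
import json
import os
import ssl
import urllib.error
import urllib.request
from pathlib import Path

# Standard mount point of the ServiceAccount volume (the directory listed above).
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")


def load_sa_credentials(sa_dir=SA_DIR):
    """Read the three projected files: bearer token, API server CA, own namespace."""
    sa_dir = Path(sa_dir)
    return {
        "token": (sa_dir / "token").read_text().strip(),
        "ca_file": str(sa_dir / "ca.crt"),
        "namespace": (sa_dir / "namespace").read_text().strip(),
    }


def api_server_url():
    """Base URL from the in-cluster environment; falls back to the 'kubernetes'
    service name the curl command above uses (443 is the service's default port)."""
    host = os.environ.get("KUBERNETES_SERVICE_HOST", "kubernetes")
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    return f"https://{host}:{port}"


def build_request(path, creds, base_url=None):
    """Return a urllib Request for `path` carrying the SA token as a bearer token."""
    url = (base_url or api_server_url()) + path
    headers = {
        "Authorization": f"Bearer {creds['token']}",
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def describe_reply(body):
    """Interpret an API reply. A success returns the object itself (kind is
    Namespace, PodList, ...); a failure returns a Status object with reason,
    code and message, like the 403 Forbidden shown above."""
    obj = json.loads(body) if isinstance(body, (str, bytes)) else body
    if obj.get("kind") != "Status":
        return {"ok": True, "kind": obj.get("kind"), "code": 200}
    return {
        "ok": False,
        "kind": "Status",
        "code": obj.get("code"),
        "reason": obj.get("reason"),
        "message": obj.get("message"),
    }


def call_api(path, creds=None, base_url=None):
    """GET `path` with the mounted credentials, verifying the server against the
    mounted ca.crt (the Python counterpart of `curl --cacert ./ca.crt`).
    HTTP 401/403/404 replies also carry a Status body, so they are decoded too."""
    creds = creds or load_sa_credentials()
    ctx = ssl.create_default_context(cafile=creds["ca_file"])
    req = build_request(path, creds, base_url)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return describe_reply(resp.read())
    except urllib.error.HTTPError as err:
        return describe_reply(err.read())


if __name__ == "__main__":
    creds = load_sa_credentials()
    # The namespace file tells the pod where it lives, so it can use
    # namespace-scoped paths rather than cluster-wide ones like /api/v1/pods.
    print(call_api(f"/api/v1/namespaces/{creds['namespace']}/pods", creds))
    print(call_api("/api/v1/namespaces/kube-system", creds))
```

Before any binding exists, the second call returns a dict with ok False, code 403 and reason "Forbidden", decoded from the same Status object the curl above printed. Checking kind == "Status" rather than only the HTTP code is deliberate: the API server reports authentication failures (401) and missing objects (404) in the same shape, and the reason field is what tells them apart.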

3、Grant permissions to the sa

cluster-admin is a built-in ClusterRole with very broad permissions.
Bind the sa-lihaihui service account in the default namespace to the cluster-admin ClusterRole:

[root@master RBAC]# kubectl create clusterrolebinding sa-test-lihaihui  --clusterrole=cluster-admin  --serviceaccount=default:sa-lihaihui
clusterrolebinding.rbac.authorization.k8s.io/sa-test-lihaihui created
[root@master RBAC]# 

Check which service accounts have been bound to cluster roles:

[root@master RBAC]# kubectl get clusterrolebinding |grep lihaihui
sa-test-lihaihui                                       ClusterRole/cluster-admin                                                          2m35s
[root@master RBAC]#  

4、Make the request again, now using the bound cluster role

[root@master RBAC]# kubectl exec -it sa-lihaihui -- bash
root@sa-lihaihui:/# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount#  curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/kube-system
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "kube-system",
    "uid": "b1b4554f-2ab4-4b88-afac-1eb3a8427607",
    "resourceVersion": "10",
    "creationTimestamp": "2023-08-16T07:25:47Z",
    "managedFields": [
      {
        "manager": "kube-apiserver",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2023-08-16T07:25:47Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:status":{"f:phase":{}}}
      }
    ]
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount#

We can see "phase": "Active", so the access succeeded!

4、Create your own Role and ClusterRole

1、Create a Role

Define the access permissions the Role grants:

[root@master RBAC]# vim role.yaml
[root@master RBAC]# cat role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" denotes the core API group
  resources: ["pods"]  
  verbs: ["get", "watch", "list"]
[root@master RBAC]# 
[root@master RBAC]# kubectl apply -f role.yaml 
role.rbac.authorization.k8s.io/pod-reader created
[root@master RBAC]# kubectl get role
NAME         CREATED AT
pod-reader   2023-09-07T03:47:00Z
[root@master RBAC]# 

2、Bind the sa to the Role

[root@master RBAC]# kubectl create rolebinding sa-test-lihaihui  --role=pod-reader --serviceaccount=default:sa-lihaihui
rolebinding.rbac.authorization.k8s.io/sa-test-lihaihui created

View the RoleBinding that was created:

[root@master RBAC]# kubectl get rolebinding
NAME               ROLE              AGE
sa-test-lihaihui   Role/pod-reader   28s
[root@master RBAC]# 

3、Create a ClusterRole

[root@k8smaster sa]# cat clusterrole.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" is omitted because ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, Secret resources are addressed by the name "secrets"
  resources: ["secrets"]  # the concrete resource type
  verbs: ["get", "watch", "list"]  # the allowed actions
[root@k8smaster sa]# kubectl apply -f clusterrole.yaml 
clusterrole.rbac.authorization.k8s.io/secret-reader created
[root@k8smaster sa]# 
[root@k8smaster sa]# kubectl get clusterrole
secret-reader                                                          

4、Bind the sa to the ClusterRole

[root@master RBAC]# kubectl create clusterrolebinding sa-test-lihaihui-2  --clusterrole=secret-reader  --serviceaccount=default:sa-lihaihui
clusterrolebinding.rbac.authorization.k8s.io/sa-test-lihaihui-2 created

[root@k8smaster sa]# kubectl get clusterrolebinding
NAME                                                   ROLE                                                                               AGE
sa-test-lihaihui                                       ClusterRole/cluster-admin                                                          15m
sa-test-lihaihui-2                                     ClusterRole/secret-reader 

5、Verify

Enter the pod running as sa-lihaihui and access the pod and secret resources through the apiserver:
[root@master RBAC]# kubectl get pod
NAME                               READY   STATUS    RESTARTS   AGE
configmap-demo-pod                 1/1     Running   5          19h
configmap-nginx                    1/1     Running   1          19h
mysql                              1/1     Running   4          2d18h
nginx                              1/1     Running   3          2d
nginx-configmap-test               1/1     Running   1          19h
sa-lihaihui                        1/1     Running   0          30m

[root@master RBAC]# kubectl exec -it sa-lihaihui -- bash
root@sa-lihaihui:~# cd /var/run/secrets/kubernetes.io/serviceaccount/
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# 
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/pods  
root@sa-lihaihui:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt  -H "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/secrets
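Sections 1, 3 and 4 above describe how RBAC scoping works. As an added illustration (this code is not from the original post and is not the Kubernetes authorizer itself), the following Python model replays each request in the post against the bindings that existed at that point. The class names, the authorize function and the scenario labels are this example's own; the object names, the user name and the rules are the ones the post creates. One thing the model makes visible: the `kubectl get clusterrolebinding` output in step 4 still lists sa-test-lihaihui bound to cluster-admin, so the two curl commands in step 5 would succeed because of that earlier binding, not because of pod-reader or secret-reader.

```python
from dataclasses import dataclass
from typing import List, Optional

# Identity the API server derives from the mounted token (see the 403 message
# in section 3: User "system:serviceaccount:default:sa-lihaihui").
SA = "system:serviceaccount:default:sa-lihaihui"


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core group, "*" matches any
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass
class Binding:
    name: str
    role: Role
    subjects: List[str]
    namespace: Optional[str] = None   # None means this is a ClusterRoleBinding


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, resource, api_group):
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def authorize(bindings, user, verb, resource, namespace="", api_group=""):
    """True if some binding grants `user` the request. RBAC has no deny rules:
    anything not explicitly granted is forbidden.
    namespace="" is a cluster-scoped request such as GET /api/v1/pods."""
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding grants only inside its own namespace; it never covers
        # another namespace or a cluster-scoped request.
        if b.namespace is not None and b.namespace != namespace:
            continue
        # A Role can only be referenced from a RoleBinding in the same
        # namespace; a ClusterRole may be referenced from either binding kind.
        if b.role.namespace is not None and b.role.namespace != b.namespace:
            continue
        if any(rule_allows(r, verb, resource, api_group) for r in b.role.rules):
            return True
    return False


# The objects created in the post (cluster-admin is built in; its real rules also
# cover non-resource URLs, which this simplified model omits).
cluster_admin = Role("cluster-admin", [Rule(["*"], ["*"], ["*"])])
pod_reader = Role("pod-reader", [Rule([""], ["pods"], ["get", "watch", "list"])], namespace="default")
secret_reader = Role("secret-reader", [Rule([""], ["secrets"], ["get", "watch", "list"])])

NO_BINDINGS = []                                                     # section 3, step 2
ADMIN_BINDING = [Binding("sa-test-lihaihui", cluster_admin, [SA])]   # section 3, step 3
SECTION_4 = [
    Binding("sa-test-lihaihui", pod_reader, [SA], namespace="default"),   # RoleBinding
    Binding("sa-test-lihaihui-2", secret_reader, [SA]),                   # ClusterRoleBinding
]


def scenarios():
    """Replay the post's requests against each set of bindings."""
    return {
        "3.2 get ns kube-system, no binding":        authorize(NO_BINDINGS, SA, "get", "namespaces", "kube-system"),
        "3.4 get ns kube-system, cluster-admin":     authorize(ADMIN_BINDING, SA, "get", "namespaces", "kube-system"),
        "4 list pods in default (Role+RoleBinding)": authorize(SECTION_4, SA, "list", "pods", "default"),
        "4 list pods in kube-system":                authorize(SECTION_4, SA, "list", "pods", "kube-system"),
        "4 GET /api/v1/pods (all namespaces)":       authorize(SECTION_4, SA, "list", "pods"),
        "4 GET /api/v1/secrets (all namespaces)":    authorize(SECTION_4, SA, "list", "secrets"),
        "4 delete a secret in default":              authorize(SECTION_4, SA, "delete", "secrets", "default"),
        "5 same, cluster-admin binding still there": authorize(ADMIN_BINDING + SECTION_4, SA, "delete", "secrets", "default"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'allowed  ' if allowed else 'FORBIDDEN'}  {name}")
```

The two scoping rules the model encodes are the ones to keep in mind when reviewing bindings: a Role reached through a RoleBinding never grants anything outside that namespace, which is why the cluster-wide /api/v1/pods request is forbidden under pod-reader alone, while a ClusterRole reached through a ClusterRoleBinding grants in every namespace, which is why secret-reader allows /api/v1/secrets. A live cluster can be checked the same way with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:default:sa-lihaihui -n <namespace>`.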