前言
现在RBAC主要解决的一个问题,就是:所有人都拿的是admin的config文件,因此所有人都拥有最高权限,他可以为所欲为,从而很有可能在不知情的情况下,破坏k8s集群。因此我们需要对其进行控制,给他创建admin之外的账号,让他无法操作k8s系统重要部分的namespace。

先不说原理,直接说操作步骤

一、创建证书
创建user私钥

[root@node-01 ~]cd /etc/kubernetes/pki/
[root@node-01 pki](umask 077;openssl genrsa -out aideveloper.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
..................+++
e is 65537 (0x10001)

创建证书签署请求
O=组织信息,CN=用户名

[root@node-01 pki]openssl req -new -key aideveloper.key -out aideveloper.csr -subj "/O=jbt/CN=aideveloper"

签署证书

[root@node-01 pki]openssl  x509 -req -in aideveloper.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aideveloper.crt -days 365
Signature ok
subject=/O=jbt/CN=aideveloper
Getting CA Private Key

二、创建配置文件
创建配置文件主要有以下几个步骤:

* kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE #集群配置
* 
* kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE #用户配置
* 
* kubectl config set-context #context配置
* 
* kubectl config use-context #切换context

一些说明:

* --embed-certs=true的作用是不在配置文件中显示证书信息。

* --kubeconfig=/root/aideveloper.conf用于创建新的配置文件,如果不加此选项,则内容会添加到家目录下.kube/config文件中,可以使用use-context来切换不同的用户管理k8s集群。

* context简单的理解就是用什么用户来管理哪个集群,即用户和集群的结合。

创建集群配置

[root@node-01 pki] kubectl config set-cluster kubernetes --server=https://tw-master.senses-ai.com:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/aideveloper.conf
Cluster "kubernetes" set.

[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

创建用户配置

[root@node-01 pki] kubectl config set-credentials aideveloper --client-certificate=aideveloper.crt --client-key=aideveloper.key --embed-certs=true --kubeconfig=/root/aideveloper.conf User "aideveloper" set.

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
 certificate-authority-data: DATA+OMITTED
 server: https://tw-master.senses-ai.com:6443
 name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
 user:
 client-certificate-data: REDACTED
 client-key-data: REDACTED

创建context配置

[root@node-01 pki] kubectl config set-context aideveloper@kubernetes --cluster=kubernetes --user=aideveloper --kubeconfig=/root/aideveloper.conf
Context "aideveloper@kubernetes" created.

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
 certificate-authority-data: DATA+OMITTED
 server: https://tw-master.senses-ai.com:6443
 name: kubernetes
contexts:
- context:
 cluster: kubernetes
 user: aideveloper
 name: aideveloper@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
 user:
 client-certificate-data: REDACTED
 client-key-data: REDACTED

切换context

[root@node-01 pki] kubectl config use-context aideveloper@kubernetes --kubeconfig=/root/aideveloper.conf
Switched to context "aideveloper@kubernetes".

[root@node-01 pki] kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
 certificate-authority-data: DATA+OMITTED
 server: https://tw-master.senses-ai.com:6443
 name: kubernetes
contexts:
- context:
 cluster: kubernetes
 user: aideveloper
 name: aideveloper@kubernetes
current-context: aideveloper@kubernetes
kind: Config
preferences: {}
users:
- name: aideveloper
 user:
 client-certificate-data: REDACTED
 client-key-data: REDACTED

创建系统用户及k8s验证文件

[root@node-01 ~] useradd test     #创建什么用户名都可以
[root@node-01 ~] mkdir /home/test/.kube
[root@node-01 ~] cp /root/aideveloper.conf /home/test/.kube/config [root@node-01 ~]# chown test.test -R /home/test/.kube/
[root@node-01 ~] su - test
[billy@node-01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "aideveloper" cannot list resource "pods" in API group "" in the namespace "default"

切换到k8s admin用户
kubectl config use-context kubernetes-admin@kubernetes

默认新用户是没有任何权限的。

创建Role
此role只有pod的get、list、watch权限

[root@node-01 rbac] vim aideveloper-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

[root@node-01 rbac] kubectl apply -f aideveloper-role.yaml
role.rbac.authorization.k8s.io/aideveloper-role created

创建Rolebinding
用户aideveloper和role aideveloper-role的绑定

[root@node-01 rbac]# vim aideveloper-roleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper

[root@node-01 rbac]# kubectl apply -f aideveloper-roleBinding.yaml
rolebinding.rbac.authorization.k8s.io/aideveloper-roleBinding created

验证结果
如果没有指定命名空间的话,默认就是default命名空间。

[billy@node-01 ~]$ kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-demo-95bd675d5-66xrm   1/1     Running   0          18d
tomcat-5c5dcbc885-7vr68      1/1     Running   0          18d

[billy@node-01 ~]$ kubectl -n kube-system get pod
Error from server (Forbidden): pods is forbidden: User "billy" cannot list resource "pods" in API group "" in the namespace "kube-system"

所以我们是可以查看查看default命名空间的pod,但是其他空间的pod是无法查看的。

创建ClusterRole

[root@node-01 rbac]# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

[root@node-01 rbac]# kubectl apply -f cluster-reader.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created

创建ClusterRoleBinding

[root@node-01 rbac]# cat billy-read-all-pods.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: billy

[root@node-01 rbac]# kubectl apply -f billy-read-all-pods.yaml
clusterrolebinding.rbac.authorization.k8s.io/billy-read-all-pods created

创建了ClusterRole和ClusterRoleBinding后就可以看到所有命名空间的pod了。

RBAC的补充

RBAC相关的内容
rule下verbs有:

"get", "list", "watch", "create", "update", "patch", "delete", "exec"
rule下resource有:

"services", "endpoints", "pods","secrets","configmaps","crontabs","deployments",
"jobs","nodes","rolebindings","clusterroles","daemonsets","replicasets","statefulsets",
"horizontalpodautoscalers","replicationcontrollers","cronjobs"
rule下apiGroups有:

"","apps", "autoscaling", "batch"

注意:
cluserRoleBinding只能绑定clusterRole
roleBinding既能绑定role,也能绑定clusterRole
想让一个Bingding绑定多个角色,那就多写几个文件

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐