【深入分析】Kubernetes RBAC角色权限控制
一、文件示例: kubernetes-dashboard.yaml# ------------------- Dashboard Secret ------------------- #apiVersion: v1kind: Secretmetadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dash...
一、讲解示例 kubernetes-dashboard.yaml
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30001
selector:
k8s-app: kubernetes-dashboard
二、文件资源对象
2.0 该文件主要有如下资源(倒序)
- Service: 暴露容器中的服务
- Deployment: 创建容器的控制器的控制器
- RoleBinding: 角色绑定,绑定角色和服务账户
- Role: 角色,指定角色权限
- ServiceAccount: 创建服务账户
- Secret: 提供令牌,访问API服务器所用
2.1 Deployment:
spec.template.spec.serviceAccountName:kubernetes-dashboard
,意思是产生的容器归属于kubernetes-dashboard服务账户。spec.template.spec.volumes.secret.secret:kubernetes-dashboard-certs
,意思是产生的容器默认挂载该令牌访问API服务资源。- 简单的说:Web UI容器属于kubernetes-dashboard服务账户,该容器访问API服务器令牌为kubernetes-dashboard-certs
2.2 Role:
- 规定了 kubernetes-dashboard-minimal该角色的权限,比如rules[0],对于URL资源型的secret,该角色可以创建,不可删该查。
2.3 RoleBinding:
- 声明了服务账户kubernetes-dashboard享有 kubernetes-dashboard-minimal该角色的权限
2.4 综上所述:
- Web UI容器绑定了如下两个资源:
- Secret:让dashboard容器访问API能够认证通过,
- ServiceAccount: 认证通过后dashboard容器会有什么权限
三.《实验》权限验证
我们来看一下kubernetes-dashboard该服务账户的认证令牌
[root@k8s-master k8s]# kubectl describe sa kubernetes-dashboard -n kube-system | grep Token
Tokens: kubernetes-dashboard-token-gthpd
查看该令牌
[root@k8s-master k8s]# kubectl describe secret kubernetes-dashboard-token-gthpd -n kube-system | grep ^token
token: eyJhbGciOiJSUzI1NiI......htI0PbXnmUG6HHL-KAtR4nw
如果使用该令牌登录Web UI会如何?答案是啥资源信息也看不了
为什么呢?如上图,集群下有命名空间namespaces、节点nodes、持久化存储卷pv、角色Role、存储类Store class,叫做集群资源,也叫全局资源;
命名空间下有Jobpod、DaemonSet、Deployment、Pods、RS、RC、Service、Secret等等局部资源
如果要查看他们,必须有权限访问这些资源信息,回头看看Role部署文件声明的Rule,的确有部分访问权限,例如secrets的删改查,很遗憾该令牌所对应的服务账户被绑定的并非集群角色,绑定的方式并非集群绑定,WebUI的集群资源必须被ClusterBinding,角色必须为ClusterRole,所以也就啥都没,还报一堆警告。
那我们从系统中找个有集群角色的服务账户实验一下
集群绑定资源可以查询绑定的角色和服务账户
1.我们先找一个集群角色绑定资源
[root@k8s-master k8s]# kubectl get clusterrolebinding system:controller:namespace-controller
找打了namespace-controller服务账户和system:controller:namespace-controller集群角色
2.看下集群角色有什么权限,并验证
[root@k8s-master k8s]# kubectl get clusterrole system:controller:namespace-controller -o yaml
rules:
- apiGroups:
- ""
resources:
- namespaces !对命名空间只有查删,没有增改
verbs:
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces/finalize
- namespaces/status
verbs:
- update
- apiGroups:
- '*'
resources:
- '*'
verbs: !对所有资源只有查删,没有增改
- delete
- deletecollection
- get
- list
从上面可知,这个角色对所有资源只有查删,不能增改!!!
,来验证一下…
3获取密钥
[root@m ~]# kubectl get sa namespace-controller -n kube-system -o yaml
secret: namespace-controller-token-gb4hf
[root@k8s-master k8s]# kubectl describe secret namespace-controller-token-gb4hf -n kube-system
4.web登录,选择令牌登录
很好,可以查到所有资源,跟预期一致
4.1试试创建新命名空间
很好,果然不能创建(增)资源
4.2 试试删除资源
[root@k8s-master k8s]# kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
test-c478db4fb-w6c68 1/1 Running 0 16m
可以看到有一个容器test-c478db4fb-w6c68正在运行,那么我们现在在Web删除他,–watch参数是实时监控
回到黑屏终端,可以见到命令行实时监控输出的信息
[root@k8s-master k8s]# kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
test-c478db4fb-w6c68 1/1 Running 0 16m
test-c478db4fb-w6c68 1/1 Terminating 0 19m
test-c478db4fb-sqs9q 0/1 Pending 0 0s
test-c478db4fb-sqs9q 0/1 Pending 0 0s
test-c478db4fb-w6c68 1/1 Terminating 0 19m
test-c478db4fb-sqs9q 0/1 ContainerCreating 0 1s
test-c478db4fb-w6c68 0/1 Terminating 0 19m
test-c478db4fb-sqs9q 1/1 Running 0 9s
test-c478db4fb-w6c68 0/1 Terminating 0 19m
test-c478db4fb-w6c68 0/1 Terminating 0 19m
很好,test-c478db4fb-w6c68被结束,就是删除成功,其他资源类似,不再举例。
那么有一个问题,test-c478db4fb-sqs9q这个是什么?因为这个容器我是通过RS部署的,所以被删除会有一个替代它。
验证结束: 确实只有查删、不能增改
四、超级权限
那么最后一个问题,我想要root权限,不想受那么多限制咋办?
同样,我们也在clusterrolebinding找,但你不用找了,我直接告诉你,集群角色:cluster-admin拥有超级权限,但是很遗憾这个集群绑定没有指定服务账户,所以现在我们需要创建ClusterRoleBinding和ServiceAccount
[root@k8s-master ~]# vi k8s-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: dashboard-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
[root@k8s-master ~]# kubectl create -f k8s-admin.yaml
!1.查看服务账户对应的secret
[root@k8s-master k8s]# kubectl describe sa -n kube-system dashboard-admin | greo ^Tokens
Tokens: dashboard-admin-token-xxxxx
!2.获取令牌
[root@k8s-master k8s]# kubectl describe secret dashboard-admin-token-np46j -n kube-system | grep ^token
token: eyJhbGciOiJSUzI1NiIsI......f2NkjH0YsBD7QEjRiQxp0Cv35rHC0pXuyRtDDKM7VE_RppJoY06WCRzAwZGCOBE1H6A
!3.接下来令牌登录即可获取k8s资源所有权,你就是集群最靓的仔
五、回顾
很好,相信你已经有了比较清晰思路
更多推荐
所有评论(0)