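Access control involves the following three stages:
1. Authentication: establishes which users are allowed in. There are 8 authentication methods; as soon as one of them succeeds, the others are not tried.
2. Authorization: decides which resources can be used.
3. Admission control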

Authentication

We usually write credentials directly into the YAML file, but this is very insecure, because ordinary users can read that file directly.

kubectl create secret docker-registry myregistrykey --docker-server=passyt.com --docker-username=admin --docker-password=aekhg777 --docker-email=passyt@passyt.com  ## first create a secret
kubectl create sa admin  ## then create a user (a ServiceAccount named admin)
kubectl describe sa admin  ## inspect it
kubectl edit sa admin  ## edit this user's Image pull secrets
imagePullSecrets:  ## add this
- name: myregistrykey
## In the YAML file that needs the credentials, just add the ServiceAccount name.
  serviceAccountName: admin

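Creating this admin also generates a file, located at */etc/kubernetes/admin.conf*. Using this ServiceAccount name directly is enough to authenticate; put simply, it amounts to copying this file to the node being deployed to.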

User authentication

Change into the /etc/kubernetes/pki directory, which holds all the certificates, and create a certificate there.

[root@server1 pki]# openssl genrsa -out test.key 2048
[root@server1 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test" ## create a certificate signing request
[root@server1 pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365  ## have the Kubernetes CA sign the request and issue a certificate valid for one year
[root@server1 pki]# openssl x509 -in test.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f8:f8:8a:45:a7:80:d5:f5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar  2 15:00:45 2020 GMT
            Not After : Mar  2 15:00:45 2021 GMT
        Subject: CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)

Switch to the kubeadm user and view the Kubernetes configuration.

[kubeadm@server1 ~]$ kubectl config view
    cluster: kubernetes  ## the cluster is kubernetes
    user: kubernetes-admin   ## there is only one user

Next, add another user.

[kubeadm@server1 pki]$ kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true  ## add a user named test

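This adds the credentials. The last parameter, --embed-certs=true, embeds the certificate and key data in the kubeconfig instead of recording the file paths, which hides the paths and is more secure.
Once the user has been created: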

[kubeadm@server1 pki]$ kubectl config view 
- name: test
  user:

The output now contains one more user.
With the user created, the next step is to switch to it.
First add a context for the user:

[kubeadm@server1 pki]$ kubectl config set-context test@kubernetes --cluster=kubernetes --user=test 
[kubeadm@server1 pki]$ kubectl config use-context test@kubernetes  ## switch user
Switched to context "test@kubernetes".
[kubeadm@server1 pki]$ kubectl config current-context 
test@kubernetes   ## switch complete

Now list the pods:

[kubeadm@server1 pki]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"

The response is Forbidden: the request was rejected because authentication succeeded but no authorization has been granted yet.
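
The name in that error, User "test", comes from the certificate: with client-certificate authentication the API server takes the subject's CN as the username and each O as a group. The following is an added example, not code from the original page; it parses the identifying fields of `openssl x509 -text` output (sample constructed from the output above) and lists the RBAC subjects a binding would have to name. The function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the identifying fields from the `openssl x509 -text` output above.
SAMPLE = """\
Certificate:
    Data:
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar  2 15:00:45 2020 GMT
            Not After : Mar  2 15:00:45 2021 GMT
        Subject: CN=test
        Subject Public Key Info:
"""

def _field(text, name):
    """Return the value of a 'Name: value' line from the openssl text dump."""
    return re.search(rf"^\s*{name}\s*:\s*(.+)$", text, re.M).group(1).strip()

def _parse_dn(dn):
    """Split 'O = dev, CN = test' or 'O=dev, CN=test' into (attribute, value) pairs.
    Assumes values contain no ', X=' sequences (true for typical Kubernetes subjects)."""
    parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", dn)
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts]

def identity(cert_text, now):
    """Identity the X.509 authenticator derives: CN -> username, each O -> a group."""
    subject = _parse_dn(_field(cert_text, "Subject"))
    not_after = datetime.strptime(_field(cert_text, "Not After"),
                                  "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return {
        "user": next(v for k, v in subject if k == "CN"),
        "groups": [v for k, v in subject if k == "O"],
        "expired": now >= not_after,
    }

def rbac_subjects(ident):
    """Subjects a RoleBinding/ClusterRoleBinding must name to reach this identity."""
    api = "rbac.authorization.k8s.io"
    subjects = [{"kind": "User", "name": ident["user"], "apiGroup": api}]
    subjects += [{"kind": "Group", "name": g, "apiGroup": api} for g in ident["groups"]]
    return subjects

if __name__ == "__main__":
    ident = identity(SAMPLE, datetime.now(timezone.utc))
    print(ident)                 # the page's certificate has no O, so no groups
    print(rbac_subjects(ident))
```

Because the certificate carries only CN=test, the only subject a binding can target is `kind: User, name: test`.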

Authorization

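Switch back and use kubernetes-admin to grant permissions.
RBAC is role-based access control.
RBAC only grants permissions; there is no deny rule, so you only define what is allowed.
Create a role: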

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
  namespace: default
rules:  ## rules
- apiGroups: [""]  ## API group ("" is the core group)
  resources: ["pods"]  ## applies to pods only
  verbs: ["get","watch","list","create","update","patch","delete"]  ## permissions granted

Create the role from this file:

[kubeadm@server1 rbac]$ kubectl get role
NAME     AGE
myrole   8s

There is now one more role. With the role created, the next step is to bind it.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test  ## the user test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole  ## the role being bound
  apiGroup: rbac.authorization.k8s.io

The role is now bound to the test user. After switching to that user, the operation is no longer rejected.

[kubeadm@server1 rbac]$ kubectl config use-context test@kubernetes 
Switched to context "test@kubernetes".
[kubeadm@server1 rbac]$ kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
mypod   1/1     Running   1          22h

But this only covers pods; anything else is still rejected.

[kubeadm@server1 rbac]$ kubectl get sa
Error from server (Forbidden): serviceaccounts is forbidden: User "test" cannot list resource "serviceaccounts" in API group "" in the namespace "default"

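Also, this permission is limited to pods in the current namespace. For broader permissions we need a cluster-level role, or rules that cover more APIs.
Create a ClusterRole: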

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole  ## kind
metadata:
  name: myclusterrole  ## ClusterRole is cluster-scoped, so no namespace is set
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list","create","update","delete"]
- apiGroups: ["extensions","apps"]  ## API groups
  resources: ["deployments"]  ## RBAC matches the plural resource name
  verbs: ["get","watch","list","create","update","patch","delete"]

Once created it is only a role and cannot be used yet; to use it, it must first be bound.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebind-myclusterrole
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: myclusterrole
  apiGroup: rbac.authorization.k8s.io

[kubeadm@server1 rbac]$ kubectl get rolebindings.rbac.authorization.k8s.io 
NAME                     AGE
rolebind-myclusterrole   22s
test-read-pods           124m

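Now, after switching users, more resources can be queried, but this still cannot reach outside the namespace; beyond it there is no permission.
Create a ClusterRoleBinding: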

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding  ## cluster-wide
metadata:
  name: clusterrolebinding-myclusterrole  ## no namespace is set here because it applies to all namespaces
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: myclusterrole
  apiGroup: rbac.authorization.k8s.io

With this binding, access is no longer limited to one namespace; it applies across all namespaces.
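
The whole authorization walk-through can be reproduced with a small model of how RBAC evaluates a request. This is an added example and a simplification, not Kubernetes code or code from the original page: it models only apiGroups, resources and verbs (no resourceNames, subresources or cluster-scoped resources), and the class and function names are hypothetical. Resource names are compared literally against the plural name used in the API, so a rule written with the singular `deployment` matches nothing.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def matches(self, group, resource, verb):
        # Literal comparison; "*" is the only wildcard. Rules can only allow.
        ok = lambda allowed, value: "*" in allowed or value in allowed
        return (ok(self.api_groups, group) and ok(self.resources, resource)
                and ok(self.verbs, verb))

@dataclass(frozen=True)
class Binding:
    user: str
    rules: Tuple[Rule, ...]      # rules of the Role/ClusterRole named in roleRef
    namespace: Optional[str]     # a namespace = RoleBinding, None = ClusterRoleBinding

VERBS = ("get", "watch", "list", "create", "update", "delete")
MYROLE = (Rule(("",), ("pods",), VERBS + ("patch",)),)
MYCLUSTERROLE = (
    Rule(("",), ("pods",), VERBS),
    Rule(("extensions", "apps"), ("deployments",), VERBS + ("patch",)),
)
TEST_READ_PODS = Binding("test", MYROLE, "default")
ROLEBIND_MYCLUSTERROLE = Binding("test", MYCLUSTERROLE, "default")
CLUSTERROLEBINDING = Binding("test", MYCLUSTERROLE, None)

def allowed(bindings, user, namespace, group, resource, verb):
    """True if any binding that covers this user and namespace has a matching rule."""
    for b in bindings:
        in_scope = b.namespace is None or b.namespace == namespace
        if b.user == user and in_scope and any(
                r.matches(group, resource, verb) for r in b.rules):
            return True
    return False  # nothing matched: Forbidden

if __name__ == "__main__":
    stages = {"no binding": [], "RoleBinding": [TEST_READ_PODS],
              "+ClusterRole via RoleBinding": [TEST_READ_PODS, ROLEBIND_MYCLUSTERROLE],
              "+ClusterRoleBinding": [TEST_READ_PODS, ROLEBIND_MYCLUSTERROLE, CLUSTERROLEBINDING]}
    for name, b in stages.items():
        print(name, [allowed(b, "test", ns, g, r, "list") for ns, g, r in
                     [("default", "", "pods"), ("default", "apps", "deployments"),
                      ("kube-system", "", "pods")]])
```

Each printed row shows list access to pods in default, deployments in default, and pods in kube-system; only the ClusterRoleBinding stage allows the last one.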
