Creating a kubeconfig with read-only access to resources in a Kubernetes cluster
A user needs a certain level of permission to read some Kubernetes resources, so a kubeconfig with read-only permissions has to be created for them.
Creating a read-only user can be broken down into the following 3 steps:
- Sign a user certificate with the cluster CA
- Bind a role to the user certificate and generate the kubeconfig file (the read-only template uses the Kubernetes built-in ClusterRole view; you can define your own Role if needed)
- Place the kubeconfig file in the user's .kube directory and test the permissions
# 1. Sign the user certificate with the cluster CA. cfssl is used here; openssl or other tools can also generate it, so install whichever tool fits your situation
## 1.1 Generate the certificate signing request file
Create a file named name-csr.json with the following content. The CN becomes the Kubernetes username and O becomes the user's group; change "centos" to the username you need:
```json
{
  "CN": "centos",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```
# 2. Create the script rbac.sh that generates the kubeconfig
```bash
#!/usr/bin/env bash
# Change this to your cluster name: the cluster name under "context" in
# /etc/kubernetes/kubelet.conf (cat the file to find it)
CLUSTER=global
# Address of the cluster's kube-apiserver
KUBE_APISERVER="https://192.168.25.84:6443"
K8S_CA_CRT="/etc/kubernetes/pki/ca.crt"
K8S_CA_KEY="/etc/kubernetes/pki/ca.key"
# Username; must match the CN in step 1
USER=centos
# Sign the certificate (produces ${USER}.pem, ${USER}-key.pem and ${USER}.csr).
# No -config is given, so cfssl falls back to its default signing profile.
cfssl gencert -ca=${K8S_CA_CRT} -ca-key=${K8S_CA_KEY} -profile=${CLUSTER} \
  ./name-csr.json | cfssljson -bare ${USER}
# Set up the cluster, credentials and context in the user's kubeconfig
kubectl config set-cluster ${CLUSTER} \
  --certificate-authority=${K8S_CA_CRT} \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${USER}.kubeconfig
kubectl config set-credentials ${USER} \
  --client-certificate=${USER}.pem \
  --client-key=${USER}-key.pem \
  --embed-certs=true \
  --kubeconfig=${USER}.kubeconfig
kubectl config set-context ${CLUSTER} \
  --cluster=${CLUSTER} \
  --user=${USER} \
  --kubeconfig=${USER}.kubeconfig
# Bind the built-in read-only ClusterRole "view" to the user
kubectl create clusterrolebinding ${USER}-admin-binding --clusterrole=view --user=${USER}
```
The ClusterRole view is the built-in read-only role of Kubernetes; part of its YAML is shown below.
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-12-08T10:33:02Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    manager: kube-apiserver
    operation: Update
    time: "2020-12-08T10:33:02Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    manager: kube-controller-manager
    operation: Update
    time: "2020-12-08T10:47:30Z"
  name: view
  resourceVersion: "2905"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/view
  uid: c50b8459-8a17-4260-ab1d-f4cb7f644c95
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
```
From the YAML you can see that the role grants the get, list and watch verbs on resources such as pods and configmaps. If you need access to additional resources, create your own ClusterRole.
# 3. Run the script to generate the files
Run the rbac script. It generates the kubeconfig file and at the same time creates the ClusterRoleBinding that binds the ClusterRole view to the user. The following output is printed:
```
2020/12/18 10:17:32 [INFO] generate received request
2020/12/18 10:17:32 [INFO] received CSR
2020/12/18 10:17:32 [INFO] generating key: rsa-2048
2020/12/18 10:17:32 [INFO] encoded CSR
2020/12/18 10:17:32 [INFO] signed certificate with serial number 48967242497240478378774045513000121529517476793
2020/12/18 10:17:32 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "global" set.
User "centos" set.
Context "global" created.
clusterrolebinding.rbac.authorization.k8s.io/centos-admin-binding created
[root@master1 centos]# ls
centos.csr  centos-key.pem  centos.kubeconfig  centos.pem  name-csr.json  rbac.sh
```
You can see that centos.kubeconfig was generated.
Next, create a Linux user to test with.
Copy centos.kubeconfig into the .kube directory under the user's home directory and test the permissions:
```
[root@master1 centos]# useradd centos
[root@master1 centos]# mkdir /home/centos/.kube
[root@master1 centos]# cp centos.kubeconfig /home/centos/.kube/config
[root@master1 centos]# chown -R centos:centos /home/centos/.kube
[root@master1 centos]# su - centos
```
After switching to the user, test the permissions:
```
[centos@master1 ~]$ kubectl config use-context global --kubeconfig=.kube/config
Switched to context "global".
[centos@master1 ~]$ kubectl get pod
NAME                    READY   STATUS    RESTARTS   AGE
nginx-7db659cf8-tdhdl   1/1     Running   0          44h
[centos@master1 ~]$ kubectl exec -it nginx-7db659cf8-tdhdl sh
Error from server (Forbidden): pods "nginx-7db659cf8-tdhdl" is forbidden: User "centos" cannot create resource "pods/exec" in API group "" in the namespace "default"
```
You can see that when the user performs an operation other than get (here exec, which is a create on the pods/exec subresource), the server reports that the user lacks permission.
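To check ahead of time what a kubeconfig bound to view will and will not be able to do, the rules of the ClusterRole shown above can be evaluated offline with the same matching logic kube-apiserver's RBAC authorizer applies. This is an added example, not code from the original post; VIEW_RULES is constructed from the YAML above, and it shows why get on pods succeeds while exec (create on pods/exec) is denied.

```python
# Added example (not from the original post): offline check of what a
# ClusterRole allows, using kube-apiserver's RBAC matching rules.
# VIEW_RULES is constructed from the `view` ClusterRole YAML shown above.
VIEW_RULES = [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims",
                   "persistentvolumeclaims/status", "pods", "replicationcontrollers",
                   "replicationcontrollers/scale", "serviceaccounts", "services",
                   "services/status"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["bindings", "events", "limitranges", "namespaces/status",
                   "pods/log", "pods/status", "replicationcontrollers/status",
                   "resourcequotas", "resourcequotas/status"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"], "resources": ["namespaces"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["controllerrevisions", "daemonsets", "daemonsets/status",
                   "deployments", "deployments/scale", "deployments/status",
                   "replicasets", "replicasets/scale", "replicasets/status",
                   "statefulsets", "statefulsets/scale", "statefulsets/status"]},
]

def resource_matches(rule_resources, resource):
    """'*' matches everything; otherwise the combined 'resource/subresource'
    string must match exactly, or a '*/subresource' pattern. A grant on 'pods'
    therefore never covers 'pods/exec' or 'pods/log'."""
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule_resources:
        if r in ("*", resource):
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False

def rule_allows(rule, verb, api_group, resource):
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    return verb_ok and group_ok and resource_matches(rule["resources"], resource)

def role_allows(rules, verb, api_group, resource):
    """RBAC is purely additive: the request is allowed if any rule matches."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)

if __name__ == "__main__":
    # The core API group is the empty string, as in the Forbidden message above.
    for req in [("get", "", "pods"), ("get", "", "pods/log"),
                ("create", "", "pods/exec"), ("get", "", "secrets"),
                ("list", "apps", "deployments"), ("delete", "apps", "deployments")]:
        print("allow" if role_allows(VIEW_RULES, *req) else "deny ", *req)
```

Note that secrets are not among the resources above, so a view-bound user cannot read them either; the same function can be pointed at the rules of any custom ClusterRole before it is bound.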