kubectl RBAC analysis (including a custom kubectl user with restricted permissions)
Lab environment
For the exact environment, see the k8s-v1.20.10 1 master & 2 node binary deployment guide.
Setting up kubectl
# Create the certificate signing request (CSR) file for the admin kubectl identity
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "hunan",
      "L": "changsha",
      "O": "system:masters",
      "OU": "system"
    }
  ]
}
EOF
# Inspect the built-in cluster-admin ClusterRole
[root@k8s-master-1 ~]# kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  ...................
  name: cluster-admin
  ...................
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
cluster-admin is a built-in ClusterRole (a role, not a user). Its rules above grant every verb on every resource in every API group, plus every non-resource URL, so whatever subject it is bound to has full control of the cluster.
Notes on the rule fields:
apiGroups: the API groups the rule covers, e.g. "" for the core group (pods, services) or batch (objects with apiVersion: batch/v1)
resources: the resource types the rule covers, e.g. pods, deployments, jobs
resourceNames: optional list of object names that restricts the rule to specific objects
verbs: the operations allowed on those resources, e.g. get, list, watch, create, update, patch, delete
# Inspect the cluster-admin ClusterRoleBinding
[root@k8s-master-1 ~]# kubectl get clusterrolebinding cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  ..................
  name: cluster-admin
  ..................
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
The binding shows that Kubernetes ships cluster-admin bound to the group system:masters. That is why the O field in admin-csr.json has to be system:masters: the x509 client-certificate authenticator uses the certificate's CN as the username and each O value as a group, so a certificate whose O is anything else (and that has no binding of its own) gives kubectl an identity with no permissions at all.
Every kubectl request to the apiserver passes through three stages. Authentication first: the apiserver verifies the client certificate against the CA in its --client-ca-file, so the certificate must be issued by that CA. Authorization second: the authenticated username and groups are checked against RBAC bindings (and the built-in superuser check described below). Admission control third: admission plugins validate or mutate the already-authorized request (resource quotas, pod security, and so on). Admission does not decide who may act on which resource; that is the job of authorization.
Two caveats about system:masters. kube-apiserver treats it as a hardcoded superuser group that is authorized before RBAC is consulted, so deleting or editing the cluster-admin ClusterRoleBinding does not revoke it. And Kubernetes does not check certificate revocation lists, so a client certificate with O=system:masters remains valid until it expires or the CA is replaced. Issue such certificates sparingly and with short lifetimes, and prefer a dedicated user with an explicit binding for day-to-day work, as in the next section.
Custom kubectl certificate and RBAC
The custom kubectl identity is deployed on k8s-node-1.
Generate the certificate
# Create the CSR file for the kubectl-test user. The certificate must be issued by the same CA that the apiserver trusts for client certificates, otherwise authentication fails before RBAC is ever consulted.
cat > kubectl-test-csr.json <<EOF
{
  "CN": "kubectl-test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "hunan",
      "L": "changsha",
      "O": "kubectl-test",
      "OU": "system"
    }
  ]
}
EOF
# Sign the certificate with the apiserver's client CA
[root@k8s-master-1 kubectl]# cfssl gencert -ca=/root/ssl/kube-apiserver-ca.pem -ca-key=/root/ssl/kube-apiserver-ca-key.pem -config=/root/ssl/ca-config.json -profile=kubernetes kubectl-test-csr.json | cfssljson -bare kubectl-test
Generate the kubeconfig
# Cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=/root/ssl/kube-apiserver-ca.pem --embed-certs=true --server=https://192.168.0.10:6443 --kubeconfig=kube.config
# Client credentials (embeds the client certificate and private key in the file)
kubectl config set-credentials kubectl-test --client-certificate=kubectl-test.pem --client-key=kubectl-test-key.pem --embed-certs=true --kubeconfig=kube.config
# Context
kubectl config set-context kubernetes --cluster=kubernetes --user=kubectl-test --kubeconfig=kube.config
# Default context
kubectl config use-context kubernetes --kubeconfig=kube.config
# Copy to the target host. The file contains the private key, so keep it readable only by its owner (mode 0600)
ssh root@k8s-node-1 "mkdir -p /root/.kube"
scp kube.config k8s-node-1:/root/.kube/config
# Try listing services with the new identity
[root@k8s-node-1 .kube]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "kubectl-test" cannot list resource "services" in API group "" in the namespace "default"
kubectl-test authenticated successfully (the server answered Forbidden rather than Unauthorized, so the certificate was accepted), but it has no RoleBinding or ClusterRoleBinding, so it cannot do anything in the cluster.
Custom RBAC authorization
[root@k8s-master-1 kubectl]# cat clusterrolebinding-user.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ClusterRole-user
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ClusterRoleBinding-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ClusterRole-user
subjects:
- kind: User
  name: kubectl-test
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master-1 kubectl]# kubectl apply -f clusterrolebinding-user.yaml
clusterrole.rbac.authorization.k8s.io/ClusterRole-user unchanged
clusterrolebinding.rbac.authorization.k8s.io/ClusterRoleBinding-user unchanged
# Run kubectl on k8s-node-1 with the kubectl-test kubeconfig
[root@k8s-node-1 .kube]# kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-service-account 1/1 Running 2 12h
[root@k8s-node-1 .kube]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "kubectl-test" cannot list resource "services" in API group "" in the namespace "default"
This is what custom RBAC buys: kubectl-test can now do exactly what ClusterRole-user allows (list pods) and nothing else; listing services is still Forbidden, and so would be get or delete on pods, since only the list verb is granted. Note that a ClusterRoleBinding applies in every namespace, so this user can list pods in kube-system as well as in default. To limit the same ClusterRole to a single namespace, bind it with a RoleBinding in that namespace instead.
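The three results above (cluster-admin bound to system:masters, kubectl-test Forbidden with no binding, and kubectl-test allowed to list pods but not services once ClusterRole-user is bound) all come down to how the apiserver's authorization stage matches the authenticated identity against bindings and rules. The following Python model is an added example for this post, not Kubernetes source code or kubectl output: it reimplements the RBAC rule matching described in the Kubernetes documentation together with the system:masters short-circuit, loads the exact objects shown on this page, and reproduces each result. The RoleBinding pods-reader-default is an assumed alternative included to show namespace scoping; the names SYSTEM_PRIVILEGED_GROUP, authorize and rule_allows are this example's own.

```python
"""Model of the kube-apiserver authorization step for the objects on this page.

Added example for this post, not Kubernetes source code.  It follows the RBAC
matching rules from the Kubernetes docs closely enough to reproduce the
allowed / Forbidden results above, plus the system:masters short-circuit.
The RoleBinding "pods-reader-default" is an assumed alternative, not an
object from the post.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# kube-apiserver grants this group everything before RBAC is even consulted.
SYSTEM_PRIVILEGED_GROUP = "system:masters"


@dataclass
class Rule:
    api_groups: List[str] = field(default_factory=list)  # "" is the core group
    resources: List[str] = field(default_factory=list)
    verbs: List[str] = field(default_factory=list)
    resource_names: List[str] = field(default_factory=list)
    non_resource_urls: List[str] = field(default_factory=list)


@dataclass
class Role:  # stands in for both Role and ClusterRole
    name: str
    rules: List[Rule]


@dataclass
class Subject:
    kind: str  # "User" or "Group"
    name: str


@dataclass
class Binding:  # ClusterRoleBinding when namespace is None, else RoleBinding
    name: str
    role: Role
    subjects: List[Subject]
    namespace: Optional[str] = None


@dataclass
class Request:
    user: str                    # username: the certificate CN
    groups: List[str]            # groups: the certificate O values
    verb: str
    resource: str = ""           # e.g. "pods", "services"
    api_group: str = ""          # "" = core API group
    namespace: str = ""          # "" for cluster-scoped resources and non-resource URLs
    name: str = ""               # object name, only relevant to resourceNames rules
    non_resource_path: str = ""  # e.g. "/healthz"


def _match(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    """One PolicyRule against one request, with RBAC wildcard semantics."""
    if req.non_resource_path:
        return _match(rule.verbs, req.verb) and any(
            u == "*" or u == req.non_resource_path
            or (u.endswith("*") and req.non_resource_path.startswith(u[:-1]))
            for u in rule.non_resource_urls)
    if rule.non_resource_urls:  # a nonResourceURLs rule never grants resource access
        return False
    if rule.resource_names and not _match(rule.resource_names, req.name):
        return False
    return (_match(rule.verbs, req.verb)
            and _match(rule.api_groups, req.api_group)
            and _match(rule.resources, req.resource))


def subject_matches(subjects: List[Subject], req: Request) -> bool:
    return any((s.kind == "User" and s.name == req.user)
               or (s.kind == "Group" and s.name in req.groups) for s in subjects)


def authorize(bindings: List[Binding], req: Request) -> bool:
    """True if the authorization stage would let the request through."""
    if SYSTEM_PRIVILEGED_GROUP in req.groups:
        return True  # hardcoded superuser group: no binding needed, not revocable via RBAC
    for b in bindings:
        if b.namespace is not None and b.namespace != req.namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if subject_matches(b.subjects, req) and any(rule_allows(r, req) for r in b.role.rules):
            return True
    return False


# --- the objects from this post -------------------------------------------------
cluster_admin = Role("cluster-admin", [
    Rule(api_groups=["*"], resources=["*"], verbs=["*"]),
    Rule(non_resource_urls=["*"], verbs=["*"]),
])
clusterrole_user = Role("ClusterRole-user", [
    Rule(api_groups=[""], resources=["pods"], verbs=["list"]),
])
BINDINGS = [
    Binding("cluster-admin", cluster_admin, [Subject("Group", "system:masters")]),
    Binding("ClusterRoleBinding-user", clusterrole_user, [Subject("User", "kubectl-test")]),
]
# Assumed alternative: the same ClusterRole bound only inside "default" via a RoleBinding.
NAMESPACED_BINDINGS = [
    Binding("pods-reader-default", clusterrole_user, [Subject("User", "kubectl-test")],
            namespace="default"),
]
# Identities exactly as the x509 authenticator derives them from the two CSRs above.
ADMIN = {"user": "admin", "groups": ["system:masters"]}
TEST = {"user": "kubectl-test", "groups": ["kubectl-test"]}

if __name__ == "__main__":
    for label, bindings, req in [
        ("kubectl-test list services (default)", BINDINGS, Request(**TEST, verb="list", resource="services", namespace="default")),
        ("kubectl-test list pods (default)", BINDINGS, Request(**TEST, verb="list", resource="pods", namespace="default")),
        ("kubectl-test list pods (kube-system)", BINDINGS, Request(**TEST, verb="list", resource="pods", namespace="kube-system")),
        ("same, but bound with a RoleBinding", NAMESPACED_BINDINGS, Request(**TEST, verb="list", resource="pods", namespace="kube-system")),
        ("admin delete nodes with no bindings at all", [], Request(**ADMIN, verb="delete", resource="nodes")),
    ]:
        print(f"{label}: {'allowed' if authorize(bindings, req) else 'Forbidden'}")
```

The last check is the one to remember: with every binding removed, a certificate carrying O=system:masters is still allowed to delete nodes, because the privileged-group check runs before RBAC. The RoleBinding variant shows how to keep the same ClusterRole but confine kubectl-test to one namespace.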
References
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
https://kubernetes.io/zh/docs/reference/access-authn-authz/authentication/