k8sRBAC角色访问控制之serviceaccount

在k8s上我们如何控制访问权限呢,答案就是Role-based access control (RBAC) - 基于角色(Role)的访问控制,(RBAC)是一种基于组织中用户的角色来调节控制对 计算机或网络资源的访问的方法。

在早期的K8s版本,RBAC还未出现的时候,整个K8s的安全是较为薄弱的,有了RBAC后,我们可以对K8s集群的访问人员作非常明细化的控制,控制他们能访问什么资源,以只读还是可以读写的形式来访问,目前RBAC是K8s默认的安全授权标准,所以我们非常有必要来掌握RBAC的使用,这样才有更有力的保障我们的K8s集群的安全使用,下面我们将以生产中的实际使用来大家了解及掌握RBAC的生产应用。

RBAC里面的几种资源关系图,下面将用下面的资源来演示生产中经典的RBAC应用

                  |--- Role --- RoleBinding                只在指定namespace中生效
ServiceAccount ---|
                  |--- ClusterRole --- ClusterRoleBinding  不受namespace限制,在整个K8s集群中生效

在我看来,RBAC在K8s上的用途主要分为两大类:

第一类是保证在K8s上运行的pod服务具有相应的集群权限,如gitlab的CI/CD,它需要能访问除自身以外其他pod,比如gitlab-runner的pod的权限,再比如gitlab-runner的pod需要拥有创建新的临时pod的权限,用以来构建CI/CD自动化流水线,这里大家没用过不懂没关系,先简单了解下就可以了,在本课程后面基于K8s及gitlab的生产实战CI/CD内容会给大家作详细实战讲解;

第二类是创建能访问K8s相应资源、拥有对应权限的kube-config配置给到使用K8s的人员,来作为连接K8s的授权凭证

第一类的实战这里先暂时以早期的helm2来作下讲解,helm是一个快捷安装K8s各类资源的管理工具,通过之前给大家讲解的,一个较为完整的服务可能会存在deployment,service,configmap,secret,ingress等资源来组合使用,大家在用的过程中可能会觉得配置使用较为麻烦,这时候helm就出现了,它把这些资源都打包封装成它自己能识别的内容,我们在安装一个服务的时候,就只需要作下简单的配置,一条命令即可完成上述众多资源的配置安装,titller相当于helm的服务端,它是需要有权限在K8s中创建各类资源的,在初始安装使用时,如果没有配置RBAC权限,我们会看到如下报错:

root@node1:~# helm install stable/mysql
Error: no available release name found

这时,我们可以来快速解决这个问题,创建sa关联K8s自带的最高权限的ClusterRole(生产中建议不要这样做,权限太高有安全隐患,这个就和linux的root管理帐号一样,一般都是建议通过sudo来控制帐号权限)

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

第二类,我这里就直接以我在生产中实施的完整脚本来做讲解及实战,相信会给大家带来一个全新的学习感受,并能很快掌握它们:

  1. 创建对指定namespace有所有权限的kube-config (适用于创建新的namespace)

    #!/bin/bash
    #
    # This Script based on  https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html
    # K8s'RBAC doc:         https://kubernetes.io/docs/reference/access-authn-authz/rbac
    # Gitlab'CI/CD doc:     hhttps://docs.gitlab.com/ee/user/permissions.html#running-pipelines-on-protected-branches
    #
    # In honor of the remarkable Windson
    
    BASEDIR="$(dirname "$0")"
    folder="$BASEDIR/kube_config"
    
    echo -e "All namespaces is here: \n$(kubectl get ns|awk 'NR!=1{print $1}')"
    echo "endpoint server if local network you can use $(kubectl cluster-info |awk '/Kubernetes/{print $NF}')"
    
    namespace=$1
    endpoint=$(echo "$2" | sed -e 's,https\?://,,g')
    
    if [[ -z "$endpoint" || -z "$namespace" ]]; then
        echo "Use "$(basename "$0")" NAMESPACE ENDPOINT";
        exit 1;
    fi
    
    if ! kubectl get ns|awk 'NR!=1{print $1}'|grep -w "$namespace";then kubectl create ns "$namespace";else echo "namespace: $namespace was exist.";exit 1 ;fi
    
    echo "---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: $namespace-user
      namespace: $namespace
    ---
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: $namespace-user-full-access
      namespace: $namespace
    rules:
    - apiGroups: ['', 'extensions', 'apps', 'metrics.k8s.io']
      resources: ['*']
      verbs: ['*']
    - apiGroups: ['batch']
      resources:
      - jobs
      - cronjobs
      verbs: ['*']
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: $namespace-user-view
      namespace: $namespace
    subjects:
    - kind: ServiceAccount
      name: $namespace-user
      namespace: $namespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: $namespace-user-full-access
    ---
    # https://kubernetes.io/zh/docs/concepts/policy/resource-quotas/
    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: $namespace-compute-resources
      namespace: $namespace
    spec:
      hard:
        pods: "10"
        services: "10"
        persistentvolumeclaims: "5"
        requests.cpu: "1"
        requests.memory: 2Gi
        limits.cpu: "2"
        limits.memory: 4Gi" | kubectl apply -f -
    kubectl -n $namespace describe quota $namespace-compute-resources
    mkdir -p $folder
    tokenName=$(kubectl get sa $namespace-user -n $namespace -o "jsonpath={.secrets[0].name}")
    token=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data.token}" | base64 --decode)
    certificate=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data['ca\.crt']}")
    
    echo "apiVersion: v1
    kind: Config
    preferences: {}
    clusters:
    - cluster:
        certificate-authority-data: $certificate
        server: https://$endpoint
      name: $namespace-cluster
    users:
    - name: $namespace-user
      user:
        as-user-extra: {}
        client-key-data: $certificate
        token: $token
    contexts:
    - context:
        cluster: $namespace-cluster
        namespace: $namespace
        user: $namespace-user
      name: $namespace
    current-context: $namespace" > $folder/$namespace.kube.conf
    
  2. 创建对指定namespace有所有权限的kube-config(在已有的namespace中创建)

#!/bin/bash


BASEDIR="$(dirname "$0")"
folder="$BASEDIR/kube_config"

echo -e "All namespaces is here: \n$(kubectl get ns|awk 'NR!=1{print $1}')"
echo "endpoint server if local network you can use $(kubectl cluster-info |awk '/Kubernetes/{print $NF}')"

namespace=$1
endpoint=$(echo "$2" | sed -e 's,https\?://,,g')

if [[ -z "$endpoint" || -z "$namespace" ]]; then
    echo "Use "$(basename "$0")" NAMESPACE ENDPOINT";
    exit 1;
fi


echo "---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $namespace-user
  namespace: $namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: $namespace-user-full-access
  namespace: $namespace
rules:
- apiGroups: ['', 'extensions', 'apps', 'metrics.k8s.io']
  resources: ['*']
  verbs: ['*']
- apiGroups: ['batch']
  resources:
  - jobs
  - cronjobs
  verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: $namespace-user-view
  namespace: $namespace
subjects:
- kind: ServiceAccount
  name: $namespace-user
  namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $namespace-user-full-access" | kubectl apply -f -

mkdir -p $folder
tokenName=$(kubectl get sa $namespace-user -n $namespace -o "jsonpath={.secrets[0].name}")
token=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data.token}" | base64 --decode)
certificate=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data['ca\.crt']}")

echo "apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: $certificate
    server: https://$endpoint
  name: $namespace-cluster
users:
- name: $namespace-user
  user:
    as-user-extra: {}
    client-key-data: $certificate
    token: $token
contexts:
- context:
    cluster: $namespace-cluster
    namespace: $namespace
    user: $namespace-user
  name: $namespace
current-context: $namespace" > $folder/$namespace.kube.conf

  1. 同上,创建只读权限的
#!/bin/bash


BASEDIR="$(dirname "$0")"
folder="$BASEDIR/kube_config"

echo -e "All namespaces is here: \n$(kubectl get ns|awk 'NR!=1{print $1}')"
echo "endpoint server if local network you can use $(kubectl cluster-info |awk '/Kubernetes/{print $NF}')"

namespace=$1
endpoint=$(echo "$2" | sed -e 's,https\?://,,g')

if [[ -z "$endpoint" || -z "$namespace" ]]; then
    echo "Use "$(basename "$0")" NAMESPACE ENDPOINT";
    exit 1;
fi


echo "---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $namespace-user-readonly
  namespace: $namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: $namespace-user-readonly-access
  namespace: $namespace
rules:
- apiGroups: ['', 'extensions', 'apps', 'metrics.k8s.io']
  resources: ['pods', 'pods/log']
  verbs: ['get', 'list', 'watch']
- apiGroups: ['batch']
  resources: ['jobs', 'cronjobs']
  verbs: ['get', 'list', 'watch']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: $namespace-user-view-readonly
  namespace: $namespace
subjects:
- kind: ServiceAccount
  name: $namespace-user-readonly
  namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $namespace-user-readonly-access" | kubectl apply -f -

mkdir -p $folder
tokenName=$(kubectl get sa $namespace-user-readonly -n $namespace -o "jsonpath={.secrets[0].name}")
token=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data.token}" | base64 --decode)
certificate=$(kubectl get secret $tokenName -n $namespace -o "jsonpath={.data['ca\.crt']}")

echo "apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: $certificate
    server: https://$endpoint
  name: $namespace-cluster-readonly
users:
- name: $namespace-user-readonly
  user:
    as-user-extra: {}
    client-key-data: $certificate
    token: $token
contexts:
- context:
    cluster: $namespace-cluster-readonly
    namespace: $namespace
    user: $namespace-user-readonly
  name: $namespace
current-context: $namespace" > $folder/$namespace-readonly.kube.conf
  1. 最后,来一个多个集群配置融合的创建,这个在多集群管理方面非常有用,这里只以创建只读权限配置作为演示

    #!/bin/bash
    # describe: create k8s cluster all namespaces resources with readonly clusterrole, no exec 、delete ...
    
    # look system default to study:
    # kubectl describe clusterrole view
    
    # restore all change:
    #kubectl -n kube-system delete sa all-readonly-${clustername}
    #kubectl delete clusterrolebinding all-readonly-${clustername}
    #kubectl delete clusterrole all-readonly-${clustername}
    
    
    clustername=$1
    
    Help(){
        echo "Use "$(basename "$0")" ClusterName(example: k8s1|k8s2|k8s3|delk8s1|delk8s2|delk8s3|3in1)";
        exit 1;
    }
    
    if [[ -z "${clustername}" ]]; then
        Help
    fi
    
    case ${clustername} in
        k8s1)
        endpoint="https://x.x.x.x:123456"
        ;;
        k8s2)
        endpoint="https://x.x.x.x:123456"
        ;;
        k8s3)
        endpoint="https://x.x.x.x:123456"
        ;;
        delk8s1)
        kubectl -n kube-system delete sa all-readonly-k8s1
        kubectl delete clusterrolebinding all-readonly-k8s1
        kubectl delete clusterrole all-readonly-k8s1
        echo "${clustername} successful."
        exit 0
        ;;
        delk8s2)
        kubectl -n kube-system delete sa all-readonly-k8s2
        kubectl delete clusterrolebinding all-readonly-k8s2
        kubectl delete clusterrole all-readonly-k8s2
        echo "${clustername} successful."
        exit 0
        ;;
        delk8s3)
        kubectl -n kube-system delete sa all-readonly-k8s3
        kubectl delete clusterrolebinding all-readonly-k8s3
        kubectl delete clusterrole all-readonly-k8s3
        echo "${clustername} successful."
        exit 0
        ;;
        3in1)
        KUBECONFIG=./all-readonly-k8s1.conf:all-readonly-k8s2.conf:all-readonly-k8s3.conf kubectl config view --flatten > ./all-readonly-3in1.conf
        kubectl --kubeconfig=./all-readonly-3in1.conf config use-context "k8s3"
        kubectl --kubeconfig=./all-readonly-3in1.conf config set-context "k8s3" --namespace="default"
        kubectl --kubeconfig=./all-readonly-3in1.conf config get-contexts
        echo -e "\n\n\n"
        cat ./all-readonly-3in1.conf |base64 -w 0
        exit 0
        ;;
        *)
        Help
    esac
    
    echo "---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: all-readonly-${clustername}
    rules:
    - apiGroups:
      - ''
      resources:
      - configmaps
      - endpoints
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ''
      resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ''
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - extensions
      resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      verbs:
      - get
      - list
      - watch" | kubectl apply -f -
    
    kubectl -n kube-system create sa all-readonly-${clustername}
    kubectl create clusterrolebinding all-readonly-${clustername} --clusterrole=all-readonly-${clustername} --serviceaccount=kube-system:all-readonly-${clustername}
    
    tokenName=$(kubectl -n kube-system get sa all-readonly-${clustername} -o "jsonpath={.secrets[0].name}")
    token=$(kubectl -n kube-system get secret $tokenName -o "jsonpath={.data.token}" | base64 --decode)
    certificate=$(kubectl -n kube-system get secret $tokenName -o "jsonpath={.data['ca\.crt']}")
    
    echo "apiVersion: v1
    kind: Config
    preferences: {}
    clusters:
    - cluster:
        certificate-authority-data: $certificate
        server: $endpoint
      name: all-readonly-${clustername}-cluster
    users:
    - name: all-readonly-${clustername}
      user:
        as-user-extra: {}
        client-key-data: $certificate
        token: $token
    contexts:
    - context:
        cluster: all-readonly-${clustername}-cluster
        user: all-readonly-${clustername}
      name: ${clustername}
    current-context: ${clustername}" > ./all-readonly-${clustername}.conf
    

参考https://www.toutiao.com/article/6942467217019666952

官方RBAC文档:https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐