RBAC
(基于角色的访问控制)
使用 rbac.authorization.k8s.io API 组来实现权限控制,RBAC 允许管理员通过 Kubernetes API 动态地配置权限策略。在 1.8 版本后默认启用,开启 RBAC 授权模式需要在 apiserver 组件中指定 --authorization-mode=RBAC 选项;
关于 kubernetes 手动安装移步查看 kubernetes 1.13.8 二进制手动部署
关于 RBAC授权的基础概念参考 Kubernetes中使用RBAC授权
创建用户
devops
#首先创建一个用于签发证书的 CSR json 文件(即下方 cfssl 命令中的 devops-csr.json)
{
"CN": "devops",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shenzhen",
"L": "Shenzhen",
"O": "k8s",
"OU": "System"
}
]
}
# Sign the devops CSR with the cluster root CA; `cfssljson -bare devops` writes
# devops.pem / devops-key.pem (consumed by `kubectl config set-credentials` below) and devops.csr.
# The certificate lifetime comes from the "kubernetes" profile in k8s-gencert.json (not shown);
# the apiserver has no revocation for x509 client certificates, so keep that lifetime short.
cfssl gencert \
  --ca=/etc/kubernetes/ssl/k8s-root-ca.pem \
  --ca-key=/etc/kubernetes/ssl/k8s-root-ca-key.pem \
  --config=/etc/kubernetes/json/k8s-gencert.json \
  -profile=kubernetes \
  devops-csr.json \
  | cfssljson -bare devops
devops.kubeconfig
创建一个kubeconfig文件,以供kubectl 使用;
# The server is 127.0.0.1 here; replace it with the real apiserver address. A loopback address
# only reaches the apiserver from the host on which it listens, so a kubeconfig built this way
# does not work unchanged on other nodes.
# --embed-certs=true copies the client certificate AND private key into devops.kubeconfig:
# the file is the credential for user "devops" and must be protected like a key (e.g. chmod 600).
kubeconfig=devops.kubeconfig

# Cluster entry: apiserver endpoint plus the CA used to verify it.
kubectl config set-cluster kubernetes \
  --server=https://127.0.0.1:6443 \
  --certificate-authority=/etc/kubernetes/ssl/k8s-root-ca.pem \
  --embed-certs=true \
  --namespace=default \
  --kubeconfig="${kubeconfig}"

# User entry: the certificate/key pair issued by cfssl above.
kubectl config set-credentials devops \
  --client-certificate=devops.pem \
  --client-key=devops-key.pem \
  --embed-certs=true \
  --namespace=default \
  --kubeconfig="${kubeconfig}"

# Context entry ties cluster + user together; the namespace is a field of the context, so this
# is the command where --namespace is actually persisted (elsewhere it is only the global flag).
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devops \
  --namespace=default \
  --kubeconfig="${kubeconfig}"

# Make the new context the current one for this kubeconfig file.
kubectl config use-context kubernetes \
  --namespace=default \
  --kubeconfig="${kubeconfig}"
ClusterRole
本示例创建的是一个对 pods 只读、且作用范围为整个集群(Cluster)的用户;所以需要先创建一个只读的 ClusterRole
# Generate a ClusterRole manifest without creating it (bare --dry-run is the pre-1.18 spelling;
# kubectl >= 1.18 expects --dry-run=client). get/list/watch is the read-only verb set; whatever is
# added to the generated file afterwards widens the grant. pods/exec and pods/attach are
# interactive subresources — include them only if this user really needs exec/attach.
kubectl create clusterrole cluster-devops-reader \
  --verb=get,list,watch \
  --resource=pods,pods/exec,pods/attach,svc \
  --dry-run -o yaml \
  > clusterrole-demo.yaml
## Adjust resources and verbs as needed (generated by the --dry-run command above, then extended).
## NOTE(review): despite the "reader" name this rule set is NOT read-only. Bound through a
## ClusterRoleBinding it applies in every namespace, so "create" on pods/exec and pods/attach
## gives interactive access to every container in the cluster, and patch/update on pods allow
## modifying workloads. For a true read-only role keep only get/list/watch as the generator
## produced; if exec/attach is genuinely required, prefer a namespaced Role/RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-devops-reader
rules:
- apiGroups:
  - ""                 # core API group (pods, services)
  resources:
  - pods
  - pods/attach        # with "create": attach to any container, cluster-wide
  - pods/exec          # with "create": exec into any container, cluster-wide
  - pods/portforward   # with "create": port-forward to any pod
  - pods/proxy
  - services
  - services/proxy     # with get/create: reach any Service through the apiserver proxy
  verbs:
  - create             # not read-only: this is what enables exec/attach/portforward/proxy above
  - get
  - list
  - patch              # not read-only
  - update             # not read-only
  - watch
ClusterRoleBinding
用户以及集群级别的权限(ClusterRole)都已经配置好,下面通过 ClusterRoleBinding 将二者绑定
# kubectl create clusterrolebinding devops-readallpods --clusterrole=cluster-devops-reader --user=devops --dry-run -o yaml
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is the deprecated RBAC version (removed in
# Kubernetes 1.22); the ClusterRole above already uses v1 — use v1 here as well.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: devops-readallpods
# A ClusterRole referenced from a ClusterRoleBinding is granted in every namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-devops-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  # Must match the CN of the client certificate ("CN": "devops" in the CSR above); with x509
  # client-cert auth the certificate's O field ("k8s") is additionally treated as a group name.
  name: devops
保存为 devops-readallpods.yaml 执行 kubectl create -f devops-readallpods.yaml 创建即可
测试权限
将 devops.kubeconfig 文件复制到任意一个节点的 ~/.kube/config,或者直接使用 --kubeconfig 选项进行测试
[root@k8s-node02 .kube]# pwd
/root/.kube
[root@k8s-node02 .kube]# ls
cache config http-cache
[root@k8s-node02 .kube]# cd
[root@k8s-node02 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
apple-app 1/1 Running 3 11d
jevic-app-deploy-65df48dfc6-4nzd8 1/1 Running 3 11d
jevic-app-deploy-65df48dfc6-9d6rw 1/1 Running 0 8d
jevic-app-deploy-65df48dfc6-nptln 1/1 Running 3 10d
myapp 1/1 Running 3 11d
[root@k8s-node02 ~]# kubectl delete pods/myapp
Error from server (Forbidden): pods "myapp" is forbidden: User "devops" cannot delete resource "pods" in API group "" in the namespace "default"
[root@k8s-node02 ~]#
转载请注明出处,本文采用 CC4.0 协议授权