RBAC
基于角色(Role)的访问控制(RBAC)是一种基于组织中用户的角色来调节控制对计算机或网络资源的访问的方法。
RBAC 鉴权机制使用 rbac.authorization.k8s.io API 组来驱动鉴权决定, 允许你通过 Kubernetes API 动态配置策略
要启用 RBAC,在启动 API 服务器时将 --authorization-mode 参数设置为一个逗号分隔的列表并确保其中包含 RBAC。
Role 和 ClusterRole
RBAC 的 Role 或 ClusterRole 中包含一组代表相关权限的规则。 这些权限是纯粹累加的(不存在拒绝某操作的规则), Role 总是用来在某个命名空间内设置访问权限; 在你创建 Role 时,你必须指定该 Role 所属的命名空间。与之相对,ClusterRole 则是一个集群作用域的资源。这两种资源的名字不同(Role 和 ClusterRole) 是因为 Kubernetes 对象要么是命名空间作用域的,要么是集群作用域的,不可两者兼具。
role示例
下面是一个位于 "default" 名字空间的 Role 的示例,可用来授予对 pods 的读访问权限:
bash
$ cat > role-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" 标明 core API 组
resources: ["pods"]
verbs: ["get", "watch", "list"]
EOF
ClusterRole示例
ClusterRole 可以和 Role 相同完成授权。 因为 ClusterRole 属于集群范围,所以它也可以为以下资源授予访问权限:
- 集群范围资源(比如节点(Node))
- 跨命名空间访问的命名空间作用域的资源(如 Pod)
比如,你可以使用 ClusterRole 来允许某特定用户执行 kubectl get pods --all-namespaces
下面是一个 ClusterRole 的示例,可用来为任一特定命名空间中的 Secret 授予读访问权限, 或者跨命名空间的访问权限(取决于该角色是如何绑定的):
bash
$ cat > cluster-role-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" 被忽略,因为 ClusterRoles 不受命名空间限制
name: secret-reader
rules:
- apiGroups: [""]
# 在 HTTP 层面,用来访问 Secret 资源的名称为 "secrets"
resources: ["secrets"]
verbs: ["get", "watch", "list"]
EOF
RoleBinding 和 ClusterRoleBinding
角色绑定(Role Binding)是将角色中定义的权限赋予一个或者一组用户。 它包含若干 主体(用户、组或服务账户)的列表和对这些主体所获得的角色的引用。 RoleBinding 在指定的命名空间中执行授权,而 ClusterRoleBinding 在集群范围执行授权。
一个 RoleBinding 可以引用同一的命名空间中的任何 Role。 或者,一个 RoleBinding 可以引用某 ClusterRole 并将该 ClusterRole 绑定到 RoleBinding 所在的命名空间。 如果你希望将某 ClusterRole 绑定到集群中所有命名空间,你要使用 ClusterRoleBinding。
RoleBinding 示例
下面的例子中的 RoleBinding 将 "pod-reader" Role 授予在 "default" 命名空间中的用户 "jane"。 这样,用户 "jane" 就具有了读取 "default" 命名空间中 pods 的权限。
bash
$ cat > rolebinding-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1。
# 此角色绑定允许 "jane" 读取 "default" 命名空间中的 Pod
# 你需要在该命名空间中有一个名为 "pod-reader" 的 Role
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
# 你可以指定不止一个"subject(主体)"
- kind: User
name: jane # "name" 是区分大小写的
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" 指定与某 Role 或 ClusterRole 的绑定关系
kind: Role # 此字段必须是 Role 或 ClusterRole
name: pod-reader # 此字段必须与你要绑定的 Role 或 ClusterRole 的名称匹配
apiGroup: rbac.authorization.k8s.io
EOF
RoleBinding 也可以引用 ClusterRole,以将对应 ClusterRole 中定义的访问权限授予 RoleBinding 所在命名空间的资源。这种引用使得你可以跨整个集群定义一组通用的角色,之后在多个命名空间中复用。
尽管下面的 RoleBinding 引用的是一个 ClusterRole,"dave"(这里的主体, 区分大小写)只能访问 "development" 命名空间中的 Secrets 对象,因为 RoleBinding 所在的命名空间(由其 metadata 决定)是 "development"。
bash
$ cat > olebinding-clusterrole-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
# 此角色绑定使得用户 "dave" 能够读取 "development" 命名空间中的 Secrets
# 你需要一个名为 "secret-reader" 的 ClusterRole
kind: RoleBinding
metadata:
name: read-secrets
# RoleBinding 的命名空间决定了访问权限的授予范围。
# 这里隐含授权仅在 "development" 命名空间内的访问权限。
namespace: development
subjects:
- kind: User
name: dave # 'name' 是区分大小写的
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
EOF
ClusterRoleBinding示例
要跨整个集群完成访问权限的授予,你可以使用一个 ClusterRoleBinding。 下面的 ClusterRoleBinding 允许 "manager" 组内的所有用户访问任何命名空间中的 Secrets。
bash
cat > clusterrolebinding.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
# 此集群角色绑定允许 "manager" 组中的任何人访问任何名字空间中的 Secret 资源
kind: ClusterRoleBinding
metadata:
name: read-secrets-global
subjects:
- kind: Group
name: manager # 'name' 是区分大小写的
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
EOF
kubernetes RBAC鉴权实战
一、创建普通用户,并使用kubectl工具
目标:Linux下建立一个新的普通用户(Normal User),k8s集群创建 2 个新的 namespace,然后把新的用户设置到其中一个 namespace 当中,让用户只能在一个namespace 中操作。
bash
# 在k8s集群下创建user1和user2 namespce
$ kubectl create ns user1
$ kubectl create ns user2
# 创建user1用户并切换到用户家目录下(当然也可以不需要创建用户,可以通过k8s来切换use-contexts来实现)
$ useradd -m -d /home/user1 -s /bin/bash user1
$ passwd user1
$ cd /home/user1/
# 创建用户私钥
$ openssl genrsa -out user1.key 2048
# 生成一个待签名文件(user1.csr),注意 O=user代表的是它的组,而不是 namespace。
$ openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=user"
# 用 k8s 的 ca 文件来签名这个 user1.csr, 最终产生一个有效期为 3600 天的证书文件。
$ openssl x509 -req -in user1.csr -CA /opt/kubelw/cfssl/ca.pem -CAkey /opt/kubelw/cfssl/ca-key.pem -CAcreateserial -out user1.crt -days 3600
注意:/opt/kubelw/cfssl/ca.pem 、/opt/kubelw/cfssl/ca-key.pem 根据自身集群实际路径填写(多数情况下是在 /etc/kubernetes/pki/路径下)。
$ cat /opt/kubelw/cfssl/ca.pem
-----BEGIN CERTIFICATE-----
MIIDxjCCAq6gAwIBAgIUFJFR4wlmMYvYMzfVcmfL+K2VLDowDQYJKoZIhvcNAQEL
BQAwaTELMAkGA1UEBhMCQ04xEjAQBgNVBAgTCUdVQU5HRE9ORzESMBAGA1UEBxMJ
R1VBTkdaSE9VMQwwCgYDVQQKEwNrOHMxDzANBgNVBAsTBnN5c3RlbTETMBEGA1UE
AxMKa3ViZXJuZXRlczAeFw0yMjA2MjgwNjUyMDBaFw0zMjA2MjUwNjUyMDBaMGkx
CzAJBgNVBAYTAkNOMRIwEAYDVQQIEwlHVUFOR0RPTkcxEjAQBgNVBAcTCUdVQU5H
WkhPVTEMMAoGA1UEChMDazhzMQ8wDQYDVQQLEwZzeXN0ZW0xEzARBgNVBAMTCmt1
YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwbY5jGqc0
uupFuPB3lWtoCXr3UciqfISbGcR+ZzoqRqGOvwp0OLzqsW6zEMvXvJZpTJjrcc+x
SJtHC3eccTrGGM24RsLxgzz++MJFM5Rzr2gDDAspt/5wox6wRK0iLBa07EXztMJR
Tzq5VBqCiLQ8Spte5s9Ghy+MwOWajJojQFHgD7y93QFQMmmyz5Az9GQtL5sIJoIg
vGNUfO++stniceBuhRrpVYWOwNd/ZidHlus7rqtpFKEedOAHFzAUPlZrHf7wQ9QL
9KMYGnaea3uuhEzx/EuuHhozSdR7/lDRNKaQ+8u2e+WeDvXjABhZLgORIqfSOnQq
ncuaBp9svl03AgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
AQH/AgECMB0GA1UdDgQWBBQcgKUPl6v2oiZcLVJWKaIZGn1I1jAfBgNVHSMEGDAW
gBQcgKUPl6v2oiZcLVJWKaIZGn1I1jANBgkqhkiG9w0BAQsFAAOCAQEAhc8gjihU
8RUyxHwnY0UWReJ7BtBIk+UZqbphKKIbtCeIHMgl/I2aSNIpmZsxFhlccnoDRu4S
K8lVI1ck+agUwdDw1BOih5e35bN+ooNWNO6rpywEU8r4kqc9ghUb69QZF5eK6UZU
fxYUf5c78QsZGcvL7iYRGQ/LiNMfdkdzvADBJXy50Li+d+RIZZk7DMCSki8KoRqg
fsC/IzKCV5mvXqEOuXCUK+EjDjdHxeyRA1wyTmQyxfu2kF4M9BKY/Y/mRR54ARvU
6J/xQtkRXw2xn6/e5H2fAFKjPEDRyrXWsfV6Okgl55UAx3Pa+E89lcmMRnVLLFkq
n7hXQuAz4zImXA==
-----END CERTIFICATE-----
$ cat /opt/kubelw/cfssl/ca-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsG2OYxqnNLrqRbjwd5VraAl691HIqnyEmxnEfmc6Kkahjr8K
dDi86rFusxDL17yWaUyY63HPsUibRwt3nHE6xhjNuEbC8YM8/vjCRTOUc69oAwwL
Kbf+cKMesEStIiwWtOxF87TCUU86uVQagoi0PEqbXubPRocvjMDlmoyaI0BR4A+8
vd0BUDJpss+QM/RkLS+bCCaCILxjVHzvvrLZ4nHgboUa6VWFjsDXf2YnR5brO66r
aRShHnTgBxcwFD5Wax3+8EPUC/SjGBp2nmt7roRM8fxLrh4aM0nUe/5Q0TSmkPvL
tnvlng714wAYWS4DkSKn0jp0Kp3LmgafbL5dNwIDAQABAoIBAQCHt18m4WPqbja0
97UTaH+9Aj3zbpg8fZjMbx/2VJYr2zWAR3lVOigpKeCMIsmL5WiXC/M+eshYChBY
sHuMfpXFuWLW9KgVfO04/kcDUNBLxYzvex5DM2SpZPHAirPca6nz9yVAebZZMeds
lUPnUh3Dm2i1sjuUd32eeuyk3K/dmN862G+wigqlkKtjihp0sNbdB1ucFsEVUkAt
eQ3dq0YwL1f7nCg9ZY7PMQ2eh/2JkG0jwTsZA41odyA1OkZBAPBevdgH8hdxV2/y
YNnDWAoxDhOhD4q7tCg862z3F1/55oj9w24Rsm38hJYLl1D0/zHzkmeX1lgkpMQD
LGFK7gsxAoGBAMcsF2yRl7GZfmmiILJPvjua3PQv+YCUIaqr/xFIRMhOBD0dUw67
pAPOxTgEH81hqyY9/CkTH/ZCKLgGz35OPYaJYsTZVM5aSoWkWNJfOqeYNCzaZJwT
O9vVa7KHr0QcfymN8yRLlT4J9f2oPknQt2QqmvwoPDvlsHJhcBzCTWOFAoGBAOLE
LjU21ZHupTVaJ0uposc3uySENw3wZlRcHOyOKy69exf7wMy/N+tTs4g/NvmKhzO9
gpQ9SKJj8n8YrA7I8TxuA4sQT7hCESFKw1tyw3EH8OZrzz1lPvJyHsu/k9xTqqhY
eSwRfvl7KXCOSus+Anb3R8N/rHb/TcPwjNG+QkSLAoGBAI4IDEA45vMYYYRUwHpH
0YHR4sUjvQoLGKML+l3Jqnso327xjXxRJRouBof2sPMWNiWUSFDGOaGz9jOdb7RD
eS6KpGt6DDcHPmNlGo4SqNJBANwHdX2zXZlb7WwnxD2PEMOCXaRBXhEaq1gS9TBQ
bac5lsJAswuHtTcr8vYfPW69AoGADS37xYn/VbD6FyS7PfGJDW0WymOI052SRPrp
j3If3mKS4ez24q+Gb3345EVQS6aafw5XpYf+TbnjYTGs5lsVcj6upAl5qKrmVfoD
arA73bjpbmr7q4TT6MFrOspSrK6ML6acvEv0Bkn7OZh7kDqVaBatLBaijnP+MBIu
DQ6yyUsCgYEAgzBdL2bu6/lHNykHIYlsAECVePAoDRwSNkyDBblhyJgdE/qw1+8c
6qKKm5KhHAOOsfhxCKLUgDxnNJyk17Hu9NKMDHS9HBK8DZSZLR97D1aNETBZzs3R
Aj1/DdFQKYkvG7Tj4S4kTv7OwZ/Z+yMOQO7usgAGUpMJgBs1Wo7l9F4=
-----END RSA PRIVATE KEY-----
# 赋予所有权限
$ chmod 777 -R /home/user1/*
# 修改/root/.kube/config 文件,会自动添加一个user1用户的配置项在/root/.kube/config 文件中。
$ kubectl config set-credentials user1 --client-certificate=/home/user1/user1.crt --client-key=/home/user1/user1.key
$ cat /root/.kube/config
............
- name: user1
user:
client-certificate: /home/user1/user1.crt
client-key: /home/user1/user1.key
# 复制/root.kube/config 文件到/home/user1/.kube
$ mkdir /home/user1/.kube && cp -r /root/.kube/config /home/user1/.kube/
$ chown user1:user1 /home/user1/.kube/*
# 切换到user1用户。
$ su user1
# 修改/home/user1/.kube/config文件。
# 修改前/home/user1/.kube/config 文件。
$ cat /home/user1/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR4akNDQXE2Z0F3SUJBZ0lVRkpGUjR3bG1NWXZZTXpmVmNtZkwrSzJWTERvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FURUxNQWtHQTFVRUJoTUNRMDR4RWpBUUJnTlZCQWdUQ1VkVlFVNUhSRTlPUnpFU01CQUdBMVVFQnhNSgpSMVZCVGtkYVNFOVZNUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJuTjVjM1JsYlRFVE1CRUdBMVVFCkF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTJNamd3TmpVeU1EQmFGdzB6TWpBMk1qVXdOalV5TURCYU1Ha3gKQ3pBSkJnTlZCQVlUQWtOT01SSXdFQVlEVlFRSUV3bEhWVUZPUjBSUFRrY3hFakFRQmdOVkJBY1RDVWRWUVU1SApXa2hQVlRFTU1Bb0dBMVVFQ2hNRGF6aHpNUTh3RFFZRFZRUUxFd1p6ZVhOMFpXMHhFekFSQmdOVkJBTVRDbXQxClltVnlibVYwWlhNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN3Ylk1akdxYzAKdXVwRnVQQjNsV3RvQ1hyM1VjaXFmSVNiR2NSK1p6b3FScUdPdndwME9MenFzVzZ6RU12WHZKWnBUSmpyY2MreApTSnRIQzNlY2NUckdHTTI0UnNMeGd6eisrTUpGTTVSenIyZ0REQXNwdC81d294NndSSzBpTEJhMDdFWHp0TUpSClR6cTVWQnFDaUxROFNwdGU1czlHaHkrTXdPV2FqSm9qUUZIZ0Q3eTkzUUZRTW1teXo1QXo5R1F0TDVzSUpvSWcKdkdOVWZPKytzdG5pY2VCdWhScnBWWVdPd05kL1ppZEhsdXM3cnF0cEZLRWVkT0FIRnpBVVBsWnJIZjd3UTlRTAo5S01ZR25hZWEzdXVoRXp4L0V1dUhob3pTZFI3L2xEUk5LYVErOHUyZStXZUR2WGpBQmhaTGdPUklxZlNPblFxCm5jdWFCcDlzdmwwM0FnTUJBQUdqWmpCa01BNEdBMVVkRHdFQi93UUVBd0lCQmpBU0JnTlZIUk1CQWY4RUNEQUcKQVFIL0FnRUNNQjBHQTFVZERnUVdCQlFjZ0tVUGw2djJvaVpjTFZKV0thSVpHbjFJMWpBZkJnTlZIU01FR0RBVwpnQlFjZ0tVUGw2djJvaVpjTFZKV0thSVpHbjFJMWpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWhjOGdqaWhVCjhSVXl4SHduWTBVV1JlSjdCdEJJaytVWnFicGhLS0lidENlSUhNZ2wvSTJhU05JcG1ac3hGaGxjY25vRFJ1NFMKSzhsVkkxY2srYWdVd2REdzFCT2loNWUzNWJOK29vTldOTzZycHl3RVU4cjRrcWM5Z2hVYjY5UVpGNWVLNlVaVQpmeFlVZjVjNzhRc1pHY3ZMN2lZUkdRL0xpTk1mZGtkenZBREJKWHk1MExpK2QrUklaWms3RE1DU2tpOEtvUnFnCmZzQy9JektDVjVtdlhxRU91WENVSytFakRqZEh4ZXlSQTF3eVRtUXl4ZnUya0Y0TTlCS1kvWS9tUlI1NEFSdlUKNkoveFF0a1JYdzJ4bjYvZTVIMmZBRktqUEVEUnlyWFdzZlY2T2tnbDU1VUF4M1BhK0U4OWxjbU1SblZMTEZrcQpuN2hYUXVBejR6SW1YQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://10.20.43.147:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: admin
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1VENDQXMyZ0F3SUJBZ0lVREozRTY0NDRKVXlEdWh5dEg4czVwWXR5eTZRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FURUxNQWtHQTFVRUJoTUNRMDR4RWpBUUJnTlZCQWdUQ1VkVlFVNUhSRTlPUnpFU01CQUdBMVVFQnhNSgpSMVZCVGtkYVNFOVZNUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJuTjVjM1JsYlRFVE1CRUdBMVVFCkF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTJNamd3TmpVek1EQmFGdzB6TWpBMk1qVXdOalV6TURCYU1HOHgKQ3pBSkJnTlZCQVlUQWtOT01SSXdFQVlEVlFRSUV3bEhWVUZPUjBSUFRrY3hFakFRQmdOVkJBY1RDVWRWUVU1SApXa2hQVlRFWE1CVUdBMVVFQ2hNT2MzbHpkR1Z0T20xaGMzUmxjbk14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVPCk1Bd0dBMVVFQXhNRllXUnRhVzR3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRHgKT0c3a3psd1hTc243dS9GV2JNWGMyRlEyTS9SWDliSjhDNW5ER3ZpMHRRc096RndhcUZwSkx4cCtZakk4K2Z0cwpZU3c1STNpNk5vcEdzNk5yNkhhV0VpVkZHdkFjREdORUhZYTVFNkRXNkNjN1NiSDVvOS8zdmVPZTNZQTF6V3h5CnAxejNGQjl4Tll0dmkyUkpJenZPdnpWRDI4MUdJQ1lSN1ZnZXM3VDJGQUp2V2t5SzRDT0NMbWppRjlRTkNKKzcKVGtYVFZVZjFuRThjZ0lCWHMyVllxNjhFQzlCTDlzUjBJaGFNa05MTHRZcFVVV040UVNGN3hscTZLT0tTUlZXKwpqRXozR3hjK0NsaVNIL2kwSDZ4ZnZYbVBXMWhDQXNqWVhvT3dKWWxpRlYreVFLSktYd241dHVFRVRaTEFPbmJZCjQyNC9MQi9JL2hjK0JXSXBza1piQWdNQkFBR2pmekI5TUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUUKRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBZEJnTlZIUTRFRmdRVQpDMjVOZU4zQmFVV3ZYRWlFallqSHI5WkJybVV3SHdZRFZSMGpCQmd3Rm9BVUhJQ2xENWVyOXFJbVhDMVNWaW1pCkdScDlTTll3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUZsclFaZW9XVUU5VjJMUUM5Tnl5Ynp1NkdsN3dsdVYKd3YwTW9HcWZnNVIwbnJFRDdrbUl5cy9zd0FXQ3FCYkRETjhldU5KUDFWZXp1QnpNUWVQWm9OdXU2ZzhhbEtYVwp0eW92M25EOU1TTTdIc3hvbXM4cjVvOVN2eTNoRHNCTVplUDlMWUlIbzJhUHp4enpzMEhjNGR0Zy9KS1JraCswCm8xbm9lSVBldTNpSXpLeXZDWnZJUk5hd1Y4TzhFVThTL3VRWmhrcXR3d1dCTFVZanF2MTF0WkxYVEdicmMybkoKRTc1TW0zb3B1NTNkR1RjeVFRT0NGOXhuZ09GS0VHNnVjSDNSMHpibnNXNmlySzlDWnFLV0dZZnk3c0NlRGlzeApQbGI1YWZlTkErTGc0dnF1ZENlZi8ycjdBZjNaQXZVNUFzTzFMY3NhMW1URUxnb1ZkaDdEMm44PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBOFRodTVNNWNGMHJKKzd2eFZtekYzTmhVTmpQMFYvV3lmQXVad3hyNHRMVUxEc3hjCkdxaGFTUzhhZm1JeVBQbjdiR0VzT1NONHVqYUtSck9qYStoMmxoSWxSUnJ3SEF4alJCMkd1Uk9nMXVnbk8wbXgKK2FQZjk3M2pudDJBTmMxc2NxZGM5eFFmY1RXTGI0dGtTU003enI4MVE5dk5SaUFtRWUxWUhyTzA5aFFDYjFwTQppdUFqZ2k1bzRoZlVEUWlmdTA1RjAxVkg5WnhQSElDQVY3TmxXS3V2QkF2UVMvYkVkQ0lXakpEU3k3V0tWRkZqCmVFRWhlOFphdWlqaWtrVlZ2b3hNOXhzWFBncFlraC80dEIrc1g3MTVqMXRZUWdMSTJGNkRzQ1dKWWhWZnNrQ2kKU2w4SitiYmhCRTJTd0RwMjJPTnVQeXdmeVA0WFBnVmlLYkpHV3dJREFRQUJBb0lCQVFEYWxLS1lIdzUvNUx0bQpxd1dqcE9rZWw4Q25aU2pTMDhjcWRIQ2V4VC84cjlrWFRjTmdQSkdqbzFWRWxNS2xVbmlyMnRueDVOeXZFR0Q0CmRDdHZ5clE2aExMVkRmWHAxS2ZXdjFLblBzd09NVXZyZzNvTWxweUtwNzBzNWRZWjZzMk1qMi9FVEsyNUxpWHQKcThmeUprVTVzVFlaQ1lIWE82YUR0Q2lYbVl3dk5td21ra3Y1TjBSQ3YyZmdlQVZ2aCtKV1R2eDE3ZDkwNnMwdgo5aUpXYkhhbXk1QUhYK3JLUDc1K3FlR25ja1IvaDN4R3hWZkFIYXFYaTVZWXBWMFo3OE43eGtwRlZEMWg2OVlPCm00emNCUUVWZi80RFhXWnpHYmQrdmpqOWtmUVYrMi9zd1MwRWJOOVRha2I3VVZKcDVmYy9vcFNKNlpKWW9ZcFMKa280M2ZGUnhBb0dCQVBwbUtiRXoyWXowT2dIdjRWaU15TUlkVWQ0L1V4bldRVnM3RURaMTQ5bStwdXhmaFRxNApSSStMOGpZNzhBNWVZYTh5L1I4T1VnR0EvdFpjV015SVdnV1VtQkVWNW9BWXBDVjZRVU0xTjRiYmxGNzNzc0pDClpTZWRQZWN2YVlVK1lYamxZVW9HZzhyeE1iYmdlV3gzOGhNRFdFdGhTcTg2V0NSSjVVdk5pL1l2QW9HQkFQYWQKdGlrNklTbDVkbkp5cGczd3F6OXZ3RjZPV2ZFUjNydVdVREtuTnhPMm9mUWt4WXY5TWlPSVpDZnY2V01PV0FuTQpMeXpQY0MvSEY2T0dGaU1wN1dTNFBKUEZBSW42OHpTT2x5MmMrSVhUVmhvV0plSkZjeDFFY3RHdWVmTmN1QnY2CkxJc1FwUlA1MlJYTnJrYXo2YWE5T3orQlkxYnhFb3o4WmZQOFVaT1ZBb0dBRU9ja21WbXVyZDB1clVMTUszWVYKZDBVVGFiVk1uc25mejVERkgyZ0Y0WVVGTDUrakZydXBwU2NGU3JQeEdJYzJnT1VvUVJodVlMdWNlRXZ6a3BzQgp1SzYzTlRBTlIwaGlqRVVjY3JUODhwV1FCbmtpRUFyN1dSazhQSWJ1MEpmTmJLUFBWWGZySFovNmd5WFVESVpzClNPeEk0WTNIeE54alpzKzJNcy9GU3ZFQ2dZRUF0Z05HTzMxRWxtaW42K1lEK292aXgrb0JqNGYraDdhSnJlZE4KZjJUOGVGYzFob3hSSkhXVnVMWGtQYm1LaGVwRFBjL3VEV040U0RybmptL2JETTdYLzVzZVVtMTJiVi9DZWNxMwpkeG5BTG4wQXNqWWdkYlNPTms2YmMzZ1RWM0xhQ3dRRU5ncnQyeVZ1ZS9JV3F1WUVEMlRnUW9tTE9OS3B2MVpWCkpOTFhubFVDZ1lCY0pTRTgyeEZ0Z1VmanpDdmxXNlVaK0laeE1QNXRFWEpuVDZ0eG42anRQb3VESUU2bTNqdVgKYW1wbEJwZmEyYnA5TExncTRIMWMrSUhRL0E2dGptU1pJaDN1NEFIT3FDcjMwaHptR0NOaTZSU2RGeVdJMWZDSQp0R244QWViUUdxVzVSMjg0amlpWFBROER6d2ZGUWF3UHpyZE5PRUo0Vzc2S3hWTVp0cEpvWGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
- name: user1
user:
client-certificate: /home/user1/user1.crt
client-key: /home/user1/user1.key
# 修改内容一:修改用户
- context:
cluster: kubernetes
user: admin # 此处修改为:user1
name: kubernetes # 此处修改为:user1
current-context: kubernetes # 此处修改为:user1
# 修改内容二:admin用户数据删除掉。
- name: admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1VENDQXMyZ0F3SUJBZ0lVREozRTY0NDRKVXlEdWh5dEg4czVwWXR5eTZRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FURUxNQWtHQTFVRUJoTUNRMDR4RWpBUUJnTlZCQWdUQ1VkVlFVNUhSRTlPUnpFU01CQUdBMVVFQnhNSgpSMVZCVGtkYVNFOVZNUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJuTjVjM1JsYlRFVE1CRUdBMVVFCkF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTJNamd3TmpVek1EQmFGdzB6TWpBMk1qVXdOalV6TURCYU1HOHgKQ3pBSkJnTlZCQVlUQWtOT01SSXdFQVlEVlFRSUV3bEhWVUZPUjBSUFRrY3hFakFRQmdOVkJBY1RDVWRWUVU1SApXa2hQVlRFWE1CVUdBMVVFQ2hNT2MzbHpkR1Z0T20xaGMzUmxjbk14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVPCk1Bd0dBMVVFQXhNRllXUnRhVzR3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRHgKT0c3a3psd1hTc243dS9GV2JNWGMyRlEyTS9SWDliSjhDNW5ER3ZpMHRRc096RndhcUZwSkx4cCtZakk4K2Z0cwpZU3c1STNpNk5vcEdzNk5yNkhhV0VpVkZHdkFjREdORUhZYTVFNkRXNkNjN1NiSDVvOS8zdmVPZTNZQTF6V3h5CnAxejNGQjl4Tll0dmkyUkpJenZPdnpWRDI4MUdJQ1lSN1ZnZXM3VDJGQUp2V2t5SzRDT0NMbWppRjlRTkNKKzcKVGtYVFZVZjFuRThjZ0lCWHMyVllxNjhFQzlCTDlzUjBJaGFNa05MTHRZcFVVV040UVNGN3hscTZLT0tTUlZXKwpqRXozR3hjK0NsaVNIL2kwSDZ4ZnZYbVBXMWhDQXNqWVhvT3dKWWxpRlYreVFLSktYd241dHVFRVRaTEFPbmJZCjQyNC9MQi9JL2hjK0JXSXBza1piQWdNQkFBR2pmekI5TUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUUKRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBZEJnTlZIUTRFRmdRVQpDMjVOZU4zQmFVV3ZYRWlFallqSHI5WkJybVV3SHdZRFZSMGpCQmd3Rm9BVUhJQ2xENWVyOXFJbVhDMVNWaW1pCkdScDlTTll3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUZsclFaZW9XVUU5VjJMUUM5Tnl5Ynp1NkdsN3dsdVYKd3YwTW9HcWZnNVIwbnJFRDdrbUl5cy9zd0FXQ3FCYkRETjhldU5KUDFWZXp1QnpNUWVQWm9OdXU2ZzhhbEtYVwp0eW92M25EOU1TTTdIc3hvbXM4cjVvOVN2eTNoRHNCTVplUDlMWUlIbzJhUHp4enpzMEhjNGR0Zy9KS1JraCswCm8xbm9lSVBldTNpSXpLeXZDWnZJUk5hd1Y4TzhFVThTL3VRWmhrcXR3d1dCTFVZanF2MTF0WkxYVEdicmMybkoKRTc1TW0zb3B1NTNkR1RjeVFRT0NGOXhuZ09GS0VHNnVjSDNSMHpibnNXNmlySzlDWnFLV0dZZnk3c0NlRGlzeApQbGI1YWZlTkErTGc0dnF1ZENlZi8ycjdBZjNaQXZVNUFzTzFMY3NhMW1URUxnb1ZkaDdEMm44PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBOFRodTVNNWNGMHJKKzd2eFZtekYzTmhVTmpQMFYvV3lmQXVad3hyNHRMVUxEc3hjCkdxaGFTUzhhZm1JeVBQbjdiR0VzT1NONHVqYUtSck9qYStoMmxoSWxSUnJ3SEF4alJCMkd1Uk9nMXVnbk8wbXgKK2FQZjk3M2pudDJBTmMxc2NxZGM5eFFmY1RXTGI0dGtTU003enI4MVE5dk5SaUFtRWUxWUhyTzA5aFFDYjFwTQppdUFqZ2k1bzRoZlVEUWlmdTA1RjAxVkg5WnhQSElDQVY3TmxXS3V2QkF2UVMvYkVkQ0lXakpEU3k3V0tWRkZqCmVFRWhlOFphdWlqaWtrVlZ2b3hNOXhzWFBncFlraC80dEIrc1g3MTVqMXRZUWdMSTJGNkRzQ1dKWWhWZnNrQ2kKU2w4SitiYmhCRTJTd0RwMjJPTnVQeXdmeVA0WFBnVmlLYkpHV3dJREFRQUJBb0lCQVFEYWxLS1lIdzUvNUx0bQpxd1dqcE9rZWw4Q25aU2pTMDhjcWRIQ2V4VC84cjlrWFRjTmdQSkdqbzFWRWxNS2xVbmlyMnRueDVOeXZFR0Q0CmRDdHZ5clE2aExMVkRmWHAxS2ZXdjFLblBzd09NVXZyZzNvTWxweUtwNzBzNWRZWjZzMk1qMi9FVEsyNUxpWHQKcThmeUprVTVzVFlaQ1lIWE82YUR0Q2lYbVl3dk5td21ra3Y1TjBSQ3YyZmdlQVZ2aCtKV1R2eDE3ZDkwNnMwdgo5aUpXYkhhbXk1QUhYK3JLUDc1K3FlR25ja1IvaDN4R3hWZkFIYXFYaTVZWXBWMFo3OE43eGtwRlZEMWg2OVlPCm00emNCUUVWZi80RFhXWnpHYmQrdmpqOWtmUVYrMi9zd1MwRWJOOVRha2I3VVZKcDVmYy9vcFNKNlpKWW9ZcFMKa280M2ZGUnhBb0dCQVBwbUtiRXoyWXowT2dIdjRWaU15TUlkVWQ0L1V4bldRVnM3RURaMTQ5bStwdXhmaFRxNApSSStMOGpZNzhBNWVZYTh5L1I4T1VnR0EvdFpjV015SVdnV1VtQkVWNW9BWXBDVjZRVU0xTjRiYmxGNzNzc0pDClpTZWRQZWN2YVlVK1lYamxZVW9HZzhyeE1iYmdlV3gzOGhNRFdFdGhTcTg2V0NSSjVVdk5pL1l2QW9HQkFQYWQKdGlrNklTbDVkbkp5cGczd3F6OXZ3RjZPV2ZFUjNydVdVREtuTnhPMm9mUWt4WXY5TWlPSVpDZnY2V01PV0FuTQpMeXpQY0MvSEY2T0dGaU1wN1dTNFBKUEZBSW42OHpTT2x5MmMrSVhUVmhvV0plSkZjeDFFY3RHdWVmTmN1QnY2CkxJc1FwUlA1MlJYTnJrYXo2YWE5T3orQlkxYnhFb3o4WmZQOFVaT1ZBb0dBRU9ja21WbXVyZDB1clVMTUszWVYKZDBVVGFiVk1uc25mejVERkgyZ0Y0WVVGTDUrakZydXBwU2NGU3JQeEdJYzJnT1VvUVJodVlMdWNlRXZ6a3BzQgp1SzYzTlRBTlIwaGlqRVVjY3JUODhwV1FCbmtpRUFyN1dSazhQSWJ1MEpmTmJLUFBWWGZySFovNmd5WFVESVpzClNPeEk0WTNIeE54alpzKzJNcy9GU3ZFQ2dZRUF0Z05HTzMxRWxtaW42K1lEK292aXgrb0JqNGYraDdhSnJlZE4KZjJUOGVGYzFob3hSSkhXVnVMWGtQYm1LaGVwRFBjL3VEV040U0RybmptL2JETTdYLzVzZVVtMTJiVi9DZWNxMwpkeG5BTG4wQXNqWWdkYlNPTms2YmMzZ1RWM0xhQ3dRRU5ncnQyeVZ1ZS9JV3F1WUVEMlRnUW9tTE9OS3B2MVpWCkpOTFhubFVDZ1lCY0pTRTgyeEZ0Z1VmanpDdmxXNlVaK0laeE1QNXRFWEpuVDZ0eG42anRQb3VESUU2bTNqdVgKYW1wbEJwZmEyYnA5TExncTRIMWMrSUhRL0E2dGptU1pJaDN1NEFIT3FDcjMwaHptR0NOaTZSU2RGeVdJMWZDSQp0R244QWViUUdxVzVSMjg0amlpWFBROER6d2ZGUWF3UHpyZE5PRUo0Vzc2S3hWTVp0cEpvWGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
# 修改后/home/user1/.kube/config文件。
$ cat /home/user1/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR4akNDQXE2Z0F3SUJBZ0lVRkpGUjR3bG1NWXZZTXpmVmNtZkwrSzJWTERvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FURUxNQWtHQTFVRUJoTUNRMDR4RWpBUUJnTlZCQWdUQ1VkVlFVNUhSRTlPUnpFU01CQUdBMVVFQnhNSgpSMVZCVGtkYVNFOVZNUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJuTjVjM1JsYlRFVE1CRUdBMVVFCkF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTJNamd3TmpVeU1EQmFGdzB6TWpBMk1qVXdOalV5TURCYU1Ha3gKQ3pBSkJnTlZCQVlUQWtOT01SSXdFQVlEVlFRSUV3bEhWVUZPUjBSUFRrY3hFakFRQmdOVkJBY1RDVWRWUVU1SApXa2hQVlRFTU1Bb0dBMVVFQ2hNRGF6aHpNUTh3RFFZRFZRUUxFd1p6ZVhOMFpXMHhFekFSQmdOVkJBTVRDbXQxClltVnlibVYwWlhNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN3Ylk1akdxYzAKdXVwRnVQQjNsV3RvQ1hyM1VjaXFmSVNiR2NSK1p6b3FScUdPdndwME9MenFzVzZ6RU12WHZKWnBUSmpyY2MreApTSnRIQzNlY2NUckdHTTI0UnNMeGd6eisrTUpGTTVSenIyZ0REQXNwdC81d294NndSSzBpTEJhMDdFWHp0TUpSClR6cTVWQnFDaUxROFNwdGU1czlHaHkrTXdPV2FqSm9qUUZIZ0Q3eTkzUUZRTW1teXo1QXo5R1F0TDVzSUpvSWcKdkdOVWZPKytzdG5pY2VCdWhScnBWWVdPd05kL1ppZEhsdXM3cnF0cEZLRWVkT0FIRnpBVVBsWnJIZjd3UTlRTAo5S01ZR25hZWEzdXVoRXp4L0V1dUhob3pTZFI3L2xEUk5LYVErOHUyZStXZUR2WGpBQmhaTGdPUklxZlNPblFxCm5jdWFCcDlzdmwwM0FnTUJBQUdqWmpCa01BNEdBMVVkRHdFQi93UUVBd0lCQmpBU0JnTlZIUk1CQWY4RUNEQUcKQVFIL0FnRUNNQjBHQTFVZERnUVdCQlFjZ0tVUGw2djJvaVpjTFZKV0thSVpHbjFJMWpBZkJnTlZIU01FR0RBVwpnQlFjZ0tVUGw2djJvaVpjTFZKV0thSVpHbjFJMWpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWhjOGdqaWhVCjhSVXl4SHduWTBVV1JlSjdCdEJJaytVWnFicGhLS0lidENlSUhNZ2wvSTJhU05JcG1ac3hGaGxjY25vRFJ1NFMKSzhsVkkxY2srYWdVd2REdzFCT2loNWUzNWJOK29vTldOTzZycHl3RVU4cjRrcWM5Z2hVYjY5UVpGNWVLNlVaVQpmeFlVZjVjNzhRc1pHY3ZMN2lZUkdRL0xpTk1mZGtkenZBREJKWHk1MExpK2QrUklaWms3RE1DU2tpOEtvUnFnCmZzQy9JektDVjVtdlhxRU91WENVSytFakRqZEh4ZXlSQTF3eVRtUXl4ZnUya0Y0TTlCS1kvWS9tUlI1NEFSdlUKNkoveFF0a1JYdzJ4bjYvZTVIMmZBRktqUEVEUnlyWFdzZlY2T2tnbDU1VUF4M1BhK0U4OWxjbU1SblZMTEZrcQpuN2hYUXVBejR6SW1YQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://10.20.43.147:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: user1
name: user1
current-context: user1
kind: Config
preferences: {}
users:
- name: user1
user:
client-certificate: /home/user1/user1.crt
client-key: /home/user1/user1.key
# 切换到root用户,创建role,并通过rolebinding与用户绑定,赋予user1用户操作权限
$ cat > user1_role.yaml<< EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: user1 # 通过此角色绑定,"user1"可以读取"user1"名称空间中的Pod、replicasets、deployments。
name: user1Role
rules:
- apiGroups: ["apps"] #目标api群组
resources: ["replicasets", "deployments"] #目标资源的操作权限
verbs: ["get", "watch", "list", "create", "delete", "edit", "exec"]
- apiGroups: [""]
resources: ["pods"] #目标资源的操作权限
verbs: ["get", "watch", "list", "create", "delete", "edit", "exec"]
EOF
$ kubectl create -f user1_role.yaml
$ cat > user1Rolebinding.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rolebind-user1
namespace: user1 # 修改user需要访问的namespace
subjects:
- kind: User
name: user1 # 修改自己定义的user1,user1根role进行绑定。
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: user1Role # 修改自己定义的role名字
apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl create -f user1Rolebinding.yaml
# 进行测试
$ su user1
$ kubectl get deployments -n user1
NAME READY UP-TO-DATE AVAILABLE AGE
deploy-web-user1 3/3 3 3 4h2m
$ kubectl get rs -n user1
NAME DESIRED CURRENT READY AGE
deploy-web-user1-7797f778bd 3 3 3 4h2m
$ kubectl get pod -n user1
NAME READY STATUS RESTARTS AGE
deploy-web-user1-7797f778bd-7sf6g 1/1 Running 0 4h2m
deploy-web-user1-7797f778bd-bhrjj 1/1 Running 0 4h2m
deploy-web-user1-7797f778bd-hrsw4 1/1 Running 0 4h2m
nginx 1/1 Running 0 4h31m
# 如果你试图访问其它namespace你会发现报了权限错误。因为user1没有访问名为user2 namespace资源的权限。
$ kubectl get pod -n user2
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "user2"
二、创建普通用户赋予超级权限
目的:创建kubenetes集群内一个普通用户,然后直接通过Group(组)来绑定它的权限,我们的目标是要绑定默认的超级角色 cluster-admin
bash
# 这次我们为了省时间,就不会在linux创建一个用户了,直接创建一个k8s集群普通用户。
$ mkdir /root/superuser
# 生成私钥
$ openssl genrsa -out superuser.key 2048
# 生成一个待签名文件(superuser.csr),注意 O= system:masters 代表它的超管权限组, 直接代表了superuser用户加入后拥有超管权限。
$ openssl req -new -key superuser.key -out superuser.csr -subj "/CN= superuser /O=system:masters"
# 用 k8s 的 ca 文件来签名这个superuser.csr,最终产生一个有效期为 3600 天的证书文件。
$ openssl x509 -req -in superuser.csr -CA /opt/kubelw/cfssl/ca.pem -CAkey /opt/kubelw/cfssl/ca-key.pem -CAcreateserial -out superuser.crt -days 3600
注意:/opt/kubelw/cfssl/ca.pem 、/opt/kubelw/cfssl/ca-key.pem 根据自身集群实际路径填写(多数情况下是在 /etc/kubernetes/pki/路径下)。
# 修改/root/.kube/config 文件,会自动添加一个用的配置项在/root/.kube/config 文件中。
$ kubectl config set-credentials superuser \
--client-certificate=/root/superuser/superuser.crt \
--client-key=/root/superuser/superuser.key
$ cat /root/.kube/config
..........
- name: superuser
user:
client-certificate: /root/superuser/superuser.crt
client-key: /root/superuser/superuser.key
# 创建一个superuser context
$ kubectl config set-context superuser-context --cluster=kubernetes --user=superuser
# 该命令行在/root/.kube/config 文件中添加了以下文本。
- context:
cluster: kubernetes
user: superuser
name: superuser-context
# 获取当前contexts 环境信息。
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes kubernetes admin
superuser-context kubernetes superuser
user1 kubernetes user1
# 设置 superuser 为当前使用的 context(环境身份文件), 切换后superuser可以操作任意资源。
$ kubectl config use-context superuser-context
$ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default daemon-web-4z9xk 1/1 Running 0 13h
default daemon-web-bh5pc 1/1 Running 0 13h
default daemon-web-t5zb9 1/1 Running 0 13h
default deploy-web-7797f778bd-lzzkg 1/1 Running 0 14h
default deploy-web-7797f778bd-qwh9r 1/1 Running 0 14h
default deploy-web-7797f778bd-xgpmg 1/1 Running 0 14h
ingress-nginx ingress-nginx-admission-create-2fknd 0/1 Completed 0 14d
ingress-nginx ingress-nginx-admission-patch-l5lbm 0/1 Completed 1 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-7vzxs 1/1 Running 2 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-plz4c 1/1 Running 2 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-wkcnt 1/1 Running 4 14d
kube-system coredns-75674bbdf4-h4p24 1/1 Running 2 14d
kube-system kube-flannel-ds-gkxfr 1/1 Running 2 14d
kube-system kube-flannel-ds-scpxh 1/1 Running 4 14d
kube-system kube-flannel-ds-vgnp4 1/1 Running 3 14d
quota-mem-cpu-example quota-mem-cpu-demo 1/1 Running 0 37h
quota-mem-cpu-example quota-mem-cpu-demo2 1/1 Running 0 37h
user1 deploy-web-user1-7797f778bd-7sf6g 1/1 Running 0 5h1m
user1 deploy-web-user1-7797f778bd-bhrjj 1/1 Running 0 5h1m
user1 deploy-web-user1-7797f778bd-hrsw4 1/1 Running 0 5h1m
user1 nginx 1/1 Running 0 5h29m
Service Account
Service Account 为 Pod 提供必要的身份认证。所有的 kubernetes 集群中账户分为两类,Kubernetes管理的 serviceaccount(服务账户)和useraccount(用户账户)。
Service Account 是为了方便 Pod 里面的进程调用 Kubernetes API 或其他外部服务而设计的, 有它自己的namespace,每个namespace 都会自动创建一个default service account。然后Token Controller会自动监测 service account 的创建,并为它们创建kubernetes.io/service-account-token secret。
Service Account 创建
自动创建 service account:
- 创建namespace都会自动创建一个service account;每个 Pod 在创建时都会自动设置 spec.serviceAccountName 为 default。
- 创建pod时候,kubernetes会判断 Pod 引用的 service account 是否已经存在,如不存在,拒绝创建该pod。
- 如果 Pod 没有指定 ImagePullSecrets,则把 service account 的 ImagePullSecrets 加到 Pod 中。
- 每个 container 启动后都会挂载容器宿主机的/var/lib/kubelet/pods/*id/volumes/kubernetes.io~secret/container-name目录里面service account 的 token、ca.crt 和namespace,到容器目录 /var/run/secrets/kubernetes.io/serviceaccount/。
imagePullSecret资源将Secret提供的密码传递给kubelet从而在拉取镜像前完成必要的认证过程(此操作可跳过),简单说就是你的镜像仓库是私有的,每次拉取是需要认证的。
手动创建一个service account
bash
# 创建一个名为app-acount。
$ kubectl create serviceaccount app-acount
# Token Controller会自动监测 service account 的创建,自动创建一个名为app-acount-token-c5h6j的secrets。
$kubectl get secrets
NAME TYPE DATA AGE
app-acount-token-c5h6j kubernetes.io/service-account-token 3 11s
# 向刚创建的service account 添加imagePullSecret。
$ kubectl patch serviceaccount app-acount -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
Service Account 授权
Service Account 为服务提供了一种方便的认证机制,但它不关心授权的问题,但可以配合RBAC来对 Service Account 进行授权。
yaml
cat > rolebinding-serviceaccount.yaml << EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
nonResourceURLs: []
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
EOF