RBAC 鉴权

rbac 权限控制

基于角色的控制访问(Role-Based Access,RBAC)
API Server作为Kubernetes网关,是访问和管理资源对象的唯一入口,其各种集群组件访问资源都需要经过网关才能进行正常访问和管理。每一次的访问请求都需要进行合法性的检验,其中包括身份验证、操作权限验证以及操作规范验证等

其中就包括 serviceAccount , Secret, Role, ClusterRole , RoleBinding, ClusterRoleBinding
RBAC 授权策略会创建一系列的 Role 和 ClusterRole 来绑定相应的资源实体(serviceAccount 或 group),以此来限制其对集群的操作。

pod 中使用kubectl

测试pod

apiVersion: apps/v1
kind: StatefulSet # 腾讯云固定ip必须使用StatefulSet
metadata:
  labels:
    name: comcast
  name: comcast
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: comcast
  serviceName: comcast
  template:
    metadata:
      labels:
        app: comcast #这里是容器的标签
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: comcast
        image: harbor.qima-inc.com/paas/comcast:v1
        imagePullPolicy: Always
      serviceAccount: comcast #指定serviceAccount

serviceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: comcast # ServiceAccount 的名字,给上面的comcast statefulset 使用
  namespace: kube-system
secrets:
- name: comcast-token-test # 给secrets起个名字,serviceAccount的方式是会自动创建secrets

ClusterRole

每一个 Role 都基于 Create, Read, Update, Delete(CRUD)模型来构建,并使用“动词”来应用相应的权限。例如,动词 get 表示能够获取特定资源的详细信息。
创建一个集群角色ClusterRole,因为我们需要访问其他的namespace 资源所以需要设置clusterRole,不然会forbidden。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: exceptionTesting:comcast
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - *
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - patch
  - create
- apiGroups:
  - ""
  resources:
  - configmaps #对configmaps资源操作的
  verbs:
  - '*'
- apiGroups: [""] # 指定api 分组,空字符串""表明使用 core API group
  resources: ["pods/exec"] # 指定资源,该资源表示可以使用exec 指令
  verbs: ["create"]
- apiGroups: ["extensions", "apps"] 
  resources: ["deployments","deployments/scale"] #deployments/scale 是一个资源
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

binding

将角色权限绑定

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: exceptionTesting:comcast # 指定 ClusterRoleBinding 的名字
  resourceVersion: "7990095823"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: exceptionTesting:comcast
subjects:     # 将 ClusterRole绑定到指定的ServiceAccount
- kind: ServiceAccount
  name: comcast
  namespace: kube-system

参考

Kubernetes之ServiceAccount+Secret
exec的执行权限
RBAC鉴权

posted @ 2022-02-15 19:40  zhqqqy  阅读(84)  评论(0编辑  收藏  举报