RBAC 鉴权
rbac 权限控制
基于角色的控制访问(Role-Based Access,RBAC)
API Server作为Kubernetes网关,是访问和管理资源对象的唯一入口,其各种集群组件访问资源都需要经过网关才能进行正常访问和管理。每一次的访问请求都需要进行合法性的检验,其中包括身份验证、操作权限验证以及操作规范验证等
其中就包括 serviceAccount
, Secret
, Role
, ClusterRole
, RoleBinding
, ClusterRoleBinding
RBAC 授权策略会创建一系列的 Role 和 ClusterRole 来绑定相应的资源实体(serviceAccount 或 group),以此来限制其对集群的操作。
pod 中使用kubectl
测试pod
apiVersion: apps/v1
kind: StatefulSet # 腾讯云固定ip必须使用StatefulSet
metadata:
labels:
name: comcast
name: comcast
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: comcast
serviceName: comcast
template:
metadata:
labels:
app: comcast #这里是容器的标签
spec:
terminationGracePeriodSeconds: 10
containers:
- name: comcast
image: harbor.qima-inc.com/paas/comcast:v1
imagePullPolicy: Always
serviceAccount: comcast #指定serviceAccount
serviceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
labels:
app.kubernetes.io/component: comcast
app.kubernetes.io/instance: comcast
app.kubernetes.io/name: comcast
name: comcast # ServiceAccount 的名字,给上面的comcast statefulset 使用
namespace: kube-system
secrets:
- name: comcast-token-test # 给secrets起个名字,serviceAccount的方式是会自动创建secrets
ClusterRole
每一个 Role 都基于 Create, Read, Update, Delete(CRUD)模型来构建,并使用“动词”来应用相应的权限。例如,动词 get 表示能够获取特定资源的详细信息。
创建一个集群角色ClusterRole,因为我们需要访问其他的namespace 资源所以需要设置clusterRole,不然会forbidden。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
labels:
app.kubernetes.io/component: comcast
app.kubernetes.io/instance: comcast
app.kubernetes.io/name: comcast
name: exceptionTesting:comcast
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- *
- apiGroups:
- ""
resources:
- events
verbs:
- patch
- create
- apiGroups:
- ""
resources:
- configmaps #对configmaps资源操作的
verbs:
- '*'
- apiGroups: [""] # 指定api 分组,空字符串""表明使用 core API group
resources: ["pods/exec"] # 指定资源,该资源表示可以使用exec 指令
verbs: ["create"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments","deployments/scale"] #deployments/scale 是一个资源
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
binding
将角色权限绑定
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
labels:
app.kubernetes.io/component: comcast
app.kubernetes.io/instance: comcast
app.kubernetes.io/name: comcast
name: exceptionTesting:comcast # 指定 ClusterRoleBinding 的名字
resourceVersion: "7990095823"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: exceptionTesting:comcast
subjects: # 将 ClusterRole绑定到指定的ServiceAccount
- kind: ServiceAccount
name: comcast
namespace: kube-system
参考
不自见,故明;不自是,故彰;不自伐,故有功;不自矜,故长