Kubernetes ---- RBAC授权管理
RBAC(授权插件)
RBAC基于角色访问控制:
许可: 对于任何一个被访问的对象(k8s组件),对于对象能施加的操作组合,将某些操作权限赋给角色,就完成了授权;
角色: 可以让一个用户扮演一个角色,而这个角色拥有些权限,那么这个用户就拥有了这个角色的权限,权限授权给角色,与rolebinding工作在名称空间级别,授予名称空间范围内的许可权限的;
operations: 允许角色做的操作,写进来就是说明允许,不能定义拒绝;
subject: 对象,对哪些对象做哪些操作;
rolebinding:
将user account OR service account 绑定在哪个角色;
clusterrole: 定义了角色允许的操作后, 与角色绑定的用户执行的操作位于集群,而不仅限于某个名称空间;
clusterrolebinding: 将user account OR service account 绑定在哪个角色;
注:
user可通过rolebinding绑定clusterrole:
所有操作依然是在名称空间范围内,当名称空间过多时,而且每个名称空间都需要一个管理员,直接定义一个clusterrole使用rolebinding就相当于每个用户都是在自己的名称空间中操作的,如果不用这种
方法的话,有N个名称空间就要创建N个role,N个rolebinding;
创建角色:
$ kubectl create role --help
Usage:
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]
$ kubectl create role pod-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
$ vim role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
$ kubectl get role
NAME AGE
pod-reader 39s
$ kubectl describe role pod-reader
....
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
rolebinding创建并绑定:
$ kubectl create rolebinding --help
Usage:
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]
$ kubectl create rolebinding kfree-read-pods --role=pod-reader --user=kfree --dry-run -o yaml > rolebinding-demo.yaml
$ vim rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kfree-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kfree
$ kubectl config use-context kfree@kubernetes
# 发现之前创建的用户已经有了查看pods的权限;
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
deploy-demo-854b57c687-4hbp4 1/1 Running 0 5h26m
deploy-demo-854b57c687-f7txr 1/1 Running 0 5h26m
deploy-demo-854b57c687-t9bbl 1/1 Running 0 5h26m
clusterrole创建并绑定:
$ kubectl create clusterrole --help
Usage:
kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run]
$ kubectl create clusterrole cluster-readers --verb=get,list,watch --resource=pods,deployment --dry-run -o yaml > clusterrole-demo.yaml
$ kubectl apply -f clusterrole-demo.yaml
$ kubectl get clusterrole
....
cluster-readers
....
绑定:
$ kubectl create clusterrolebinding --help
Usage:
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]
$ kubectl create clusterrolebinding kfree-read-all-pods --clusterrole=cluster-readers --user=kfree --dry-run -o yaml > clusterrolebinding-demo.yaml
$ kubectl apply -f clusterrolebinding-demo.yaml
$ kubectl config use-context kfree@kubernetes
# 绑定后发现所有名称空间的deployment与pods资源都可以查看(get,list,watch)
$ kubectl get pods && kubectl get pods -n kube-system
$ kubectl get deploy && kubectl get deploy -n kube-system
使用rolebinding绑定clusterrole:
$ kubectl delete clusterrolebinding kfree-read-all-pods
$ kubectl create rolebinding kfree-read-pods --clusterrole=cluster-readers --user=kfree --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
$ kubectl apply -f rolebinding-clusterrole-demo.yaml
$ kubectl get rolebinding
NAME AGE
kfree-read-pods 3m
$ kubectl config view
....
current-context: kfree@kubernetes
....
$ kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "kfree" cannot list resource "pods" in API group "" in the namespace "kube-system"
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
deploy-demo-854b57c687-4hbp4 1/1 Running 1 18h
deploy-demo-854b57c687-f7txr 1/1 Running 1 18h
deploy-demo-854b57c687-t9bbl 1/1 Running 1 18h