Using RBAC authorization in k8s: creating separate users whose permissions are limited to one namespace
Using RBAC authorization in k8s
https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/

# Create a ServiceAccount
kubectl create sa sa-test-20230408

# Create a pod that runs as this ServiceAccount
[root@master01 sa]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sa-test-pod-20230408
  namespace: default
  labels:
    app: sa
spec:
  serviceAccountName: sa-test-20230408
  containers:
  - name: sa-nginx
    ports:
    - containerPort: 80
    image: nginx
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c","sleep 3600"]

# Enter the pod and call the API with the mounted token: the account is not authorized yet
[root@master01 sa]# kubectl exec -it sa-test-pod-20230408 -- /bin/bash
root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/default
The response contains "code": 403

# Grant sa-test-20230408 the cluster-admin ClusterRole, then call the API again
kubectl create clusterrolebinding sa-test-20230408-clusterrolebinding --clusterrole=cluster-admin --serviceaccount=default:sa-test-20230408
root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/default
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "default",
    "uid": "f6ba86a9-b5ec-4850-a1d4-2afb7fc61083",
    "resourceVersion": "842384",
    "creationTimestamp": "2023-02-22T03:17:00Z",
    "labels": {
      "field.cattle.io/projectId": "p-hph99",
      "kubernetes.io/metadata.name": "default"
    },

# Inspect the clusterrolebinding
[root@master01 ~]# kubectl get clusterrolebinding | grep 20230408
sa-test-20230408-clusterrolebinding   ClusterRole/cluster-admin   2m28s
[root@master01 ~]# kubectl describe clusterrolebinding sa-test-20230408-clusterrolebinding
Name:         sa-test-20230408-clusterrolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  ServiceAccount  sa-test-20230408  default
Creating different users to operate k8s
Restricting what each user may do in the k8s cluster
Certificate (SSL/TLS) authentication
Generate a certificate
(1) Generate a private key
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out k8s-test-20230408.key 2048)
(2) Generate a certificate signing request
openssl req -new -key k8s-test-20230408.key -out k8s-test-20230408.csr -subj "/CN=k8s-test-20230408"
(3) Sign the certificate with the cluster CA
openssl x509 -req -in k8s-test-20230408.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out k8s-test-20230408.crt -days 3650
Add a user k8s-test-20230408 to the kubeconfig
[root@xuegod63 ~]# cp /root/.kube/config /root/.kube/config.bak
(1) Add the user k8s-test-20230408 to the kubernetes cluster config; its certificate is used to authenticate connections to the apiserver
kubectl config set-credentials k8s-test-20230408 --client-certificate=./k8s-test-20230408.crt --client-key=./k8s-test-20230408.key \
  --embed-certs=true
(2) Add a new context to the kubeconfig
kubectl config set-context k8s-test-20230408@kubernetes --cluster=kubernetes --user=k8s-test-20230408
(3) Switch to the k8s-test-20230408 account; by default it has no permissions at all
kubectl config use-context k8s-test-20230408@kubernetes
kubectl config use-context kubernetes-admin@kubernetes   # this is the cluster admin user and has full permissions
Bind the user to a clusterrole through a rolebinding to grant permissions; the permissions are only valid in the k8s-test-20230408 namespace
kubectl create ns k8s-test-20230408
(1) Bind the user k8s-test-20230408 to a clusterrole through a rolebinding
kubectl create rolebinding k8s-test-20230408 -n k8s-test-20230408 --clusterrole=cluster-admin --user=k8s-test-20230408
(2) Switch to the user k8s-test-20230408
kubectl config use-context k8s-test-20230408@kubernetes
(3) Test whether the user has permissions
kubectl get pods -n k8s-test-20230408
Has permission to operate in this namespace
kubectl get pods
No permission to operate in other namespaces
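Both bindings in this post hand out the built-in cluster-admin ClusterRole: once cluster-wide to the ServiceAccount (the ClusterRoleBinding in the first section) and once scoped to a single namespace by the RoleBinding just above. The RoleBinding does confine the grant to that namespace, but inside it the subject still gets every verb on every resource, including secrets and the rolebindings themselves. The script below is an added example, not code from the original post: it renders a namespaced Role holding only the pod verbs the post exercises, plus a RoleBinding for either a User (the certificate CN) or a ServiceAccount, and checks the boundary with kubectl auth can-i. The Role name pod-operator and the verb list are assumptions for the demo; render_namespace_rbac runs offline, apply_namespace_rbac needs a reachable cluster.

```shell
#!/bin/sh
# Added example, not from the original post. Renders a least-privilege
# Role + RoleBinding for one namespace instead of binding cluster-admin.
# Assumptions: the Role name "pod-operator" and the verb list below are
# chosen for this demo; adjust them to what the subject really needs.
set -eu

# render_namespace_rbac <namespace> <User|ServiceAccount> <subject-name> [sa-namespace]
# Prints the two manifests; pipe into `kubectl apply -f -` to create them.
render_namespace_rbac() {
  ns=$1; kind=$2; name=$3; sa_ns=${4:-$1}
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-operator
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-operator-$name
  namespace: $ns
subjects:
- kind: $kind
  name: $name
EOF
  # A ServiceAccount subject is addressed by its own namespace; a User subject
  # (the certificate CN) is a cluster-wide identity and carries the RBAC apiGroup.
  if [ "$kind" = ServiceAccount ]; then
    echo "  namespace: $sa_ns"
  else
    echo "  apiGroup: rbac.authorization.k8s.io"
  fi
  cat <<EOF
roleRef:
  kind: Role
  name: pod-operator
  apiGroup: rbac.authorization.k8s.io
EOF
}

# subject_for_can_i <User|ServiceAccount> <name> <sa-namespace>
# The identity string that `kubectl auth can-i --as` expects for each kind.
subject_for_can_i() {
  if [ "$1" = ServiceAccount ]; then
    echo "system:serviceaccount:$3:$2"
  else
    echo "$2"
  fi
}

# apply_namespace_rbac <namespace> <User|ServiceAccount> <subject-name> [sa-namespace]
# Applies the manifests and verifies the boundary: pods in the namespace yes,
# pods elsewhere no, secrets even inside the namespace no. Needs a cluster.
apply_namespace_rbac() {
  ns=$1; kind=$2; name=$3; sa_ns=${4:-$1}
  render_namespace_rbac "$ns" "$kind" "$name" "$sa_ns" | kubectl apply -f -
  who=$(subject_for_can_i "$kind" "$name" "$sa_ns")
  echo "list pods in $ns:     $(kubectl auth can-i list pods -n "$ns" --as="$who" || true)"
  echo "list pods in default: $(kubectl auth can-i list pods -n default --as="$who" || true)"
  echo "get secrets in $ns:   $(kubectl auth can-i get secrets -n "$ns" --as="$who" || true)"
}

# Stand-alone run prints the manifests for the post's certificate user; set
# APPLY=1 under a context that may create RBAC objects to apply and check them.
render_namespace_rbac k8s-test-20230408 User k8s-test-20230408
if [ "${APPLY:-0}" = 1 ]; then
  apply_namespace_rbac k8s-test-20230408 User k8s-test-20230408
fi
```

With the Role applied, `kubectl get pods -n k8s-test-20230408` still succeeds for the user and `kubectl get pods` in default is still forbidden, exactly as in the post, but `kubectl get secrets -n k8s-test-20230408` is now forbidden too. For the ServiceAccount from the first section, `render_namespace_rbac default ServiceAccount sa-test-20230408` gives the same scoped grant in place of the ClusterRoleBinding to cluster-admin.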
Add an ordinary Linux user k8s-test-20230408
useradd k8s-test-20230408
cp -ar /root/.kube/ /home/k8s-test-20230408/
# View the account currently in use
[root@master01 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.10.202:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: k8s-test-20230408
  name: k8s-test-20230408@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: k8s-test-20230408
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# Edit the copied config file so that only the k8s-test-20230408 user's entries remain
[root@master01 sa]# cat /home/k8stest/.kube/config
chown -R k8s-test-20230408.k8s-test-20230408 /home/k8s-test-20230408/
su - k8s-test-20230408
kubectl get pods -n k8s-test-20230408
[k8stest@master01 ~]$ kubectl apply -f pod2.yaml -n k8s-test-20230408
pod/tomcat-pod-20230408-2 created
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "k8s-test-20230408" cannot list resource "pods" in API group "" in the namespace "default"
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME                    READY   STATUS    RESTARTS   AGE
tomcat-pod-20230408     1/1     Running   0          64s
tomcat-pod-20230408-2   1/1     Running   0          17s
[k8stest@master01 ~]$
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME                    READY   STATUS    RESTARTS   AGE
tomcat-pod-20230408     1/1     Running   0          2m23s
tomcat-pod-20230408-2   1/1     Running   0          96s
[k8stest@master01 ~]$ kubectl delete -f pod2.yaml -n k8s-test-20230408
pod "tomcat-pod-20230408-2" deleted
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME                  READY   STATUS    RESTARTS   AGE
tomcat-pod-20230408   1/1     Running   0          2m42s
Finally, don't forget to switch back to the kubernetes-admin user:
kubectl config use-context kubernetes-admin@kubernetes