Kubernetes Study Notes, Part 10: RBAC (2)

In the previous chapter we briefly covered how users of a k8s cluster are given different permissions with Role/ClusterRole/RoleBinding/ClusterRoleBinding, but the kubeconfig file we used there was admin's. In a real deployment each user should use their own kubeconfig file, so below we configure user permissions the way it is done in practice.

1. Create the dev namespace

[root@k8s-master-155-221 rbac]# cat create-namespace.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: dev

[root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml 
namespace/dev created
[root@k8s-master-155-221 rbac]# kubectl get namespaces 
NAME              STATUS   AGE
default           Active   51d
dev               Active   5s
ingress-nginx     Active   8d
kube-node-lease   Active   51d
kube-public       Active   51d
kube-system       Active   51d

2. Create a test pod in the dev namespace

[root@k8s-master-155-221 rbac]# cat pod-demo.yaml 
apiVersion: v1
kind: Pod
metadata: 
  name: dev-pod-demo
  namespace: dev
  labels:
    app: dev-myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
pod/dev-pod-demo created
[root@k8s-master-155-221 rbac]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          5s

3. Create four users, dev-read / dev-admin / cluster-read / cluster-admin, for read-only and admin access to the namespace and to the cluster respectively

Create the CSR file for dev-read

[root@k8s-master-155-221 cert]# cat dev-read-csr.json 
{
  "CN": "dev-read",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}

Create the certificate and key for the dev-read user

[root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.pem dev-read-csr.json  | cfssljson -bare dev-read
2020/01/20 15:59:20 [INFO] generate received request
2020/01/20 15:59:20 [INFO] received CSR
2020/01/20 15:59:20 [INFO] generating key: rsa-2048
2020/01/20 15:59:21 [INFO] encoded CSR
2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

Create the kubeconfig file for the dev-read user

[root@k8s-master-155-221 cert]# cat tem.kubeconfig 
#!/bin/bash
# set the cluster parameters
export KUBE_APISERVER="https://172.16.155.220:8443"
kubectl config set-cluster kubernetes \
--certificate-authority=/mnt/k8s/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=dev-read.kubeconfig

# set the client authentication parameters
kubectl config set-credentials dev-read \
--client-certificate=/mnt/k8s/cert/dev-read.pem \
--client-key=/mnt/k8s/cert/dev-read-key.pem \
--embed-certs=true \
--kubeconfig=dev-read.kubeconfig

# set the context parameters
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=dev-read \
--kubeconfig=dev-read.kubeconfig

# set the default context
kubectl config use-context kubernetes --kubeconfig=dev-read.kubeconfig
[root@k8s-master-155-221 cert]# sh tem.kubeconfig 
Cluster "kubernetes" set.
User "dev-read" set.
Context "kubernetes" created.
Switched to context "kubernetes".
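As an added example (not code from the post or from kubectl), the following Python builds the same kubeconfig structure that the four kubectl config commands above produce, and then checks it for the mistakes that most often turn into a confusing error on the target node: a current-context that points at a missing user or cluster, a cluster entry without a CA, a plain-http server, or a client-key-data blob that is not a PEM private key. The PEM contents are constructed placeholders standing in for ca.pem, dev-read.pem and dev-read-key.pem; the function names are my own.

```python
"""Build, as plain data, the kubeconfig the four kubectl config commands above
produce, and sanity-check it before handing it to a user.
Added example, not code from the post or from kubectl. The PEM blobs are
CONSTRUCTED placeholders standing in for ca.pem, dev-read.pem and dev-read-key.pem."""
import base64
import json

# CONSTRUCTED placeholder PEMs, not real certificates or keys.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...dev-read...\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...dev-read...\n-----END RSA PRIVATE KEY-----\n"


def pem_to_data(pem: bytes) -> str:
    """--embed-certs=true stores the base64 of the whole PEM file in a *-data field."""
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(server, ca_pem, cert_pem, key_pem, user="dev-read",
                     cluster="kubernetes", context="kubernetes"):
    """Same result as set-cluster, set-credentials, set-context and use-context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": pem_to_data(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": pem_to_data(cert_pem),
            "client-key-data": pem_to_data(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def check_kubeconfig(cfg):
    """Return a list of problems; an empty list means the file is self-contained."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    cur = contexts.get(cfg.get("current-context"))
    if cur is None:
        return ["current-context does not name an existing context"]
    cl = clusters.get(cur["cluster"])
    if cl is None:
        problems.append(f"context references unknown cluster {cur['cluster']!r}")
    else:
        if not cl.get("server", "").startswith("https://"):
            problems.append("cluster server is not an https:// URL")
        has_ca = any(k in cl for k in ("certificate-authority", "certificate-authority-data"))
        if not has_ca and not cl.get("insecure-skip-tls-verify"):
            problems.append("no CA for the API server: a privately signed cluster will fail TLS verification")
    u = users.get(cur["user"])
    if u is None:
        problems.append(f"context references unknown user {cur['user']!r}")
    elif not ({"client-certificate-data", "client-key-data"}.issubset(u) or "token" in u):
        problems.append("user has neither an embedded client cert+key nor a token")
    for name, data in users.items():
        if "client-key-data" in data and b"PRIVATE KEY" not in base64.b64decode(data["client-key-data"]):
            problems.append(f"user {name!r}: client-key-data is not a base64-encoded PEM private key")
    return problems


if __name__ == "__main__":
    cfg = build_kubeconfig("https://172.16.155.220:8443", CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM)
    print(json.dumps(cfg, indent=2))   # kubectl also reads a JSON kubeconfig, since JSON is valid YAML
    print("problems:", check_kubeconfig(cfg))
```

Because --embed-certs=true copies the private key into the file, the resulting kubeconfig is a credential in its own right: it should be transferred and stored with the same care as dev-read-key.pem itself.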

4. Grant the users different permissions

4.1 Allow the dev-read user to read pods in the dev namespace

Copy the dev-read user's kubeconfig file and check its default permissions

# on the master
[root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root   # copy the dev-read kubeconfig from the master to one of the cluster nodes
# on the test node
[root@k8s-node-155-224 ~]# mkdir .kube   # create the default kubeconfig directory, then move the file there under the default name, config
[root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config
[root@k8s-node-155-224 ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"   # dev-read has no permissions yet
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"

Create a Role with read access to pods in the dev namespace

[root@k8s-master-155-221 rbac]# cat role-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-pods-reader
  namespace: dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml 
role.rbac.authorization.k8s.io/dev-pods-reader created
[root@k8s-master-155-221 rbac]# kubectl get role -n dev
NAME              AGE
dev-pods-reader   10s

Create a RoleBinding that binds the dev-read user to the dev-pods-reader Role

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:  
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
[root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
NAME            AGE
dev-read-pods   7s

Test:

[root@k8s-node-155-224 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.155.220:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-read
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-read
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          30m
[root@k8s-node-155-224 ~]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"

4.2 Give the dev-read user admin permissions in the dev namespace

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created

Test whether pods can now be created and deleted

[root@k8s-node-155-224 ~]# cat deploy-demo.yaml 
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: myapp-deploy
  namespace: dev
spec:
  replicas: 3
  selector: 
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: httpd
          containerPort: 80
[root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml 
deployment.apps/myapp-deploy created
[root@k8s-node-155-224 ~]# kubectl get  deploy -n dev
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
myapp-deploy   3/3     3            3           17s
[root@k8s-node-155-224 ~]# kubectl get  pods  -n dev
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s

Sample manifest for a cluster-wide read-only ClusterRole (the user name is up to you)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - secrets
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch

# For the cluster-wide users, bind a ClusterRoleBinding to a ClusterRole instead; the procedure is the same as above and is not repeated here.
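To make the scoping behind the allowed and Forbidden results in sections 4.1, 4.2 and the cluster-read manifest concrete, here is an added Python model of the RBAC decision (example code, not from the post and not the API server's implementation). The dev-pods-reader Role and its RoleBinding are transcribed from the page and the cluster-read ClusterRole is abridged from it; the built-in admin ClusterRole is replaced by a constructed, much shorter stand-in, and the ClusterRoleBindings are constructed, since the page only says they are created the same way. The names Request, binding, authorize and walkthrough are my own.

```python
"""Toy re-implementation of the RBAC decision for the objects on this page.
Added example, not code from the post or from Kubernetes: dev-pods-reader and its
RoleBinding are transcribed from the page, cluster-read is abridged from it, the
built-in "admin" ClusterRole is a CONSTRUCTED short stand-in, and the
ClusterRoleBindings are constructed (the page only says they work the same way)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """What the authorizer sees after client-cert authentication: the certificate CN
    becomes `user`, each O becomes a group (the page's CSRs use O=k8s)."""
    user: str
    verb: str
    resource: str
    namespace: Optional[str] = None   # None: cluster-scoped resource such as nodes
    api_group: str = ""               # "" is the core group (pods, nodes, secrets, ...)
    groups: tuple = ()


READ = ["get", "list", "watch"]
ALL_VERBS = READ + ["create", "delete", "deletecollection", "patch", "update"]

# Roles keyed by (kind, namespace or None, name); a Role exists only in its namespace.
ROLES = {
    ("Role", "dev", "dev-pods-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": READ}],
    ("ClusterRole", None, "admin"): [   # CONSTRUCTED stand-in; the real one is far longer
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"], "verbs": ALL_VERBS},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ALL_VERBS}],
    ("ClusterRole", None, "cluster-read"): [   # abridged from the page's manifest
        {"apiGroups": [""], "resources": ["pods", "nodes", "secrets", "services"], "verbs": READ},
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"], "verbs": READ}],
}


def binding(kind, role_kind, role_name, subjects, namespace=None):
    """RoleBinding (namespace set) or ClusterRoleBinding (namespace None);
    subjects are (kind, name) pairs such as ("User", "dev-read")."""
    return {"kind": kind, "namespace": namespace,
            "roleRef": {"kind": role_kind, "name": role_name}, "subjects": subjects}


def rule_allows(rule, req):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], req.api_group) and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def subject_matches(subject, req):
    kind, name = subject
    return (kind == "User" and name == req.user) or (kind == "Group" and name in req.groups)


def authorize(req, bindings):
    """RBAC is allow-only: any binding whose role has a matching rule permits the
    request; with no match the API server answers Forbidden, as seen on the page."""
    for b in bindings:
        if not any(subject_matches(s, req) for s in b["subjects"]):
            continue
        # A RoleBinding only grants inside its own namespace, even when roleRef is a
        # ClusterRole such as "admin"; a cluster-scoped request (namespace None) never matches.
        if b["kind"] == "RoleBinding" and b["namespace"] != req.namespace:
            continue
        ref = b["roleRef"]
        key = (ref["kind"], b["namespace"] if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_allows(r, req) for r in ROLES.get(key, [])):   # dangling roleRef: deny
            return True
    return False


def walkthrough():
    """Replays the page's steps; returns {probe: allowed} so each can be checked."""
    step1 = [binding("RoleBinding", "Role", "dev-pods-reader", [("User", "dev-read")], "dev")]
    step2 = [binding("RoleBinding", "ClusterRole", "admin", [("User", "dev-read")], "dev")]
    cluster = [binding("ClusterRoleBinding", "ClusterRole", "cluster-read", [("User", "cluster-read")])]
    # CONSTRUCTED: binding the group instead of the user reaches every cert signed with O=k8s
    by_group = [binding("ClusterRoleBinding", "ClusterRole", "cluster-read", [("Group", "k8s")])]

    def req(u, verb, res, ns=None, grp=""):
        return Request(u, verb, res, ns, grp, ("k8s",))

    return {
        "step1: dev-read list pods in dev": authorize(req("dev-read", "list", "pods", "dev"), step1),
        "step1: dev-read list pods in default": authorize(req("dev-read", "list", "pods", "default"), step1),
        "step1: dev-read create pods in dev": authorize(req("dev-read", "create", "pods", "dev"), step1),
        "step2: dev-read create deployments in dev": authorize(req("dev-read", "create", "deployments", "dev", "apps"), step2),
        "step2: dev-read list pods in default": authorize(req("dev-read", "list", "pods", "default"), step2),
        "step2: dev-read list nodes": authorize(req("dev-read", "list", "nodes"), step2),
        "cluster-read: list nodes": authorize(req("cluster-read", "list", "nodes"), cluster),
        "cluster-read: create pods in dev": authorize(req("cluster-read", "create", "pods", "dev"), cluster),
        "group k8s: dev-read list secrets in kube-system": authorize(req("dev-read", "list", "secrets", "kube-system"), by_group),
    }


if __name__ == "__main__":
    for probe, allowed in walkthrough().items():
        print(("allowed   " if allowed else "FORBIDDEN ") + probe)
```

Two practical points the model makes visible. First, a RoleBinding's roleRef is immutable, so switching dev-read-pods from the Role to the admin ClusterRole as in 4.2 only works after the old binding has been deleted; kubectl apply on a changed roleRef is rejected. Second, the cluster-read manifest grants get/list/watch on secrets in every namespace, which exposes every ServiceAccount token and application credential in the cluster, so a "read-only" cluster user built from it should be treated as highly privileged, and bindings to the O=k8s group would extend that to every certificate signed with that organisation.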

Posted by 百衲本