十一,k8s集群访问控制之ServicAccount

认证安全

任何用途操作集群的资源对象是,都要经历三种安全相关的操作:

  1. 任何用户来访问时, 都需要完成kubernetes系统认证操作
  2. 认证通过后, 进行授权检查
  3. 准入控制, 检查是否有权限操作其它的一些资源操作

认证方式:

  1. 令牌认证:token
  2. SSL 秘钥认证:也是最常用的方式,能确认服务器身份
  3. RBAC :全称Role Base AccessControl ,用于授权操作

访问认证流程

客户端 访问 API Server是常用的参数.

user: username, uid
group:
extra:

API
Request path:
    http://172.27.1.241:8888/apis/apps/v1/namespaces/default/deployments/myapp-deploy/  # 8888端口是因为之前在master上执行了kubectl proxy --port=8888 ,查询所在组,可kubectl api-versions查看组
HTTP request verb:  #请求方法,使用curl需要指定请求方法
    get  post  put  delete

API requets verb: #映射到kubernetes请求的动作
    get  list  create  update patch watch proxy  redirect delete  deletecollection

Resource: #请求访问的资源 

Subresource: #请求的子资源 

API group:

连接Api-Server的两类账号

kubernetes 有两类认证值的用户账号,分别是

ServiceAccountName: 是用于Pod客户端认证使用的账户
UserAccount: 用于真实用户,或者说操作集群资源的人使用的账户

ServiceAccount 创建

可以使用kubectl create serviceaccount USER_NAME 来创建

[root@master manifests]# kubectl create serviceaccount admin -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:                     #可以用来导出标准yaml格式。--dry-run执行但不真实创建sa
  creationTimestamp: null
  name: admin

[root@master manifests]# kubectl create serviceaccount admin
serviceaccount/admin created

[root@master manifests]# kubectl get sa
NAME           SECRETS   AGE
admin          1         2s
default        1         37d
[root@master manifests]# kubectl describe sa admin
Name:                admin
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-token-48wdj
Tokens:              admin-token-48wdj      # 自动生产的token
Events:              <none>

当创建一个sa后,会自动创建一个secret

[root@master manifests]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-48wdj          kubernetes.io/service-account-token   3      3m3s        # 这里自动创建的是认证信息,但不代表有权限。
default-token-bc86p        kubernetes.io/service-account-token   3      37d
[root@master manifests]# kubectl describe secret admin-token-48wdj
Name:         admin-token-48wdj
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: dc343339-8eaf-4022-a03a-4cc8df8c9ebf

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFkbWluLXRva2VuLTQ4d2RqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZGMzNDMzMzktOGVhZi00MDIyLWEwM2EtNGNjOGRmOGM5ZWJmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWRtaW4ifQ.xgehKowaM6sHykd6vbfi4hu4M0DxFAYrfuY9fkN_8vkcpi_c4HC8yl0MZD4GQivRVyEPb_7X6A81BkaHLVEHvbt7bl20Gk5F2tnFxWbSGMGNh2pRa0GxtnWEO03EyGHt1Yl_YGdqT13UnwfUFC5302P7dvuC15OKjd3az-vaMu3YgUkAKyceZZRltBasmoWVHdAY1u2kVFpjT60TYPtAyV6eAeDaucB94Ye60EmyhAHBNP8DkdFbWcHT25rdRQa72B_IVZ_ZaeCfJtZkpsg4XplniC1OuXV_25nqXCNRbIqp_yaH7dT0NKhT9_EYEC4b8MYZcL2e_RZyNgBWSUf-9Q
ca.crt:     1025 bytes
namespace:  7 bytes

使用admin 的SA

定义一个清单文件,使用admin的SA

[root@master manifests]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    jubaozhu.com/created-by: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
  serviceAccountName: admin   #在此处给pod定义sa为admin
 [root@master manifests]# kubectl apply -f pod-sa-demo.yaml 
pod/pod-sa-demo created
[root@master manifests]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          3s

查看该Pods的详细信息中servername

[root@master manifests]# kubectl describe pods pod-sa-demo | grep SecretName
    SecretName:  admin-token-46wdj  # 这里已经和admin这个sa对应自动生成的secret名称是一样的。

也可以通过--dry-run-o yaml 来获取yaml配置文件,该命令亦可用于导出标准yaml格式文件

[root@master manifests]# kubectl create serviceaccount admin --dry-run -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: admin

这样就能把导出的yaml格式的保存到文件中,在使用kubectl apply 来执行。

测试 URL访问kubernetes资源

首先,本地要启动一个proxy代理,之后通过这个代理来访问

[root@master ~]# kubectl proxy --port=8080
Starting to serve on 127.0.0.1:8080

再起一个新的终端进行测试

[root@master pki]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/coredns
{
  "kind": "Deployment",
  "apiVersion": "apps/v1",
  "metadata": {
    "name": "coredns",
    "namespace": "kube-system",
    "selfLink": "/apis/apps/v1/namespaces/kube-system/deployments/coredns",
    "uid": "c730eb98-8fe7-47a8-9856-1fc3ff2044aa",
    "resourceVersion": "1039",
    "generation": 1,
    "creationTimestamp": "2019-07-09T08:36:50Z",
    "labels": {
      "k8s-app": "kube-dns"
    },
    "annotations": {
      "deployment.kubernetes.io/revision": "1"
    }
  },
  "spec": {
    "replicas": 2,
    "selector": {
      "matchLabels": {
        "k8s-app": "kube-dns"
... ...
... ...

/apis/apps/v1/namespaces/kube-system/deployments/coredns 这里的访问路径都是固定套路。

这里的路径区别

api 其实的资源,均为核心资源

剩下的其他资源,都需要以 apis 为起始路径。

有哪些资源的客户端需要和APIserver有交互

[root@master pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.cnf --server="https://172.27.1.241:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@master pki]# kubectl config view --kubeconfig=/tmp/test.cnf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.27.1.241:6443
  name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

授权插件:

  1. Node
  2. ABAC
  3. RBAC
  4. Webhook http的回调机制

角色机制: 给特定的角色赋权, 在把对应的角色赋予给用户, 那么该用户就拥有该角色的权限.

APIserver客户端定义的配置文件

包括kubectl、kubelet、kube-controller-manager等在内的API Server的各类客户端都可以使用kubeconfig配置文件提供接入多个集群的相关配置信息,即kubeconfig是用来存放客户端访问认证信息的

包括API Server的URL及认证信息,且可设置不同的上下文,并在各环境之间快速切换

/etc/kubernetes/admin.conf即为kubeconfig格式的配置文件

查看config命令帮助:**

[root@master manifests]# kubectl config --help
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes
place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for
your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When
a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the
last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file

Usage:
  kubectl config SUBCOMMAND [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
名称 注解
set-cluster 设定集群
set-credentials 设定用户账号
set-context 设定上下文
use-context 设定当前上下文

可以直接通过命令的方式进行创建,也可以使用配置清单来定义后,使用kubectl apply -f 来执行设定;

查看当前配置文件的示例说明

[root@master manifests]# kubectl config view
apiVersion: v1                                      # 这里可以看出,config也是一个标准的kubernetes资源对象
clusters:                                           # 集群列表
- cluster:                                          # 定义一个集群,在下面可以定义多个
    certificate-authority-data: DATA+OMITTED        # 服务器发过来的认证方式
    server: https://172.27.1.241:6443                 # 访问验证地址
  name: kubernetes                                  # 集群名称
contexts:                                           # 上下文列表,即账号访问权限列表
- context: 
    cluster: kubernetes                             # 对应用户能访问的集群名称
    user: kubernetes-admin                          # 该上下文对应的用户
  name: kubernetes-admin@kubernetes                 # 此上下文的名称
current-context: kubernetes-admin@kubernetes        # 当前定义的哪个账号可以访问哪个集群
kind: Config
preferences: {}
users:                                              # 用户列表
- name: kubernetes-admin                            # 用户已名称
  user:
    client-certificate-data: REDACTED               # 客户端的认证方式
    client-key-data: REDACTED                       # key信息
      

kubeconfig配置文件简单来说就是在Api-server上有多个集群(clusters)以及多个账号(users),contents就是定义哪些账号可以访问哪些集群的。

kubernetes 集群相关的私有CA证书

[root@master ~]# ll /etc/kubernetes/pki/
-rw-r--r-- 1 root root 1233 Jul  9 16:36 apiserver.crt
-rw-r--r-- 1 root root 1090 Jul  9 16:36 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul  9 16:36 apiserver-etcd-client.key
-rw------- 1 root root 1675 Jul  9 16:36 apiserver.key
-rw-r--r-- 1 root root 1099 Jul  9 16:36 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul  9 16:36 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Jul  9 16:36 ca.crt
-rw------- 1 root root 1679 Jul  9 16:36 ca.key
drwxr-xr-x 2 root root  162 Jul  9 16:36 etcd
-rw-r--r-- 1 root root 1038 Jul  9 16:36 front-proxy-ca.crt
-rw------- 1 root root 1675 Jul  9 16:36 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul  9 16:36 front-proxy-client.crt
-rw------- 1 root root 1679 Jul  9 16:36 front-proxy-client.key
-rw------- 1 root root 1679 Jul  9 16:36 sa.key
-rw------- 1 root root  451 Jul  9 16:36 sa.pub

创建新的apiserver的账号及证书

新建的密钥对就直接放到kubernetes集群对应的pki目录下

[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# ll
total 60
-rw-r--r-- 1 root root 1233 Jul  9 16:36 apiserver.crt
-rw-r--r-- 1 root root 1090 Jul  9 16:36 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Jul  9 16:36 apiserver-etcd-client.key
-rw------- 1 root root 1675 Jul  9 16:36 apiserver.key
-rw-r--r-- 1 root root 1099 Jul  9 16:36 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jul  9 16:36 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 Jul  9 16:36 ca.crt
-rw------- 1 root root 1679 Jul  9 16:36 ca.key
drwxr-xr-x 2 root root  162 Jul  9 16:36 etcd
-rw-r--r-- 1 root root 1038 Jul  9 16:36 front-proxy-ca.crt
-rw------- 1 root root 1675 Jul  9 16:36 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 Jul  9 16:36 front-proxy-client.crt
-rw------- 1 root root 1679 Jul  9 16:36 front-proxy-client.key
-rw------- 1 root root 1679 Jul  9 16:36 sa.key
-rw------- 1 root root  451 Jul  9 16:36 sa.pub

新创建私钥

# 创建过程均在/etc/kubernetes/pki/目录下
[root@master pki]# (umask 077; openssl genrsa -out jerry.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................+++
.....................................................+++
e is 65537 (0x10001)
[root@master pki]# ll jerry.key 
-rw------- 1 root root 1679 Aug 19 16:07 jerry.key

然后基于jerry.key私钥来生成证书使用kubernetes集群的ca.crt来签署

生成证书签署请求

[root@master pki]# openssl req -new -key jerry.key -out jerry.csr -subj "/CN=jerry"
# 注意,最后的 "/CN=jerry" 中的jerry,就是用户名

用ca.crt 来签署

[root@master pki]# openssl x509 -req -in jerry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out jerry.crt -days 365
Signature ok
subject=/CN=jerry
Getting CA Private Key
[root@master pki]# ll jerry.*
-rw-r--r-- 1 root root  973 Aug 19 16:14 jerry.csr
-rw------- 1 root root 1679 Aug 19 16:07 jerry.key

验证查看生成的证书

[root@master pki]# openssl x509 -in jerry.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ea:48:9e:47:1b:2e:19:ac
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes           # 这里可以看到是kubernetes自己的ca.crt证书签署的
        Validity
            Not Before: Aug 19 08:14:53 2019 GMT        # 证书有效期限起始
            Not After : Aug 18 08:14:53 2020 GMT        # 证书有效期限结束
        Subject: CN=jerry       # 作为用户账号连入kubernetes用户
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:e3:a1:7a:db:17:70:57:16:b3:f6:6a:6c:87:
                    50:5f:2f:38:86:67:93:fc:b2:ba:5f:c4:60:16:66:
                    2f:67:29:01:c7:f0:b5:d8:ca:c6:db:ca:42:8a:a8:
                    ce:17:ac:d1:43:64:eb:a8:1b:34:6c:97:d9:49:dc:
                    24:b9:ab:8c:cd:be:6a:ad:ff:70:64:40:51:40:0f:
                    16:d5:61:73:dc:3f:aa:57:4f:7a:c8:60:a7:37:ee:
                    53:d0:ec:25:78:fc:4a:af:81:67:2c:d8:08:0f:a0:
                    4d:38:0f:28:36:4b:f7:c6:bb:a2:0f:4b:33:e4:77:
                    44:83:4d:14:2e:ef:ce:d4:6a:47:37:09:0b:9d:41:
                    ad:07:62:8e:06:94:71:04:f7:1b:a2:e7:6a:d6:86:
                    8e:7c:45:69:5e:a2:74:22:6a:8f:47:c8:ef:ba:f7:
                    d4:08:05:6e:c0:ae:36:bc:68:4b:7f:a5:c8:1c:87:
                    c4:34:a7:28:94:96:49:b1:cc:53:c0:75:7b:c9:44:
                    f4:78:c9:f4:fa:e2:5a:55:64:0d:dd:0a:40:31:19:
                    4e:80:f2:cf:02:f4:48:ae:65:93:a9:e7:41:d7:0b:
                    e1:7a:27:38:dc:4f:9d:12:be:8e:62:2b:73:98:0c:
                    45:07:c5:ad:43:91:06:0e:30:4c:5c:63:9d:25:de:
                    bb:29
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         74:7b:c9:fd:9e:2d:4e:84:c1:f8:83:8d:9a:37:c1:50:27:e3:
         f6:1c:d4:ea:ae:4f:83:f3:dc:23:81:01:fd:3d:02:e1:26:7c:
         8a:94:a7:dd:0a:3c:86:52:45:2a:25:b3:63:3f:51:15:87:0f:
         f9:25:8b:eb:b0:7e:0f:7c:4a:f1:23:b9:72:7e:c6:87:55:16:
         7a:bf:29:2e:da:5f:3c:4c:f2:b2:77:09:fb:fe:5a:38:67:1b:
         db:c5:db:4b:64:87:1c:c7:e8:71:84:92:fd:39:17:9d:7b:b3:
         dc:4b:1a:56:a8:75:63:1e:be:80:ac:98:a6:d7:41:96:8d:44:
         b4:13:79:c6:08:07:b8:4a:8c:5b:04:09:a6:8d:73:47:b5:a8:
         0b:97:40:66:cf:04:bc:01:93:4a:6a:ed:b2:91:94:51:12:0e:
         dd:c9:70:c9:fd:65:ed:49:c2:1a:89:0f:6e:ed:69:1c:d5:2c:
         cb:42:f4:ce:69:bd:99:a2:ff:ea:a7:69:5f:f7:43:b5:c3:03:
         86:67:95:6e:1e:80:c7:8c:35:ac:7f:e6:e2:4e:11:08:dc:cd:
         16:02:e1:cd:59:4d:70:e8:fe:5a:85:4a:18:97:bb:97:f4:6a:
         82:ee:e3:c1:73:b4:2a:24:73:bd:f1:fc:08:02:6c:5d:e1:53:

设定用户账号

[root@master pki]# kubectl config set-credentials jerry --client-certificate=jerry.crt --client-key=jerry.key --embed-certs=true
User "jerry" set.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.27.1.241:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: jerry           # 这里可以看到刚刚设定的用户账号
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

给jerry用户加入上下文

[root@master pki]# kubectl config set-context jerry@kubernetes --cluster=kubernetes --user=jerry
Context "jerry@kubernetes" created.
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.27.1.241:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:                          # 这里开始向下就是jerry的上下文相关的配置了
    cluster: kubernetes
    user: jerry
  name: jerry@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: jerry
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

切换至刚刚增加的jerry用户的对应的

[root@master pki]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.27.1.241:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: jerry
  name: jerry@kubernetes
current-context: jerry@kubernetes       # 看到当前上下文已经切换到 jerry@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: jerry
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

测试jerry用户权限

由于jerry@kubernetes 没有赋予任何角色,所以对集群是没有任何操作权限

[root@master pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "default"

这里报错意思是 default 名称空间中,不能获取数据

重新切换至kubernetes-admin@kubernetes测试

[root@master pki]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master pki]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          3d3h

保存配置文件

默认 kubernetes-admin 的配置文件保存目录是~/.kube/config文件中。

也可以保存到别的目录下:

[root@master ~]# kubectl config set-cluster test --kubeconfig=/tmp/test.conf --server="https://172.27.1.241:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "test" set.
[root@master ~]# kubectl config view --kubeconfig=/tmp/test.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.27.1.241:6443
  name: test
contexts: []
posted @ 2019-10-16 12:24  戴红领巾的少年  阅读(888)  评论(0编辑  收藏  举报
感谢您的阅读,如果您觉得阅读本文对您有帮助,请点一下“推荐”按钮。本文欢迎各位转载,但是转载文章之后必须在文章页面中给出作者和原文连接