授权插件:node ,ABAC,RBAC,webhook
rbac: role-based ac:基于角色授权,k8s1.6起默认使用基于角色的访问控制
ABAC:基于属性的访问控制
角色: Role、ClusterRole
权限:读get、写write、更新update、列出list、监视watch
账户:用户账户、服务账户
角色绑定:Role、ClusterRole、RoleBinding、ClusterRoleBinding
namespace级别的授权:
role:
operation
objects
rolebinding:
user account or service account
role
集群级别的授权:clusterrole,clusterrolebinding
创建role:
#kuebctl create role pods-reader --verb=get,list,watch --resource=pods
#kuebctl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
#kuebctl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pods-reader
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
# kubectl get role
给创建的账号(如myuser)绑定role:
#kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser
#kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser --try-run -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: myuser-read-pods
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: role
name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: myuser
# kubectl get rolebinding
# kubectl config view #查看当前已有的用户账号
切换到某用户
# kubectl config user-context myuser@xxxx
# kubectl get pods
给创建的账号(如myuser)绑定clusterrole:
# kubectl create clusterrolebinding myuser-read-all-pods --clusterrole=cluster-reader --user=myuser --dry-run -oyaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: myuser-read-all-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: myuser
# kubectl get clusterrole
# kubectl get clusterrolebinding
相关命令行工具
获取并查看Role/ClusterRole/RoleBinding/ClusterRoleBinding的信息:
kubectl get role -n kube-system
查看kube-system namespace下的所有role:
kubectl get role <role-name> -n kube-system -o yaml
查看某个role定义的资源权限:
kubectl get rolebinding -n kube-system
查看kube-system namespace下所有的rolebinding:
kubectl get rolebinding <rolebind-name> -n kube-system -o yaml
查看集群所有的clusterrole:
kubectl get clusterrole
查看kube-system namespace下的某个rolebinding详细信息(绑定的Role和subject):
kubectl get clusterrole <clusterrole-name> -o yaml
查看所有的clusterrolebinding:
kubectl get clusterrolebinding
查看某个clusterrole定义的资源权限详细信息:
kubectl get clusterrolebinding <clusterrolebinding-name> -o yaml
有两个kubectl命令可以用于在命名空间内或者整个集群内授予角色。
kubectl create rolebinding
在某一特定名字空间内授予Role或者ClusterRole。示例如下:
a) 在名为”acme”的名字空间中将admin ClusterRole授予用户”bob”:
kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
b) 在名为”acme”的名字空间中将view ClusterRole授予服务账户”myapp”:
kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme
kubectl create clusterrolebinding
在整个集群中授予ClusterRole,包括所有名字空间。示例如下:
a) 在整个集群范围内将cluster-admin ClusterRole授予用户”root”:
kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
b) 在整个集群范围内将system:node ClusterRole授予用户”kubelet”:
kubectl create clusterrolebinding kubelet-node-binding --clusterrole=system:node --user=kubelet
c) 在整个集群范围内将view ClusterRole授予名字空间”acme”内的服务账户”myapp”:
kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp
