12. Kubernetes: RBAC

Part 11: RBAC
RESTful operation objects: permissions are granted to roles; the role a user holds determines which operations that user may perform.

Authorization plugins: Node, ABAC, RBAC, Webhook
   RBAC: Role-Based Access Control
   Role
   Permission

Relationship diagram:

Client access diagram:

role:
  operations: the permitted verbs
  object: the resource they apply to

rolebinding:
  user account or service account
  role

Authorization is defined with standard Kubernetes resources.
Role, RoleBinding: namespace-scoped
ClusterRole, ClusterRoleBinding: cluster role and cluster role binding (cluster-scoped)
Diagram:

A RoleBinding is confined to its namespace; even when it binds a ClusterRole, the permissions only take effect inside that namespace.
RoleBinding: applies only to the current namespace.
ClusterRoleBinding: applies to every namespace in the cluster.

Role, RoleBinding, ClusterRole and ClusterRoleBinding are all standard Kubernetes resources.
Example: to give each namespace its own administrator, define one ClusterRole and bind it in each namespace with a RoleBinding (the role is defined once for the whole cluster, and each user administers only their own namespace without interfering with the others).
[root@k8s-master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml  # preview the object that would be created

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
...
[root@k8s-master rbac]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

[root@k8s-master rbac]# kubectl create -f role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@k8s-master rbac]# kubectl get role
NAME AGE
pods-reader 10s
[root@k8s-master rbac]# kubectl describe role pods-reader
Name: pods-reader
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
Now bind the user:
The user sunny was created in an earlier chapter.
[root@k8s-master rbac]# kubectl create rolebinding sunny-read-pods --role=pods-reader --user=sunny --dry-run -o yaml
[root@k8s-master rbac]# kubectl create rolebinding sunny-read-pods --role=pods-reader --user=sunny --dry-run -o yaml >rolebinding-demo.yaml

[root@k8s-master rbac]# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sunny-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sunny

[root@k8s-master rbac]# kubectl create -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/sunny-read-pods created

[root@k8s-master rbac]# kubectl get rolebinding
NAME              AGE
sunny-read-pods   12s
[root@k8s-master rbac]# kubectl describe rolebinding
Name:         sunny-read-pods
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  sunny 

Verify: switch users
[root@master ~]# kubectl config view   # list the configured users and contexts
[root@master ~]# kubectl config use-context sunny@kubernetes   # switch user and check permissions; the switch affects the whole client (same kubeconfig)
[root@k8s-master rbac]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "sunny" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master rbac]# kubectl get pods -A
Error from server (Forbidden): pods is forbidden: User "sunny" cannot list resource "pods" in API group "" at the cluster scope
[root@k8s-master rbac]# kubectl get pods -n default   # the RoleBinding only takes effect in its own namespace
NAME READY STATUS RESTARTS AGE
myapp-0 1/1 Running 0 28h
...
[root@k8s-master rbac]# kubectl delete pods myapp-0
Error from server (Forbidden): pods "myapp-0" is forbidden: User "sunny" cannot delete resource "pods" in API group "" in the namespace "default"
If all permissions need to be granted, * can be used in place of the list.
To keep a context switch from affecting other windows of the same client, create a separate regular user account with its own copy of the kubeconfig.
[root@k8s-master ~]# useradd ik8s
[root@k8s-master ~]# cp -rp .kube/ /home/ik8s
[root@k8s-master ~]# chown -R ik8s.ik8s /home/ik8s/
[root@k8s-master ~]# su - ik8s
[ik8s@k8s-master ~]$ kubectl config use-context sunny@kubernetes
Switched to context "sunny@kubernetes".
[ik8s@k8s-master ~]$ kubectl config view
[root@k8s-master rbac]# kubectl delete rolebinding sunny-read-pods   # delete the RoleBinding; after switching user, the permission is gone immediately
[root@k8s-master rbac]# kubectl config use-context sunny@kubernetes
Switched to context "sunny@kubernetes".
[root@k8s-master rbac]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "sunny" cannot list resource "pods" in API group "" in the namespace "default"

Next, ClusterRole.
Configuring a ClusterRole together with a RoleBinding (the upgrade pattern)
A ClusterRoleBinding can only bind a ClusterRole.
A RoleBinding can bind either a ClusterRole or a Role.
Create the ClusterRole:
[root@k8s-master ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > clusterrole-demo.yaml
Edit the generated file:

[root@k8s-master rbac]# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Create the ClusterRoleBinding:
[root@k8s-master rbac]# kubectl create clusterrolebinding sunny-read-all-pods --clusterrole=cluster-reader --user=sunny --dry-run -o yaml > clusterrolebinding-demo.yaml
[root@k8s-master rbac]# vim clusterrolebinding-demo.yaml

[root@k8s-master rbac]# cat clusterrolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sunny-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sunny

[root@k8s-master rbac]# kubectl create -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/sunny-read-all-pods created
[ik8s@k8s-master ~]$ kubectl get clusterrolebinding |grep sunn
sunny-read-all-pods 10s
[ik8s@k8s-master ~]$ kubectl describe clusterrolebinding sunny-read-all-pods
Verify: switch users and confirm that read access works; delete was never granted, so there is no delete permission.
With the cluster-level binding, the read-only permission now takes effect across the entire cluster.
Binding a ClusterRole with a RoleBinding downgrades it: the cluster-wide permissions shrink to the single namespace of the RoleBinding.

Try it yourself: bind the ClusterRole with a RoleBinding instead. The read permission that was cluster-wide under the ClusterRoleBinding is then limited to the RoleBinding's namespace.
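The scoping rules described above (a RoleBinding is confined to its namespace whatever it references, a ClusterRoleBinding reaches every namespace and cluster scope, a ClusterRoleBinding may only bind a ClusterRole, and * grants everything) can be replayed offline. The following is an added example written for this page; it is not the post's code and not the Kubernetes authorizer. It reproduces the kubectl decisions shown for the user sunny and the per-namespace admin pattern mentioned at the start; the ClusterRole ns-admin and the users alice and bob are constructed for the example.

```python
"""Toy model of Kubernetes RBAC binding scope (added example, not from the post
or from Kubernetes). Role, binding and user names are constructed."""
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: tuple   # "" is the core API group
    resources: tuple
    verbs: tuple

    def covers(self, group, resource, verb):
        def hit(allowed, value):
            return "*" in allowed or value in allowed   # "*" matches anything
        return (hit(self.api_groups, group) and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class Role:           # namespaced
    name: str
    namespace: str
    rules: list


@dataclass
class ClusterRole:    # cluster-scoped; usable from either binding kind
    name: str
    rules: list


@dataclass
class RoleBinding:
    namespace: str
    role_ref: object  # Role (same namespace) or ClusterRole
    subjects: tuple


@dataclass
class ClusterRoleBinding:
    role_ref: ClusterRole
    subjects: tuple

    def __post_init__(self):
        # A ClusterRoleBinding can only bind a ClusterRole.
        if not isinstance(self.role_ref, ClusterRole):
            raise TypeError("ClusterRoleBinding may only reference a ClusterRole")


def authorize(bindings, user, verb, resource, namespace=None, group=""):
    """True if some binding grants the request. namespace=None models a
    cluster-scoped request such as `kubectl get pods -A`."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if isinstance(b, RoleBinding):
            # A RoleBinding is confined to its namespace, whatever it references.
            if namespace is None or namespace != b.namespace:
                continue
            if isinstance(b.role_ref, Role) and b.role_ref.namespace != namespace:
                continue   # a Role is only usable from its own namespace
        # A ClusterRoleBinding reaches every namespace and cluster scope.
        if any(r.covers(group, resource, verb) for r in b.role_ref.rules):
            return True
    return False


READ_PODS = Rule(("",), ("pods",), ("get", "list", "watch"))
pods_reader = Role("pods-reader", "default", [READ_PODS])
cluster_reader = ClusterRole("cluster-reader", [READ_PODS])
ns_admin = ClusterRole("ns-admin", [Rule(("*",), ("*",), ("*",))])  # constructed

# Stage 1 of the post: sunny holds pods-reader via a RoleBinding in "default".
STAGE1 = [RoleBinding("default", pods_reader, ("sunny",))]
# Stage 2: a ClusterRoleBinding to cluster-reader is added on top.
STAGE2 = STAGE1 + [ClusterRoleBinding(cluster_reader, ("sunny",))]
# Per-namespace admin pattern: one ClusterRole, one RoleBinding per namespace.
TEAM_ADMINS = [RoleBinding("team-a", ns_admin, ("alice",)),
               RoleBinding("team-b", ns_admin, ("bob",))]


def decisions():
    """The kubectl checks from the post, replayed against the model."""
    return {
        "rb: list pods in default": authorize(STAGE1, "sunny", "list", "pods", "default"),
        "rb: list pods in kube-system": authorize(STAGE1, "sunny", "list", "pods", "kube-system"),
        "rb: list pods -A": authorize(STAGE1, "sunny", "list", "pods"),
        "rb: delete pod in default": authorize(STAGE1, "sunny", "delete", "pods", "default"),
        "crb: list pods in kube-system": authorize(STAGE2, "sunny", "list", "pods", "kube-system"),
        "crb: list pods -A": authorize(STAGE2, "sunny", "list", "pods"),
        "crb: delete pod in default": authorize(STAGE2, "sunny", "delete", "pods", "default"),
        "alice: delete deployments in team-a": authorize(TEAM_ADMINS, "alice", "delete", "deployments", "team-a", "apps"),
        "alice: get pods in team-b": authorize(TEAM_ADMINS, "alice", "get", "pods", "team-b"),
    }


if __name__ == "__main__":
    for check, allowed in decisions().items():
        print(f"{check}: {'allowed' if allowed else 'Forbidden'}")
```

The model deliberately ignores everything the real authorizer adds on top (subresources, resourceNames, non-resource URLs, groups and ServiceAccount subjects); what it keeps is the one property the post is driving at, that the binding kind, not the role kind, decides the scope of a grant.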

[root@k8s-master ~]# kubectl get clusterrole admin -oyaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
...
The flannel YAML manifest on GitHub is a good real-world example for deepening understanding of the four RBAC object types.
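The aggregationRule printed above is what lets the built-in admin ClusterRole grow as new resource types are installed: the controller writes into it the union of the rules of every ClusterRole whose labels match one of its selectors. The following added example (not the post's code and not the Kubernetes controller) resolves such a rule offline. It supports matchLabels only; the "admin" selector is the one shown above, and the three labelled ClusterRoles are constructed for the example.

```python
"""Resolve a ClusterRole aggregationRule (added example, not the post's code
and not the Kubernetes controller). matchLabels selectors only."""


def selector_matches(match_labels, labels):
    """matchLabels semantics: every selector key must be present with that value."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def aggregate_rules(aggregated, cluster_roles):
    """Return the rules the controller would write into `aggregated`."""
    selectors = [s["matchLabels"]
                 for s in aggregated["aggregationRule"]["clusterRoleSelectors"]]
    rules = []
    for cr in cluster_roles:
        labels = cr.get("metadata", {}).get("labels", {})
        if any(selector_matches(sel, labels) for sel in selectors):
            for rule in cr.get("rules", []):
                if rule not in rules:          # de-duplicate identical rules
                    rules.append(rule)
    return rules


ADMIN = {  # selector as printed by `kubectl get clusterrole admin -oyaml`
    "metadata": {"name": "admin"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}}]},
}

CONSTRUCTED_ROLES = [  # constructed sample ClusterRoles, not real cluster data
    {"metadata": {"name": "team-pods",
                  "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "secrets-view",
                  "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"metadata": {"name": "unlabelled"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]},
]


def admin_rules():
    """Only the ClusterRole carrying the aggregate-to-admin label contributes."""
    return aggregate_rules(ADMIN, CONSTRUCTED_ROLES)


if __name__ == "__main__":
    for rule in admin_rules():
        print(rule)
```

The practical consequence for reviewers: any ClusterRole that carries the aggregate-to-admin label silently extends what every admin-bound subject can do, so those labels deserve the same scrutiny as the admin ClusterRole itself.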
This completes the RBAC walkthrough.

Posted 2023-07-15 22:01 by wang_wei123