28. RBAC
28.1 Kubernetes API 鉴权流程
Kubernetes API Server 首先验证客户端身份是否合法(例如是否为有效的 service account 账户),如果认证失败则 API 服务器直接返回状态码 401 并终止请求。此步骤会检查请求头部和客户端凭据,如:client certificates、password、tokens。
如果请求者身份有效,API 服务器继续验证该客户端是否有权限执行当前请求的操作,如果未经授权则返回 403 并终止请求。此步骤会根据授权策略(Policy)检查请求的动作(verbs),如 get、delete。
如果客户端权限验证通过,则由 API 服务器的准入控制器(Admission Controller)判断请求是否被允许执行。
此步骤由各准入控制器对请求内容进行检查,如:DenyExecOnPrivileged、LimitRanger 等。
28.2 RBAC简介
RBAC API声明了四种Kubernetes对象:Role、ClusterRole、RoleBinding和ClusterRoleBinding
Role:定义一组规则,用于访问命名空间中的Kubernetes资源
RoleBinding:定义用户和角色(Role)的绑定关系
ClusterRole:定义一组访问集群范围内 Kubernetes 资源(跨所有命名空间)的规则
ClusterRoleBinding:定义了用户和集群角色(ClusterRole)的绑定关系
28.3 创建角色生成token授权并登录
root@k8s-master1:~# kubectl create serviceaccount quyi -n demo
serviceaccount/quyi created
root@k8s-master1:~# kubectl get sa -n demo
NAME SECRETS AGE
default 0 7d3h
quyi 0 8s
root@k8s-master1:~/20220814/RBAC-yaml-case# vim magedu-role.yaml
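kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: demo
  name: quyi-role
rules:
# Each rule grants the listed verbs on the listed resources, inside namespace "demo" only.
# apiGroups entries are API *group* names ("" for core, "apps", ...), never group/version strings.
- apiGroups: ["*"]            # any API group; pods/exec actually lives in the core group ("")
  resources: ["pods/exec"]    # the exec subresource: "create" on it allows running commands inside pods
  # verbs: ["*"]              # alternative: every verb
  ## RO-Role
  verbs: ["get", "list", "watch", "create"]  # NOTE: "create" here is not read-only
- apiGroups: ["*"]
  resources: ["pods"]
  # verbs: ["*"]
  ## RO-Role
  verbs: ["get", "list", "watch", "delete"]  # NOTE: "delete" here is not read-only
- apiGroups: ["apps"]         # fixed: was "apps/v1"; RBAC matches on the group name, so "apps/v1" never matched Deployments
  resources: ["deployments"]
  # verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  ## RO-Role
  verbs: ["get", "watch", "list"]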
#查看
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -n demo
NAME CREATED AT
quyi-role 2022-12-17T06:27:20Z
#查看详细信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo
# RoleBinding: grants the rules of Role quyi-role to ServiceAccount demo/quyi, within namespace demo only.
# NOTE(review): the subject is a ServiceAccount; a user authenticating with a client certificate
# (username = certificate CN) is not covered by this binding.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-bind-quyi
namespace: demo
subjects:
- kind: ServiceAccount # subject type: a service account
name: quyi
namespace: demo # binds service account quyi in namespace demo to the Role quyi-role
roleRef:
kind: Role # type of the referenced object (a namespaced Role, not a ClusterRole)
name: quyi-role
apiGroup: rbac.authorization.k8s.io
#查看账号信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get sa -o yaml -n demo
#查看role信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo
#查看rolebinding信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io -o yaml -n demo
#绑定成功了
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io role-bind-quyi -o yaml -n demo
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"role-bind-quyi","namespace":"demo"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"quyi-role"},"subjects":[{"kind":"ServiceAccount","name":"quyi","namespace":"demo"}]}
creationTimestamp: "2022-12-17T06:33:14Z"
name: role-bind-quyi
namespace: demo
resourceVersion: "279142"
uid: 6e261f82-1112-4cd9-b8e2-36aaf80e0426
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: quyi-role #roleRef 引用的 Role 名称
subjects:
- kind: ServiceAccount
name: quyi #被绑定的 ServiceAccount 名称
namespace: demo #该 ServiceAccount 所在的名称空间
root@k8s-master1:~/20220814/RBAC-yaml-case# cat quyi-tokem.yaml
# Secret of type kubernetes.io/service-account-token: the control plane populates it with
# ca.crt, namespace and a non-expiring token for the service account named in the annotation.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: quyi-admin-user
namespace: demo
annotations:
kubernetes.io/service-account.name: "quyi" # service account the token is issued for
#查看
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get secrets -n demo
NAME TYPE DATA AGE
quyi-admin-user kubernetes.io/service-account-token 3 9s
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl describe secrets quyi-admin-user -n demo
Name: quyi-admin-user
Namespace: demo
Labels: <none>
Annotations: kubernetes.io/service-account.name: quyi
kubernetes.io/service-account.uid: 0e05998b-30d7-4749-a1a0-72da075b49d5
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1302 bytes
#这个 token 就是该 service account 的认证凭据(Secret 中的 token 不会自动过期),可直接用于登录
namespace: 4 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw
root@k8s-master1:~/20220814/RBAC-yaml-case#
28.4 生成kubeconfig文件登录
#找出超级管理员的token
root@k8s-master1:~/dashboard-v2.6.0# kubectl get secrets -A | grep admin
#例如:查看该 secret 并复制出其中的 token
root@k8s-master1:~/dashboard-v2.6.0# kubectl describe secrets -n kuboard kuboard-admin-token
#将这个 token 追加到 /root/.kube/config 中对应 user 条目的 token 字段(缩进 4 个空格对齐),保存退出即可
28.5 普通用户实现kubeconfig文件登录
root@k8s-master1:~/20220814/RBAC-yaml-case/certs# cat magedu-csr.json
{
"CN": "China",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
root@k8s-deploy-ha:~# cat /etc/kubeasz/clusters/k8s-cluster1/ssl/ca-config.json
{
"signing": {
"default": {
"expiry": "438000h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "438000h"
}
},
"profiles": {
"kcfg": {
"usages": [
"signing",
"key encipherment",
"client auth"
],
"expiry": "438000h"
}
}
}
}
#这里用的是同一个 k8s 集群的 CA 签发,所以签出的证书会被该集群信任。注意:上面 ca-config.json 的 signing 段里出现了两个 profiles 键,多数 JSON 解析器只保留后一个,-profile=kubernetes 所引用的 profile 可能因此丢失,应把 kubernetes 和 kcfg 合并到同一个 profiles 对象中;另外上面查看的是 magedu-csr.json,而这里签发的是 ./quyi-csr.json,需确认是同一份 CSR。
# Sign the quyi client CSR with the cluster CA using the "kubernetes" profile from ./ca-config.json;
# cfssljson -bare writes quyi.pem, quyi-key.pem and quyi.csr into the current directory.
cfssl gencert \
  -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=./ca-config.json \
  -profile=kubernetes \
  ./quyi-csr.json \
  | cfssljson -bare quyi
#该文件中 server 的 IP 实际应改为集群的 VIP
root@k8s-master1:~/20220814/RBAC-yaml-case/certs# vim /root/.kube/config
#为普通用户生成独立的 kubeconfig 文件(quyi.kubeconfig):先写入集群信息
# Add cluster entry "cluster1" to quyi.kubeconfig; --embed-certs inlines the CA so the file is self-contained.
kubectl config set-cluster cluster1 \
  --kubeconfig=quyi.kubeconfig \
  --server=https://127.0.0.1:6443 \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true
#设置客户端认证参数:
# Copy the freshly signed cert/key next to the cluster CA, then add user "quyi" to the kubeconfig.
# The cert and key are embedded, so quyi.kubeconfig does not depend on these paths afterwards.
cp *.pem /etc/kubernetes/ssl/
kubectl config set-credentials quyi \
  --kubeconfig=quyi.kubeconfig \
  --embed-certs=true \
  --client-certificate=/etc/kubernetes/ssl/quyi.pem \
  --client-key=/etc/kubernetes/ssl/quyi-key.pem
然后 quyi.kubeconfig 里就会多出一个名为 quyi 的用户条目。注意:使用客户端证书认证时,API Server 以证书的 CN 作为用户名、O 作为组名,上面 CSR 中的 CN 是 China、O 是 k8s,而前面的 RoleBinding 绑定的是 ServiceAccount quyi,并不会授权给这个证书用户,需要另外为用户 China(或组 k8s)创建 RoleBinding。
#设置上下文参数(多集群使用上下文区分)
https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/
# Context "cluster1" ties the cluster entry, the user entry and a default namespace together.
kubectl config set-context cluster1 \
  --kubeconfig=quyi.kubeconfig \
  --namespace=demo \
  --user=quyi \
  --cluster=cluster1
然后 quyi.kubeconfig 中就会有如下上下文(context)信息了
contexts:
- context:
cluster: cluster1
namespace: demo
user: quyi
name: cluster1
#设置默认上下文
# Make "cluster1" the current context of quyi.kubeconfig (--kubeconfig is a global flag, so it may precede the subcommand).
kubectl --kubeconfig=quyi.kubeconfig config use-context cluster1
#编辑 quyi.kubeconfig,在 user 条目下追加 token 字段(缩进 4 个空格)
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw