k8s安全管理认证

1、SA

Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务而设计的。

  • 是为Pod中的进程调用Kubernetes API而设计;

  • 仅局限它所在的namespace;

  • 每个namespace都会自动创建一个default service account;

  • Token controller检测service account的创建,并为它们创建secret(注意:自 Kubernetes 1.24 起不再为 SA 自动生成基于 Secret 的长期 token,Pod 改为通过投射卷获得有时限、绑定到该 Pod 的 token;确需长期 token 时须手动创建 kubernetes.io/service-account-token 类型的 Secret);

开启ServiceAccount Admission Controller后,每个Pod在创建后都会自动设置spec.serviceAccountName为default(除非指定了其他ServiceAccount;spec.serviceAccount 是已废弃的旧字段名);验证Pod引用的service account已经存在,否则拒绝创建;如果Pod没有指定ImagePullSecrets,则把service account的ImagePullSecrets加到Pod中;每个container启动后都会挂载该service account的token和ca.crt到/var/run/secrets/kubernetes.io/serviceaccount/。安全上要注意:这个 token 就是容器内进程访问 API 的凭据,容器一旦被攻破即可冒用该 SA 的权限,因此不需要访问 API 的 Pod 应在 Pod 或 ServiceAccount 上设置 automountServiceAccountToken: false。

创建SA用户

# vim 01_k8s_pod_test.yml
# ServiceAccount + Pod example: the Pod runs as a custom SA instead of the
# namespace's auto-created "default" SA. Neither object sets
# metadata.namespace, so both are created in the namespace of the current
# kubectl context.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: superopsmsb-sa
  # A ServiceAccount is namespaced: only Pods in the same namespace can use
  # it. It carries no permissions by itself; access comes from Role /
  # ClusterRole bindings that list it as a subject.
---
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-1
spec:
  containers:
  - image: nginx:1.23.0
    name: my-nginx
  # Binds the Pod to the SA above; the ServiceAccount admission controller
  # rejects the Pod if the SA does not exist. The SA token is auto-mounted
  # under /var/run/secrets/kubernetes.io/serviceaccount/, so anyone who can
  # exec into this container can act as superopsmsb-sa. For workloads that
  # never call the API, add `automountServiceAccountToken: false` here.
  serviceAccountName: superopsmsb-sa

## Creates the SA and the Pod in the current context's namespace.
# kubectl apply -f 01_k8s_pod_test.yml 
## Every namespace also has an auto-created "default" SA; it is listed
## alongside superopsmsb-sa.
# kubectl get sa
# kubectl get pods -o wide
## The describe output shows the SA token mounted into the container at
## /var/run/secrets/kubernetes.io/serviceaccount/ -- this is the credential
## an attacker obtains by compromising the container, so keep the SA's RBAC
## minimal.
# kubectl describe pod my-nginx-1

2、UA

创建UA(基于客户端证书的普通用户)。注意:证书的 CN 即 Kubernetes 用户名,O 字段即该用户所属的组(可有多个);`system:` 前缀是 Kubernetes 保留给系统组件的,自定义用户名和组名都不应以 system: 开头,下例中的 "system:test" 仅为演示,生产环境请换成其他组名。

## CSR definition for user "test". cfssl signs it with the cluster CA in the
## next step; the CN becomes the Kubernetes username and each "O" entry a
## group the user belongs to. "hosts" stays empty for a client certificate.
# vim test-csr.json 
 {
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:test",             
      "OU": "system"
    }
  ]
}


## Sign the CSR with the cluster CA. Profile "kubernetes" comes from
## ca-config.json (not shown), which decides key usage and, importantly,
## the certificate lifetime. cfssljson writes test.pem (client cert) and
## test-key.pem (private key); the key is the user's credential and must be
## handled like a password.
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test
      
## This leaves a second copy of the user's private key on the control-plane
## host. The kubeconfig built below embeds the key, so this copy is not
## needed afterwards; remove it or restrict it to root-only (0600).
# cp test*.pem /etc/kubernetes/ssl/
## Create the cluster entry. --certificate-authority with --embed-certs pins
## the API server CA inside the kubeconfig; never substitute
## --insecure-skip-tls-verify here.
# kubectl config set-cluster kubernetes --certificate-authority=ca.pem  --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig
## Create the user entry. With --embed-certs the private key is copied into
## test.kubeconfig, so the file itself is now a credential: chmod 600 it and
## hand it to the user over a secure channel only.
## NOTE(review): kube-apiserver does not check CRLs, so a leaked client cert
## cannot be revoked before it expires short of rotating the CA; cutting
## off a user means deleting their RBAC bindings. Keep cert lifetimes short.
# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig

## Create the context that ties user "test" to cluster "kubernetes".
# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig
# kubectl config current-context --kubeconfig=test.kubeconfig
## `config view` redacts embedded cert/key data by default; avoid adding
## --raw in shared terminals or pasted logs.
# kubectl config view --kubeconfig=test.kubeconfig

## Make the new context the default for this kubeconfig.
# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig

## Authentication succeeds (the error already names User "test"), but with
## no RBAC binding yet authorization is denied -- the expected default-deny.
# kubectl --kubeconfig=test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
      
## Same query with kube.config -- presumably the cluster-admin kubeconfig
## (not shown) -- for comparison.
# kubectl --kubeconfig=kube.config get pods
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   0          4h26m
pod-cm1             1/1     Running   3          4d22h
pod-harbor          1/1     Running   2          26h
pod-mysql-secret1   1/1     Running   5          4d21h
pod-mysql-secret2   1/1     Running   2          4d21h

3、config文件

  • 创建登录k8s集群的用户,基于证书和密钥信息创建用户

  • 创建登录k8s集群的地址

  • 将登录用户和目标k8s集群关联在一起,形成k8s集群入口

  • 设定默认的k8s集群入口

config文件优先级

  • --kubeconfig 指定文件

  • 环境变量 KUBECONFIG(可用冒号分隔多个文件,kubectl 会按顺序合并)

  • $HOME/.kube/config(root 用户即 /root/.kube/config);无论放在哪里,kubeconfig 中含有凭据,文件权限应保持为 0600

4、role创建

资源对象的权限集合定义

# kubectl create role myrole --verb=get,list --resource=pods --dry-run=client -o yaml > 02_k8s_secure_role.yaml
# vim 02_k8s_secure_role.yaml 
# Namespaced Role. The generated skeleton only granted get/list on pods; the
# hand edit below widens it to deployments/replicasets and adds delete.
# No metadata.namespace is set, so the Role lands in the current context's
# namespace (default in this walkthrough).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
rules:
# A single rule is the cross product apiGroups x resources x verbs: every
# verb is granted on every resource in every listed group (hence the six
# PolicyRule lines in `kubectl describe role` below, including nonexistent
# combinations such as pods.apps). Harmless here, but for a least-privilege
# role keep one rule per apiGroup so each resource gets exactly the verbs
# intended -- and reconsider delete, which the skeleton did not include.
- apiGroups:
  - ""
  - "apps"
  resources:
  - pods
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - delete

# kubectl apply -f 02_k8s_secure_role.yaml 

## Roles are namespaced; without -n both commands read the current
## context's namespace.
# kubectl get role
NAME     CREATED AT
myrole   2023-11-30T02:34:21Z
## The six PolicyRule lines are the cross product of the single rule
## (2 apiGroups x 3 resources). Entries such as pods.apps or a core-group
## "deployments" match no real resource and grant nothing, but they make
## the effective permissions harder to audit.
# kubectl describe role myrole
Name:         myrole
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  deployments       []                 []              [get list delete]
  pods              []                 []              [get list delete]
  replicasets       []                 []              [get list delete]
  deployments.apps  []                 []              [get list delete]
  pods.apps         []                 []              [get list delete]
  replicasets.apps  []                 []              [get list delete]

5、rolebinding创建

## RoleBinding: grants myrole to user "test" in this namespace only. The
## subject kind is User, matched against the CN of the client certificate.
# kubectl create rolebinding test-myrole --role=myrole --user=test --dry-run=client -o yaml > 03_k8s_test-myrole.yaml
# kubectl apply -f 03_k8s_test-myrole.yaml 
# kubectl describe rolebinding test-myrole
Name:         test-myrole
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  myrole
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  test  
## Namespace is blank for User subjects: users are cluster-scoped
## identities; only ServiceAccount subjects carry a namespace.


## Allowed now: listing pods in the binding's namespace.
# kubectl get pods --kubeconfig=test.kubeconfig
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   1          25h
pod-cm1             1/1     Running   5          5d20h

## Empty output rather than Forbidden: listing deployments is allowed,
## there are just none in this namespace.
# kubectl get deployment --kubeconfig=test.kubeconfig

## Denied in kube-system: a RoleBinding never reaches beyond its own
## namespace.
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
## Denied for services: that resource is not listed in myrole.
# kubectl get svc --kubeconfig=test.kubeconfig
Error from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"

6、clusterrole和clusterrolebinding创建

## ClusterRole: get/list/delete on pods, cluster-scoped. Bound cluster-wide
## (next step) this lets "test" delete pods in every namespace, including
## the calico/coredns pods in kube-system listed below -- effectively the
## power to disrupt the cluster. Drop delete unless it is really required.
# kubectl create clusterrole myclusterrole --verb=get,list,delete --resource=pods --dry-run=client -o yaml > 04_k8s_secure-clsterrole.yaml
# kubectl apply -f 04_k8s_secure-clsterrole.yaml 

## ClusterRoleBinding: grants myclusterrole to user "test" in all namespaces.
# kubectl create clusterrolebinding test-myclusterrole --clusterrole=myclusterrole --user=test

## NOTE(review): what was changed in this edit is not shown; the checks
## below are consistent with the binding being left as created.
# kubectl edit clusterrolebinding test-myclusterrole

## Still denied: myclusterrole covers pods only, not deployments.
[root@k8s-master01 tools]# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
## Now allowed in kube-system through the ClusterRoleBinding.
# kubectl get pods --kubeconfig=test.kubeconfig -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-7cc8dd57d9-hvkz5   1/1     Running   55         6d23h
calico-node-c4dxg                          1/1     Running   7          6d22h
calico-node-srqch                          1/1     Running   8          6d22h
calico-node-tcdmv                          0/1     Running   7          6d22h
calico-node-tvjzj                          1/1     Running   7          6d22h
coredns-675db8b7cc-5fbjk                   1/1     Running   7          6d22h

role和clusterrole混合使用:用 RoleBinding 引用 ClusterRole,复用其规则集合,但把生效范围限制在该 RoleBinding 所在的命名空间。注意 RBAC 权限只会叠加、不会收窄:如果不先删除上面创建的 ClusterRoleBinding(kubectl delete clusterrolebinding test-myclusterrole),用户 test 仍然保有集群范围的 pod 权限,下面的 RoleBinding 并不能起到限制作用。

## A RoleBinding that references a ClusterRole grants its rules only inside
## the binding's namespace. RBAC is additive, though: this does NOT narrow
## access already granted by the ClusterRoleBinding created earlier. To
## really confine "test" to one namespace, run
## `kubectl delete clusterrolebinding test-myclusterrole` first, then create
## this binding. (Reusing the name is legal -- RoleBinding and
## ClusterRoleBinding are different kinds -- but easy to confuse in audits.)
# kubectl create rolebinding test-myclusterrole --clusterrole=myclusterrole --user=test