kubernetes學習筆記之十:RBAC
阿新 • • 發佈:2018-12-01
第一章、RBAC介紹
在Kubernetes中,授權有ABAC(基於屬性的訪問控制)、RBAC(基於角色的訪問控制)、Webhook、Node、AlwaysDeny(一直拒絕)和AlwaysAllow(一直允許)這6種模式。從1.6版本起,Kubernetes 預設啟用RBAC訪問控制策略。從1.8開始,RBAC已作為穩定的功能。通過設定–authorization-mode=RBAC,啟用RABC。在RABC API中,通過如下的步驟進行授權:1)定義角色:在定義角色時會指定此角色對於資源的訪問控制的規則;2)繫結角色:將主體與角色進行繫結,對使用者進行訪問授權。
1、 角色和叢集角色
在RBAC API中,角色包含代表權限集合的規則。在這裡,許可權只有被授予,而沒有被拒絕的設定。在Kubernetes中有兩類角色,即普通角色和叢集角色。可以通過Role定義在一個名稱空間中的角色,或者可以使用ClusterRole定義叢集範圍的角色。一個角色只能被用來授予訪問單一命令空間中的資源。
叢集角色(ClusterRole)能夠被授予如下資源的許可權:
叢集範圍的資源(類似於Node)
非資源端點(類似於”/healthz”)
叢集中所有名稱空間的資源(類似Pod)
2、角色繫結和叢集角色繫結
角色繫結用於將角色與一個或一組使用者進行繫結,從而實現將對使用者進行授權的目的。主體分為使用者、組和服務帳戶。角色繫結也分為角色普通角色繫結和叢集角色繫結。角色繫結只能引用同一個名稱空間下的角色。 角色繫結也可以通過引用叢集角色授予訪問許可權,當主體對資源的訪問僅限與本名稱空間,這就允許管理員定義整個叢集的公共角色集合,然後在多個名稱空間中進行復用。 叢集角色可以被用來在叢集層面和整個名稱空間進行授權。
3、資源
在Kubernets中,主要的資源包括:Pods、Nodes、Services、Deployment、Replicasets、Statefulsets、Namespace、Persistents、Secrets和ConfigMaps等。另外,有些資源下面存在子資源,例如:Pod下就存在log子資源
4、主體
RBAC授權中的主體可以是組,使用者或者服務帳戶。使用者通過字串表示,比如“alice”、 “[email protected]”等,具體的形式取決於管理員在認證模組中所配置的使用者名稱。system:被保留作為用來Kubernetes系統使用,因此不能作為使用者的字首。組也有認證模組提供,格式與使用者類似。
第二章、簡單示例
1、使用RoleBanding將使用者繫結到Role上
檢視命令幫助及格式
[[email protected] ~]# kubectl create role -h #檢視建立role的命令幫助,以及一些簡單的示例
[[email protected]-master01 RBAC]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml #通過 -o引數匯出yaml格式,可以大致看到Role是如何定義的
[[email protected]-master01 RBAC]# cat role-demo.yaml #最後完成的yaml檔案如下
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pods-reader
namespace: default #名稱空間名稱
rules:
- apiGroups:
- ""
resources: #包含哪些資源
- pods
verbs: #對以上資源允許進行哪些操作
- get
- list
- watch
建立role
[[email protected] RBAC]# kubectl apply -f role-demo.yaml role.rbac.authorization.k8s.io "pods-reader" created [[email protected]-master01 RBAC]# kubectl get role #檢視role的資訊 NAME AGE pods-reader 8s [[email protected]-master01 RBAC]# kubectl describe role pods-reader #檢視pods-reader 的詳細資訊 Name: pods-reader Labels: <none> Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup... PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch] # Resources:資源類別,表示對該資源類別下的所有資源進行操作 Non-Resource URLs:非資源URL,對某些資源進行某種特殊操作的存在 Resource Names:對資源類別下某個或多個資源進行操作 Verbs:操作的型別
建立一個RoleBinding,將使用者qiangungun(該使用者在上一章節serviceaccount中已經被建立)繫結到pods-reader 這個role上去
[[email protected] ~]# kubectl create rolebinding -h #檢視命令幫助
kubectl create rolebinding qiangungun-read-pods --role=pods-reader --user=qiangungun --dry-run -o yaml #建立名稱為qiangungun-read-pods的rolebinding,繫結到名稱為pods-reader的role上
[[email protected]-master01 RBAC]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: qiangungun-read-pods
roleRef: #role引用,表示引用哪個role
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-reader
subjects: #動作的執行主題
- apiGroup: rbac.authorization.k8s.io
kind: User
name: qiangungun
[[email protected]-master01 RBAC]# kubectl describe rolebinding qiangungun-read-pods
Name: qiangungun-read-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"qiangungun-read-pods","namespace":"default"},"ro...
Role:
Kind: Role
Name: pods-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User qiangungun
驗證操作
[[email protected] RBAC]# kubectl config use-context [email protected] #前後當前上下文到qiangungun使用者
Switched to context "[email protected]".
[[email protected]-master01 RBAC]# kubectl get pods #獲取當前名稱空間的pod資訊,可以看到能夠正常顯示
NAME READY STATUS RESTARTS AGE
myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d
myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d
myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d
myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d
myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d
[[email protected]-master01 RBAC]# kubectl get pods -n kube-system #檢視其它空間pod的資訊,可以看到提示沒有許可權,即驗證RoleBanding的許可權只對當前的名稱空間生效
Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "kube-system"
2、使用ClusterRoleBanding將使用者繫結到ClusterRole上
建立一個ClusterRole
[[email protected] RBAC]# kubectl config use-context kubernetes-[email protected] #切換上下文
Switched to context "[email protected]".
[[email protected]-master01 RBAC]# kubectl create clusterrole -h
[[email protected]-master01 RBAC]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run
[[email protected]-master01 RBAC]# cat clusterrole-cluster.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-reader #ClusterRole屬於叢集級別,所有不可以定義namespace
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[[email protected]-master01 RBAC]# kubectl apply -f clusterrole-cluster.yaml
[[email protected]-master01 RBAC]# useradd admin
[[email protected]-master01 RBAC]# cp -rp ~/.kube/ /home/admin
[[email protected]-master01 RBAC]# chown -R admin:admin /home/admin
[[email protected]-master01 RBAC]# su - admin
[[email protected]-master01 ~]$ kubectl config use-context [email protected]
[[email protected]-master01 ~]$ kubectl config view
建立一個ClusterRoleBinding,將使用者qiangungun繫結到cluster-reader這個ClusterRole上面去
[[email protected] RBAC]# kubectl delete rolebinding qiangungun-read-pods #root使用者
[[email protected]-master01 ~]$ kubectl get pods #admin使用者下驗證
Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "default"
[[email protected]-master01 RBAC]# kubectl create clusterrolebinding -h
[[email protected]-master01 RBAC]# kubectl create clusterrolebinding qiangungun-read-all-pods --clusterrole=cluster-reader --user=qiangungun --dry-run -o yaml #建立名稱為qiangungun-read-all-pods的才clusterrolebinding,將名稱為cluster-reader的clusterrole繫結到使用者名稱稱為qiangungun上
[[email protected]-master01 RBAC]# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: qiangungun-read-all-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: qiangungun
[[email protected]-master01 RBAC]# kubectl apply -f clusterrolebinding-demo.yaml
[[email protected]-master01 RBAC]# kubectl describe clusterrolebinding qiangungun-read-all-pods
驗證
#切換到admin使用者終端下
[[email protected]-master01 ~]$ kubectl get pods #可以檢視當前名稱空間pod資訊
NAME READY STATUS RESTARTS AGE
myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d
myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d
myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d
myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d
myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d
[[email protected]-master01 ~]$ kubectl get pods -n ingress-nginx #可以檢視其他空間的pod資訊
NAME READY STATUS RESTARTS AGE
default-http-backend-66c4fbf5b4-m8d6j 1/1 Running 0 24d
nginx-ingress-controller-64bcff8657-6j4tq 1/1 Running 0 24d
[[email protected]-master01 ~]$ kubectl delete pod myapp-deploy-5cfd895984-262kz #無法刪除pod
Error from server (Forbidden): pods "myapp-deploy-5cfd895984-262kz" is forbidden: User "qiangungun" cannot delete pods in the namespace "default"
3、使用RoleBinding繫結ClusterRole
建立一個RoleBinding(ClusterRole使用以及存在的),並將使用者繫結到ClusterRole上
[[email protected] RBAC]# kubectl delete clusterrolebinding qiangungun-read-all-pods #為了避免衝突,先將之前的clusterrolebinding刪除
clusterrolebinding.rbac.authorization.k8s.io "qiangungun-read-all-pods" deleted
[[email protected]-master01 RBAC]#kubectl create rolebinding qiangungun-read-pods --clusterrole=cluster-reader --user=qiangungun --dry-run -o yam
[[email protected]-master01 RBAC]# cat rolebinding-cluster-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: qiangungun-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: qiangungun
[[email protected]-master01 RBAC]# kubectl apply -f rolebinding-cluster-demo.yaml
rolebinding.rbac.authorization.k8s.io "qiangungun-read-pods" created
[[email protected]-master01 RBAC]# kubectl describe rolebinding qiangungun-read-pods
驗證:
#admin使用者終端下
[[email protected]-master01 ~]$ kubectl get pods #可以獲取當前名稱空間的pod資訊
NAME READY STATUS RESTARTS AGE
myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d
myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d
myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d
myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d
myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d
[[email protected]-master01 ~]$ kubectl get pods -n ingress-nginx #不可用獲取其他名稱空間的資訊
Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "ingres
4、使用RoleBinding繫結叢集自帶的ClusterRole
[[email protected] RBAC]# kubectl get clusterrole #檢視當前叢集存在的clusterrole
[[email protected]-master01 RBAC]# kubectl create rolebinding default-ns-admin --clusterrole=admin --user=qiangungun --dry-run -o yaml #將qiangungun使用者繫結到名稱為admin的clusterrole上,可以使用get檢視admin的配置
[[email protected]-master01 RBAC]# cat rolebinding-cluster-admin-demo.yaml
piVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default-ns-admin
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: qiangungun
[[email protected]-master01 RBAC]# kubectl apply -f rolebinding-cluster-admin-demo.yaml
[[email protected]-master01 RBAC]# kubectl describe rolebinding default-ns-admin
驗證
#admin使用者終端下
[[email protected] ~]$ kubectl get pods #可以獲取當前名稱空間的pod資訊
NAME READY STATUS RESTARTS AGE
myapp-deploy-5cfd895984-262kz 1/1 Running 0 3d
myapp-deploy-5cfd895984-7whdn 1/1 Running 0 3d
myapp-deploy-5cfd895984-lg8sh 1/1 Running 0 3d
myapp-deploy-5cfd895984-m7h5j 1/1 Running 0 3d
myapp-deploy-5cfd895984-zd9cm 1/1 Running 0 3d
......
[[email protected]-master01 ~]$ kubectl delete pod myapp-deploy-5cfd895984-262kz #可以刪除當前名稱空間的pod
pod "myapp-deploy-5cfd895984-262kz" deleted
[[email protected]-master01 ~]$ kubectl get deploy #可以檢視名稱空間中的其他資源,如deployment
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
nginx-deploy 5 5 5 5 3d
[[email protected]-master01 ~]$ kubectl delete deployment nginx-deploy #可以刪除當前名稱空間的其他資源,如deployment
deployment.extensions "nginx-deploy" deleted
[[email protected]-master01 ~]$ kubectl get pods -n kube-system #對其名稱空間沒有任何許可權
Error from server (Forbidden): pods is forbidden: User "qiangungun" cannot list pods in the namespace "kube-system"
第三章、Role、CluseterRole、RoleBinding、ClusterRoleBinding在系統的相關聯絡
[[email protected] RBAC]# kubectl get clusterrolebinding #檢視叢集中的clusterrolebingding
NAME AGE
cluster-admin 31d
......
[[email protected]-master01 RBAC]# kubectl get clusterrolebinding cluster-admin -o yaml #獲取名稱為cluster-admin的clusterrolebingding配置資訊
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: 2018-10-30T02:32:22Z
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
resourceVersion: "103"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
uid: 07b1d436-dbec-11e8-8969-5254001b07db
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group #型別是一個組
name: system:masters #這個組中包含了kubernetes-admin這個使用者,而這個使用者是預設的當前使用使用者
[[email protected]-master01 RBAC]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.16.150.212:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin #預設使用的當前使用者
name: kubernetes-[email protected]
- context:
cluster: kubernetes
user: qiangungun
name: [email protected]
current-context: kubernetes-[email protected] #當前的使用sa
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: qiangungun
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[[email protected]-master01 RBAC]# cd /etc/kubernetes/pki/
[[email protected]-master01 pki]# openssl x509 -in ./apiserver-kubelet-client.crt -text -noout #檢視證書籤發的內容
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3187679453637891293 (0x2c3ce992f3e5d4dd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Oct 30 02:32:03 2018 GMT
Not After : Oct 30 02:32:03 2019 GMT
Subject: O=system:masters, CN=kube-apiserver-kubelet-client #kubernetes-admin使用者之所以屬於system:master這個組,是因為在它的的證書中定義的,O表示組,如果以後我們想一次授權多個使用者,可以將這些使用者新增至一個組內,然後給這個組授權即可
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
.....
#如果RoleBinding或者ClusterRoleBinding的物件是serviceaccount,,那麼任意一個pod(spec.serviceAcountName中定義)如果啟動時以這個serviceaccount name作為它是以的serviceaccount,那麼pod中的應用程式也同時擁有了這個serviceaccount的許可權,也就是擁有該serviceaccount繫結的Role或者ClusterRole的許可權。系統上一下特殊的pod可能需要做這樣的設定,下面我就以叢集建立時使用的flannel網路外掛為示例講解
檢視flannel的配置
[[email protected] kubernetes]# cat kube-flannel.yml #flannel的配置檔案
---
kind: ClusterRole #定義一個ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding #定義了一個ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount #定義了一個ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
......(以下省略)
檢視flannel建立的pod資訊
[[email protected]8s-master01 kubernetes]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
etcd-k8s-master01 1/1 Running 0 32d
kube-apiserver-k8s-master01 1/1 Running 0 32d
kube-controller-manager-k8s-master01 1/1 Running 0 7d
kube-dns-86f4d74b45-72kdh 3/3 Running 0 32d
kube-flannel-ds-amd64-847wt 1/1 Running 0 32d
kube-flannel-ds-amd64-9v9t6 1/1 Running 0 32d
kube-flannel-ds-amd64-k4blq 1/1 Running 0 32d
kube-proxy-8l9tf 1/1 Running 0 32d
kube-proxy-m6pqm 1/1 Running 0 32d
kube-proxy-scj8n 1/1 Running 0 32d
kube-scheduler-k8s-master01 1/1 Running 0 32d
[[email protected]-master01 kubernetes]# kubectl get pod kube-flannel-ds-amd64-847wt -n kube-system -o yaml
......(省略)
serviceAccount: flannel
serviceAccountName: flannel #表示當前的pod在啟動容器時,執行的程序與APIserver進行通訊的時候,會以serviceAccountName的賬號與APIserver進行連線,從而獲得該serviceaccount的許可權
.....(省略)
下面是一張我個人總結的關於user繫結到不同的Role和Binding時所擁有的許可權邊界
| User |
Binding 型別 |
Role 型別 |
許可權 |
| RoleBinding |
Role |
namespace |
|
| ClusterRoleBinding |
ClusterRole |
Cluster |
|
| RoleBinding |
ClusterRole |
namespace |
#其實關於RBAC還有很多需要講解的地方,當時能力有限,有些內容雖然自己理解,但是不知道如何以檔案的形式表達出來,寫的不好,請多多諒解