21-Day Container Transformation Bootcamp (Day 13: Advanced Containers: Kubernetes Security Principles Analysis, Hands-on)
阿新 • Published: 2018-12-17
[[email protected] ~]# kubectl get namespace
NAME STATUS AGE
default Active 8d
kube-public Active 8d
kube-system Active 8d
[[email protected] ~]#
Create a namespace; the read-only user created later will only be able to operate within this namespace.
[[email protected] ~]# kubectl create namespace cce
namespace "cce" created
[[email protected] ~]# kubectl get namespace
NAME STATUS AGE
cce Active 3s
default Active 8d
kube-public Active 8d
kube-system Active 8d
Create a serviceAccount (sa) in the cce namespace and obtain the token from the corresponding secret.
[[email protected] ~]# kubectl create sa cce-service-account -ncce
serviceaccount "cce-service-account" created
Get the name of the secret that belongs to the sa.
[[email protected] ~]# kubectl get sa cce-service-account -ncce -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-12-16T02:02:02Z
  name: cce-service-account
  namespace: cce
  resourceVersion: "506135"
  selfLink: /api/v1/namespaces/cce/serviceaccounts/cce-service-account
  uid: 94960f67-00d6-11e9-8978-fa163efa3106
secrets:
- name: cce-service-account-token-b86r5
[[email protected] ~]#
Read the token from the secret and base64-decode it to obtain the plaintext token.
[[email protected] ~]# token=`kubectl get secret cce-service-account-token-b86r5 -ncce -oyaml |grep token: | awk '{print $2}' | xargs echo -n | base64 -d`
[[email protected] ~]# echo $token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2NlLXNlcnZpY2UtYWNjb3VudC10b2tlbi1iODZyNSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjY2Utc2VydmljZS1hY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTQ5NjBmNjctMDBkNi0xMWU5LTg5NzgtZmExNjNlZmEzMTA2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNjZTpjY2Utc2VydmljZS1hY2NvdW50In0.CfUnS_anvuK8QFEpzkkA-_epJ42N6v-kxAU6TPNpIEbpzyNylnAydUnpzc1t72RR13W1j5ESgm91ksQAeu09Xois_OtEnEVt6BfNKU_gKfRYXxv4ZoFO07wpbkgRojGa8aics3w4hCyaZWZNV7xNbzGArQwFFv2TR2WsQaJKmf8vRiwySzCNfIivOgD5lROULEHtAWcx7xxWr5xWWfFvBKDigJkNumZWPnEx_hLJgav3pt2lUucWpuDZQoM8g1UwMHV06eO8-Uu4VfaHJsAoBXPFgWvKGPOlbFfrNUX-SZAcMS9ej8vvuBvi8ZPFWkKnwedBDxzL7uwi6XImf9lTTA
[[email protected] ~]#
Add the cce-user user (the fields shown in green are custom values and can be left unchanged).
[[email protected] ~]# kubectl config set-cluster cce-viewer --server=https://192.168.47.160:5443 --certificate-authority=/var/paas/srv/kubernetes/ca.crt
Cluster "cce-viewer" set.
[[email protected] ~]# kubectl config set-context cce-viewer --cluster=cce-21days-cluster
Context "cce-viewer" created.
[[email protected] ~]# kubectl config set-credentials cce-user --token=$token
[[email protected] ~]# kubectl config set-context cce-viewer --user=cce-user
Context "cce-viewer" modified.
[[email protected] ~]#
The following command shows the newly created context:
[[email protected] ~]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
cce-viewer cce-21days-cluster cce-user
* internal internalCluster user
[[email protected] ~]#
[[email protected] day13]# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cce
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[[email protected] day13]# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: pod-reader-binding
  namespace: cce
subjects:
- kind: ServiceAccount
  name: cce-service-account
  namespace: cce
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[[email protected] day13]#
[[email protected] day13]# kubectl create -f role.yaml
[[email protected] day13]# kubectl create -f rolebinding.yaml
Switch the context to the cce-viewer user and verify the result of the permission setup:
[[email protected] day13]# kubectl config use-context cce-viewer
Switched to context "cce-viewer".
[[email protected] day13]#
[[email protected] day13]# kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
The error above means the environment variable is not set, so add it:
[[email protected] day13]# export KUBERNETES_MASTER=https://192.168.47.160:5443
# List pods in the default namespace; this should return a 403 Forbidden (no permission) error
[[email protected] day13]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cce:cce-service-account" cannot list pods in the namespace "default"
[[email protected] day13]#
[[email protected] day13]# kubectl config use-context cce-viewer
Switched to context "cce-viewer".
[[email protected] day13]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cce:cce-service-account" cannot list pods in the namespace "default"
[[email protected] day13]# kubectl get pods -ncce
No resources found.
# Use the following command to switch back to the admin context:
[[email protected] day13]# kubectl config use-context internal
Switched to context "internal".
[[email protected] day13]#
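An added example in Python, not part of the original post, that mirrors what the session above demonstrates: it reads the `sub` claim from a service-account token (a constructed token with the same claims as the one shown earlier; the signature is a placeholder and is not verified), then applies a simplified model of the page's Role and RoleBinding to show why `list pods` is forbidden in `default` but allowed in `cce`. It covers only namespaced Role/RoleBinding objects, as on this page, and ignores ClusterRoles and ClusterRoleBindings.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token (header.payload.signature) with the same claim layout
# as the legacy service-account token decoded on this page; the signature is a
# placeholder, so this token would never pass verification at an API server.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "cce",
        "kubernetes.io/serviceaccount/secret.name": "cce-service-account-token-b86r5",
        "kubernetes.io/serviceaccount/service-account.name": "cce-service-account",
        "sub": "system:serviceaccount:cce:cce-service-account",
    }).encode()),
    "PLACEHOLDER-SIGNATURE",
])


def token_subject(token: str) -> str:
    """Return the 'sub' claim of a service-account JWT (payload decoded only, not verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


# The Role and RoleBinding from role.yaml / rolebinding.yaml, reduced to what matters for evaluation.
POD_READER = {"namespace": "cce", "name": "pod-reader",
              "rules": [{"resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
POD_READER_BINDING = {"namespace": "cce", "roleRef": "pod-reader",
                      "subjects": ["system:serviceaccount:cce:cce-service-account"]}


def can_i(subject, verb, resource, namespace, roles=(POD_READER,), bindings=(POD_READER_BINDING,)):
    """Simplified RBAC: a Role only grants inside its own namespace, and only via a
    RoleBinding in that same namespace that names the subject and references the Role."""
    for binding in bindings:
        if binding["namespace"] != namespace or subject not in binding["subjects"]:
            continue
        for role in roles:
            if role["namespace"] != namespace or role["name"] != binding["roleRef"]:
                continue
            for rule in role["rules"]:
                if resource in rule["resources"] and (verb in rule["verbs"] or "*" in rule["verbs"]):
                    return True
    return False


if __name__ == "__main__":
    sub = token_subject(SAMPLE_TOKEN)
    print(sub, "list pods in default:", can_i(sub, "list", "pods", "default"))  # False
    print(sub, "list pods in cce:", can_i(sub, "list", "pods", "cce"))          # True
```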