kubernetes RBAC實戰 kubernetes 使用者角色訪問控制,dashboard訪問,kubectl配置生成
阿新 • • 發佈:2019-02-11
kubernetes RBAC實戰
環境準備
先用kubeadm安裝好kubernetes叢集,[包地址在此](https://market.aliyun.com/products/56014009/cmxz022571.html#sku=yuncode1657100000) 好用又方便,服務周到,童叟無欺
本文目的,讓名為devuser的使用者只能有許可權訪問特定namespace下的pod
命令列kubectl訪問
安裝cfssl
此工具生成證書非常方便, pem證書與crt證書,編碼一致可直接使用 wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 chmod+x cfssl_linux-amd64 mv cfssl_linux-amd64 /bin/cfssl wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x cfssljson_linux-amd64 mv cfssljson_linux-amd64 /bin/cfssljson wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl-certinfo_linux-amd64 mv cfssl-certinfo_linux-amd64 /bin/cfssl-certinfo
簽發客戶端證書
根據ca證書與麼鑰簽發使用者證書
根證書已經在/etc/kubernetes/pki目錄下了
[[email protected] ~]# ls /etc/kubernetes/pki/ apiserver.crt ca-config.json devuser-csr.json front-proxy-ca.key sa.pub apiserver.key ca.crt devuser-key.pem front-proxy-client.crt apiserver-kubelet-client.crt ca.key devuser.pem front-proxy-client.key apiserver-kubelet-client.key devuser.csr front-proxy-ca.crt sa.key
注意以下幾個檔案: `ca.crt ca.key ca-config.json devuser-csr.json`
建立ca-config.json檔案
cat > ca-config.json < devuser-csr.json <校驗證書 cfssl-certinfo -cert kubernetes.pem
生成config檔案
kubeadm已經生成了admin.conf,我們可以直接利用這個檔案,省的自己再去配置叢集引數
$ cp /etc/kubernetes/admin.conf devuser.kubeconfig
設定客戶端認證引數:
kubectl config set-credentials devuser \ --client-certificate=/etc/kubernetes/ssl/devuser.pem \ --client-key=/etc/kubernetes/ssl/devuser-key.pem \ --embed-certs=true \ --kubeconfig=devuser.kubeconfig
設定上下文引數:
kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=devuser \ --namespace=kube-system \ --kubeconfig=devuser.kubeconfig
設定莫認上下文:
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig
以上執行一個步驟就可以看一下 devuser.kubeconfig的變化。裡面最主要的三個東西
- cluster: 叢集資訊,包含叢集地址與公鑰
- user: 使用者資訊,客戶端證書與私鑰,正真的資訊是從證書裡讀取出來的,人能看到的只是給人看的。
- context: 維護一個三元組,namespace cluster 與 user
建立角色
建立一個叫pod-reader的角色
[[email protected] ~]# cat pod-reader.yaml kind:Role apiVersion: rbac.authorization.k8s.io/v1 metadata:namespace: kube-system name: pod-reader rules:- apiGroups:[""]# "" indicates the core API group resources:["pods"] verbs:["get","watch","list"]
kubectl create -f pod-reader.yaml
繫結使用者
建立一個角色繫結,把pod-reader角色繫結到 devuser上
[[email protected] ~]# cat devuser-role-bind.yaml kind:RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods namespace: kube-system subjects:- kind:User name: devuser # 目標使用者 apiGroup: rbac.authorization.k8s.io roleRef: kind:Role name: pod-reader # 角色資訊 apiGroup: rbac.authorization.k8s.io
kubectl create -f devuser-role-bind.yaml
使用新的config檔案
$ rm .kube/config && cp devuser.kubeconfig .kube/config
效果, 已經沒有別的namespace的許可權了,也不能訪問node資訊了:
[[email protected] ~]# kubectl get nodeErrorfrom server (Forbidden): nodes is forbidden:User"devuser" cannot list nodes at the cluster scope [[email protected] ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-55449f8d88-74x8f1/1Running08d calico-node-clpqr 2/2Running08d kube-apiserver-master1 1/1Running28d kube-controller-manager-master1 1/1Running18d kube-dns-545bc4bfd4-p6trj 3/3Running08d kube-proxy-tln54 1/1Running08d kube-scheduler-master1 1/1Running18d[[email protected] ~]# kubectl get pod -n defaultErrorfrom server (Forbidden): pods is forbidden:User"devuser" cannot list pods in the namespace"default": role.rbac.authorization.k8s.io "pod-reader"not found
dashboard訪問
service account原理
k8s裡面有兩種使用者,一種是User,一種就是service account,User給人用的,service account給程序用的,讓程序有相關的許可權。
如dasboard就是一個程序,我們就可以建立一個service account給它,讓它去訪問k8s。
我們看一下是如何把admin許可權賦給dashboard的:
╰─➤ cat dashboard-admin.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind:ClusterRoleBinding metadata: name: kubernetes-dashboard labels: k8s-app: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind:ClusterRole name: cluster-admin subjects:- kind:ServiceAccount name: kubernetes-dashboard namespace: kube-system
把 kubernetes-dashboard 這個ServiceAccount繫結到cluster-admin這個ClusterRole上,這個cluster role非常牛逼,啥許可權都有
[[email protected] ~]# kubectl describe clusterrole cluster-admin -n kube-systemName: cluster-admin Labels: kubernetes.io/bootstrapping=rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate=truePolicyRule:ResourcesNon-ResourceURLsResourceNamesVerbs---------------------------------------------[*][][*]*.*[][][*]
而建立dashboard時建立了這個service account:
apiVersion: v1 kind:ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system
然後deployment裡指定service account
volumes:- name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir:{} serviceAccountName: kubernetes-dashboard
更安全的做法
[[email protected] ~]# cat admin-token.yaml kind:ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: admin annotations: rbac.authorization.kubernetes.io/autoupdate:"true" roleRef: kind:ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io subjects:- kind:ServiceAccount name: admin namespace: kube-system --- apiVersion: v1 kind:ServiceAccount metadata: name: admin namespace: kube-system labels: kubernetes.io/cluster-service:"true" addonmanager.kubernetes.io/mode:Reconcile
[[email protected] ~]# kubectl get secret -n kube-system|grep admin admin-token-7rdhf kubernetes.io/service-account-token 314m
[[email protected] ~]# kubectl describe secret admin-token-7rdhf -n kube-systemName: admin-token-7rdhfNamespace: kube-system Labels:Annotations: kubernetes.io/service-account.name=admin kubernetes.io/service-account.uid=affe82d4-d10b-11e7-ad03-00163e01d684Type: kubernetes.io/service-account-token Data==== ca.crt:1025 bytes namespace:11 bytes token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi03cmRoZiIsImt1YmVybmV0ZXMuaW8vc2V