23.kubernetes(k8s)筆記 認(rèn)證、授權(quán)與準(zhǔn)入控制(三) RBAC 訪問控制

RBAC 訪問控制 Users Accounts

前言:
前面已經(jīng)對ServiceAccount、Users Account認(rèn)證進(jìn)行了介紹與創(chuàng)建,但最后的測試發(fā)現(xiàn)是Users Account并沒有訪問權(quán)限,本節(jié)介紹RBAC授權(quán) 對ServiceAccount、Users Account認(rèn)證進(jìn)行授權(quán)

RBAC是什么?

RBAC 是基于角色的訪問控制(Role-Based Access Control )在 RBAC 中,權(quán)限與角色相關(guān)聯(lián),用戶通過成為適當(dāng)角色的成員而得到這些角色的權(quán)限。這就極大地簡化了權(quán)限的管理。這樣管理都是層級相互依賴的,權(quán)限賦予給角色,而把角色又賦予用戶,這樣的權(quán)限設(shè)計(jì)很清楚,管理起來很方便。

角色
  Role:角色,名稱空間級別;授權(quán)特定命名空間的訪問權(quán)限
  ClusterRole:集群角色,全局級別;授權(quán)所有命名空間的訪問權(quán)限

角色綁定
  RoleBinding:將角色綁定到主體(即subject),意味著,用戶僅得到了特定名稱空間下的Role的權(quán)限,作用范圍也限于該名稱空間;
  ClusterRoleBinding:將集群角色綁定到主體,讓用戶扮演指定的集群角色;意味著,用戶得到了是集群級別的權(quán)限,作用范圍也是集群級別;
  
主體(subject)
  User:用戶
  Group:用戶組
  ServiceAccount:服務(wù)賬號

綁定對應(yīng)關(guān)系
主體(Subject) --> RoleBinding --> Role #主體獲得名稱空間下的Role的權(quán)限
主體(Subject) --> ClusterRoleBinding --> clusterRoles #主體獲得集群級別clusterRoles的權(quán)限
主體(Subject) --> Rolebindig -->ClusterRole #權(quán)限降級 主體獲得名稱空間下的clusterRoles的權(quán)限

  • rules中的參數(shù)說明:
    1、apiGroups:支持的API組列表,例如:"apiVersion: batch/v1"等
    2、resources:支持的資源對象列表,例如pods、deplayments、jobs等
    3、resourceNames: 指定resource的名稱
    3、verbs:對資源對象的操作方法列表。
  • RBAC使用rbac.authorization.k8s.io API Group 來實(shí)現(xiàn)授權(quán)決策,允許管理員通過 Kubernetes API 動(dòng)態(tài)配置策略,要啟用RBAC,需要在 apiserver 中添加參數(shù)--authorization-mode=RBAC,如果使用的kubeadm安裝的集群,都默認(rèn)開啟了RBAC,可以通過查看 Master 節(jié)點(diǎn)上 apiserver 的靜態(tài)Pod定義文件:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
 ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC   #默認(rèn)支持BRAC 基于角色的訪問控制
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...
  • 查看 kube-system名稱空間下的role角色詳情
[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z

[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:   #角色規(guī)則詳細(xì)信息
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps
  verbs:   #能執(zhí)行的操作
  - get
  • role角色綁定
  • RoleBinding 角色綁定
[root@k8s-master ~]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
   roleRef  <Object> -required-
     RoleRef can reference a Role in the current namespace or a ClusterRole in
     the global namespace. If the RoleRef cannot be resolved, the Authorizer
     must return an error.

   subjects <[]Object>
     Subjects holds references to the objects the role applies to.
示例1: 創(chuàng)建role角色綁定 作用域?yàn)槊Q空間
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml 
kind : Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]  #空表示默認(rèn)群組
  resources: ["pods","services","pods/log"]  #對象資源
  verbs: ["get","list","watch"]  #權(quán)限

[root@k8s-master authfiles]# cat tom-pods-reader.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom   #綁定的用戶名
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader  #綁定之前的角色
  apiGroup: rbac.authorization.k8s.io
  
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml 
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml 

[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m
  • 使用tom用戶驗(yàn)證權(quán)限 pod、svc
[root@k8s-master authfiles]# kubectl config get-contexts   --kubeconfig=/tmp/mykubeconfig  #查看當(dāng)前用戶
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom 

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d
  • 驗(yàn)證deployment、nodes權(quán)限 沒有授權(quán)訪問失敗
[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get nodes  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
內(nèi)建管理員admin

  • 名稱空間管理員admin

  • clusterrole admin 名稱空間級別資源 擁有所有名稱空間下的資源 所有操作權(quán)限

  • 集群管理員 cluster-admin

  • clusterrole cluster-admin 集群級別資源 擁有集群所有空的資源 所有操作權(quán)限

  • 之前綁定的rolebinding只對默認(rèn)名稱空間有一定的權(quán)限

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
  • clusterrole admin 對所有名稱空間下的資源權(quán)限
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
  • 刪除綁定,重新綁定到clusterrole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m

[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted

[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted

[root@k8s-master authfiles]# kubectl get pod  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
示例2: 綁定admin 并驗(yàn)證權(quán)限,作用域?yàn)槊Q空間
[root@k8s-master authfiles]# kubectl create --help  
...
Available Commands:
  clusterrole         Create a ClusterRole.
  clusterrolebinding  Create a ClusterRoleBinding for a particular ClusterRole
  configmap           Create a configmap from a local file, directory or literal value
  cronjob             Create a cronjob with the specified name.
  deployment          Create a deployment with the specified name.
  job                 Create a job with the specified name.
  namespace           Create a namespace with the specified name
  poddisruptionbudget Create a pod disruption budget with the specified name.
  priorityclass       Create a priorityclass with the specified name.
  quota               Create a quota with the specified name.
  role                Create a role with single rule.
  rolebinding         Create a RoleBinding for a particular Role or ClusterRole
  secret              Create a secret using specified subcommand
  service             Create a service using specified subcommand.
  serviceaccount      Create a service account with the specified name
  • 可以分別對--user、--group、--serviceaccount進(jìn)行授權(quán)
[root@k8s-master authfiles]# kubectl create clusterrolebinding  --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:  
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
  • 綁定并進(jìn)行權(quán)限驗(yàn)證
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom  --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
......

[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h

[root@k8s-master authfiles]# kubectl get deployment   --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h
  • node是集群級別資源 無權(quán)限
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
示例3: 綁定cluster-admin 并驗(yàn)證權(quán)限 作用域?yàn)榧杭墑e資源
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted

[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom  --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                   21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                   21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9
  • 需要注意的是 cluster-admin 是通過system:masters組方式進(jìn)行授權(quán),如果我們在創(chuàng)建用戶證書時(shí),/CN=XX/O=system:masters;那么這個(gè)用戶就擁有超級管理員的權(quán)限
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters   #通過組授權(quán)所有system:masters都擁有超級管理員權(quán)限
示例4: rolebinding 綁定admin 并驗(yàn)證權(quán)限 權(quán)限降級

  • 前面有提到
    User --> Rolebindig -->ClusterRole:權(quán)限降級,
    ClusterRole,用戶得到的權(quán)限僅是ClusterRole的權(quán)限在Rolebinding所屬的名稱空間上的一個(gè)子集;

  • 刪除之前綁定

[root@k8s-master authfiles]# kubectl delete  clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
  • 創(chuàng)建角色綁定集群角色 權(quán)限降級 只對指定名稱空間有權(quán)限
[root@k8s-master authfiles]# kubectl create  rolebinding tom-admin --user=tom  -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
  • 測試權(quán)限 作用域盡為longhorn-system名稱空間
[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph                 1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49                 1/1     Running   9          19d
...
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容