備戰(zhàn)CKA每日一題——第11天 | k8s訪問控制RBAC、Role、RoleBinding,并引出kubectl常用命令

昨日考題

創(chuàng)建一個Role(只有cka namespace下pods的所有操作權(quán)限)和RoleBinding(使用serviceaccount認證鑒權(quán)),使用對應(yīng)serviceaccount作為認證信息對cka namespace下的pod進行操作以及對default namespace下的pods進行操作。
– Role和RoleBinding的名稱的名稱為cka-1202-role、cka-1202-rb
注意:請附所用命令、創(chuàng)建的Role、RoleBinding以及serviceaccount的完整yaml,可分多次評論。

昨日答案

創(chuàng)建Service Account:

[root@liabio cka]# kubectl create serviceaccount cka-1202-sa -n cka  -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-12-02T23:37:42Z"
  name: cka-1202-sa
  namespace: cka
  resourceVersion: "15159020"
  selfLink: /api/v1/namespaces/cka/serviceaccounts/cka-1202-sa
  uid: 6764e90c-cb28-4de1-9109-6e3d56941fcb

創(chuàng)建Role:

[root@liabio cka]# kubectl create role  cka-1202-role -n cka  --verb=* --resource=pods -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2019-12-02T23:40:26Z"
  name: cka-1202-role
  namespace: cka
  resourceVersion: "15159247"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/roles/cka-1202-role
  uid: fc2c5593-2fd9-46d7-a809-99bcee32249e
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

創(chuàng)建RoleBinding:

[root@liabio cka]# kubectl create rolebinding cka-1202-rb -n cka  --role=cka-1202-role --serviceaccount=cka:cka-1202-sa  -oyaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-12-02T23:46:50Z"
  name: cka-1202-rb
  namespace: cka
  resourceVersion: "15159794"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/rolebindings/cka-1202-rb
  uid: c00d104e-a531-4781-90f4-2821651492bf
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cka-1202-role
subjects:
- kind: ServiceAccount
  name: cka-1202-sa
  namespace: cka

驗證:

獲取到cka-1202-sa這個Service Account綁定的secretbase64 -d解碼token字段:

[root@liabio ~]# kubectl get secret -n cka   
NAME                      TYPE                                  DATA   AGE
cka-1202-sa-token-9rgp4   kubernetes.io/service-account-token   3      42m
default-token-r77xn       kubernetes.io/service-account-token   3      4d14h
[root@liabio ~]# kubectl get secret -n cka  cka-1202-sa-token-9rgp4 -ojson | jq .data.token 
"ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmphMkVpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxZM0psZEM1dVlXMWxJam9pWTJ0aExURXlNREl0YzJFdGRHOXJaVzR0T1hKbmNEUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2lZMnRoTFRFeU1ESXRjMkVpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUkyTnpZMFpUa3dZeTFqWWpJNExUUmtaVEV0T1RFd09TMDJaVE5rTlRZNU5ERm1ZMklpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlkydGhPbU5yWVMweE1qQXlMWE5oSW4wLnFXanJUcTdEbVZTU01TM0h4YzR0bFd4ODdUNGtvUkNvVmkxMjVzZXNWRWJ2QUtEaTJ6MFhvNjJaNzAza2htQ1dsWTU1TkxPYWVKS2taWXhYOWZMTEdYMnpPVWVFdzFvbUpmRkZpTm41NGxjOUhRTjlRXzVmTjRyYS1WNFZSaU5uQkFUeW43Yzc2aGk2Nks1aUh5WjB4bFRNcnBNQThXN1l2TmJnU1pIOXhnaFdSenpkSElKYWF1UXBTY0xtSk5MNmxGNGd5ZG9Xd0dDQy1QU0VjdGpKTkRtMF8zSTZoUkhEZkJzd3k2d0t4VGx4T3lIdE9yeUc0ckUzZzVqUWZOdV9BNTdTNVlocmEwWVM0emM0X0RvdXBmUC1zVjU3R0FQS1JxODZsRGdlOHo4cWFIaDRyb0k3RTNJbC1DRU9HS1JJeE52SWZVX3d0aHRrMG95aW5HR2wydw=="
[root@liabio ~]# echo ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSmphMkVpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxZM0psZEM1dVlXMWxJam9pWTJ0aExURXlNREl0YzJFdGRHOXJaVzR0T1hKbmNEUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzV1WVcxbElqb2lZMnRoTFRFeU1ESXRjMkVpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUkyTnpZMFpUa3dZeTFqWWpJNExUUmtaVEV0T1RFd09TMDJaVE5rTlRZNU5ERm1ZMklpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNlkydGhPbU5yWVMweE1qQXlMWE5oSW4wLnFXanJUcTdEbVZTU01TM0h4YzR0bFd4ODdUNGtvUkNvVmkxMjVzZXNWRWJ2QUtEaTJ6MFhvNjJaNzAza2htQ1dsWTU1TkxPYWVKS2taWXhYOWZMTEdYMnpPVWVFdzFvbUpmRkZpTm41NGxjOUhRTjlRXzVmTjRyYS1WNFZSaU5uQkFUeW43Yzc2aGk2Nks1aUh5WjB4bFRNcnBNQThXN1l2TmJnU1pIOXhnaFdSenpkSElKYWF1UXBTY0xtSk5MNmxGNGd5ZG9Xd0dDQy1QU0VjdGpKTkRtMF8zSTZoUkhEZkJzd3k2d0t4VGx4T3lIdE9yeUc0ckUzZzVqUWZOdV9BNTdTNVlocmEwWVM0emM0X0RvdXBmUC1zVjU3R0FQS1JxODZsRGdlOHo4cWFIaDRyb0k3RTNJbC1DRU9HS1JJeE52SWZVX3d0aHRrMG95aW5HR2wydw== | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJja2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2thLTEyMDItc2EtdG9rZW4tOXJncDQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2thLTEyMDItc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NzY0ZTkwYy1jYjI4LTRkZTEtOTEwOS02ZTNkNTY5NDFmY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y2thOmNrYS0xMjAyLXNhIn0.qWjrTq7DmVSSMS3Hxc4tlWx87T4koRCoVi125sesVEbvAKDi2z0Xo62Z703khmCWlY55NLOaeJKkZYxX9fLLGX2zOUeEw1omJfFFiNn54lc9HQN9Q_5fN4ra-V4VRiNnBATyn7c76hi66K5iHyZ0xlTMrpMA8W7YvNbgSZH9xghWRzzdHIJaauQpScLmJNL6lF4gydoWwGCC-PSEctjJNDm0_3I6hRHDfBswy6wKxTlxOyHtOryG4rE3g5jQfNu_A57S5Yhra0YS4zc4_DoupfP-sV57GAPKRq86lDge8z8qaHh4roI7E3Il-CEOGKRIxNvIfU_wthtk0oyinGGl2w[root@liabio ~]#

把解碼后的信息添加到將添加到~/.kube/config中,注意到下面加了name為coderaction的context和name為coderaction的user

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDLQo=
    server: https://10.0.0.0:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: coderaction
  name: coderaction
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: coderaction
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJja2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2thLTEyMDItc2EtdG9rZW4tOXJncDQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2thLTEyMDItc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NzY0ZTkwYy1jYjI4LTRkZTEtOTEwOS02ZTNkNTY5NDFmY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y2thOmNrYS0xMjAyLXNhIn0.qWjrTq7DmVSSMS3Hxc4tlWx87T4koRCoVi125sesVEbvAKDi2z0Xo62Z703khmCWlY55NLOaeJKkZYxX9fLLGX2zOUeEw1omJfFFiNn54lc9HQN9Q_5fN4ra-V4VRiNnBATyn7c76hi66K5iHyZ0xlTMrpMA8W7YvNbgSZH9xghWRzzdHIJaauQpScLmJNL6lF4gydoWwGCC-PSEctjJNDm0_3I6hRHDfBswy6wKxTlxOyHtOryG4rE3g5jQfNu_A57S5Yhra0YS4zc4_DoupfP-sV57GAPKRq86lDge8z8qaHh4roI7E3Il-CEOGKRIxNvIfU_wthtk0oyinGGl2w
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiB1M1Y2NDTnpPUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CBS0NBUUVBdjNpTkx5eUEwaVdmOU1hUjA3cVFTOEtFWS0tLS0tCg==

通過切換到coderaction這個use-context可以發(fā)現(xiàn),get默認分區(qū)下的Pod時提示system:serviceaccount:cka:cka-1202-sa沒有權(quán)限,但可以正常獲取cka namespace下的Pods

[root@liabio cka]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@liabio cka]# kubectl get pod
NAME                               READY   STATUS    RESTARTS   AGE
cka-1128-01-7b8b8cb79-mll6d        1/1     Running   118        32h
[root@liabio cka]# 
[root@liabio cka]# 
[root@liabio cka]# kubectl get node
NAME     STATUS   ROLES    AGE    VERSION
liabio   Ready    master   141d   v1.15.2
[root@liabio cka]# kubectl config use-context coderaction
Switched to context "coderaction".
[root@liabio cka]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cka:cka-1202-sa" cannot list resource "pods" in API group "" in the namespace "default"
[root@liabio cka]# kubectl get pod -n cka
No resources found.

昨日解析

k8s對于訪問 API 來說提供了兩個步驟的安全措施:認證和授權(quán)。認證解決用戶是誰的問題,授權(quán)解決用戶能做什么的問題。通過合理的權(quán)限管理,能夠保證系統(tǒng)的安全可靠。

k8s集群的所有操作基本上都是通過kube-apiserver這個組件進行的,它提供HTTP RESTful形式的API供集群內(nèi)外客戶端調(diào)用。需要注意的是:認證授權(quán)過程只存在HTTPS形式的API中。也就是說,如果客戶端使用HTTP連接到kube-apiserver,那么是不會進行認證授權(quán)的。所以說,可以這么設(shè)置,在集群內(nèi)部組件間通信使用HTTP,集群外部就使用HTTPS,這樣既增加了安全性,也不至于太復(fù)雜。

本題主要是考察授權(quán):基于角色的訪問控制(RBAC)的考題。

RBAC官方文檔:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/

創(chuàng)建RoleBinding 、Role、Service Account官網(wǎng)命令指導(dǎo):
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-rolebinding-em-

使用 kubeconfig 文件組織集群訪問:
https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/

context相關(guān)操作官方命令指南:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config

基于角色的訪問控制(RBAC)是一種基于企業(yè)內(nèi)各個用戶的角色來調(diào)節(jié)對計算機或網(wǎng)絡(luò)資源的訪問的方法。

RBAC使用rbac.authorization.k8s.io API組 驅(qū)動授權(quán)決策,使管理員可以通過Kubernetes API動態(tài)配置策略。

從1.8開始,RBAC模式是穩(wěn)定的,并由rbac.authorization.k8s.io/v1 API提供支持。

要啟用RBAC,請通過啟動apiserver --authorization-mode=RBAC

RBAC API聲明了四個頂級類型:

Role和ClusterRole

在RBAC API中,Role包含代表一組權(quán)限的規(guī)則。權(quán)限純粹是累加的(沒有“拒絕”規(guī)則)。可以在namespace中用Role或在集群范圍內(nèi)用ClusterRole。

Role只能用于授予對單個名稱空間內(nèi)資源的訪問權(quán)限。

ClusterRole由于它們是集群范圍的,因此它們還可以用于授予以下權(quán)限:

  • 集群范圍內(nèi)的資源(如節(jié)點)
  • 非資源端點(例如“ /healthz”)
  • 所有namespace中的命名空間資源(例如pod)

RoleBinding和ClusterRoleBinding

RoleBinding向一個或一組用戶授予在Role中定義的權(quán)限。它包含subjects(User,Group或Service Account),以及對所授予角色的引用。可以在namespace中使用RoleBinding或在集群范圍內(nèi)使用ClusterRoleBinding。

RoleBinding可以引用同一namespace下的Role。

roleRef是實際創(chuàng)建綁定的方式。該kind可以是Role或ClusterRole,并且name將引用具體名字的Role或ClusterRole

ClusterRoleBinding可以在集群級別和所有namespace中授予權(quán)限。

創(chuàng)建Role命令:

kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]

--verb指定,對資源的操作動作集合,包括get、delete、update、create、patch、watch、list,所有操作動作為*
--resource指定可操作資源類型集合;
--resource-name指定可操作資源名稱集合;
如:

[root@liabio ~]# kubectl create role pod-reader-cka -n cka  --verb=get --verb=list --resource=pods --resource-name=readablepod --resource-name=anotherpod -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2019-12-03T03:50:34Z"
  name: pod-reader-cka
  namespace: cka
  resourceVersion: "15179947"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/roles/pod-reader-cka
  uid: 16742721-4890-43de-9725-d6c721c6e4cf
rules:
- apiGroups:
  - ""
  resourceNames:
  - readablepod
  - anotherpod
  resources:
  - pods
  verbs:
  - get
  - list

創(chuàng)建RoleBinding

kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run]

--role指定RoleBinding的roleRef中的Role名稱;
--clusterrole指定RoleBinding的roleRef中的ClusterRole名稱;
--serviceaccount指定RoleBinding的subjects集合;
--user指定RoleBinding的subjects下User的名稱;
如:

[root@liabio ~]# kubectl create rolebinding admin-cka -n cka --clusterrole=admin --user=user1 --user=user2 --group=group1 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-12-03T03:47:55Z"
  name: admin-cka
  namespace: cka
  resourceVersion: "15179732"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/rolebindings/admin-cka
  uid: 4d4eacfb-3ba0-4fa1-96c3-c624fbafb12c
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group1

創(chuàng)建ServiceAccount

kubectl create serviceaccount NAME [--dry-run]

如:

[root@liabio cka]# kubectl create serviceaccount cka-1202-sa -n cka  -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-12-02T23:37:42Z"
  name: cka-1202-sa
  namespace: cka
  resourceVersion: "15159020"
  selfLink: /api/v1/namespaces/cka/serviceaccounts/cka-1202-sa
  uid: 6764e90c-cb28-4de1-9109-6e3d56941fcb

今日考題

創(chuàng)建兩個deployment名字分別為cka-1203-01、cka-1203-02;
cka-1203-01的Pod加label:cka:cka-1203-01;
cka-1203-02的Pod加label:cka:cka-1203-02;

請用利用kubectl命令label選擇器查出這兩個deployment,并按照創(chuàng)建時間排序。

例如:

NAME          READY   UP-TO-DATE   AVAILABLE   AGE
cka-1203-01   1/1     1            1           8m40s
cka-1203-02   1/1     1            1           8m38

作者簡介

作者:小碗湯,一位熱愛、認真寫作的小伙,目前維護原創(chuàng)公眾號:『我的小碗湯』,專注于寫linux、golang、docker、kubernetes等知識等提升硬實力的文章,期待你的關(guān)注。轉(zhuǎn)載說明:務(wù)必注明來源(注明:來源于公眾號:我的小碗湯, 作者:小碗湯)

作者簡潔

作者:小碗湯,一位熱愛、認真寫作的小伙,目前維護原創(chuàng)公眾號:『我的小碗湯』,專注于寫go語言、docker、kubernetes、java等開發(fā)、運維知識等提升硬實力的文章,期待你的關(guān)注。轉(zhuǎn)載說明:務(wù)必注明來源(注明:來源于公眾號:我的小碗湯,作者:小碗湯)

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容