7

Kubernetes-一文详解ServiceAccount与RBAC权限控制

 3 years ago
source link: http://www.yunweipai.com/38955.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

一、ServiceAccount

1.ServiceAccount 介绍

首先Kubernetes中账户区分为:User Accounts(用户账户) 和 Service Accounts(服务账户) 两种,它们的设计及用途如下:

  • UserAccount是给kubernetes集群外部用户使用的,例如运维或者集群管理人员,使用kubectl命令时用的就是UserAccount账户;UserAccount是全局性。在集群所有namespaces中,名称具有唯一性,默认情况下用户为admin;

    用户名称可以在kubeconfig中查看

    [root@Centos8 ~]# cd ~/.kube/
    [root@Centos8 .kube]# ls
    cache  config  http-cache
    [root@Centos8 .kube]# cat config
    ...
      users:
      - name: kubernetes-admin
    ...

    [ root @ Centos8 ~ ] # cd ~/.kube/

    [ root @ Centos8 . kube ] # ls

    cache   config   http - cache

    [ root @ Centos8 . kube ] # cat config

    . . .

       users :

       - name : kubernetes - admin

    . . .

  • ServiceAccount是给运行在Pod的程序使用的身份认证,Pod容器的进程需要访问API Server时用的就是ServiceAccount账户;ServiceAccount仅局限它所在的namespace,每个namespace创建时都会自动创建一个default service account;创建Pod时,如果没有指定Service Account,Pod则会使用default Service Account。

2.Secret 与 SA(ServiceAccount) 的关系

Kubernetes设计了一种Secret资源,分为两类,一种是用于 ServiceAccount 的kubernetes.io/ service-account-token,就是上边说的 SA,每创建一个SA,就会随之创建一个Secret;另一种就是用户自定义的保密信息Opaque。

3.默认的Service Account

ServiceAccount仅局限它所在的namespace,所以在创建namespace时会自动创建一个默认的 SA,而 SA 创建时,也会创建对应的 Secret,下面操作验证下:

创建名称空间

[root@Centos8 .kube]# kubectl create ns vfan
namespace/vfan created

[ root @ Centos8 . kube ] # kubectl create ns vfan

namespace / vfan created

查看SA

[root@Centos8 .kube]# kubectl get sa -n vfan
NAME      SECRETS   AGE
default   1         67s

[ root @ Centos8 . kube ] # kubectl get sa -n vfan

NAME       SECRETS   AGE

default    1          67s

查看 SA 的 Secret

[root@Centos8 .kube]# kubectl describe sa default -n vfan
Name:                default
Namespace:           vfan
Labels:              
Annotations:         
Image pull secrets:  
Mountable secrets:   default-token-wwbc8
Tokens:              default-token-wwbc8
Events:              

[root@Centos8 ~]# kubectl get secret -n vfan
NAME                  TYPE                                  DATA   AGE
default-token-wwbc8   kubernetes.io/service-account-token   3      3m15s

[ root @ Centos8 . kube ] # kubectl describe sa default -n vfan

Name :                  default

Namespace :            vfan

Labels :               

Annotations :         

Image pull secrets :   

Mountable secrets :    default - token - wwbc8

Tokens :                default - token - wwbc8

Events :               

[ root @ Centos8 ~ ] # kubectl get secret -n vfan

NAME                   TYPE                                   DATA   AGE

default - token - wwbc8   kubernetes . io / service - account - token    3        3m15s

可以看到,创建ns时默认创建了SA,SA默认创建了一个 kubernetes.io/service-account-token类型的secret

创建一个Pod

vim pods.yaml

apiVersion: v1
kind: Pod
metadata:
  name: test-sa
  namespace: vfan
spec:
  containers:
  - name: test-sa
    image: nginx:1.2.1
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80

apiVersion : v1

kind : Pod

metadata :

   name : test - sa

   namespace : vfan

spec :

   containers :

   - name : test - sa

     image : nginx : 1.2.1

     imagePullPolicy : IfNotPresent

     ports :

     - containerPort : 80

[root@Centos8 rbac]# kubectl create -f pods.yaml 
pod/test-sa created

[root@Centos8 rbac]# kubectl get pod -n vfan
NAME      READY   STATUS    RESTARTS   AGE
test-sa   1/1     Running   0          12s

[root@Centos8 rbac]# kubectl describe pod test-sa -n vfan
...
Containers:
  test-sa:
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-wwbc8 (ro)
Volumes:
  default-token-wwbc8:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-wwbc8
    Optional:    false
...

[ root @ Centos8 rbac ] # kubectl create -f pods.yaml

pod / test - sa created

[ root @ Centos8 rbac ] # kubectl get pod -n vfan

NAME       READY   STATUS     RESTARTS   AGE

test - sa    1 / 1      Running    0            12s

[ root @ Centos8 rbac ] # kubectl describe pod test-sa -n vfan

. . .

Containers :

   test - sa :

     Mounts :

       / var / run / secrets / kubernetes . io / serviceaccount from default - token - wwbc8 ( ro )

Volumes :

   default - token - wwbc8 :

     Type :          Secret ( a volume populated by a Secret )

     SecretName :    default - token - wwbc8

     Optional :      false

. . .

在不指定SA的情况下,当前 ns下面的 Pod 会默认使用 “default” 这个 SA,对应的 Secret 会自动挂载到 Pod 的 /var/run/secrets/kubernetes.io/serviceaccount/ 目录中,我们可以在 Pod 里面获取到用于身份认证的信息。

进入Pod Container内,查看 SA

[root@Centos8 rbac]# kubectl exec -it test-sa -n vfan -- /bin/bash root@test-sa:/# cd /var/run/secrets/kubernetes.io/serviceaccount/ root@test-sa:/var/run/secrets/kubernetes.io/serviceaccount# ls ca.crt namespace token

可以看到有三个文件,作用分别为

ca.crt:根证书,用于Client端验证API Server发送的证书
namespace:标识这个service-account-token的作用域空间
token:使用API Server私钥签名的JWT,用于访问API Server时,Server端的验证

[ root @ Centos8 rbac ] # kubectl exec -it test-sa -n vfan -- /bin/bash

root @ test - sa : / # cd /var/run/secrets/kubernetes.io/serviceaccount/

root @ test - sa : / var / run / secrets / kubernetes . io / serviceaccount # ls

ca . crt   namespace    token

### 可以看到有三个文件,作用分别为

ca . crt :根证书,用于 Client 端验证 API Server 发送的证书

namespace :标识这个 service - account - token 的作用域空间

token :使用 API Server 私钥签名的 JWT ,用于访问 API Server 时, Server 端的验证

4.使用自定义SA

创建一个 SA

[root@Centos8 rbac]# kubectl create sa vfansa -n vfan
serviceaccount/vfansa created

[root@Centos8 rbac]# kubectl get sa -n vfan
NAME      SECRETS   AGE
default   1         19m
vfansa    1         7s

[root@Centos8 rbac]# kubectl describe sa vfansa -n vfan
Name:                vfansa
Namespace:           vfan
Labels:              
Annotations:         
Image pull secrets:  
Mountable secrets:   vfansa-token-9s8f7
Tokens:              vfansa-token-9s8f7
Events:              

[root@Centos8 rbac]# kubectl get secret -n vfan
NAME                  TYPE                                  DATA   AGE
default-token-wwbc8   kubernetes.io/service-account-token   3      19m
vfansa-token-9s8f7    kubernetes.io/service-account-token   3      49s

[ root @ Centos8 rbac ] # kubectl create sa vfansa -n vfan

serviceaccount / vfansa created

[ root @ Centos8 rbac ] # kubectl get sa -n vfan

NAME       SECRETS   AGE

default    1          19m

vfansa      1          7s

[ root @ Centos8 rbac ] # kubectl describe sa vfansa -n vfan

Name :                  vfansa

Namespace :            vfan

Labels :               

Annotations :         

Image pull secrets :   

Mountable secrets :    vfansa - token - 9s8f7

Tokens :                vfansa - token - 9s8f7

Events :               

[ root @ Centos8 rbac ] # kubectl get secret -n vfan

NAME                   TYPE                                   DATA   AGE

default - token - wwbc8   kubernetes . io / service - account - token    3        19m

vfansa - token - 9s8f7      kubernetes . io / service - account - token    3        49s

同样,手动创建 SA 后,自动创建了对应的 Secret

更新Pod,使用新创建的SA

vim pods.yaml

apiVersion: v1
kind: Pod
metadata:
  name: test-sa
  namespace: vfan
spec:
  containers:
  - name: test-sa
    image: nginx:1.2.1
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
  serviceAccountName: vfansa    # 加入此参数

apiVersion : v1

kind : Pod

metadata :

   name : test - sa

   namespace : vfan

spec :

   containers :

   - name : test - sa

     image : nginx : 1.2.1

     imagePullPolicy : IfNotPresent

     ports :

     - containerPort : 80

   serviceAccountName : vfansa      # 加入此参数

[root@Centos8 rbac]# kubectl create -f pods.yaml 
pod/test-sa created

[root@Centos8 rbac]# kubectl describe pod test-sa -n vfan
...
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from vfansa-token-9s8f7 (ro)
Volumes:
  vfansa-token-9s8f7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  vfansa-token-9s8f7
    Optional:    false
...

[ root @ Centos8 rbac ] # kubectl create -f pods.yaml

pod / test - sa created

[ root @ Centos8 rbac ] # kubectl describe pod test-sa -n vfan

. . .

     Mounts :

       / var / run / secrets / kubernetes . io / serviceaccount from vfansa - token - 9s8f7 ( ro )

Volumes :

   vfansa - token - 9s8f7 :

     Type :          Secret ( a volume populated by a Secret )

     SecretName :    vfansa - token - 9s8f7

     Optional :      false

. . .

5.ServiceAccount中添加Image pull secrets

在笔者之前的博客中:Secret介绍及演示( https://www.cnblogs.com/v-fan/p/13269433.html )中提及到,可以使用Secret来保存私人镜像仓库的登录信息,来达到免登录获取image的效果,同样,可以将创建好的Secret直接与SA进行绑定,绑定完成后,只要使用此 SA 的 Pod,都可达到免登录获取image的效果

创建 docker-registry 的 Secret

[root@Centos8 rbac]# kubectl create secret docker-registry myregistrykey --docker-server=hub.vfancloud.com --docker-username=admin --docker-password=admin@123 [email protected] -n vfan
secret/myregistrykey created

[root@Centos8 rbac]# kubectl get secret -n vfan
NAME                  TYPE                                  DATA   AGE
default-token-wwbc8   kubernetes.io/service-account-token   3      62m
myregistrykey         kubernetes.io/dockerconfigjson        1      7s
vfansa-token-9s8f7    kubernetes.io/service-account-token   3      43m

[ root @ Centos8 rbac ] # kubectl create secret docker-registry myregistrykey --docker-server=hub.vfancloud.com --docker-username=admin --docker-password=admin@123 [email protected] -n vfan

secret / myregistrykey created

[ root @ Centos8 rbac ] # kubectl get secret -n vfan

NAME                   TYPE                                   DATA   AGE

default - token - wwbc8   kubernetes . io / service - account - token    3        62m

myregistrykey         kubernetes . io / dockerconfigjson          1        7s

vfansa - token - 9s8f7      kubernetes . io / service - account - token    3        43m

将 docker-registry 的 Secret 添加到SA

kubectl edit sa vfansa -n vfan

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-08-30T03:38:47Z"
  name: vfansa
  namespace: vfan
  resourceVersion: "471829"
  selfLink: /api/v1/namespaces/vfan/serviceaccounts/vfansa
  uid: 8a44df93-b2d6-4e61-ad2e-25bc5852f66e
secrets:
- name: vfansa-token-9s8f7
imagePullSecrets:   #添加此字段
- name: myregistrykey

apiVersion : v1

kind : ServiceAccount

metadata :

   creationTimestamp : "2020-08-30T03:38:47Z"

   name : vfansa

   namespace : vfan

   resourceVersion : "471829"

   selfLink : / api / v1 / namespaces / vfan / serviceaccounts / vfansa

   uid : 8a44df93 - b2d6 - 4e61 - ad2e - 25bc5852f66e

secrets :

- name : vfansa - token - 9s8f7

imagePullSecrets :    #添加此字段

- name : myregistrykey

查看 SA 的 Image pull secrets

[root@Centos8 rbac]# kubectl describe sa vfansa -n vfan 
Name:                vfansa
Namespace:           vfan
Labels:              
Annotations:         
Image pull secrets:  myregistrykey  #已添加成功
Mountable secrets:   vfansa-token-9s8f7
Tokens:              vfansa-token-9s8f7
Events:

[ root @ Centos8 rbac ] # kubectl describe sa vfansa -n vfan

Name :                  vfansa

Namespace :            vfan

Labels :               

Annotations :         

Image pull secrets :    myregistrykey    #已添加成功

Mountable secrets :    vfansa - token - 9s8f7

Tokens :                vfansa - token - 9s8f7

Events :               

这个时候,只要是使用此 SA 的Pod,都可以在docker-registry拉取镜像了,同样,可以把此 Secret 添加到default 的 SA 中,达到相同的效果

二、RBAC

1.RBAC介绍

在Kubernetes中,所有资源对象都是通过API对象进行操作,他们保存在etcd里。而对etcd的操作我们需要通过访问 kube-apiserver 来实现,上面的Service Account其实就是APIServer的认证过程,而授权的机制是通过RBAC:基于角色的访问控制实现。

2.Role and ClusterRole

在RBAC API中,Role表示一组规则权限,权限只会增加(累加权限),不存在一个资源开始就有很多权限而通过RBAC对其进行减少的操作:Role 是定义在一个 namespace 中,而 ClusterRole 是集群级别的。

下面我们定义一个Role:

vim roles.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: vfan
rules:
- apiGroups: [""]  # 为空表示为默认的core api group
  resources: ["pods"] # 数据源类型
  verbs: ["get","watch","list"] #赋予的权限

apiVersion : rbac . authorization . k8s . io / v1

kind : Role

metadata :

   name : test - role

   namespace : vfan

rules :

- apiGroups : [ "" ]    # 为空表示为默认的core api group

   resources : [ "pods" ] # 数据源类型

   verbs : [ "get" , "watch" , "list" ] #赋予的权限

以上Role策略表示在名字为 vfan namespace 中,对Pods有get,watch,list的权限

ClusterRole 具有与 Role 相同权限角色控制能力,不同的就是 Cluster Role是集群级别,它可以用于:

  • 集群级别的资源控制(例如 node 访问权限)
  • 非资源型 endpoints(例如对某个目录或文件的访问:/healthz)
  • 所有命名空间资源控制(Pod、Deployment等)

vim clusterroles.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","create","list"]

apiVersion : rbac . authorization . k8s . io / v1

kind : ClusterRole

metadata :

   name : test - clusterrole

rules :

- apiGroups : [ "" ]

   resources : [ "services" ]

   verbs : [ "get" , "create" , "list" ]

以上Cluster role策略表示,有get,create,list整个集群service的权限

下面开始创建

创建role

[root@Centos8 rbac]# kubectl create -f roles.yaml role.rbac.authorization.k8s.io/test-rbac created

[root@Centos8 rbac]# kubectl get role -n vfan NAME AGE test-rbac 27s

创建cluster role

[root@Centos8 rbac]# kubectl get clusterrole -n vfan NAME AGE admin 141d cluster-admin 141d edit 141d flannel 141d ingress-nginx 90d ingress-nginx-admission 90d system:aggregate-to-admin 141d system:aggregate-to-edit 141d system:aggregate-to-view 141d test-clusterrole 30s

## 创建role

[ root @ Centos8 rbac ] # kubectl create -f roles.yaml

role . rbac . authorization . k8s . io / test - rbac created

[ root @ Centos8 rbac ] # kubectl get role -n vfan

NAME         AGE

test - rbac    27s

## 创建cluster role

[ root @ Centos8 rbac ] # kubectl get clusterrole -n vfan

NAME                                                                   AGE

admin                                                                    141d

cluster - admin                                                            141d

edit                                                                    141d

flannel                                                                  141d

ingress - nginx                                                            90d

ingress - nginx - admission                                                  90d

system : aggregate - to - admin                                                141d

system : aggregate - to - edit                                                141d

system : aggregate - to - view                                                141d

test - clusterrole                                                        30s

可以看到,role和cluster role都已经创建成功,但是clusterrole除了这次创建的还有许多,其中以system开头的全部是系统所用的,其他的都是在装一些插件时自动添加的,也要注意,我们自己创建cluster role时不要以system开通,以免分不清楚

3.RoleBinding and ClusterRoleBinding

RoleBinding可以将角色中定义的权限授予用户或用户组,RoleBinding包含一组权限列表(Subjects),权限列表中包含有不同形式的待授予权限资源类型(users,groups, or Service Account):Rolebinding 同样包含对被 Bind 的 Role 引用;RoleBinding 适用于某个命名空间内授权,ClusterRoleBinding适用于集群范围内的授权。

创建RoleBinding

vim rolebindings.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-rolebinding
  namespace: vfan
subjects:
- kind: User    # 权限资源类型
  name: vfan    # 名称
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role    #要绑定的Role的类型(可以是Role或ClusterRole)
  name: test-role   # Role的名称
  apiGroup: rbac.authorization.k8s.io

apiVersion : rbac . authorization . k8s . io / v1

kind : RoleBinding

metadata :

   name : test - rolebinding

   namespace : vfan

subjects :

- kind : User      # 权限资源类型

   name : vfan      # 名称

   apiGroup : rbac . authorization . k8s . io

roleRef :

   kind : Role      #要绑定的Role的类型(可以是Role或ClusterRole)

   name : test - role    # Role的名称

   apiGroup : rbac . authorization . k8s . io

此策略表示,将名称为test-role的Role的权限资源赋予名为vfan的用户,仅作用于vfan namespace。

RoleBinding也可以引用ClusterRole来对当前 namespace 内用户、用户组或SA来进行授权,这种操作允许管理员在整个集群中定义一些通用的ClusterRole,然后在不同的namespace中使用RoleBinding绑定。

vim rolebindings2.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-rolebinding2
  namespace: vfan
subjects:
- kind: User
  name: vfan
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: test-clusterrole
  apiGroup: rbac.authorization.k8s.io

apiVersion : rbac . authorization . k8s . io / v1

kind : RoleBinding

metadata :

   name : test - rolebinding2

   namespace : vfan

subjects :

- kind : User

   name : vfan

   apiGroup : rbac . authorization . k8s . io

roleRef :

   kind : ClusterRole

   name : test - clusterrole

   apiGroup : rbac . authorization . k8s . io

以上策略表示,将名称为test-clusterrole的ClusterRole的资源权限赋予给了名称为vfan的用户,虽然赋予的是ClusterRole,但是由于Role仅作用于单个namespace,所以此资源策略仅仅对vfan namespace有效

创建ClusterRoleBinding

vim clusterrolebindings.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-clusterrolebinding
subjects:
- kind: Group
  name: vfan
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: test-clusterrole
  apiGroup: rbac.authorization.k8s.io

apiVersion : rbac . authorization . k8s . io / v1

kind : ClusterRoleBinding

metadata :

   name : test - clusterrolebinding

subjects :

- kind : Group

   name : vfan

   apiGroup : rbac . authorization . k8s . io

roleRef :

   kind : ClusterRole

   name : test - clusterrole

   apiGroup : rbac . authorization . k8s . io

以上策略表示,将name为test-clusterrole的ClusterRole的资源权限赋予给groupname为vfan的用户组,此用户组下所有用户拥有对整个集群的 test-clusterrole内的资源权限

实践:创建一个用户只能管理名为 vfan 的NameSpace

1.创建系统用户

[root@Centos8 rbac]# useradd vfan
[root@Centos8 rbac]# su - vfan 

## 进入vfan用户测试访问k8s集群
[vfan@Centos8 ~]$ kubectl get pod 
The connection to the server localhost:8080 was refused - did you specify the right host or port?

[ root @ Centos8 rbac ] # useradd vfan

[ root @ Centos8 rbac ] # su - vfan

## 进入vfan用户测试访问k8s集群

[ vfan @ Centos8 ~ ] $ kubectl get pod

The connection to the server localhost : 8080 was refused - did you specify the right host or port ?

默认肯定是访问不到的,如果想要访问,必须要创建vfan用户的访问证书

2.为 vfan 用户创建访问证书

下载证书生成工具 cfssl

[root@Centos8 bin]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 [root@Centos8 bin]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@Centos8 bin]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

改名,给执行权限

[root@Centos8 bin]# mv cfssl_linux-amd64 cfssl [root@Centos8 bin]# mv cfssljson_linux-amd64 cfssljson [root@Centos8 bin]# mv cfssl-certinfo_linux-amd64 cfssl-certinfo [root@Centos8 bin]# chmod +x * [root@Centos8 bin]# ll -h 总用量 19M -rwxr-xr-x 1 root root 9.9M 3月 30 2016 cfssl -rwxr-xr-x 1 root root 6.3M 3月 30 2016 cfssl-certinfo -rwxr-xr-x 1 root root 2.2M 3月 30 2016 cfssljson [root@Centos8 bin]# mkdir /usr/local/vfancert [root@Centos8 bin]# cd /usr/local/vfancert/

## 下载证书生成工具 cfssl

[ root @ Centos8 bin ] # wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

[ root @ Centos8 bin ] # wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

[ root @ Centos8 bin ] # wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

## 改名,给执行权限

[ root @ Centos8 bin ] # mv cfssl_linux-amd64 cfssl

[ root @ Centos8 bin ] # mv cfssljson_linux-amd64 cfssljson

[ root @ Centos8 bin ] # mv cfssl-certinfo_linux-amd64 cfssl-certinfo

[ root @ Centos8 bin ] # chmod +x *

[ root @ Centos8 bin ] # ll -h

总用量 19M

- rwxr - xr - x 1 root root 9.9M 3   30 2016 cfssl

- rwxr - xr - x 1 root root 6.3M 3   30 2016 cfssl - certinfo

- rwxr - xr - x 1 root root 2.2M 3   30 2016 cfssljson

[ root @ Centos8 bin ] # mkdir /usr/local/vfancert

[ root @ Centos8 bin ] # cd /usr/local/vfancert/

创建CA证书签名请求JSON文件

vim vfan-csr.json

{
  "CN": "vfan",     # 用户名称,必填
  "hosts": [],      # 主机地址,不填表示所有主机都可使用
  "key": {
    "algo": "rsa",  # 加密算法
    "size": 2048
},
  "names": [
    {
       "C": "CN",
       "L": "BeiJing",
       "O": "Ctyun",
       "ST": "BeiJing",            
       "OU": "System"
    }
  ]
}

{

   "CN" : "vfan" ,      # 用户名称,必填

   "hosts" : [ ] ,        # 主机地址,不填表示所有主机都可使用

   "key" : {

     "algo" : "rsa" ,    # 加密算法

     "size" : 2048

} ,

   "names" : [

     {

       "C" : "CN" ,

       "L" : "BeiJing" ,

       "O" : "Ctyun" ,

       "ST" : "BeiJing" ,             

       "OU" : "System"

     }

   ]

}

开始创建访问证书

[root@Centos8 vfancert]# cd /etc/kubernetes/pki/ [root@Centos8 pki]# cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /usr/local/vfancert/vfan-csr.json | cfssljson -bare vfanuser 2020/09/02 22:08:51 [INFO] generate received request 2020/09/02 22:08:51 [INFO] received CSR 2020/09/02 22:08:51 [INFO] generating key: rsa-2048 2020/09/02 22:08:51 [INFO] encoded CSR 2020/09/02 22:08:51 [INFO] signed certificate with serial number 191102646650271030964539871811792985454770130197 2020/09/02 22:08:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

创建成功,pki目录下多出vfanuser-key.pem、vfanuser.pem和vfanuser.csr文件

[root@Centos8 pki]# ls vfanuser.csr vfanuser-key.pem vfanuser.pem

[ root @ Centos8 vfancert ] # cd /etc/kubernetes/pki/

[ root @ Centos8 pki ] # cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /usr/local/vfancert/vfan-csr.json | cfssljson -bare vfanuser

2020 / 09 / 02 22 : 08 : 51 [ INFO ] generate received request

2020 / 09 / 02 22 : 08 : 51 [ INFO ] received CSR

2020 / 09 / 02 22 : 08 : 51 [ INFO ] generating key : rsa - 2048

2020 / 09 / 02 22 : 08 : 51 [ INFO ] encoded CSR

2020 / 09 / 02 22 : 08 : 51 [ INFO ] signed certificate with serial number 191102646650271030964539871811792985454770130197

2020 / 09 / 02 22 : 08 : 51 [ WARNING ] This certificate lacks a "hosts" field . This makes it unsuitable for

websites . For more information see the Baseline Requirements for the Issuance and Management

of Publicly - Trusted Certificates , v . 1.1.6 , from the CA / Browser Forum ( https : //cabforum.org);

specifically , section 10.2.3 ( "Information Requirements" ) .

## 创建成功,pki目录下多出vfanuser-key.pem、vfanuser.pem和vfanuser.csr文件

[ root @ Centos8 pki ] # ls

vfanuser . csr

vfanuser - key . pem

vfanuser . pem

3.为 vfan 用户生成集群配置文件

设置api server的环境变量

[root@Centos8 vfancert]# export KUBE_APISERVER="https://192.168.152.53:6443"

创建kubeconfig文件,以下详细参数信息可通过kubectl config set-cluster --help查看

[root@Centos8 vfancert]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=vfan.kubeconfig Cluster "kubernetes" set.

配置文件生成

[root@Centos8 vfancert]# ls vfan-csr.json vfan.kubeconfig

设置客户端参数,绑定用户信息至kubeconfig中

[root@Centos8 vfancert]# kubectl config set-credentials vfanuser

> --client-certificate=/etc/kubernetes/pki/vfanuser.pem

> --client-key=/etc/kubernetes/pki/vfanuser-key.pem

> --embed-certs=true

> --kubeconfig=vfan.kubeconfig User "vfanuser" set.

设置上下文参数

[root@Centos8 vfancert]# kubectl config set-context kubernetes

> --cluster=kubernetes

> --user=vfan

> --namespace=vfan

> --kubeconfig=vfan.kubeconfig Context "kubenetes" created.

## 设置api server的环境变量

[ root @ Centos8 vfancert ] # export KUBE_APISERVER="https://192.168.152.53:6443"

## 创建kubeconfig文件,以下详细参数信息可通过kubectl config set-cluster --help查看

[ root @ Centos8 vfancert ] # kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=vfan.kubeconfig

Cluster "kubernetes" set .

## 配置文件生成

[ root @ Centos8 vfancert ] # ls

vfan - csr . json   vfan . kubeconfig

## 设置客户端参数,绑定用户信息至kubeconfig中

[ root @ Centos8 vfancert ] # kubectl config set-credentials vfanuser \

& gt ; -- client - certificate = / etc / kubernetes / pki / vfanuser . pem \

& gt ; -- client - key = / etc / kubernetes / pki / vfanuser - key . pem \

& gt ; -- embed - certs = true \

& gt ; -- kubeconfig = vfan . kubeconfig

User "vfanuser" set .

## 设置上下文参数

[ root @ Centos8 vfancert ] # kubectl config set-context kubernetes \

& gt ; -- cluster = kubernetes \

& gt ; -- user = vfan \

& gt ; -- namespace = vfan \

& gt ; -- kubeconfig = vfan . kubeconfig

Context "kubenetes" created .

4.进行RoleBinding 验证权限生效

vim vfanrolebind.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-rolebinding
  namespace: vfan
subjects:
- kind: User
  name: vfan
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: test-rbac   # 绑定上文中创建的名称为 test-rbac 的Role,具体权限,往上翻下哈
  apiGroup: rbac.authorization.k8s.io

apiVersion : rbac . authorization . k8s . io / v1

kind : RoleBinding

metadata :

   name : test - rolebinding

   namespace : vfan

subjects :

- kind : User

   name : vfan

   apiGroup : rbac . authorization . k8s . io

roleRef :

   kind : Role

   name : test - rbac    # 绑定上文中创建的名称为 test-rbac 的Role,具体权限,往上翻下哈

   apiGroup : rbac . authorization . k8s . io

把kubeconfig文件复制到 vfan 用户的家目录的.kube下

[root@Centos8 vfancert]# mkdir -p /home/vfan/.kube
[root@Centos8 vfancert]# cp vfan.kubeconfig /home/vfan/.kube/config
[root@Centos8 vfancert]# cd /home/vfan/.kube/
[root@Centos8 .kube]# ls
config

## 修改文件所有者
[root@Centos8 vfan]# chown -R vfan:vfan .kube/

[ root @ Centos8 vfancert ] # mkdir -p /home/vfan/.kube

[ root @ Centos8 vfancert ] # cp vfan.kubeconfig /home/vfan/.kube/config

[ root @ Centos8 vfancert ] # cd /home/vfan/.kube/

[ root @ Centos8 . kube ] # ls

config

## 修改文件所有者

[ root @ Centos8 vfan ] # chown -R vfan:vfan .kube/

切换上下文,使kubectl读取到config的信息

[vfan@Centos8 .kube]$ kubectl config use-context kubernetes --kubeconfig=config 
Switched to context "kubernetes".

[ vfan @ Centos8 . kube ] $ kubectl config use - context kubernetes -- kubeconfig = config

Switched to context "kubernetes" .

开始测试权限

[vfan@Centos8 .kube]$ kubectl get pod 
No resources found.

[vfan@Centos8 .kube]$ kubectl get svc 
Error from server (Forbidden): services is forbidden: User "vfan" cannot list resource "services" in API group "" in the namespace "vfan"

[ vfan @ Centos8 . kube ] $ kubectl get pod

No resources found .

[ vfan @ Centos8 . kube ] $ kubectl get svc

Error from server ( Forbidden ) : services is forbidden : User "vfan" cannot list resource "services" in API group "" in the namespace "vfan"

可以get pod,但是不可以get service,因为之前的Role中明确的表示了自己只有get,watch,list Pod的权限

在vfan名称空间下创建测试Deployment

root用户下创建

[root@Centos8 k8sYaml]# kubectl run deployment test-vfan --replicas=3 --image=nginx:1.2.1 --namespace=vfan

[root@Centos8 k8sYaml]# kubectl get pod -n vfan NAME READY STATUS RESTARTS AGE deployment-7b89b946d-5dtvp 1/1 Running 0 17s deployment-7b89b946d-jpr5v 1/1 Running 0 17s deployment-7b89b946d-r8k4l 1/1 Running 0 17s

前往vfan用户查看

[vfan@Centos8 .kube]$ kubectl get pod NAME READY STATUS RESTARTS AGE deployment-7b89b946d-5dtvp 1/1 Running 0 67s deployment-7b89b946d-jpr5v 1/1 Running 0 67s deployment-7b89b946d-r8k4l 1/1 Running 0 67s

## root用户下创建

[ root @ Centos8 k8sYaml ] # kubectl run deployment test-vfan --replicas=3 --image=nginx:1.2.1 --namespace=vfan

[ root @ Centos8 k8sYaml ] # kubectl get pod -n vfan

NAME                         READY   STATUS     RESTARTS   AGE

deployment - 7b89b946d - 5dtvp    1 / 1      Running    0            17s

deployment - 7b89b946d - jpr5v    1 / 1      Running    0            17s

deployment - 7b89b946d - r8k4l    1 / 1      Running    0            17s

## 前往vfan用户查看

[ vfan @ Centos8 . kube ] $ kubectl get pod

NAME                         READY   STATUS     RESTARTS   AGE

deployment - 7b89b946d - 5dtvp    1 / 1      Running    0            67s

deployment - 7b89b946d - jpr5v    1 / 1      Running    0            67s

deployment - 7b89b946d - r8k4l    1 / 1      Running    0            67s

可以看到,vfan用户也可以查看到相对应的Pod,因为vfan用户在get pod时并没有指定名称空间,所以可以证明vfan用户的默认名称空间即是vfan

本文链接:http://www.yunweipai.com/38955.html


About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK