K8S原来如此简单(八)ServiceAccount+RBAC - chester·chen
source link: https://www.cnblogs.com/chenyishi/p/16052883.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
正文
ServiceAccount
ServiceAccount是给运行在Pod的程序使用的身份认证,Pod容器的进程需要访问API Server时用的就是ServiceAccount账户。
ServiceAccount仅局限它所在的namespace,每个namespace创建时都会自动创建一个default service account。
创建Pod时,如果没有指定Service Account,Pod则会使用default Service Account。
通过以下命令可以查看我们前面创建chesterns这个namespace下的serviceaccount与对应的secret
kubectl describe pod -n chesterns kubectl describe sa -n chesterns kubectl describe secrets -n chesterns
通过以下命令查看serviceaccount挂载进容器内部的文件
kubectl exec -it chesterdeployment-cb855fb4b-5ksgd -n chesterns -- ls /var/run/secrets/kubernetes.io/serviceaccount/
- ca.crt:根证书,用于Client端验证API Server发送的证书
- namespace:标识这个service-account-token的作用域空间
- token:使用API Server私钥签名的JWT,用于访问API Server时,Server端的验证
自定义ServiceAccount
kubectl create sa chestersa -n chesterns kubectl describe sa chestersa -n chesterns
通过指定serviceAccountName,让pod使用自定义的sa
apiVersion: apps/v1 kind: Deployment metadata: name: chesterdeployment namespace: chesterns labels: app: chesterapi spec: replicas: 1 selector: matchLabels: app: chesterapi template: metadata: labels: app: chesterapi spec: serviceAccountName: chestersa containers: - name: oneapi image: registry.cn-beijing.aliyuncs.com/chester-k8s/oneapi:latest ports: - containerPort: 5000 livenessProbe: httpGet: path: /test port: 5000 - name: twoapi image: registry.cn-beijing.aliyuncs.com/chester-k8s/twoapi:latest ports: - containerPort: 5001 livenessProbe: httpGet: path: /test/calloneapi port: 5001
我们可以配置serviceaccount中的ImagePullSecret,拉取私有镜像。
创建secret
kubectl create secret docker-registry aliregistry --docker-server=registry.cn-beijing.aliyuncs.com --docker-username=陈xx --docker-password=xxxxx -n chesterns
kubectl edit sa chestersa -n chesterns imagePullSecrets: #添加此字段 - name: aliregistry
通过我们自定义的sa拉取私有镜像
apiVersion: apps/v1 kind: Deployment metadata: name: chesterdeployment namespace: chesterns labels: app: chesterapi spec: replicas: 1 selector: matchLabels: app: chesterapi template: metadata: labels: app: chesterapi spec: serviceAccountName: chestersa containers: - name: oneapi image: registry.cn-beijing.aliyuncs.com/chester-k8s/privateoneapi:latest ports: - containerPort: 5000 livenessProbe: httpGet: path: /test port: 5000
通过以下命令验证私有镜像拉取状态
kubectl delete -f deployment.yaml kubectl apply -f deployment.yaml kubectl describe pod -n chesterns
RBAC
在Kubernetes中,所有资源对象都是通过API对象进行操作,他们保存在etcd里。
而对etcd的操作我们需要通过访问 kube-apiserver 来实现,上面的Service Account其实就是APIServer的认证过程,而授权的机制是通过RBAC这个基于角色的访问控制实现。
Role与ClusterRole
在RBAC中,Role表示一组规则权限,权限只会增加(累加权限)。
-
Role 是定义在一个 namespace 中
-
ClusterRole 是集群级别的
定义Role
定义一个Role,限定在在名字为 chesterns namespace 中,对Pods有get,watch,list的权限
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: chesterrole namespace: chesterns rules: - apiGroups: [""] resources: ["pods"] verbs: ["get","watch","list"]
kubectl create -f role.yaml kubectl get role -n chesterns
修改初始化集群时,应用kubeconfig文件的模式
vi /etc/profile export KUBECONFIG=/etc/kubernetes/admin.conf #删除 source /etc/profile mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config
创建用户
useradd chester su - chester #尝试访问集群 kubectl get pod
下载cfssl
cd /usr/bin wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 ## 改名,给执行权限 mv cfssl_linux-amd64 cfssl mv cfssljson_linux-amd64 cfssljson mv cfssl-certinfo_linux-amd64 cfssl-certinfo chmod +x * ll -h
生成证书
mkdir /usr/local/chestercert cd /usr/local/chestercert vi chester-csr.json
{ "CN": "chester", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "O": "Ctyun", "ST": "BeiJing", "OU": "System" } ] }
cd /etc/kubernetes/pki/ cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /usr/local/chestercert/chester-csr.json | cfssljson -bare chesteruser ls
为chester用户生成集群配置文件
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://192.168.43.111:6443 --kubeconfig=chester.kubeconfig ls
绑定用户信息至kubeconfig中
kubectl config set-credentials chesteruser \ --client-certificate=/etc/kubernetes/pki/chesteruser.pem \ --client-key=/etc/kubernetes/pki/chesteruser-key.pem \ --embed-certs=true \ --kubeconfig=chester.kubeconfig
设置上下文参数
kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=chesteruser \ --namespace=chesterns \ --kubeconfig=chester.kubeconfig
把kubeconfig文件复制到chester用户的目录的.kube下
mkdir -p /home/chester/.kube cp chester.kubeconfig /home/chester/.kube/config cd /home/chester/.kube/ ls config ## 修改文件所有者 cd /home/chester/ chown -R chester:chester .kube/
RoleBinding与ClusterRoleBinding
RoleBinding可以将角色中定义的权限授予用户或用户组。
RoleBinding包含一组权限列表(Subjects),权限列表中包含有不同形式的待授予权限资源类型(users,groups, or Service Account),Rolebinding 同样包含对被 Bind的Role
-
RoleBinding 适用于某个命名空间内授权
-
ClusterRoleBinding适用于集群范围内的授权。
定义RoleBinding
定义一个名称为chesterrolebinding,将chesterrole权限资源赋予名为chester的用户,仅作用于chesterns namespace。
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: chesterrolebinding namespace: chesterns subjects: - kind: User name: chester apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: chesterrole apiGroup: rbac.authorization.k8s.io
kubectl apply -f rolebinding.yaml kubectl describe rolebinding -n chesterns
验证chester用户能否正常访问
su chester cd /home/chester/.kube kubectl config use-context kubernetes --kubeconfig=config kubectl get pod -n chesterns
C#/.net/.net core QQ群:953553560
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK