RBAC 访问控制 Users Accounts
前言:
后面曾经对 ServiceAccount、Users Account 认证进行了介绍与创立, 但最初的测试发现是 Users Account 并没有拜访权限, 本节介绍 RBAC 受权 对 ServiceAccount、Users Account 认证进行受权
- RBAC 是什么?
RBAC 是基于角色的访问控制(Role-Based Access Control)在 RBAC 中,权限与角色相关联,用户通过成为适当角色的成员而失去这些角色的权限。这就极大地简化了权限的治理。这样治理都是层级相互依赖的,权限赋予给角色,而把角色又赋予用户,这样的权限设计很分明,治理起来很不便。
- 角色
Role:角色, 名称空间级别; 受权特定命名空间的拜访权限
ClusterRole:集群角色, 全局级别; 受权所有命名空间的拜访权限
- 角色绑定
RoleBinding:将角色绑定到主体(即 subject), 意味着,用户仅失去了特定名称空间下的 Role 的权限,作用范畴也限于该名称空间;
ClusterRoleBinding:将集群角色绑定到主体, 让用户表演指定的集群角色; 意味着,用户失去了是集群级别的权限,作用范畴也是集群级别;
- 主体(subject)
User:用户
Group:用户组
ServiceAccount:服务账号
- 绑定对应关系
主体 (Subject) –> RoleBinding –> Role #主体取得名称空间下的 Role 的权限
主体 (Subject) –> ClusterRoleBinding –> clusterRoles #主体取得集群级别 clusterRoles 的权限
主体(Subject) –> Rolebindig –>ClusterRole #权限降级 主体取得名称空间下的 clusterRoles 的权限
- rules 中的参数阐明:
1、apiGroups:反对的 API 组列表,例如:”apiVersion: batch/v1″ 等
2、resources:反对的资源对象列表,例如 pods、deplayments、jobs 等
3、resourceNames: 指定 resource 的名称
3、verbs:对资源对象的操作方法列表。
- RBAC 应用 rbac.authorization.k8s.io API Group 来实现受权决策,容许管理员通过 Kubernetes API 动静配置策略,要启用 RBAC,须要在 apiserver 中增加参数 –authorization-mode=RBAC,如果应用的 kubeadm 装置的集群,都默认开启了 RBAC,能够通过查看 Master 节点上 apiserver 的动态 Pod 定义文件:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
...
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=192.168.4.170
- --allow-privileged=true
- --authorization-mode=Node,RBAC #默认反对 BRAC 基于角色的访问控制
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...- 查看 kube-system 名称空间下的 role 角色详情
[root@k8s-master ~]# kubectl get role -n kube-system
NAME CREATED AT
extension-apiserver-authentication-reader 2021-06-28T17:43:31Z
kube-proxy 2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19 2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config 2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager 2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler 2021-06-28T17:43:31Z
system:controller:bootstrap-signer 2021-06-28T17:43:31Z
system:controller:cloud-provider 2021-06-28T17:43:31Z
system:controller:token-cleaner 2021-06-28T17:43:31Z
[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-06-28T17:43:33Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:rules: {}
manager: kubeadm
operation: Update
time: "2021-06-28T17:43:33Z"
name: kube-proxy
namespace: kube-system
resourceVersion: "195"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules: #角色规定详细信息
- apiGroups:
- ""
resourceNames:
- kube-proxy
resources:
- configmaps
verbs: #能执行的操作
- get- role 角色绑定
- RoleBinding 角色绑定
[root@k8s-master ~]# kubectl explain rolebinding
KIND: RoleBinding
VERSION: rbac.authorization.k8s.io/v1
...
roleRef <Object> -required-
RoleRef can reference a Role in the current namespace or a ClusterRole in
the global namespace. If the RoleRef cannot be resolved, the Authorizer
must return an error.
subjects <[]Object>
Subjects holds references to the objects the role applies to.
示例 1: 创立 role 角色绑定 作用域为名称空间
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml
kind : Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pods-reader
rules:
- apiGroups: [""] #空示意默认群组
resources: ["pods","services","pods/log"] #对象资源
verbs: ["get","list","watch"] #权限
[root@k8s-master authfiles]# cat tom-pods-reader.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tom-pods-reader
namespace: default
subjects:
- kind: User
name: tom #绑定的用户名
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pods-reader #绑定之前的角色
apiGroup: rbac.authorization.k8s.io
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml
[root@k8s-master authfiles]# kubectl get role
NAME CREATED AT
pods-reader 2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME ROLE AGE
tom-pods-reader Role/pods-reader 15m- 应用 tom 用户验证权限 pod、svc
[root@k8s-master authfiles]# kubectl config get-contexts --kubeconfig=/tmp/mykubeconfig #查看以后用户
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* tom@kubernetes kubernetes tom
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
centos-deployment-66d8cd5f8b-bnnw6 1/1 Running 0 7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp ClusterIP 10.97.26.1 <none> 80/TCP 10d
demoapp-svc ClusterIP 10.99.170.77 <none> 80/TCP 10d
demodb ClusterIP None <none> 9907/TCP 5d22h
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 10d- 验证 deployment、nodes 权限 没有受权拜访失败
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope内建管理员 admin
- 名称空间管理员 admin
- clusterrole admin 名称空间级别资源 领有所有名称空间下的资源 所有操作权限
- 集群管理员 cluster-admin
- clusterrole cluster-admin 集群级别资源 领有集群所有空的资源 所有操作权限
- 之前绑定的 rolebinding 只对默认名称空间有肯定的权限
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group ""in the namespace"longhorn-system"- clusterrole admin 对所有名称空间下的资源权限
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME CREATED AT
admin 2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml- 删除绑定, 从新绑定到 clusterrole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME ROLE AGE
tom-pods-reader Role/pods-reader 35m
[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted
[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group ""in the namespace"default"示例 2: 绑定 admin 并验证权限, 作用域为名称空间
[root@k8s-master authfiles]# kubectl create --help
...
Available Commands:
clusterrole Create a ClusterRole.
clusterrolebinding Create a ClusterRoleBinding for a particular ClusterRole
configmap Create a configmap from a local file, directory or literal value
cronjob Create a cronjob with the specified name.
deployment Create a deployment with the specified name.
job Create a job with the specified name.
namespace Create a namespace with the specified name
poddisruptionbudget Create a pod disruption budget with the specified name.
priorityclass Create a priorityclass with the specified name.
quota Create a quota with the specified name.
role Create a role with single rule.
rolebinding Create a RoleBinding for a particular Role or ClusterRole
secret Create a secret using specified subcommand
service Create a service using specified subcommand.
serviceaccount Create a service account with the specified name- 能够别离对 –user、–group、–serviceaccount 进行受权
[root@k8s-master authfiles]# kubectl create clusterrolebinding --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]- 绑定并进行权限验证
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
csi-attacher-54c7586574-bh88g 1/1 Running 5 7d
csi-attacher-54c7586574-fvv4p 1/1 Running 7 19d
csi-attacher-54c7586574-zkzrg 1/1 Running 10 19d
csi-provisioner-5ff5bd6b88-9tqnh 1/1 Running 5 7d
csi-provisioner-5ff5bd6b88-bs687 1/1 Running 8 19d
csi-provisioner-5ff5bd6b88-qkzt4 1/1 Running 12 19d
csi-resizer-7699cdfc4-4w49w 1/1 Running 8 19d
......
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
coredns-f9fd979d6-l9zck 1/1 Running 16 56d
coredns-f9fd979d6-s8fp5 1/1 Running 15 56d
etcd-k8s-master 1/1 Running 12 56d
kube-apiserver-k8s-master 1/1 Running 16 56d
kube-controller-manager-k8s-master 1/1 Running 39 56d
kube-flannel-ds-6sppx 1/1 Running 1 6d22h
kube-flannel-ds-j5g9s 1/1 Running 3 6d22h
kube-flannel-ds-nfz77 1/1 Running 1 6d22h
kube-flannel-ds-sqhq2 1/1 Running 1 6d22h
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
NAME READY UP-TO-DATE AVAILABLE AGE
centos-deployment 1/1 1 1 6d22h
- node 是集群级别资源 无权限
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope示例 3: 绑定 cluster-admin 并验证权限 作用域为集群级别资源
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pv-nfs-demo002 10Gi RWX Retain Available 21d
pv-nfs-demo003 1Gi RWO Retain Available 21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1 1Gi RWX Retain Bound default/data-demodb-1 longhorn 5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1 1Gi RWX Retain Bound default/data-demodb-0 longhorn 5d23h
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready <none> 56d v1.19.9
k8s-node2 Ready <none> 56d v1.19.9
k8s-node3 Ready <none> 20d v1.19.9- 须要留神的是 cluster-admin 是通过 system:masters 组形式进行受权, 如果咱们在创立用户证书时,/CN=XX/O=system:masters; 那么这个用户就领有超级管理员的权限
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters #通过组受权所有 system:masters 都领有超级管理员权限示例 4: rolebinding 绑定 admin 权限降级
- 后面有提到
User –> Rolebindig –>ClusterRole: 权限降级,
ClusterRole,用户失去的权限仅是 ClusterRole 的权限在 Rolebinding 所属的名称空间上的一个子集; - 删除之前绑定
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted- 创立角色绑定集群角色 权限降级 只对指定名称空间有权限
[root@k8s-master authfiles]# kubectl create rolebinding tom-admin --user=tom -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created- 测试权限 作用域尽为 longhorn-system 名称空间
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group ""in the namespace"kube-system"
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group ""in the namespace"default"
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
csi-attacher-54c7586574-bh88g 1/1 Running 5 7d
csi-attacher-54c7586574-fvv4p 1/1 Running 7 19d
csi-attacher-54c7586574-zkzrg 1/1 Running 10 19d
csi-provisioner-5ff5bd6b88-9tqnh 1/1 Running 5 7d
csi-provisioner-5ff5bd6b88-bs687 1/1 Running 8 19d
csi-provisioner-5ff5bd6b88-qkzt4 1/1 Running 12 19d
csi-resizer-7699cdfc4-4w49w 1/1 Running 8 19d
csi-resizer-7699cdfc4-f5jph 1/1 Running 6 7d
csi-resizer-7699cdfc4-l2j49 1/1 Running 9 19d
...