欢迎关注我的公众号:
目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:
istio多集群探秘,部署了50次多集群后我得出的结论
istio多集群链路追踪,附实操视频
istio防故障利器,你知道几个,istio新手不要读,太难!
istio业务权限控制,原来可以这么玩
istio实现非侵入压缩,微服务之间如何实现压缩
不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限
不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs
不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了
不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization
不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs
不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs
不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr
不懂envoyfilter也敢说精通istio系列-08-连接池和断路器
不懂envoyfilter也敢说精通istio系列-09-http-route filter
不懂envoyfilter也敢说精通istio系列-network filter-redis proxy
不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager
不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册
————————————————
K8s的认证包含以下3种方式:
证书认证
设置apiserver的启动参数:
--client_ca_file=SOMEFILE。
Token认证
设置apiserver的启动参数:
--token_auth_file=SOMEFILE。
基本信息认证
设置apiserver的启动参数:
-- basic_auth_file=SOMEFILE
Kubectl config:
•clusters :配置要访问的kubernetes集群
•contexts :配置访问kubernetes集群的具体上下文环境
•current-context: 配置当前使用的上下文环境
•users: 配置访问的用户信息,用户名以及证书信息
•kubectl config view
• kubectl config set-cluster k8s-cluster2 --server=https://192.168.198.155:6443 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true
•kubectl config set-context kube-system-ctx --cluster=k8s-cluster1 --user=kubectl --namespace=kube-system
•kubectl config unset [clusters | contexts | users | current-context]
•cfssl gencert -ca /etc/kubernetes/ssl/ca.pem -ca-key /etc/kubernetes/ssl/ca-key.pem -config /etc/kubernetes/ssl/ca-config.json -profile kubernetes kubectl-csr.json | cfssljson -bare kubectl
•kubectl config set-credentials mark --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true
•kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password
[root@master01 auth]# vi basic_auth_file
123456,mark,123,"group1,group2,group3“
Vi /etc/systemd/system/kube-apiserver.service
--basic-auth-file=/etc/kubernetes/auth/basic_auth_file \
K8s权限控制:
•在Kubernetes中,授权有ABAC(基于属性的访问控制)、RBAC(基于角色的访问控制)、Webhook、Node、AlwaysDeny(一直拒绝)和AlwaysAllow(一直允许)这6种模式。
RBAC
•Role-based access control(RBAC)基于企业内个人用户属于角色来访问计算和网络的常规访问控制方法。简单理解为权限与角色关联,用户通过成为角色的成员来得到角色的权限。K8S的RBAC使用rbac.authorization.k8s.io/v1 API组驱动认证决策,准许管理员通过API动态配置策略。为了启用RBAC,需要在apiserver启动参数添加--authorization-mode=RBAC。
支持的动作
create delete deletecollection get list patch update watch,bind等
支持的资源
“services”, “endpoints”, “pods“,"deployments“
“jobs”,“configmaps”,“nodes”,“rolebindings”,“clusterroles”,等
示例:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: mark
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: svc-reader
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-svc
namespace: default
subjects:
- kind: User
name: mark
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: svc-reader
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: svc-reader
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-svc-global
subjects:
- kind: User
name: mark
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: svc-reader
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: svc-reader
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-svc-global
subjects:
- kind: Group
name: group1
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: svc-reader
apiGroup: rbac.authorization.k8s.io
子资源:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
resources: ["pods","pods/log"]
verbs: ["get","list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods-log
namespace: default
subjects:
- kind: User
name: mark
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-and-pod-logs-reader
apiGroup: rbac.authorization.k8s.io
特定资源:
•kubectl create cm my-configmap --from-literal=username=mark --from-literal=pass=123456
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: configmap-updater
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["my-configmap"]
verbs: ["update","get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: configmap-updater-default
namespace: default
subjects:
- kind: User
name: mark
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: configmap-updater
apiGroup: rbac.authorization.k8s.io
所有被认证的用户:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
serviceaccount:
kubectl create sa mysa
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: ServiceAccount
name: mysa
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
命令:
•kubectl create rolebinding
•kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
•$ kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme
•kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
•kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
•kubectl create role foo --verb=get,list,watch --resource=replicasets.apps
•kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
•kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
•kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
•kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps
•kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
•kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
•kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
•kubectl auth reconcile 子命令已经被添加用来应用 RBAC 资源。当传入一个文件包括 RBAC roles,rolebindings,clusterroles,或者 clusterrolebindings,该命令能够计算出覆盖的权限并且添加遗漏的规则。
•Kubectl auth can-i
