Kubernetes resources: Role, RoleBinding, ClusterRole and ClusterRoleBinding



Kubernetes authentication supports the following 3 methods:

Certificate authentication: set the apiserver startup parameter --client_ca_file=SOMEFILE.

Token authentication: set the apiserver startup parameter --token_auth_file=SOMEFILE.

Basic (username/password) authentication: set the apiserver startup parameter --basic_auth_file=SOMEFILE.

kubectl config:

•clusters: the Kubernetes clusters to be accessed

•contexts: the specific context (cluster, user, namespace) used to access a cluster

•current-context: the context currently in use

•users: the identities used for access: user name and certificate information

•kubectl config view

•kubectl config set-cluster k8s-cluster2 --server=https://192.168.198.155:6443 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true

•kubectl config set-context kube-system-ctx --cluster=k8s-cluster1 --user=kubectl --namespace=kube-system

•kubectl config unset [clusters | contexts | users | current-context]

•cfssl gencert -ca /etc/kubernetes/ssl/ca.pem -ca-key /etc/kubernetes/ssl/ca-key.pem -config /etc/kubernetes/ssl/ca-config.json -profile kubernetes kubectl-csr.json | cfssljson -bare kubectl

•kubectl config set-credentials mark --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true

•kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password

Basic auth file (one line per user: password,user,uid,"groups"):

[root@master01 auth]# vi basic_auth_file

123456,mark,123,"group1,group2,group3"

Then reference the file in the apiserver unit:

vi /etc/systemd/system/kube-apiserver.service

--basic-auth-file=/etc/kubernetes/auth/basic_auth_file \

Kubernetes authorization:

•Kubernetes has 6 authorization modes: ABAC (attribute-based access control), RBAC (role-based access control), Webhook, Node, AlwaysDeny and AlwaysAllow.

RBAC

•Role-based access control (RBAC) is a general access-control method in which individual users in an organization get access to compute and network resources through the roles they belong to. Put simply, permissions are attached to roles, and a user obtains a role's permissions by becoming a member of that role. Kubernetes RBAC uses the rbac.authorization.k8s.io/v1 API group to drive authorization decisions, letting administrators configure policy dynamically through the API. To enable RBAC, add --authorization-mode=RBAC to the apiserver startup parameters.


Supported verbs

create, delete, deletecollection, get, list, patch, update, watch, bind, etc.

Supported resources

"services", "endpoints", "pods", "deployments", "jobs", "configmaps", "nodes", "rolebindings", "clusterroles", etc.

Example:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default              # a Role is namespaced
  name: pod-reader
rules:
- apiGroups: [""]                 # "" is the core API group (pods, services, configmaps, ...)
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:                          # the Role must exist in the same namespace as the RoleBinding
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader                # a ClusterRole has no namespace
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding                 # a RoleBinding may reference a ClusterRole, but grants it only in its own namespace
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding          # grants svc-reader to mark in every namespace
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: Group                     # group membership comes from the authenticator, e.g. the groups column of basic_auth_file
  name: group1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

Subresources:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"] # pods/log is a subresource; a rule on "pods" alone does not cover it
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods-log
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader
  apiGroup: rbac.authorization.k8s.io

Specific resources:

•kubectl create cm my-configmap --from-literal=username=mark --from-literal=pass=123456

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"] # limits the rule to this single ConfigMap
  verbs: ["update", "get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: configmap-updater-default
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io

All authenticated users:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: Group
  name: system:authenticated      # built-in group containing every authenticated identity, service accounts included
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ServiceAccount:

kubectl create sa mysa

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount            # ServiceAccount subjects carry no apiGroup; they are identified by namespace and name
  name: mysa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
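The Role, ClusterRole and binding manifests above, as an added example that is not code from the original post or from Kubernetes itself: a small Python model of how the API server answers "kubectl auth can-i" from those objects, with the manifests transcribed as Python dicts so it runs without a cluster or a YAML library. The binding name read-pods-sa and the caller identity strings are assumptions; everything else is taken from the manifests above.

```python
# Added example (not from the post): models how the API server answers "kubectl auth can-i".
def role(kind, name, rules, ns=None):
    return {"kind": kind, "ns": ns, "name": name, "rules": rules}
def binding(kind, name, subjects, ref_kind, ref_name, ns=None):
    return {"kind": kind, "ns": ns, "name": name, "subjects": subjects,
            "roleRef": {"kind": ref_kind, "name": ref_name}}

ROLES = [
    role("Role", "pod-reader", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}], "default"),
    role("ClusterRole", "svc-reader", [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]}]),
    role("Role", "configmap-updater", [{"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["my-configmap"], "verbs": ["update", "get"]}], "default"),
]
BINDINGS = [
    binding("RoleBinding", "read-pods", [{"kind": "User", "name": "mark"}], "Role", "pod-reader", "default"),
    binding("RoleBinding", "read-svc", [{"kind": "User", "name": "mark"}], "ClusterRole", "svc-reader", "default"),
    binding("ClusterRoleBinding", "read-svc-global", [{"kind": "Group", "name": "group1"}], "ClusterRole", "svc-reader"),
    binding("RoleBinding", "configmap-updater-default", [{"kind": "User", "name": "mark"}], "Role", "configmap-updater", "default"),
    binding("RoleBinding", "read-pods-sa", [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}], "Role", "pod-reader", "default"),  # name assumed
]

def subject_matches(s, user, groups):
    if s["kind"] == "Group":           # e.g. group1, or the built-in system:authenticated
        return s["name"] in groups
    if s["kind"] == "ServiceAccount":  # a SA authenticates as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{s['namespace']}:{s['name']}"
    return s["kind"] == "User" and user == s["name"]

def rule_allows(rule, verb, api_group, resource, name):
    if api_group not in rule["apiGroups"] or resource not in rule["resources"] or verb not in rule["verbs"]:
        return False
    return not rule.get("resourceNames") or name in rule["resourceNames"]  # no resourceNames = any object

def resolve_ref(b):
    ref, ns = b["roleRef"], (b["ns"] if b["roleRef"]["kind"] == "Role" else None)
    return next((r for r in ROLES if (r["kind"], r["ns"], r["name"]) == (ref["kind"], ns, ref["name"])), None)

def can_i(user, groups, verb, resource, namespace, name=None, api_group=""):
    """Deny by default: allow only if a binding names the caller and its role covers the request."""
    for b in BINDINGS:
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole
        # (read-svc); only a ClusterRoleBinding (read-svc-global) applies in every namespace.
        if b["kind"] == "RoleBinding" and b["ns"] != namespace:
            continue
        ref = resolve_ref(b)
        if ref and any(rule_allows(r, verb, api_group, resource, name) for r in ref["rules"]):
            return True
    return False
```

The namespace check is the point the four ClusterRole examples make: mark can list services only in default, while any member of group1 can list them everywhere.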

Commands:

kubectl create rolebinding

•kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme

•kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme

•kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

•kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

•kubectl create role foo --verb=get,list,watch --resource=replicasets.apps

•kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

•kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

•kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

•kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps

•kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status

•kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*

•kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

•The kubectl auth reconcile subcommand was added to apply RBAC resources. Given a file containing RBAC roles, rolebindings, clusterroles or clusterrolebindings, it computes the permissions they cover and adds any missing rules.

•kubectl auth can-i
