Managing Permissions in a Kubernetes Cluster with RBAC + ServiceAccounts

Overview

A short note on how to create a ClusterRole in a k8s cluster, bind it to a ServiceAccount to enforce access control, and use kubectl to generate a kubeconfig file that can be handed to a person with exactly those permissions.

Steps

Create the ClusterRole

The permission set below is based on the clusterrole.views permissions that kube-apiserver generates at initialization.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
# Note: when aggregationRule is set, the controller manager replaces the rules
# field of this ClusterRole with the union of the rules of the ClusterRoles that
# match the selector, so the hand-written rules below would be discarded. It is
# commented out so that the rules listed here stay in effect.
#aggregationRule:
#  clusterRoleSelectors:
#  - matchLabels:
#      rbac.example.com/aggregate-to-monitoring: "true"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - nodes/metrics
  - nodes/proxy
  - nodes/status
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - alertmanagers
  - podmonitors
  - prometheuses
  - prometheusrules
  - servicemonitors
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  - /log
  - /logs
  - /healthz
  - /healthz/*
  verbs:
  - get

If exec access to Pods is needed, create a separate ClusterRole for it:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create

Create the user (a ServiceAccount)

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cluster-readonly
  namespace: default

Create the ClusterRoleBinding

The ClusterRoleBinding created here applies across the whole cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- kind: ServiceAccount
  name: cluster-readonly
  namespace: default

Create the RoleBinding

A RoleBinding, unlike a ClusterRoleBinding, can be limited to a single namespace.

Here we create a RoleBinding in the default namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-pod-exec
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-exec
subjects:
- kind: ServiceAccount
  name: cluster-readonly
  # the ServiceAccount created above lives in "default"; a subject in another
  # namespace would refer to a different (non-existent) ServiceAccount
  namespace: default

Get the Secret associated with the ServiceAccount

SECRET=$(kubectl -n default get serviceaccount cluster-readonly -o go-template='{{range .secrets}}{{.name}}{{end}}')

Define the kube-apiserver address

API_SERVER="https://192.168.1.100:6443"

Get the cluster CA certificate

kubectl -n default get secret ${SECRET} -o yaml | awk '/ca.crt:/{print $2}' | base64 -d > ca.crt

Get the token associated with the ServiceAccount

TOKEN=$(kubectl -n default get secret ${SECRET} -o go-template='{{.data.token}}')

Define the kubeconfig file name

KUBECONFIG="cluster-readonly.kubeconfig"

Create the kubeconfig

  • Set the cluster information in the kubeconfig
kubectl config \
set-cluster k8s-cluster \
--server=${API_SERVER} \
--embed-certs=true \
--certificate-authority=./ca.crt \
--kubeconfig=${KUBECONFIG}
  • Set the kubeconfig to authenticate with user name + token
kubectl config \
set-credentials cluster-readonly \
--token=`echo ${TOKEN} | base64 -d` \
--kubeconfig=${KUBECONFIG}
  • Set the kubeconfig context
kubectl config \
set-context default \
--cluster=k8s-cluster \
--user=cluster-readonly \
--kubeconfig=${KUBECONFIG}
  • Make this context the kubeconfig default
kubectl config \
use-context default \
--kubeconfig=${KUBECONFIG}
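As an added illustration (not code from the original post), the following script assembles the same kubeconfig that the four kubectl config commands above produce, starting from the ServiceAccount Secret in the shape kubectl get secret -o json returns it. It makes the encoding difference explicit: the Secret's ca.crt is already base64 and is what --embed-certs stores as certificate-authority-data, while the token must be decoded exactly once. The function name, the sample Secret and its placeholder certificate and JWT are constructed for this example.

```python
import base64
import json


def build_kubeconfig(secret, api_server, cluster="k8s-cluster",
                     user="cluster-readonly", context="default"):
    """Return the kubeconfig (as a dict; JSON is valid YAML) that the
    set-cluster/set-credentials/set-context/use-context sequence produces.
    `secret` has the shape of `kubectl get secret <name> -o json`."""
    data = secret["data"]
    # Every value in a Secret's .data is base64. certificate-authority-data is
    # also base64, so ca.crt is copied as-is; the bearer token is decoded once
    # (this is the `base64 -d` in the set-credentials step above).
    ca_pem = base64.b64decode(data["ca.crt"])
    token = base64.b64decode(data["token"]).decode().strip()
    if not ca_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt in the secret is not a PEM certificate")
    if token.count(".") != 2:  # ServiceAccount tokens are JWTs: header.payload.sig
        raise ValueError("token does not look like a ServiceAccount JWT")
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": api_server,
            "certificate-authority-data": data["ca.crt"]}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


# Constructed sample Secret (not from a real cluster): a placeholder PEM body and
# a placeholder JWT, each base64-encoded the way the API server stores them.
SAMPLE_SECRET = {
    "type": "kubernetes.io/service-account-token",
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        ).decode(),
        "token": base64.b64encode(
            b"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzYSJ9.c2ln").decode(),
    },
}

if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_SECRET, "https://192.168.1.100:6443")
    with open("cluster-readonly.kubeconfig", "w") as f:
        json.dump(cfg, f, indent=2)
```

On Kubernetes 1.24 and later a ServiceAccount no longer gets a token Secret created automatically, so the .secrets list used above is empty; a token minted with kubectl create token cluster-readonly can be written into the users entry directly instead.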

Verify the permissions

Permitted operations

Get Pods

kubectl --kubeconfig=${KUBECONFIG} auth can-i get pod --all-namespaces

Get Pod logs

kubectl --kubeconfig=${KUBECONFIG} auth can-i get pod --subresource=log --all-namespaces

Get ingresses

kubectl --kubeconfig=${KUBECONFIG} auth can-i get ingress --all-namespaces

Result

yes

Operations that are not permitted

Create Pods

kubectl --kubeconfig=${KUBECONFIG} auth can-i create pods --all-namespaces

Delete Pods

kubectl --kubeconfig=${KUBECONFIG} auth can-i delete pods --all-namespaces

Get Secrets

kubectl --kubeconfig=${KUBECONFIG} auth can-i get secrets -n kube-system

Result

no - no RBAC policy matched
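As an added example (not part of the original post), here is a minimal model of how the RBAC authorizer evaluates the ClusterRole, ClusterRoleBinding and RoleBinding defined above, reproducing the auth can-i answers in this section: rules are purely additive, a subresource such as pods/log is matched as its own resource name, and a RoleBinding only counts for requests inside its own namespace, which is why --all-namespaces checks are answered by the ClusterRoleBinding alone. Only a subset of the cluster-readonly rules is included, and the data structures and function names are this example's own.

```python
# Subset of the rules from the cluster-readonly ClusterRole above, plus pod-exec.
ROLES = {
    "cluster-readonly": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions", "networking.k8s.io"],
         "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
        {"nonResourceURLs": ["/healthz", "/healthz/*"], "verbs": ["get"]},
    ],
    "pod-exec": [
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}

# Bindings that apply to the cluster-readonly ServiceAccount: the
# ClusterRoleBinding (namespace None = cluster-wide) and the RoleBinding
# that is limited to the "default" namespace.
BINDINGS = [
    {"role": "cluster-readonly", "namespace": None},
    {"role": "pod-exec", "namespace": "default"},
]


def rule_matches(rule, verb, group, resource, url):
    """A rule matches when every field it constrains covers the request.
    RBAC has no deny rules: anything not matched by some rule is refused."""
    verbs = rule["verbs"]
    if verb not in verbs and "*" not in verbs:
        return False
    if url is not None:  # non-resource request, e.g. GET /healthz/ready
        return any(url == p or (p.endswith("*") and url.startswith(p[:-1]))
                   for p in rule.get("nonResourceURLs", []))
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources))


def can_i(verb, resource=None, group="", subresource=None, namespace=None,
          url=None):
    """namespace=None models `--all-namespaces`: only cluster-wide bindings
    are considered, since a RoleBinding grants nothing outside its namespace."""
    full = f"{resource}/{subresource}" if subresource else resource
    for binding in BINDINGS:
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        if any(rule_matches(r, verb, group, full, url)
               for r in ROLES[binding["role"]]):
            return True
    return False
```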