k8s resources: Role, RoleBinding, ClusterRole and ClusterRoleBinding
  TEZNKK3IfmPf, 15 November 2023

Kubernetes authentication includes the following three methods:

Certificate authentication

Set the apiserver start-up parameter:

--client-ca-file=SOMEFILE

Token authentication

Set the apiserver start-up parameter:

--token-auth-file=SOMEFILE

Basic (username/password) authentication

Set the apiserver start-up parameter:

--basic-auth-file=SOMEFILE

kubectl config:

• clusters: the Kubernetes clusters to be accessed

• contexts: the specific context (cluster, user and namespace) used to access a cluster

• current-context: the context currently in use

• users: the user information used for access, i.e. the user name and certificate details

• kubectl config view

• kubectl config set-cluster k8s-cluster2 --server=https://192.168.198.155:6443 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true

• kubectl config set-context kube-system-ctx --cluster=k8s-cluster1 --user=kubectl --namespace=kube-system

• kubectl config unset [clusters | contexts | users | current-context]

• cfssl gencert -ca /etc/kubernetes/ssl/ca.pem -ca-key /etc/kubernetes/ssl/ca-key.pem -config /etc/kubernetes/ssl/ca-config.json -profile kubernetes kubectl-csr.json | cfssljson -bare kubectl

• kubectl config set-credentials mark --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true

• kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password

[root@master01 auth]# vi basic_auth_file

123456,mark,123,"group1,group2,group3"

vi /etc/systemd/system/kube-apiserver.service

--basic-auth-file=/etc/kubernetes/auth/basic_auth_file \
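The file handed to --basic-auth-file holds one CSV record per principal: password, user name, uid, and an optional quoted, comma-separated group list (the --token-auth-file layout is the same with a bearer token in the first column). The parser and basic-auth check below are an added example, not code from the post or from Kubernetes; the second user line and the use of hmac.compare_digest are my own additions. Note that --basic-auth-file was removed from kube-apiserver in v1.19, so this only applies to the older releases the post targets.

```python
import csv
import hmac
import io

# Constructed sample in the kube-apiserver --basic-auth-file format:
# password,user name,uid,"group1,group2,..."  (the group column is optional).
SAMPLE_AUTH_FILE = """123456,mark,123,"group1,group2,group3"
s3cret,alice,124
"""


def parse_auth_file(text):
    """Return {user name: {"secret": ..., "uid": ..., "groups": [...]}}.

    The file is plain CSV; the fourth column, when present, is one quoted field
    that itself holds a comma-separated group list, so it is split a second time.
    """
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError("need at least password,user,uid: %r" % (row,))
        groups = []
        if len(row) >= 4 and row[3]:
            groups = [g.strip() for g in row[3].split(",") if g.strip()]
        users[row[1]] = {"secret": row[0], "uid": row[2], "groups": groups}
    return users


def authenticate(users, username, password):
    """Basic-auth check. On success return the identity handed to the authorizer:
    the apiserver appends the virtual group system:authenticated to every
    authenticated principal, which is what the RoleBinding to that group later
    in the post relies on. Returns None when the credentials do not match."""
    entry = users.get(username)
    if entry is None or not hmac.compare_digest(entry["secret"], password):
        return None
    return {"name": username, "uid": entry["uid"],
            "groups": entry["groups"] + ["system:authenticated"]}
```

Because the password column is stored in clear text, the file needs the same protection as the apiserver's private keys; the group column is what later lets a single ClusterRoleBinding to group1 cover every user listed with that group.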

Kubernetes authorization:

• Kubernetes authorization has six modes: ABAC (attribute-based access control), RBAC (role-based access control), Webhook, Node, AlwaysDeny (always refuse) and AlwaysAllow (always permit).

RBAC

• Role-based access control (RBAC) is the common access-control approach in which individual users in an organisation gain access to computing and network resources through the roles they belong to. Put simply, permissions are attached to roles, and a user obtains a role's permissions by becoming a member of that role. Kubernetes RBAC uses the rbac.authorization.k8s.io/v1 API group to drive authorization decisions, allowing administrators to configure policy dynamically through the API. To enable RBAC, add --authorization-mode=RBAC to the apiserver start-up parameters.


Supported verbs

create, delete, deletecollection, get, list, patch, update, watch, bind, etc.

Supported resources

"services", "endpoints", "pods", "deployments",

"jobs", "configmaps", "nodes", "rolebindings", "clusterroles", etc.

Examples:

# Example 1: a namespaced Role bound to user "mark" with a RoleBinding;
# the grant applies only inside the "default" namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]   # "" is the core API group (pods, services, configmaps, ...)
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Example 2: a ClusterRole referenced from a RoleBinding. The rules are defined
# once, cluster-wide, but this binding grants them only in "default".
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io
---
# Example 3: the same ClusterRole bound with a ClusterRoleBinding, which grants
# read access to services in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io
---
# Example 4: as example 3, but the subject is a Group; every user whose
# authenticated identity carries "group1" receives the permissions.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: Group
  name: group1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

Subresources:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get","list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods-log
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader
  apiGroup: rbac.authorization.k8s.io

Specific resources (resourceNames):

• kubectl create cm my-configmap --from-literal=username=mark --from-literal=pass=123456

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update","get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: configmap-updater-default
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io

All authenticated users:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

serviceaccount:

kubectl create sa mysa

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: mysa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Commands:

kubectl create rolebinding

kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme

$ kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme

• kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

• kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

• kubectl create role foo --verb=get,list,watch --resource=replicasets.apps

• kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

• kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

• kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

• kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps

• kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status

• kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*

• kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

• The kubectl auth reconcile subcommand has been added for applying RBAC resources. Given a file containing RBAC roles, rolebindings, clusterroles or clusterrolebindings, it works out which permissions are already covered and adds any missing rules.

• kubectl auth can-i
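To make the scoping rules behind the YAML examples above concrete, and to show what `kubectl auth can-i` is really asking, here is an added example that is not part of the post and not Kubernetes' own code: a minimal model of the RBAC authorizer. The Role, ClusterRole and binding objects are the post's YAML transcribed as Python dicts; the user "alice", the service-account group list and the identity dicts are constructed for the example.

```python
# Added example (not from the post): a minimal model of the Kubernetes RBAC
# authorizer. Roles and bindings are the post's YAML transcribed as dicts; the
# user "alice" and the service-account group list are constructed here.
ROLES = [
    {"metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "watch", "list"]}]},
    {"metadata": {"namespace": "default", "name": "configmap-updater"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["my-configmap"], "verbs": ["update", "get"]}]},
]
CLUSTER_ROLES = [{"metadata": {"name": "svc-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]}]}]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "read-svc", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "mark"}],
     "roleRef": {"kind": "ClusterRole", "name": "svc-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-svc-global"},
     "subjects": [{"kind": "Group", "name": "group1"}],
     "roleRef": {"kind": "ClusterRole", "name": "svc-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "configmap-updater-default",
                                         "namespace": "default"},
     "subjects": [{"kind": "User", "name": "mark"}],
     "roleRef": {"kind": "Role", "name": "configmap-updater"}},
]
# Identities as the authorizer sees them: a service-account token authenticates as
# system:serviceaccount:<ns>:<name>, and every principal gets system:authenticated.
MARK = {"name": "mark", "groups": ["system:authenticated"]}
ALICE = {"name": "alice", "groups": ["group1", "system:authenticated"]}
MYSA = {"name": "system:serviceaccount:default:mysa",
        "groups": ["system:serviceaccounts", "system:serviceaccounts:default",
                   "system:authenticated"]}


def rule_matches(rule, verb, api_group, resource, name):
    """Matching semantics of one PolicyRule ("*" is the only wildcard)."""
    if verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
        return False
    # "pods/log" is covered by "pods/log", "*/log" or "*"; "pods" alone is not.
    sub = resource.split("/", 1)[1] if "/" in resource else None
    if not any(r == "*" or r == resource or (sub and r == "*/" + sub)
               for r in rule["resources"]):
        return False
    # Empty resourceNames means any object; otherwise the request must name one
    # of them, so list/watch (which carry no name) never match such a rule.
    names = rule.get("resourceNames", [])
    return not names or name in names


def subject_matches(subject, user):
    """Does a binding subject refer to this identity?"""
    if subject["kind"] == "User":
        return subject["name"] == user["name"]
    if subject["kind"] == "Group":
        return subject["name"] in user["groups"]
    if subject["kind"] == "ServiceAccount":
        return user["name"] == "system:serviceaccount:%s:%s" % (
            subject["namespace"], subject["name"])
    return False


def rules_for(binding, namespace):
    """Resolve roleRef, honouring scope: a RoleBinding, even one that points at
    a ClusterRole, only applies to requests in its own namespace."""
    ref = binding["roleRef"]
    if binding["kind"] == "RoleBinding":
        if namespace != binding["metadata"]["namespace"]:
            return []
        if ref["kind"] == "Role":
            return next((r["rules"] for r in ROLES
                         if r["metadata"]["namespace"] == namespace
                         and r["metadata"]["name"] == ref["name"]), [])
    if ref["kind"] == "ClusterRole":
        return next((c["rules"] for c in CLUSTER_ROLES
                     if c["metadata"]["name"] == ref["name"]), [])
    return []


def can_i(user, verb, resource, namespace="", name="", api_group=""):
    """Same question as `kubectl auth can-i`: allow if any binding whose subjects
    include the identity yields a rule matching the request, otherwise deny."""
    for binding in BINDINGS:
        if any(subject_matches(s, user) for s in binding["subjects"]):
            for rule in rules_for(binding, namespace):
                if rule_matches(rule, verb, api_group, resource, name):
                    return True
    return False


if __name__ == "__main__":
    print(can_i(MYSA, "list", "pods", "kube-system"))     # False: RoleBinding is namespaced
    print(can_i(ALICE, "get", "services", "kube-system"))  # True: ClusterRoleBinding via group1
    print(can_i(MARK, "get", "configmaps", "default"))     # False: resourceNames needs a name
```

Three points the model makes visible: the RoleBinding read-svc lets mark read services only in default even though it references a ClusterRole, while the ClusterRoleBinding gives anyone in group1 the same rules in every namespace; a rule for "pods" does not cover "pods/log", so the subresource must be listed explicitly; and the configmap-updater rule with resourceNames never matches a request that carries no object name, which is why the post's rule grants only update and get. RBAC is deny-by-default, so can_i returns False as soon as no binding contributes a matching rule.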
