运维开发实践 - Kubernetes - 用户权限管控

1.背景

当我们有一个k8s 集群，并且需要将该集群提供给用户使用的时候，我们当然只希望用户只能操作我们预先定义好的资源，即权限管控，RBAC

2. 介绍

Kubernetes中有2种权限管控，一种是为Pod中的应用提供权限管理；另一种是为用户提供权限管理；kubernetes内部使用RBAC这一套鉴权机制;

2.1.实现

openssl genrsa -out liyuan.key 2048
openssl req -new -key liyuan.key -out liyuan.csr -subj "/CN=liyuan"
# 登录集群主节点查看该目录下的证书，基于kubernetes证书签发新证书
openssl x509 -req -in liyuan.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out liyuan.crt -days 365
openssl x509 -in liyuan.crt -text -noout

# 创建用户liyuan，并未该用户绑定上述生成的证书
kubectl config set-credentials liyuan --client-certificate=./sa/liyuan.crt --client-key=./sa/liyuan.key 

# 设置当前上下文
# --namespace=default表示用户使用kubectl无需主动指定namespace, kubectl get po 会默认获取kube-system namespace下Pod资源
# --user=liyuan 别名
kubectl config set-context liyuan --cluster=kubernetes --namespace=default --user=liyuan
kubectl config use-context liyuan
kubectl config get-contexts

2.2. Role & RoleBinding（namespace层面资源权限管理）

• Role 用户设置某个命名空间内的资源权限，必须和namespace绑定
• RoleBinding用于绑定账户和Role

# role-user.yaml
# 为用户liyuan赋予default namespace下获取Pod资源的权限
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-liyuan
rules:
  - apiGroups: [""] # "" 标明 core API 组
    resources: ["pods", "pods/log"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-liyuan
subjects:
  - kind: User
    name: liyuan
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-liyuan

kubectl apply -f role-user.yaml

2.3. ClusterRole & ClusterRoleBinding （集群层面资源权限管理）

# clusterrole-user.yaml
# 为用户liyuan赋予获取集群下所有secrets资源的权限
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" 被忽略，因为 ClusterRoles 不受名字空间限制
  name: clusterrole-liyuan
rules:
  - apiGroups: [ "" ]
    # 在 HTTP 层面，用来访问 Secret 资源的名称为 "secrets"
    resources: [ "secrets" ]
    verbs: [ "get", "watch", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebinding-liyuan
subjects:
  - kind: User
    name: liyuan
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: clusterrole-liyuan
  apiGroup: rbac.authorization.k8s.io

3. 参考

# cluster-admin clusterrole
kind: ClusterRole
metadata:
  annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-12-12T13:19:37Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "77"
  uid: ba8010ec-8a5c-4881-b26b-37fed5dc5c67
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

# apiGroups: 默认为 *
# resources 
kubectl api-resources
# verbs
"get", "list", "watch", "create", "update", "patch", "delete"]

参考

为 Pod 配置服务账号
k8s之基于用户/用户组授权