Kubernetes RBAC
In Kubernetes every RBAC rule is an allow rule; anything not explicitly granted is denied.
Subject
- User
- Group
- ServiceAccount
Object
- Role: a role, namespace-scoped
- RoleBinding: a binding, namespace-scoped
- ClusterRole: a cluster-wide role, cluster-scoped
- ClusterRoleBinding: a cluster-wide binding, cluster-scoped
Action
- GET
- LIST
- WATCH
- ...
Understanding permissions
- Permission = action (operation/verb) + the object it is performed on
- Example: Permission = GET + /api/v1/
Related commands
Create a Role
Create a role named pods-reader that may only perform get, list and watch on the Pods resource.
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-reader created (dry run)
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
View the Role's details
# kubectl describe role pods-reader
Name: pods-reader
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
Create a RoleBinding
In a RoleBinding, --user can be a human user; a ServiceAccount can be bound as well. The user lotus here was not created beforehand; creating the binding creates the human user lotus automatically.
# kubectl create rolebinding lotus-read-pods --role=pods-reader --user=lotus --dry-run=true -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: lotus-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: lotus
# kubectl create rolebinding lotus-read-pods --role=pods-reader --user=lotus
rolebinding.rbac.authorization.k8s.io/lotus-read-pods created
View the RoleBinding's details
# kubectl describe rolebinding lotus-read-pods
Name: lotus-read-pods
Labels: <none>
Annotations: <none>
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  lotus
Switch to the newly created account and test the permissions of the bound role
Switch account
# kubectl config use-context lotus@kubernetes
Test reading the relevant resources
# kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
client-bbf58867f-tzxhf   1/1     Running   8          14d
myapp                    1/1     Running   1          2d
# kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "lotus" cannot list pods in the namespace "kube-system"
# kubectl get rs
No resources found.
Error from server (Forbidden): replicasets.extensions is forbidden: User "lotus" cannot list replicasets.extensions in the namespace "default"
Create a ClusterRole and a ClusterRoleBinding
Create the ClusterRole
# kubectl create clusterrole cluster-readers --verb=get,list,watch --resource=pods -o yaml --dry-run=true
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-readers
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl apply -f clusterRole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-readers created
View the created ClusterRole
# kubectl get clusterrole|grep reader
cluster-readers 26s
# kubectl describe clusterrole cluster-readers
Name: cluster-readers
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-readers","namespace":""},"rules":[{"apiG...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
Create the ClusterRoleBinding
# kubectl create clusterrolebinding lotus-admin-read-all-pods --clusterrole=cluster-readers --user=lotus --dry-run=true -o yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: lotus-admin-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readers
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: lotus
# kubectl apply -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/lotus-admin-read-all-pods created
Switch context and test the effect of the ClusterRoleBinding
# kubectl config use-context lotus@kubernetes
Switched to context "lotus@kubernetes".
# kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
client-bbf58867f-tzxhf   1/1     Running   9          14d
myapp                    1/1     Running   2          2d
# kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS    RESTARTS   AGE
default-http-backend-846b65fb5f-fdljl      1/1     Running   6          9d
nginx-ingress-controller-d658896cd-4npnf   1/1     Running   6          9d
# kubectl get rs
No resources found.
Error from server (Forbidden): replicasets.extensions is forbidden: User "lotus" cannot list replicasets.extensions in the namespace "default"
Additional notes
On RoleBinding and ClusterRoleBinding
- RoleBinding + User1 + Role1 = User1 is bound to Role1 through a RoleBinding and gets, within that namespace, the permissions Role1 defines
- ClusterRoleBinding + User1 + ClusterRole1 = User1 is bound to ClusterRole1 through a ClusterRoleBinding and gets the permissions ClusterRole1 defines in every namespace of the cluster
- RoleBinding + User1 + ClusterRole1 = User1 is bound to ClusterRole1 through a RoleBinding and gets the permissions ClusterRole1 defines, but only within the RoleBinding's namespace
The third combination is mainly used when every namespace needs a user with administrator permissions.
Originally you would have to create an adminUser and an adminRole in every namespace and bind them one by one with RoleBindings. Now you create a single AdminClusterRole, and the adminUser of each namespace is bound to the AdminClusterRole through a RoleBinding, which gives that adminUser administrator permissions in its own namespace only. Binding RoleBinding + ClusterRole1 in this way removes the repeated work.
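The three binding combinations above, together with the deny-by-default rule at the top of the page, can be checked with a small evaluator. The following is an added example and is not Kubernetes' own authorizer code: it models only apiGroups/resources/verbs matching and the namespace scoping of bindings, replays the page's pods-reader / cluster-readers scenario for the user lotus, and adds a constructed third case (namespace team-a, user alice, group team-a) for the RoleBinding + ClusterRole combination.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry of a Role/ClusterRole 'rules:' list (apiGroups, resources, verbs)."""
    api_groups: FrozenSet[str]
    resources: FrozenSet[str]
    verbs: FrozenSet[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class RoleLike:
    """A Role (namespace set) or a ClusterRole (namespace is None)."""
    name: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None


@dataclass(frozen=True)
class BindingLike:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace is None)."""
    name: str
    role_ref: RoleLike
    subjects: Tuple[Tuple[str, str], ...]  # (kind, name): ("User", "lotus"), ("Group", "team-a")
    namespace: Optional[str] = None


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    verb: str
    resource: str
    namespace: str
    api_group: str = ""  # "" is the core group (pods); "extensions" for replicasets.extensions


def subject_matches(subjects, req: Request) -> bool:
    return any((kind == "User" and name == req.user) or (kind == "Group" and name in req.groups)
               for kind, name in subjects)


def authorize(bindings, req: Request) -> bool:
    """Deny by default: return True only if some binding grants the request."""
    for b in bindings:
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        # A Role can only be referenced by a RoleBinding in the same namespace;
        # a ClusterRoleBinding must reference a ClusterRole.
        if b.role_ref.namespace is not None and b.role_ref.namespace != b.namespace:
            continue
        if not subject_matches(b.subjects, req):
            continue
        if any(r.matches(req.api_group, req.resource, req.verb) for r in b.role_ref.rules):
            return True
    return False


# The page's objects: pods-reader (Role in default), cluster-readers (ClusterRole) and their bindings.
READ_PODS = (Rule(frozenset({""}), frozenset({"pods"}), frozenset({"get", "list", "watch"})),)
PODS_READER = RoleLike("pods-reader", READ_PODS, namespace="default")
CLUSTER_READERS = RoleLike("cluster-readers", READ_PODS)
LOTUS_READ_PODS = BindingLike("lotus-read-pods", PODS_READER, (("User", "lotus"),), namespace="default")
LOTUS_READ_ALL_PODS = BindingLike("lotus-admin-read-all-pods", CLUSTER_READERS, (("User", "lotus"),))
# Constructed: RoleBinding in namespace team-a that references the ClusterRole, for a group.
TEAM_A_READERS = BindingLike("team-a-readers", CLUSTER_READERS, (("Group", "team-a"),), namespace="team-a")
NO_GROUPS: FrozenSet[str] = frozenset()


def evaluate_page_scenarios() -> dict:
    """Replay the kubectl checks shown on the page and the constructed team-a case."""
    rb_only = [LOTUS_READ_PODS]
    with_crb = [LOTUS_READ_PODS, LOTUS_READ_ALL_PODS]
    alice = frozenset({"team-a"})
    return {
        "rb_only/lotus list pods default": authorize(rb_only, Request("lotus", NO_GROUPS, "list", "pods", "default")),
        "rb_only/lotus list pods kube-system": authorize(rb_only, Request("lotus", NO_GROUPS, "list", "pods", "kube-system")),
        "rb_only/lotus list replicasets default": authorize(rb_only, Request("lotus", NO_GROUPS, "list", "replicasets", "default", "extensions")),
        "with_crb/lotus list pods ingress-nginx": authorize(with_crb, Request("lotus", NO_GROUPS, "list", "pods", "ingress-nginx")),
        "with_crb/lotus list replicasets default": authorize(with_crb, Request("lotus", NO_GROUPS, "list", "replicasets", "default", "extensions")),
        "rb+cr/alice list pods team-a": authorize([TEAM_A_READERS], Request("alice", alice, "list", "pods", "team-a")),
        "rb+cr/alice list pods default": authorize([TEAM_A_READERS], Request("alice", alice, "list", "pods", "default")),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_page_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

The results reproduce the Forbidden errors seen on the page: with only the RoleBinding, lotus can list pods in default but not in kube-system and cannot list replicasets in any namespace; the ClusterRoleBinding extends pod reading to every namespace without touching replicasets; the RoleBinding that references the ClusterRole grants the group only inside team-a.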
What kinds of objects can resource permissions apply to?
- Resource kinds: Pods, Deployment, ReplicaSet, ...
- Specific resources: a particular Pod
- Non-Resource URLs: endpoints that cannot be expressed as resource objects
What kinds of subjects can a role be bound to?
- user
- group
- serviceAccount
How does kubernetes-admin get full permissions?
First, a Kubernetes cluster installed with kubeadm has by default a ClusterRole and a ClusterRoleBinding both named cluster-admin.
The cluster-admin ClusterRole opens up a very broad set of permissions, and the cluster-admin ClusterRoleBinding binds that ClusterRole to a group named system:masters.
That group is defined in the subject of the certificate signing request generated when the user is created; when lotus was created, only the username was specified:
# openssl req -new -key lotus.key -out lotus.csr -subj "/CN=lotus"
If permissions are to be managed by group, the following can be used (untested):
# openssl req -new -key USERNAME.key -out USERNAME.csr -subj "/O=GROUPNAME/CN=USERNAME"
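To see how the subject of a client certificate turns into an RBAC identity, the added example below (not Kubernetes or openssl code) parses an openssl -subj string the way the apiserver's X.509 client-certificate authenticator reads the resulting certificate: CN becomes the username and every O becomes a group. It then checks that identity against the subject list of the cluster-admin ClusterRoleBinding described above. The subject strings and the alice/dev/ops values are constructed; the kubernetes-admin subject is written to mirror the page's description.

```python
from typing import List, Tuple


def parse_openssl_subject(subj: str) -> List[Tuple[str, str]]:
    """Split an openssl one-line '-subj' string such as "/O=system:masters/CN=kubernetes-admin"
    into (attribute, value) pairs in order. Assumes no '/' inside values, which is also what
    openssl's one-line -subj syntax assumes."""
    pairs = []
    for part in subj.split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((key, value))
    return pairs


def identity_from_subject(subj: str) -> Tuple[str, Tuple[str, ...]]:
    """Apply the apiserver's client-certificate mapping: CN -> username, each O -> a group."""
    pairs = parse_openssl_subject(subj)
    cns = [v for k, v in pairs if k == "CN"]
    if len(cns) != 1:
        raise ValueError("client certificate subject must carry exactly one CN")
    groups = tuple(v for k, v in pairs if k == "O")
    return cns[0], groups


# Subject list of the cluster-admin ClusterRoleBinding that kubeadm creates, as described on the page.
CLUSTER_ADMIN_BINDING_SUBJECTS = (("Group", "system:masters"),)


def subject_bound(subjects, user: str, groups: Tuple[str, ...]) -> bool:
    """True if a binding's subject list names this user directly or one of its groups."""
    return any((kind == "User" and name == user) or (kind == "Group" and name in groups)
               for kind, name in subjects)


def describe(subj: str) -> dict:
    """Identity the apiserver would derive from this subject, and whether it falls under cluster-admin."""
    user, groups = identity_from_subject(subj)
    return {"user": user, "groups": groups,
            "cluster_admin": subject_bound(CLUSTER_ADMIN_BINDING_SUBJECTS, user, groups)}


if __name__ == "__main__":
    # Constructed subjects: the page's lotus CSR, an admin-style subject, and a two-group user.
    for s in ("/CN=lotus", "/O=system:masters/CN=kubernetes-admin", "/O=dev/O=ops/CN=alice"):
        print(s, "->", describe(s))
```

The lotus certificate carries no O, so lotus belongs to no group and only the bindings that name the user directly apply; a certificate whose O is system:masters is covered by the cluster-admin ClusterRoleBinding regardless of its CN, which is why certificates with that organization deserve the same handling as the cluster's root credential.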