kubernetes学习笔记之十:RBAC(二)

     上一章中我们简单讲解了k8s集群用户使用Role/ClusterRole/RoleBingding/ClusterRoleBingding设置不同的权限,但是kubeconfig文件使用的admin,实际部署过程中用户应该使用自己的kubeconfig文件,下面我们参照实际使用配置用户权限.

一、创建 dev namespace

[root@k8s-master-155-221 rbac]# cat create-namespace.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: dev

[root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml 
namespace/dev created
[root@k8s-master-155-221 rbac]# kubectl get namespaces 
NAME              STATUS   AGE
default           Active   51d
dev               Active   5s
ingress-nginx     Active   8d
kube-node-lease   Active   51d
kube-public       Active   51d
kube-system       Active   51d

二、在dev namesapce中创建测试pod

[root@k8s-master-155-221 rbac]# cat pod-demo.yaml 
apiVersion: v1
kind: Pod
metadata: 
  name: dev-pod-demo
  namespace: dev
  labels:
    app: dev-myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
pod/dev-pod-demo created
[root@k8s-master-155-221 rbac]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          5s

三、创建dev-read/dev-admin/cluster-read/cluster-admin四个用户,分别对应namespace和cluster的读取和管理

创建dev-read csr文件

[root@k8s-master-155-221 cert]# cat dev-read-csr.json 
{
  "CN": "dev-read",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}

创建dev-read用户的证书和秘钥

[root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.peubernetes dev-read-csr.json  | cfssljson -bare dev-read
2020/01/20 15:59:20 [INFO] generate received request
2020/01/20 15:59:20 [INFO] received CSR
2020/01/20 15:59:20 [INFO] generating key: rsa-2048
2020/01/20 15:59:21 [INFO] encoded CSR
2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

创建dev-read用户kubecofnig文件

[root@k8s-master-155-221 cert]# cat tem.kubeconfig 
#!/bin/bash
# 设置集群参数
export KUBE_APISERVER="https://172.16.155.220:8443"
kubectl config set-cluster kubernetes \
--certificate-authority=/mnt/k8s/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=dev-read.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials dev-read \
--client-certificate=/mnt/k8s/cert/dev-read.pem \
--client-key=/mnt/k8s/cert/dev-read-key.pem \
--embed-certs=true \
--kubeconfig=dev-read.kubeconfig

# 设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=dev-read \
--kubeconfig=dev-read.kubeconfig

# 设置默认上下文
kubectl config use-context kubernetes --kubeconfig=dev-read.kubeconfig
[root@k8s-master-155-221 cert]# sh tem.kubeconfig 
Cluster "kubernetes" set.
User "dev-read" set.
Context "kubernetes" created.
Switched to context "kubernetes".

四、对用户设置不同的权限

1.配置dev-read用户可以对dev namespace具有读取pod的权限

拷贝dev-read用户的kubeconfig文件,并查看默认权限

#master上
[root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root #在master上拷贝dev-read用户的kubeconfig到集群某个节点上
#测试节点上 [root@k8s-node-155-224 ~]# mkdir .kube #创建kubeconfig默认目录并重命名文默认文件名config [root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config [root@k8s-node-155-224 ~]# kubectl get pods Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default" #当前dev-read没有任何权限 [root@k8s-node-155-224 ~]# kubectl get pods -n dev Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"

创建一个对dev namespace具有读取权限的role

[root@k8s-master-155-221 rbac]# cat role-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-pods-reader
  namespace: dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml 
role.rbac.authorization.k8s.io/dev-pods-reader created
[root@k8s-master-155-221 rbac]# kubectl get role -n dev
NAME              AGE
dev-pods-reader   10s

创建一个rolebingding,将dev-read用户和pods-reader

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:  
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
[root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
NAME            AGE
dev-read-pods   7s

测试:

[root@k8s-node-155-224 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.155.220:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-read
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-read
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          30m
[root@k8s-node-155-224 ~]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"

2.配置dev-read用户可以对dev namespace具有admin权限

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created

测试,查看是否可以删除和创建pod

[root@k8s-node-155-224 ~]# cat deploy-demo.yaml 
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: myapp-deploy
  namespace: dev
spec:
  replicas: 3
  selector: 
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: httpd
          containerPort: 80
[root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml 
deployment.apps/myapp-deploy created
[root@k8s-node-155-224 ~]# kubectl get  deploy -n dev
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
myapp-deploy   3/3     3            3           17s
[root@k8s-node-155-224 ~]# kubectl get  pods  -n dev
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s

#对于集群,可以通过绑定ClusterRoleBinding和ClusterRole来实现,具体过程类似,不再赘述

上一篇:RBAC权限管理


下一篇:基于角色访问控制RBAC权限模型的动态资源访问权限管理实现