一、kubectl proxy
# kubectl proxy --port=8080
# curl http://localhost:8080/api/v1/
# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/
二、serviceaccount资源
- 创建自定义serviceaccount:用于pod与api通信的认证账号
# kubectl create serviceaccount admin
serviceaccount/admin created
# kubectl create serviceaccount dongfei -o yaml --dry-run #生成配置清单
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: dongfei
# kubectl get sa #sa,serviceaccount的简写
NAME SECRETS AGE
admin 1 5s
default 1 77d
# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-76kb7
Tokens: admin-token-76kb7
Events: <none>
# kubectl get secret
NAME TYPE DATA AGE
admin-token-76kb7 kubernetes.io/service-account-token 3 36s
default-token-4q4c9 kubernetes.io/service-account-token 3 77d
mysql-root-password Opaque 1 7d21h
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
serviceAccountName: admin
# kubectl describe pods pod-sa-demo |grep -A4 Volumes
Volumes:
admin-token-76kb7:
Type: Secret (a volume populated by a Secret)
SecretName: admin-token-76kb7
Optional: false
三、RBAC 基于角色的访问控制
1、apiserver客户端配置及创建UserAccount用户
# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.100.51:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
# cd /etc/kubernetes/pki/
# (umask 077;openssl genrsa -out dongfei.key 2048)
# openssl req -new -key dongfei.key -out dongfei.csr -subj "/CN=dongfei"
# openssl x509 -req -in dongfei.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dongfei.crt -days 365
# openssl x509 -in dongfei.crt -text -noout #查看
# kubectl config set-credentials dongfei --client-certificate=./dongfei.crt --client-key=./dongfei.key --embed-certs=true
# kubectl config set-context dongfei@kubernetes --cluster=kubernetes --user=dongfei
# kubectl config use-context dongfei@kubernetes
# kubectl config view
# kubectl config use-context kubernetes-admin@kubernetes
# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.100.51:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
# kubectl config view --kubeconfig=/tmp/test.conf
2、Role角色
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
# vim role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: pods-reader
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
# kubectl apply -f role-demo.yaml
# kubectl get role
# kubectl describe role pods-reader
3、rolebinding
# kubectl create rolebinding dongfei-read-pods --role=pods-reader --user=dongfei -o yaml --dry-run > rolebinding-demo.yaml
# vim rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: dongfei-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: dongfei
# kubectl apply -f rolebinding-demo.yaml
# kubectl get rolebinding
# kubectl describe rolebinding dongfei-read-pods
# kubectl config use-context dongfei@kubernetes
# kubectl get pods #默认名称空间有权限
# kubectl get pods -n kube-system #无权限
# kubectl delete rolebinding dongfei-read-pods
4、clusterrole
# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run -o yaml > clusterrole-demo.yaml
# vim clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: cluster-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
# kubectl apply -f clusterrole-demo.yaml
5、clusterrolebinding
# kubectl create clusterrolebinding dongfei-read-all-pods --clusterrole=cluster-reader --user=dongfei --dry-run -o yaml > clusterrolebinding-demo.yaml
# kubectl apply -f clusterrolebinding-demo.yaml
# kubectl describe clusterrolebinding dongfei-read-all-pods
# kubectl config use-context dongfei@kubernetes
# kubectl get pods
# kubectl get pods -n kube-system #可以访问集群所以的名称空间
6、role绑定至clusterrole
# kubectl create rolebinding dongfei-read-pods --clusterrole=cluster-reader --user=dongfei