K8s case study: granting a specified user access to a specific namespace
1. Example
Example: grant the user zhangsan read access to Pods in the default namespace
- Sign a client certificate with the K8s CA
- Generate a kubeconfig authorization file
- Create an RBAC permission policy
Install the cfssl certificate generation tool
[root@k8s-master rbac]# vim cfssl.sh
[root@k8s-master rbac]# cat cfssl.sh
#!/bin/bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
Sign a client certificate with the K8s CA
[root@k8s-master rbac]# vim cert.sh
[root@k8s-master rbac]# cat cert.sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
cat > zhangsan-csr.json <<EOF
{
  "CN": "zhangsan",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes zhangsan-csr.json | cfssljson -bare zhangsan
Generate the kubeconfig authorization file
[root@k8s-master rbac]# vim kubeconfig.sh
[root@k8s-master rbac]# cat kubeconfig.sh
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://172.17.0.2:6443 \
  --kubeconfig=zhangsan.kubeconfig
# Set client authentication
kubectl config set-credentials zhangsan \
  --client-key=zhangsan-key.pem \
  --client-certificate=zhangsan.pem \
  --embed-certs=true \
  --kubeconfig=zhangsan.kubeconfig
# Set the default context
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=zhangsan \
  --kubeconfig=zhangsan.kubeconfig
# Set the context currently in use
kubectl config use-context kubernetes --kubeconfig=zhangsan.kubeconfig
Create the RBAC permission policy
[root@k8s-master rbac]# vim rbac.yaml
[root@k8s-master rbac]# cat rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]                   # API group
  resources: ["pods"]               # resources
  verbs: ["get", "watch", "list"]   # operations allowed on the resource
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods                   # binding name; references the Role defined above
  namespace: default
subjects:
- kind: User
  name: zhangsan                    # user being granted access
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                        # grants access within a specific namespace
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[Figure: authentication flow diagram]
2. Walkthrough
Run the cfssl tool installation
[root@k8s-master rbac]# vim cfssl.sh
[root@k8s-master rbac]# sh cfssl.sh
2021-08-27 16:01:09 (70.8 KB/s) - ‘cfssl_linux-amd64’ saved [10376657/10376657]
2021-08-27 16:01:18 (401 KB/s) - ‘cfssljson_linux-amd64’ saved [2277873/2277873]
2021-08-27 16:01:42 (287 KB/s) - ‘cfssl-certinfo_linux-amd64’ saved [6595195/6595195]
Sign the client certificate with the K8s CA
[root@k8s-master rbac]# vim cert.sh
[root@k8s-master rbac]# sh cert.sh
2021/08/27 16:33:32 [INFO] generate received request
2021/08/27 16:33:32 [INFO] received CSR
2021/08/27 16:33:32 [INFO] generating key: rsa-2048
2021/08/27 16:33:32 [INFO] encoded CSR
2021/08/27 16:33:32 [INFO] signed certificate with serial number 163143268857299429625748078038132938378015415460
2021/08/27 16:33:32 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
Generate the kubeconfig file
[root@k8s-master rbac]# vim kubeconfig.sh
[root@k8s-master rbac]# sh kubeconfig.sh
Cluster "kubernetes" set.
User "zhangsan" set.
Context "kubernetes" created.
Switched to context "kubernetes".
Test access before any authorization is granted
[root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "zhangsan" cannot list resource "pods" in API group "" in the namespace "default"
Apply the authorization configuration
[root@k8s-master rbac]# vim rbac.yaml
[root@k8s-master rbac]# kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
Test
[root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig get pods
NAME                                     READY   STATUS    RESTARTS   AGE
nfs-client-provisioner-ff6b5d864-sbcqq   1/1     Running   0          3d7h
web-7d87d686d6-54txq                     1/1     Running   0          20h
[root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig get svc
Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "default"
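To show why the two tests above behave the way they do, here is an added example (not code from the original post or from Kubernetes) that models, in simplified form, how the API server's RBAC authorizer evaluates the Role and RoleBinding from rbac.yaml against an identity taken from the client certificate (CN becomes the user name, O becomes a group). Function names are hypothetical; it also checks a request in another namespace, which the page's policy does not cover.

```python
# Added example, not code from the original post: a simplified model of how
# kube-apiserver's RBAC authorizer evaluates the Role/RoleBinding in rbac.yaml.
# Function names are hypothetical; the real authorizer also handles
# ClusterRoles, aggregated rules, resourceNames and non-resource URLs.

# Mirrors rbac.yaml on this page: Role pod-reader in namespace default.
ROLES = {("default", "pod-reader"): [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]}
# Mirrors RoleBinding read-pods: binds User zhangsan to that Role.
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": ("Role", "pod-reader"),
     "subjects": [("User", "zhangsan")]},
]

def identity_from_cert_subject(subject):
    # Client-cert auth maps the subject CN to the user name and each O to a
    # group, so the O=k8s in zhangsan-csr.json also puts zhangsan in group "k8s".
    return subject["CN"], list(subject.get("O", []))

def rule_matches(rule, api_group, resource, verb):
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))

def is_allowed(user, groups, verb, resource, namespace, api_group=""):
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        subjects = rb["subjects"]
        if ("User", user) not in subjects and not any(("Group", g) in subjects for g in groups):
            continue  # this binding is not for this identity
        kind, name = rb["roleRef"]
        if kind != "Role":
            continue  # ClusterRole references are not modelled here
        for rule in ROLES.get((namespace, name), []):
            if rule_matches(rule, api_group, resource, verb):
                return True
    return False  # RBAC is deny-by-default: no matching rule means Forbidden

def check(verb, resource, namespace="default"):
    """Evaluate a request from zhangsan, whose cert subject is CN=zhangsan, O=k8s."""
    user, groups = identity_from_cert_subject({"CN": "zhangsan", "O": ["k8s"]})
    return is_allowed(user, groups, verb, resource, namespace)

if __name__ == "__main__":
    for req in (("list", "pods"), ("list", "services"),
                ("list", "pods", "kube-system"), ("delete", "pods")):
        print(req, "allowed" if check(*req) else "Forbidden")
```

Because the O field becomes a group, any ClusterRoleBinding that targets group "k8s" would also apply to this certificate, which is worth checking before reusing that O value across users.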