k8s 案例为指定用户授权访问不同命名空间权限

k8s-案例为指定用户授权访问不同命名空间权限

1. 示例

  • 示例:为zhangsan用户授权default命名空间Pod读取权限

    1. 用K8S CA签发客户端证书
    2. 生成kubeconfig授权文件
    3. 创建RBAC权限策略
  • 安装cfssl证书生成工具

    [root@k8s-master rbac]# vim cfssl.sh 
    [root@k8s-master rbac]# cat cfssl.sh 
    #!/bin/bash
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl*
    mv cfssl_linux-amd64 /usr/bin/cfssl
    mv cfssljson_linux-amd64 /usr/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
    
  • 用K8S CA签发客户端证书

    [root@k8s-master rbac]# vim cert.sh 
    [root@k8s-master rbac]# cat cert.sh 
    
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }
    EOF
    
    cat > zhangsan-csr.json <<EOF
    {
      "CN": "zhangsan",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF
    
    cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes zhangsan-csr.json | cfssljson -bare zhangsan
    
  • 为指定用户授权访问不同命名空间权限

    [root@k8s-master rbac]# vim kubeconfig.sh 
    [root@k8s-master rbac]# cat kubeconfig.sh 
    
    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/pki/ca.crt \
      --embed-certs=true \
      --server=https://172.17.0.2:6443 \
      --kubeconfig=zhangsan.kubeconfig
     
    # 设置客户端认证
    kubectl config set-credentials zhangsan \
      --client-key=zhangsan-key.pem \
      --client-certificate=zhangsan.pem \
      --embed-certs=true \
      --kubeconfig=zhangsan.kubeconfig
    
    # 设置默认上下文
    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user=zhangsan \
      --kubeconfig=zhangsan.kubeconfig
    
    # 设置当前使用配置
    kubectl config use-context kubernetes --kubeconfig=zhangsan.kubeconfig
    
  • 为指定用户授权访问不同命名空间权限

    [root@k8s-master rbac]# vim rbac.yaml 
    [root@k8s-master rbac]# cat rbac.yaml 
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""]     # api组
      resources: ["pods"]      # 资源
      verbs: ["get", "watch", "list"]  # 资源操作方案
    
    ---
    
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-pods         # 调用上面集合名称
      namespace: default
    subjects:
    - kind: User
      name: zhangsan      # 授权访问的用户
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role      # 授权特定命名空间的访问权限
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io
    
  • 认证流程图
    k8s 案例为指定用户授权访问不同命名空间权限

2. 案例操作

  • 执行cfssl工具安装

    [root@k8s-master rbac]# vim cfssl.sh 
    [root@k8s-master rbac]# sh cfssl.sh 
    --2021-08-27 15:58:44--  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229, 2606:4700::6812:17e5, ...
    Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl_linux-amd64 [following]
    --2021-08-27 15:58:45--  https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl_linux-amd64
    Resolving github.com (github.com)... 20.205.243.166
    Connecting to github.com (github.com)|20.205.243.166|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://github-releases.githubusercontent.com/21591001/6deaa080-9ebe-11eb-919d-cbab8a7bb20b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T075826Z&X-Amz-Expires=300&X-Amz-Signature=ba13061928bac86e9aa4e37155c23b3b1ec2ed273d252773f2754f0180dd497f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssl_linux-amd64&response-content-type=application%2Foctet-stream [following]
    --2021-08-27 15:58:45--  https://github-releases.githubusercontent.com/21591001/6deaa080-9ebe-11eb-919d-cbab8a7bb20b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T075826Z&X-Amz-Expires=300&X-Amz-Signature=ba13061928bac86e9aa4e37155c23b3b1ec2ed273d252773f2754f0180dd497f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssl_linux-amd64&response-content-type=application%2Foctet-stream
    Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.111.154, 185.199.109.154, 185.199.108.154, ...
    Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.111.154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10376657 (9.9M) [application/octet-stream]
    Saving to: ‘cfssl_linux-amd64’
    
    100%[==============================================================>] 10,376,657  1.54MB/s   in 2m 23s 
    
    2021-08-27 16:01:09 (70.8 KB/s) - ‘cfssl_linux-amd64’ saved [10376657/10376657]
    
    --2021-08-27 16:01:09--  https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229, 2606:4700::6812:17e5, ...
    Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64 [following]
    --2021-08-27 16:01:10--  https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64
    Resolving github.com (github.com)... 20.205.243.166
    Connecting to github.com (github.com)|20.205.243.166|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://github-releases.githubusercontent.com/21591001/8a86d880-9ebe-11eb-9d16-2fd0c4fe9f34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T080110Z&X-Amz-Expires=300&X-Amz-Signature=16d0c382b735e876b99cdc07efbd6572ac9c7b0cbe00a244773de81a72b069b7&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssljson_linux-amd64&response-content-type=application%2Foctet-stream [following]
    --2021-08-27 16:01:11--  https://github-releases.githubusercontent.com/21591001/8a86d880-9ebe-11eb-9d16-2fd0c4fe9f34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T080110Z&X-Amz-Expires=300&X-Amz-Signature=16d0c382b735e876b99cdc07efbd6572ac9c7b0cbe00a244773de81a72b069b7&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssljson_linux-amd64&response-content-type=application%2Foctet-stream
    Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.109.154, 185.199.110.154, 185.199.111.154, ...
    Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.109.154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2277873 (2.2M) [application/octet-stream]
    Saving to: ‘cfssljson_linux-amd64’
    
    100%[==============================================================>] 2,277,873    408KB/s   in 5.5s   
    
    2021-08-27 16:01:18 (401 KB/s) - ‘cfssljson_linux-amd64’ saved [2277873/2277873]
    
    --2021-08-27 16:01:18--  https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229, 2606:4700::6812:17e5, ...
    Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64 [following]
    --2021-08-27 16:01:18--  https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64
    Resolving github.com (github.com)... 20.205.243.166
    Connecting to github.com (github.com)|20.205.243.166|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://github-releases.githubusercontent.com/21591001/7b078f80-9ebe-11eb-8422-7005df0eb28f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T080053Z&X-Amz-Expires=300&X-Amz-Signature=29c27a564c53e2b1cc5b7bd74f2ff78414d64cb633c27f8114f491d71670ea51&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssl-certinfo_linux-amd64&response-content-type=application%2Foctet-stream [following]
    --2021-08-27 16:01:19--  https://github-releases.githubusercontent.com/21591001/7b078f80-9ebe-11eb-8422-7005df0eb28f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210827T080053Z&X-Amz-Expires=300&X-Amz-Signature=29c27a564c53e2b1cc5b7bd74f2ff78414d64cb633c27f8114f491d71670ea51&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=21591001&response-content-disposition=attachment%3B%20filename%3Dcfssl-certinfo_linux-amd64&response-content-type=application%2Foctet-stream
    Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.110.154, 185.199.111.154, 185.199.108.154, ...
    Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.110.154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 6595195 (6.3M) [application/octet-stream]
    Saving to: ‘cfssl-certinfo_linux-amd64’
    
    100%[==============================================================>] 6,595,195    178KB/s   in 22s    
    
    2021-08-27 16:01:42 (287 KB/s) - ‘cfssl-certinfo_linux-amd64’ saved [6595195/6595195]
    
    
  • 用K8S CA签发客户端证书

    [root@k8s-master rbac]# vim cert.sh 
    [root@k8s-master rbac]# cat cert.sh 
    
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }
    EOF
    
    cat > zhangsan-csr.json <<EOF
    {
      "CN": "zhangsan",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF
    
    cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes zhangsan-csr.json | cfssljson -bare zhangsan
    [root@k8s-master rbac]# sh cert.sh 
    2021/08/27 16:33:32 [INFO] generate received request
    2021/08/27 16:33:32 [INFO] received CSR
    2021/08/27 16:33:32 [INFO] generating key: rsa-2048
    2021/08/27 16:33:32 [INFO] encoded CSR
    2021/08/27 16:33:32 [INFO] signed certificate with serial number 163143268857299429625748078038132938378015415460
    2021/08/27 16:33:32 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    
  • 执行生成kubeconfig文件

    [root@k8s-master rbac]# vim kubeconfig.sh 
    [root@k8s-master rbac]# cat kubeconfig.sh 
    
    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/pki/ca.crt \
      --embed-certs=true \
      --server=https://172.17.0.2:6443 \
      --kubeconfig=zhangsan.kubeconfig
     
    # 设置客户端认证
    kubectl config set-credentials zhangsan \
      --client-key=zhangsan-key.pem \
      --client-certificate=zhangsan.pem \
      --embed-certs=true \
      --kubeconfig=zhangsan.kubeconfig
    
    # 设置默认上下文
    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user=zhangsan \
      --kubeconfig=zhangsan.kubeconfig
    
    # 设置当前使用配置
    kubectl config use-context kubernetes --kubeconfig=zhangsan.kubeconfig
    
    
    [root@k8s-master rbac]# sh kubeconfig.sh 
    Cluster "kubernetes" set.
    User "zhangsan" set.
    Context "kubernetes" created.
    Switched to context "kubernetes".
    
  • 没有授权访问测试一下

    [root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig  get pods
    Error from server (Forbidden): pods is forbidden: User "zhangsan" cannot list resource "pods" in API group "" in the namespace "default"
    
  • 执行授权配置

    [root@k8s-master rbac]# vim rbac.yaml 
    [root@k8s-master rbac]# cat rbac.yaml 
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""]     # api组
      resources: ["pods"]      # 资源
      verbs: ["get", "watch", "list"]  # 资源操作方案
    
    ---
    
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-pods         # 调用上面集合名称
      namespace: default
    subjects:
    - kind: User
      name: zhangsan      # 授权访问的用户
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role      # 授权特定命名空间的访问权限
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io
    [root@k8s-master rbac]# kubectl apply -f rbac.yaml 
    role.rbac.authorization.k8s.io/pod-reader created
    rolebinding.rbac.authorization.k8s.io/read-pods created
    
  • 测试

    [root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig get pods
    NAME                                     READY   STATUS    RESTARTS   AGE
    nfs-client-provisioner-ff6b5d864-sbcqq   1/1     Running   0          3d7h
    web-7d87d686d6-54txq                     1/1     Running   0          20h
    [root@k8s-master rbac]# kubectl --kubeconfig=zhangsan.kubeconfig get svc
    Error from server (Forbidden): services is forbidden: User "zhangsan" cannot list resource "services" in API group "" in the namespace "default"
    
上一篇:k8s RBAC介绍


下一篇:基于JAVA+SpringBoot+Vue+Mybatis+MYSQL的物资管理系统