rbac 权限控制

基于角色的控制访问(Role-Based Access，RBAC)
API Server作为Kubernetes网关，是访问和管理资源对象的唯一入口，其各种集群组件访问资源都需要经过网关才能进行正常访问和管理。每一次的访问请求都需要进行合法性的检验，其中包括身份验证、操作权限验证以及操作规范验证等

其中就包括 serviceAccount , Secret, Role, ClusterRole , RoleBinding, ClusterRoleBinding
RBAC 授权策略会创建一系列的 Role 和 ClusterRole 来绑定相应的资源实体（serviceAccount 或 group），以此来限制其对集群的操作。

pod 中使用kubectl

测试pod

apiVersion: apps/v1
kind: StatefulSet # 腾讯云固定ip必须使用StatefulSet
metadata:
  labels:
    name: comcast
  name: comcast
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: comcast
  serviceName: comcast
  template:
    metadata:
      labels:
        app: comcast #这里是容器的标签
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: comcast
        image: harbor.qima-inc.com/paas/comcast:v1
        imagePullPolicy: Always
      serviceAccount: comcast #指定serviceAccount

serviceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: comcast # ServiceAccount 的名字，给上面的comcast statefulset 使用
  namespace: kube-system
secrets:
- name: comcast-token-test # 给secrets起个名字，serviceAccount的方式是会自动创建secrets

ClusterRole

每一个 Role 都基于 Create, Read, Update, Delete（CRUD）模型来构建，并使用“动词”来应用相应的权限。例如，动词 get 表示能够获取特定资源的详细信息。
创建一个集群角色ClusterRole，因为我们需要访问其他的namespace 资源所以需要设置clusterRole，不然会forbidden。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: exceptionTesting:comcast
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - *
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - patch
  - create
- apiGroups:
  - ""
  resources:
  - configmaps #对configmaps资源操作的
  verbs:
  - '*'
- apiGroups: [""] # 指定api 分组,空字符串""表明使用 core API group
  resources: ["pods/exec"] # 指定资源，该资源表示可以使用exec 指令
  verbs: ["create"]
- apiGroups: ["extensions", "apps"] 
  resources: ["deployments","deployments/scale"] #deployments/scale 是一个资源
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

binding

将角色权限绑定

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
  labels:
    app.kubernetes.io/component: comcast
    app.kubernetes.io/instance: comcast
    app.kubernetes.io/name: comcast
  name: exceptionTesting:comcast # 指定 ClusterRoleBinding 的名字
  resourceVersion: "7990095823"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: exceptionTesting:comcast
subjects:     # 将 ClusterRole绑定到指定的ServiceAccount
- kind: ServiceAccount
  name: comcast
  namespace: kube-system

参考

Kubernetes之ServiceAccount+Secret
exec的执行权限
RBAC鉴权