實(shí)踐中理解Kubernetes RBAC之Role
背景
172.16.99.128是的我k8s集群的master節(jié)點(diǎn),此處是從這里獲取集群的證書(shū)。
創(chuàng)建訪(fǎng)問(wèn)architechure命名空間的用戶(hù)
1.給用戶(hù)devops 創(chuàng)建一個(gè)私鑰
- openssl genrsa -out devops.key 2048
2.使用我們剛剛創(chuàng)建的私鑰創(chuàng)建一個(gè)證書(shū)簽名請(qǐng)求文件:devops.csr,要注意需要確保在-subj參數(shù)中指定用戶(hù)名和組(CN表示用戶(hù)名,O表示組)
- openssl req -new -key devops.key -out devops.csr -subj "/CN=devops/O=architechure"
3.然后找到我們的Kubernetes集群的CA,我們使用的是kubeadm安裝的集群,CA相關(guān)證書(shū)位于/etc/kubernetes/pki/目錄下面,如果你是二進(jìn)制方式搭建的,你應(yīng)該在最開(kāi)始搭建集群的時(shí)候就已經(jīng)指定好了CA的目錄,我們會(huì)利用該目錄下面的ca.crt和ca.key兩個(gè)文件來(lái)批準(zhǔn)上面的證書(shū)請(qǐng)求,生成最終的證書(shū)文件,我們這里設(shè)置證書(shū)的有效期為500天
- scp root@172.16.99.128:/etc/kubernetes/pki/ca.crt .
- scp root@172.16.99.128:/etc/kubernetes/pki/ca.key .
- openssl x509 -req -in devops.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out devops.crt -days 500
- ➜ ls -al
- total 72
- drwxr-xr-x 11 marion staff 352 Dec 25 11:32 .
- drwxr-xr-x 13 marion staff 416 Dec 25 11:26 ..
- -rw-r--r-- 1 marion staff 17 Dec 25 11:32 .srl
- -rw-r--r-- 1 marion staff 1156 Dec 25 11:32 README.md
- -rw-r--r-- 1 marion staff 1025 Dec 25 11:30 ca.crt
- -rw------- 1 marion staff 1675 Dec 25 11:30 ca.key
- -rw-r--r-- 1 marion staff 1009 Dec 25 11:32 devops.crt
- -rw-r--r-- 1 marion staff 924 Dec 25 11:30 devops.csr
- -rw-r--r-- 1 marion staff 1679 Dec 25 11:27 devops.key
4.現(xiàn)在我們可以使用剛剛創(chuàng)建的證書(shū)文件和私鑰文件在集群中創(chuàng)建新的憑證:
- kubectl config set-credentials devops --client-certificate=devops.crt --client-key=devops.key
5.通過(guò)剛才創(chuàng)建的用戶(hù)憑證創(chuàng)建新的上下文(Context)
- #如果你的電腦上正在管理多個(gè)集群的,可能你的集群名字會(huì)被改變,因此在下面的--cluster參數(shù)處指明實(shí)際的集群名稱(chēng),如下圖
- kubectl config set-context devops-context --cluster=cluster-tf26gt9mmk --namespace=architechure --user=devops
6.嘗試通過(guò)該用戶(hù)操作命令
- ➜ kubectl get pods --context=devops-context
- Error from server (Forbidden): pods is forbidden: User "devops" cannot list resource "pods" in API group "" in the namespace "architechure" # 因?yàn)樵揹evops-context還沒(méi)有操作API的權(quán)限
7.給用戶(hù)創(chuàng)建一個(gè)role的角色devops.role.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: devops-role
- namespace: architechure
- rules:
- - apiGroups: ["", "extensions", "apps"]
- resources: ["deployments", "replicasets", "pods"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # 也可以使用['*']
然后在集群中創(chuàng)建該角色
- kubectl apply -f ./devops.role.yaml
8.創(chuàng)建權(quán)限與角色之間的綁定關(guān)系devops-rolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: devops-rolebinding
- namespace: architechure
- subjects:
- - kind: User
- name: devops
- apiGroup: ""
- roleRef:
- kind: Role
- name: devops-role # 上一步創(chuàng)建的devops-role實(shí)體
- apiGroup: ""
在集群中創(chuàng)建角色與用戶(hù)之間的綁定關(guān)系
- k apply -f ./devops-rolebinding.yaml
9.此時(shí)我們可以通過(guò)kubecm切換到該角色上
此時(shí),從下圖就可以查看到當(dāng)前集群的有一個(gè)新的用戶(hù)角色devops,上面用到的Kubecm我們之前也分享過(guò),如果需要可以點(diǎn)此跳轉(zhuǎn)
10.權(quán)限驗(yàn)證
- > kubectl get pods
- No resources found in architechure namespace.
- > kubectl get replicasets
- No resources found in architechure namespace.
- > kubectl get deploy
- No resources found in architechure namespace.
- > kubectl get svc
- Error from server (Forbidden): services is forbidden: User "devops" cannot list resource "services" in API group "" in the namespace "architechure"
總結(jié)一下就是:
- 根據(jù)集群的CA證書(shū)創(chuàng)建出來(lái)用戶(hù)證書(shū)
- 根據(jù)用戶(hù)證書(shū)創(chuàng)建該用戶(hù)在集群內(nèi)的憑證和上下文內(nèi)容
- 要想用戶(hù)能進(jìn)行基本的操作,需要對(duì)用戶(hù)針對(duì)apiGroup授權(quán)
為devops用戶(hù)增加指定命名空間的權(quán)限
1.我們先把當(dāng)前上下文切換到之前有權(quán)限操作的user-tf26gt9mmk用戶(hù)上
- kubecm switch
- # select dev
否則以下步驟會(huì)出錯(cuò):
2.首先需要?jiǎng)?chuàng)建針對(duì)指定命名空間的上下文
- kubectl config set-context devops-context --cluster=cluster-tf26gt9mmk --namespace=default --user=devops
此時(shí)查詢(xún)列舉default空間下的pods是不行的,因?yàn)檫€沒(méi)允許操作
- kubectl get pods --context=devops-context
- Error from server (Forbidden): pods is forbidden: User "devops" cannot list resource "pods" in API group "" in the namespace "default"
3.創(chuàng)建default空間下的role與rolebinding
devops-role-default.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: devops-role
- namespace: default
- rules:
- - apiGroups: ["", "extensions", "apps"]
- resources: ["deployments", "replicasets", "pods"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # 也可以使用['*']
devops-rolebinding-default.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: devops-rolebinding
- namespace: default
- subjects:
- - kind: User
- name: devops
- apiGroup: ""
- roleRef:
- kind: Role
- name: devops-role
- apiGroup: ""
然后我們?cè)诩褐袆?chuàng)建這兩個(gè)對(duì)象
- kubectl apply -f devops-role-default.yaml
- kubectl apply -f devops-rolebinding-default.yaml
4.查看role資源對(duì)象是否創(chuàng)建
- kubectl get role -A |grep devops-role # 分別在architechure和default命名空間下
- architechure devops-role 2021-05-17T07:57:27Z
- default devops-role 2021-05-28T03:19:24Z
5.切換當(dāng)前上下文環(huán)境,驗(yàn)證是否可以操作資源
- kubecm switch
- # select devops-context
- kubectl get pods -n default
- kubectl get pods -n architechure
到這里就基本上說(shuō)清楚如何創(chuàng)建一個(gè)用戶(hù)、授權(quán)操作k8s集群的過(guò)程了。
