Preface
The main problem RBAC solves right now is this: everyone is using the admin kubeconfig, so everyone has the highest privileges and can do whatever they want, which makes it very likely that someone breaks the k8s cluster without even realising it. So we need to control this: create accounts other than admin for them, so that they cannot operate on the namespaces that hold the important parts of the k8s system.

Skipping the theory for now, straight to the steps.

1. Create the certificate
Create the user's private key

[root@node-01 ~]# cd /etc/kubernetes/pki/
[root@node-01 pki]# (umask 077; openssl genrsa -out aideveloper.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
..................+++
e is 65537 (0x10001)

Create the certificate signing request
O = organisation, CN = user name (the CN becomes the Kubernetes user name)

[root@node-01 pki]# openssl req -new -key aideveloper.key -out aideveloper.csr -subj "/O=jbt/CN=aideveloper"

Sign the certificate with the cluster CA

[root@node-01 pki]# openssl x509 -req -in aideveloper.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out aideveloper.crt -days 365
Signature ok
subject=/O=jbt/CN=aideveloper
Getting CA Private Key

2. Create the config file
Creating the config file involves the following steps:

* kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE    # cluster configuration
* kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE    # user configuration
* kubectl config set-context    # context configuration
* kubectl config use-context    # switch context

Some notes:
* --embed-certs=true embeds the certificate contents (base64-encoded) in the config file instead of referencing the files by path; kubectl config view then shows the embedded data as DATA+OMITTED / REDACTED rather than printing it.
* --kubeconfig=/root/aideveloper.conf creates a new config file. Without this option the entries are added to .kube/config in the home directory, and use-context can then be used to switch between different users managing the k8s cluster.
* A context is simply which user manages which cluster, i.e. the combination of a user and a cluster.

Create the cluster configuration

[root@node-01 pki]# kubectl config set-cluster kubernetes --server=https://tw-master.senses-ai.com:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/aideveloper.conf
Cluster "kubernetes" set.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Create the user configuration

[root@node-01 pki]# kubectl config set-credentials aideveloper --client-certificate=aideveloper.crt --client-key=aideveloper.key --embed-certs=true --kubeconfig=/root/aideveloper.conf
User "aideveloper" set.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Create the context configuration

[root@node-01 pki]# kubectl config set-context aideveloper@kubernetes --cluster=kubernetes --user=aideveloper --kubeconfig=/root/aideveloper.conf
Context "aideveloper@kubernetes" created.
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Switch context

[root@node-01 pki]# kubectl config use-context aideveloper@kubernetes --kubeconfig=/root/aideveloper.conf
Switched to context "aideveloper@kubernetes".
[root@node-01 pki]# kubectl config view --kubeconfig=/root/aideveloper.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://tw-master.senses-ai.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aideveloper
  name: aideveloper@kubernetes
current-context: aideveloper@kubernetes
kind: Config
preferences: {}
users:
- name: aideveloper
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
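The four kubectl config commands above do nothing more than write entries into a YAML file. As an added example (not part of the original post and not kubectl's own code), the Python below models what each command adds to that file and what --embed-certs=true changes: the PEM contents are base64-encoded into the *-data fields instead of being referenced by path, and a view of the file redacts them the way kubectl config view does. The PEM blobs are constructed placeholders; the cluster, user and context names are the ones used in the post.

```python
import base64
import json

# Constructed stand-in PEM blobs; on the node these are the real files under /etc/kubernetes/pki.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nUSER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nUSER-KEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"


def empty_kubeconfig():
    """Skeleton of a brand-new --kubeconfig file (kubectl prints empty lists as null)."""
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "users": [], "contexts": [], "current-context": ""}


def _upsert(items, name, payload_key, payload):
    # kubectl config set-* overwrites an entry with the same name, otherwise appends one
    for item in items:
        if item["name"] == name:
            item[payload_key] = payload
            return
    items.append({"name": name, payload_key: payload})


def set_cluster(cfg, name, server, ca_path, ca_pem, embed_certs):
    # --embed-certs=true stores the base64 PEM under certificate-authority-data;
    # without it only the path in certificate-authority is recorded.
    cluster = {"server": server}
    if embed_certs:
        cluster["certificate-authority-data"] = base64.b64encode(ca_pem).decode()
    else:
        cluster["certificate-authority"] = ca_path
    _upsert(cfg["clusters"], name, "cluster", cluster)
    return cfg


def set_credentials(cfg, name, cert_path, cert_pem, key_path, key_pem, embed_certs):
    user = {}
    if embed_certs:
        user["client-certificate-data"] = base64.b64encode(cert_pem).decode()
        user["client-key-data"] = base64.b64encode(key_pem).decode()
    else:
        user["client-certificate"] = cert_path
        user["client-key"] = key_path
    _upsert(cfg["users"], name, "user", user)
    return cfg


def set_context(cfg, name, cluster, user):
    _upsert(cfg["contexts"], name, "context", {"cluster": cluster, "user": user})
    return cfg


def use_context(cfg, name):
    if not any(c["name"] == name for c in cfg["contexts"]):
        raise ValueError(f'no context exists with the name: "{name}"')
    cfg["current-context"] = name
    return cfg


def redacted_view(cfg):
    """Mimic kubectl config view, which hides embedded certificate and key data."""
    view = json.loads(json.dumps(cfg))  # deep copy so the real config is untouched
    for c in view["clusters"]:
        if "certificate-authority-data" in c["cluster"]:
            c["cluster"]["certificate-authority-data"] = "DATA+OMITTED"
    for u in view["users"]:
        for key in ("client-certificate-data", "client-key-data"):
            if key in u["user"]:
                u["user"][key] = "REDACTED"
    return view


def embedded_client_key(cfg, user_name):
    """The private key is fully recoverable from the file: whoever can read it holds the key."""
    for u in cfg["users"]:
        if u["name"] == user_name:
            return base64.b64decode(u["user"]["client-key-data"])
    raise KeyError(user_name)


def build_aideveloper_config(embed_certs=True):
    """Replays the four commands from the post in order."""
    cfg = empty_kubeconfig()
    set_cluster(cfg, "kubernetes", "https://tw-master.senses-ai.com:6443", "ca.crt", CA_PEM, embed_certs)
    set_credentials(cfg, "aideveloper", "aideveloper.crt", CERT_PEM, "aideveloper.key", KEY_PEM, embed_certs)
    set_context(cfg, "aideveloper@kubernetes", "kubernetes", "aideveloper")
    use_context(cfg, "aideveloper@kubernetes")
    return cfg


if __name__ == "__main__":
    print(json.dumps(redacted_view(build_aideveloper_config()), indent=2))
```

Because the user's private key ends up inside the config file, the file needs the same protection as the key itself (the umask 077 and the chown later in the post); the redaction only applies to what kubectl prints, not to what is on disk.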

Create the system user and the k8s credentials file

[root@node-01 ~]# useradd test     # any user name will do
[root@node-01 ~]# mkdir /home/test/.kube
[root@node-01 ~]# cp /root/aideveloper.conf /home/test/.kube/config
[root@node-01 ~]# chown test.test -R /home/test/.kube/
[root@node-01 ~]# su - test
[billy@node-01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "aideveloper" cannot list resource "pods" in API group "" in the namespace "default"

By default a new user has no permissions at all.

Create a Role
This Role only grants get, list and watch on pods

[root@node-01 rbac]# vim aideveloper-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@node-01 rbac]# kubectl apply -f aideveloper-role.yaml
role.rbac.authorization.k8s.io/aideveloper-role created

Create a RoleBinding
Binds the user aideveloper to the Role aideveloper-role

[root@node-01 rbac]# vim aideveloper-roleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper
[root@node-01 rbac]# kubectl apply -f aideveloper-roleBinding.yaml
rolebinding.rbac.authorization.k8s.io/aideveloper-roleBinding created

Verify the result
If no namespace is specified, the default namespace is used.

[billy@node-01 ~]$ kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-demo-95bd675d5-66xrm   1/1     Running   0          18d
tomcat-5c5dcbc885-7vr68      1/1     Running   0          18d
[billy@node-01 ~]$ kubectl -n kube-system get pod
Error from server (Forbidden): pods is forbidden: User "billy" cannot list resource "pods" in API group "" in the namespace "kube-system"

So we can view the pods in the default namespace, but the pods in other namespaces cannot be viewed.

Create a ClusterRole

[root@node-01 rbac]# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@node-01 rbac]# kubectl apply -f cluster-reader.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created

Create a ClusterRoleBinding

[root@node-01 rbac]# cat billy-read-all-pods.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: billy
[root@node-01 rbac]# kubectl apply -f billy-read-all-pods.yaml
clusterrolebinding.rbac.authorization.k8s.io/billy-read-all-pods created

Once the ClusterRole and ClusterRoleBinding are created, the pods in all namespaces can be seen.

More on RBAC

In an RBAC rule, verbs can be: "get", "list", "watch", "create", "update", "patch", "delete", "exec"
In a rule, resources can be: "services", "endpoints", "pods", "secrets", "configmaps", "crontabs", "deployments", "jobs", "nodes", "rolebindings", "clusterroles", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"
In a rule, apiGroups can be: "", "apps", "autoscaling", "batch"

Note:
A ClusterRoleBinding can only bind a ClusterRole.
A RoleBinding can bind either a Role or a ClusterRole.
If you want one binding to cover several roles, write several binding files.
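The scoping rules above (a RoleBinding grants only inside its own namespace even when it references a ClusterRole, a ClusterRoleBinding grants everywhere and may only reference a ClusterRole) are what produced the Forbidden errors earlier in the post. As an added example (not part of the original post and not the API server's own code), the Python below is a minimal model of how the RBAC authorizer walks bindings, replayed over the Role, RoleBinding, ClusterRole and ClusterRoleBinding from the post. The objects are dicts with the same fields as the YAML; the "dev" namespace and the dev-readers and bad-binding names are assumed, and a ClusterRoleBinding whose roleRef is a Role is modelled as raising, standing in for the API server rejecting it.

```python
def _matches(allowed, wanted):
    # RBAC rule entries match a literal name or the wildcard "*"
    return "*" in allowed or wanted in allowed


def _role_allows(role, api_group, resource, verb):
    return any(
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
        for rule in role.get("rules", [])
    )


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are not modelled here


def authorize(objects, user, verb, resource, namespace, api_group="", groups=()):
    """True if some binding grants `user` the verb on a namespaced resource."""
    roles = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    cluster_roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "ClusterRoleBinding":
            # A ClusterRoleBinding can only bind a ClusterRole; anything else is rejected.
            if ref["kind"] != "ClusterRole":
                raise ValueError(f"{binding['metadata']['name']}: ClusterRoleBinding must reference a ClusterRole")
            role = cluster_roles.get(ref["name"])
        else:
            binding_ns = binding["metadata"].get("namespace", "default")
            if binding_ns != namespace:
                continue  # a RoleBinding only grants inside its own namespace
            # A RoleBinding may reference a ClusterRole, but the grant stays namespaced.
            if ref["kind"] == "ClusterRole":
                role = cluster_roles.get(ref["name"])
            else:
                role = roles.get((binding_ns, ref["name"]))
        if role is not None and _role_allows(role, api_group, resource, verb):
            return True
    return False


def _meta(name, namespace=None):
    return {"name": name, **({"namespace": namespace} if namespace else {})}


# The objects from the post, as dicts (namespace "default" assumed for the Role and RoleBinding).
POD_READ_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
AIDEVELOPER_ROLE = {"kind": "Role", "metadata": _meta("aideveloper-role", "default"), "rules": POD_READ_RULES}
AIDEVELOPER_BINDING = {"kind": "RoleBinding", "metadata": _meta("aideveloper-roleBinding", "default"),
                       "roleRef": {"kind": "Role", "name": "aideveloper-role"},
                       "subjects": [{"kind": "User", "name": "aideveloper"}]}
CLUSTER_READER = {"kind": "ClusterRole", "metadata": _meta("cluster-reader"), "rules": POD_READ_RULES}
BILLY_READ_ALL = {"kind": "ClusterRoleBinding", "metadata": _meta("billy-read-all-pods"),
                  "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
                  "subjects": [{"kind": "User", "name": "billy"}]}


def page_scenario():
    """Replays the post: Role + RoleBinding first, then ClusterRole + ClusterRoleBinding."""
    objs = [AIDEVELOPER_ROLE, AIDEVELOPER_BINDING]
    namespaced = (authorize(objs, "aideveloper", "list", "pods", "default"),
                  authorize(objs, "aideveloper", "list", "pods", "kube-system"))
    objs += [CLUSTER_READER, BILLY_READ_ALL]
    cluster_wide = (authorize(objs, "billy", "list", "pods", "kube-system"),
                    authorize(objs, "billy", "delete", "pods", "kube-system"))
    return namespaced, cluster_wide


def rolebinding_to_clusterrole_scope():
    """A RoleBinding in "dev" (assumed) referencing the ClusterRole grants pods only in "dev"."""
    dev_binding = {"kind": "RoleBinding", "metadata": _meta("dev-readers", "dev"),
                   "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
                   "subjects": [{"kind": "User", "name": "aideveloper"}]}
    objs = [CLUSTER_READER, dev_binding]
    return (authorize(objs, "aideveloper", "get", "pods", "dev"),
            authorize(objs, "aideveloper", "get", "pods", "kube-system"))


def clusterrolebinding_to_role_is_rejected():
    """A ClusterRoleBinding (assumed name bad-binding) pointing at a Role is refused."""
    bad = {"kind": "ClusterRoleBinding", "metadata": _meta("bad-binding"),
           "roleRef": {"kind": "Role", "name": "aideveloper-role"},
           "subjects": [{"kind": "User", "name": "aideveloper"}]}
    try:
        authorize([AIDEVELOPER_ROLE, bad], "aideveloper", "get", "pods", "default")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(page_scenario())                    # ((True, False), (True, False))
    print(rolebinding_to_clusterrole_scope())  # (True, False)
    print(clusterrolebinding_to_role_is_rejected())  # True
```

On a real cluster the same questions are answered by kubectl auth can-i, for example kubectl auth can-i list pods -n kube-system --as=aideveloper, which is the quickest way to confirm that a new user's grant is as narrow as intended.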
