k8s resources: Role, RoleBinding, ClusterRole and ClusterRoleBinding

Reader contribution  297  2022-09-08


Kubernetes authentication supports the following three methods:

Certificate authentication

Set the apiserver startup flag:

--client-ca-file=SOMEFILE

Token authentication

Set the apiserver startup flag:

--token-auth-file=SOMEFILE

Basic (username/password) authentication

Set the apiserver startup flag:

--basic-auth-file=SOMEFILE

(The flags are written here in their canonical hyphenated form. Note that static basic-auth was deprecated in Kubernetes v1.16 and the --basic-auth-file flag was removed in v1.19; certificate, token or OIDC authentication should be used on current releases.)

kubectl config:

•clusters: the Kubernetes clusters to connect to (server URL and CA)

•contexts: a named combination of cluster, user and default namespace used to access a cluster

•current-context: the context currently in use

•users: the credentials used to access a cluster (user name, client certificate and key, or token)

•kubectl config view

• kubectl config set-cluster k8s-cluster2 --server=--certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true

•kubectl config set-context kube-system-ctx --cluster=k8s-cluster1 --user=kubectl --namespace=kube-system

•kubectl config unset [clusters | contexts | users | current-context]

•cfssl gencert -ca /etc/kubernetes/ssl/ca.pem -ca-key /etc/kubernetes/ssl/ca-key.pem -config /etc/kubernetes/ssl/ca-config.json -profile kubernetes kubectl-csr.json | cfssljson -bare kubectl

•kubectl config set-credentials mark --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true

•kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password

[root@master01 auth]# vi basic_auth_file

123456,mark,123,"group1,group2,group3"

The basic-auth file is a CSV with one line per user: password, user name, user uid and an optional quoted, comma-separated list of groups. The groups are what RoleBindings and ClusterRoleBindings with kind: Group match against later.

vi /etc/systemd/system/kube-apiserver.service

--basic-auth-file=/etc/kubernetes/auth/basic_auth_file \

Kubernetes authorization:

•Kubernetes supports six authorization modes: ABAC (attribute-based access control), RBAC (role-based access control), Webhook, Node, AlwaysDeny and AlwaysAllow.

RBAC

•Role-based access control (RBAC) is the common access-control model in which users in an organization are granted access to compute and network resources through the roles they belong to. Put simply, permissions are attached to roles, and a user obtains a role's permissions by becoming a member of that role. Kubernetes RBAC uses the rbac.authorization.k8s.io/v1 API group to drive authorization decisions and lets administrators configure policy dynamically through the API. To enable RBAC, add --authorization-mode=RBAC to the apiserver startup flags.

Supported verbs

create, delete, deletecollection, get, list, patch, update, watch, bind, etc.

Supported resources

"services", "endpoints", "pods", "deployments",

"jobs", "configmaps", "nodes", "rolebindings", "clusterroles", etc.

Examples:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

A ClusterRole referenced from a namespaced RoleBinding grants its rules only inside that binding's namespace:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

The same ClusterRole bound through a ClusterRoleBinding applies in every namespace:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

Binding to a group instead of a single user (group1 is one of the groups listed for mark in basic_auth_file above):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: svc-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-svc-global
subjects:
- kind: Group
  name: group1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: svc-reader
  apiGroup: rbac.authorization.k8s.io

Subresources:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods-log
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-and-pod-logs-reader
  apiGroup: rbac.authorization.k8s.io

Specific named resources:

•kubectl create cm my-configmap --from-literal=username=mark --from-literal=pass=123456

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: configmap-updater-default
  namespace: default
subjects:
- kind: User
  name: mark
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io

All authenticated users:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ServiceAccount:

kubectl create sa mysa

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: ServiceAccount
  name: mysa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
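To make the scoping rules behind the manifests above concrete, here is an added Python model written for this page. It is not part of the original post and not the Kubernetes authorizer itself: it parses groups from a basic_auth_file line in the format shown earlier, holds in-memory copies of the Role, ClusterRole, RoleBinding and ClusterRoleBinding objects above, and answers questions in the style of kubectl auth can-i. The second user bob, the namespace kube-system, the pod name web and the service account's group list are constructed for the example, and the system:authenticated binding is left out so that the service-account case shows a denial.

```python
import csv
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed basic_auth_file in the page's format: password,user,uid,"group1,group2,...".
# mark is the page's user; bob is a constructed user with no groups.
BASIC_AUTH_FILE = '123456,mark,123,"group1,group2,group3"\nabcdef,bob,124,""\n'

Rule = Dict[str, List[str]]

# In-memory copies of the manifests above (the system:authenticated binding is omitted).
ROLES: Dict[Tuple[str, str], List[Rule]] = {  # keyed by (namespace, name)
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("default", "pod-and-pod-logs-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}],
    ("default", "configmap-updater"): [
        {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["my-configmap"],
         "verbs": ["update", "get"]}],
}
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "svc-reader": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDINGS = [  # namespaced: each grants only inside its own namespace, even when it references a ClusterRole
    {"namespace": "default", "subjects": [{"kind": "User", "name": "mark"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"namespace": "default", "subjects": [{"kind": "User", "name": "mark"}],
     "roleRef": {"kind": "Role", "name": "pod-and-pod-logs-reader"}},
    {"namespace": "default", "subjects": [{"kind": "User", "name": "mark"}],
     "roleRef": {"kind": "Role", "name": "configmap-updater"}},
    {"namespace": "default", "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]
CLUSTER_ROLE_BINDINGS = [  # cluster-wide: the referenced rules apply in every namespace
    {"subjects": [{"kind": "Group", "name": "group1"}], "roleRef": {"kind": "ClusterRole", "name": "svc-reader"}},
]


def load_basic_auth(text: str) -> Dict[str, List[str]]:
    """Map user name -> groups; the csv module handles the quoted, comma-separated group field."""
    users: Dict[str, List[str]] = {}
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        _password, name, _uid, groups = (row + [""] * 4)[:4]
        # the authenticator adds system:authenticated to every successfully authenticated principal
        users[name] = [g for g in groups.split(",") if g] + ["system:authenticated"]
    return users


def _subject_matches(subject: Dict[str, str], user: str, groups: List[str]) -> bool:
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":  # service accounts authenticate as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def _rule_allows(rule: Rule, api_group: str, resource: str, verb: str, name: Optional[str]) -> bool:
    def hit(allowed: List[str], value: str) -> bool:
        return "*" in allowed or value in allowed

    if not (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)):
        return False
    names = rule.get("resourceNames")
    # a resourceNames rule only matches requests that name one object; list and watch carry no name
    return not names or (name is not None and name in names)


def _rules_for(role_ref: Dict[str, str], binding_ns: Optional[str]) -> List[Rule]:
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_ns, role_ref["name"]), [])  # a Role must live in the binding's namespace


def can_i(user: str, groups: Iterable[str], verb: str, resource: str, namespace: Optional[str],
          name: Optional[str] = None, api_group: str = "") -> bool:
    """Deny-by-default check in the spirit of `kubectl auth can-i`: any single matching rule allows."""
    groups = list(groups)
    candidates = [(b, None) for b in CLUSTER_ROLE_BINDINGS]
    candidates += [(b, b["namespace"]) for b in ROLE_BINDINGS if b["namespace"] == namespace]
    for binding, ns in candidates:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        if any(_rule_allows(r, api_group, resource, verb, name) for r in _rules_for(binding["roleRef"], ns)):
            return True
    return False


if __name__ == "__main__":
    users = load_basic_auth(BASIC_AUTH_FILE)
    sa = "system:serviceaccount:default:mysa"
    for who, grp, verb, res, ns, nm in [
        ("mark", users["mark"], "list", "pods", "default", None),
        ("mark", users["mark"], "list", "pods", "kube-system", None),        # Role is namespaced
        ("mark", users["mark"], "list", "services", "kube-system", None),    # via group1 ClusterRoleBinding
        ("bob", users["bob"], "list", "services", "default", None),
        (sa, ["system:authenticated"], "get", "pods/log", "default", "web"),  # subresource not granted
        ("mark", users["mark"], "list", "configmaps", "default", None),      # resourceNames blocks list
    ]:
        print(f"{who:40s} {verb:6s} {res:10s} ns={ns:12s} -> {can_i(who, grp, verb, res, ns, nm)}")
```

Two results are worth dwelling on: mark can list services in kube-system only because group1 is bound cluster-wide, while the same user's pod-reader Role stops at the default namespace, and the configmap-updater rule with resourceNames never satisfies a list request, because list has no object name to match.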

Commands:

•kubectl create rolebinding

•kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme

•kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme

•kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

•kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

•kubectl create role foo --verb=get,list,watch --resource=replicasets.apps

•kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

•kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

•kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

•kubectl create clusterrole foo --verb=get,list,watch --resource=replicasets.apps

•kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status

•kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*

•kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

•The kubectl auth reconcile subcommand applies RBAC resources: given a file containing roles, rolebindings, clusterroles or clusterrolebindings, it computes which permissions are already covered and adds the missing rules.

•kubectl auth can-i
