k8s集群中的rbac权限管理

k8s集群中的rbac权限管理

启用RBAC，需要在 apiserver 中添加参数--authorization-mode=RBAC，如果使用的kubeadm安装的集群，1.6 版本以上的都默认开启了RBAC查看是否开启：$ cat /etc/kubernetes/manifests/kube-apiserver.yaml

spec: containers: - command: - kube-apiserver - --advertise-address=192.168.1.243 - --allow-privileged=true - --authorization-mode=Node,RBAC

创建一个 User Account，只能访问 kube-system 这个命名空间1、创建私钥$ openssl genrsa -out dongyali.key 20482、创建证书签名请求文件CN表示要创建的用户名，O表示要创建的组penssl req -new -key dongyali.key -out dongyali.csr -subj "/CN=dongyali/O=booster"3、生成最终的证书文件，设置证书的有效期为1000天需要使用ca.crt和ca.key两个文件来批准证书请求，如果使用的是kubeadm安装的集群，这个两个文件位于/etc/kubernetes/pki/目录下面$ openssl x509 -req -in dongyali.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dongyali.crt -days 1000$ lsdongyali.csr dongyali.key dongyali.crt4、使用刚刚创建的证书文件和私钥文件在集群中创建用户dongyali$ kubectl config set-credentials dongyali --client-certificate=dongyali.crt --client-key=dongyali.key5、为用户创建上下文，并限制在kube-system空间内$ kubectl config set-context dongyali-context --cluster=kubernetes --namespace=kube-system --user=dongyali6、为用户dongyali创建角色创建一个允许用户操作 Deployment、Pod、ReplicaSets 的角色

apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: dongyali-role namespace: kube-system rules: - apiGroups: ["", "extensions", "apps"] resources: ["deployments", "replicasets", "pods"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # 也可以使用['*']

7、创建角色绑定，绑定用户dongyali和角色

apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: dongyali-rolebinding namespace: kube-system subjects: - kind: User name: dongyali apiGroup: "" roleRef: kind: Role name: dongyali-role apiGroup: ""

8、测试$ kubectl get pods --context=dongyali-context$ kubectl --context=dongyali-context get pods --namespace=defaultError from server (Forbidden): pods is forbidden: User "dongyali" cannot list pods in the namespace "default"

创建一个只能访问某个 namespace 的ServiceAccount1、创建一个 ServiceAccount 对象$ kubectl create sa dongyali-sa -n kube-system2、创建role

apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: dongyali-sa-role namespace: kube-system rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", "list"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

3、创建一个 RoleBinding 对象

kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: dongyali-sa-rolebinding namespace: kube-system subjects: - kind: ServiceAccount name: dongyali-sa namespace: kube-system roleRef: kind: Role name: dongyali-sa-role apiGroup: rbac.authorization.k8s.io

创建一个可以访问所有 namespace 的ServiceAccount需要使用 ClusterRole 和 ClusterRoleBinding 这两种资源对象1、新建一个 ServiceAcount 对象

apiVersion: v1 kind: ServiceAccount metadata: name: dongyali-sa2 namespace: kube-system

2、创建一个 ClusterRoleBinding 对象使用现有的集群角色cluster-admin，不用创建新的了

kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: dongyali-sa2-clusterrolebinding subjects: - kind: ServiceAccount name: dongyali-sa2 namespace: kube-system roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。