k8s 使用 RBAC 鉴权 建立不同用户使用k8s。只有指定命名空间的权限

发布时间 2023-05-04 14:24:04　作者: devops运维

k8s 使用 RBAC 鉴权

https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/

# 创建sa账号
kubectl create sa sa-test-20230408


# 使用sa 账号创建pod资源
[root@master01 sa]# cat pod.yaml
apiVersion: v1
kind: Pod
# Test pod: runs under the ServiceAccount created above so the API calls
# made from inside it are authorised by whatever RBAC grants that SA.
metadata:
 name: sa-test-pod-20230408
 namespace: default
 labels:
   app: sa
spec:
  # The SA's token is mounted into the container; the curl test below reads
  # it from /var/run/secrets/kubernetes.io/serviceaccount.
  serviceAccountName: sa-test-20230408
  containers:
  - name: sa-nginx
    ports:
    - containerPort: 80
    image: nginx  # NOTE(review): untagged, so this resolves to :latest — pin a tag or digest for reproducible results
    imagePullPolicy: IfNotPresent
    # Replace the image's default command with a long sleep so the pod stays
    # up for the `kubectl exec` test below (nginx itself is not started).
    command: ["/bin/sh","-c","sleep 3600"]
    
# 进入 pod 容器,用挂载的 SA token 访问 apiserver;此时 SA 尚未绑定任何权限,请求被拒绝
[root@master01 sa]# kubectl  exec -it sa-test-pod-20230408 -- /bin/bash

root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H  "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/default
返回 "code": 403 (Forbidden):认证已通过(token 有效),但没有授权


# 通过 ClusterRoleBinding 把 cluster-admin 授予 sa-test-20230408 后再访问。注意:ClusterRoleBinding 是集群范围的,这一步让任何使用该 SA 的 Pod 都拥有集群最高权限,仅用于演示;验证完后应执行 kubectl delete clusterrolebinding sa-test-20230408-clusterrolebinding 删除
kubectl create clusterrolebinding sa-test-20230408-clusterrolebinding  --clusterrole=cluster-admin --serviceaccount=default:sa-test-20230408


root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H  "Authorization: Bearer $(cat ./token)"  https://kubernetes/api/v1/namespaces/default
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "default",
    "uid": "f6ba86a9-b5ec-4850-a1d4-2afb7fc61083",
    "resourceVersion": "842384",
    "creationTimestamp": "2023-02-22T03:17:00Z",
    "labels": {
      "field.cattle.io/projectId": "p-hph99",
      "kubernetes.io/metadata.name": "default"
    },



# 查看clusterrolebinding 授权信息

[root@master01 ~]# kubectl  get clusterrolebinding| grep 20230408
sa-test-20230408-clusterrolebinding                    ClusterRole/cluster-admin                                                          2m28s

[root@master01 ~]# kubectl  describe  clusterrolebinding sa-test-20230408-clusterrolebinding
Name:         sa-test-20230408-clusterrolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name              Namespace
  ----            ----              ---------
  ServiceAccount  sa-test-20230408  default

创建不同用户操作k8s

限制不同的用户操作 k8s 集群

证书认证(x509 客户端证书)
生成一个证书
(1)生成一个私钥
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out k8s-test-20230408.key 2048)
(2)生成一个证书请求;apiserver 以证书的 CN 作为用户名,所以这里的 CN 必须和后面 set-credentials / rolebinding 中使用的用户名一致
openssl req -new -key k8s-test-20230408.key -out k8s-test-20230408.csr -subj "/CN=k8s-test-20230408"
(3)生成一个证书
openssl x509 -req -in k8s-test-20230408.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out k8s-test-20230408.crt -days 3650

在 kubeconfig 下新增加一个 k8s-test-20230408 这个用户
[root@xuegod63 ~]# cp /root/.kube/config /root/.kube/config.bak
(1)在 kubeconfig 中添加 k8s-test-20230408 这个用户的凭据,用于向 apiserver 做客户端证书认证;--embed-certs=true 会把证书和私钥内容直接写入 kubeconfig,之后复制该文件时不再依赖 /etc/kubernetes/pki 下的文件
kubectl config set-credentials k8s-test-20230408 --client-certificate=./k8s-test-20230408.crt --client-key=./k8s-test-20230408.key --embed-certs=true
(2)在 kubeconfig 下新增加一个上下文
kubectl config set-context k8s-test-20230408@kubernetes --cluster=kubernetes --user=k8s-test-20230408
(3)切换到 k8s-test-20230408 上下文;证书只解决了认证(身份)问题,在绑定任何 Role/ClusterRole 之前这个用户默认没有任何权限
kubectl config use-context k8s-test-20230408@kubernetes
kubectl config use-context kubernetes-admin@kubernetes 这是集群管理员上下文,拥有全部权限,需要执行授权操作时切回该上下文
把 k8s-test-20230408 这个用户通过 RoleBinding 绑定到 ClusterRole 上授予权限。RoleBinding 是命名空间级对象,所以即使引用的是 cluster-admin 这个 ClusterRole,权限也只在 k8s-test-20230408 这个名称空间内有效,不能操作其他名称空间或集群级资源
kubectl create ns k8s-test-20230408
(1)把 k8s-test-20230408 这个用户通过 rolebinding 绑定到 clusterrole 上
kubectl create rolebinding k8s-test-20230408 -n k8s-test-20230408 --clusterrole=cluster-admin --user=k8s-test-20230408
(2)切换到 k8s-test-20230408 这个用户
kubectl config use-context k8s-test-20230408@kubernetes
(3)测试是否有权限
kubectl get pods -n k8s-test-20230408
有权限操作这个名称空间
kubectl get pods
没有权限操作其他名称空间

添加一个 k8s-test-20230408 的普通用户
useradd k8s-test-20230408
cp -ar /root/.kube/ /home/k8s-test-20230408/

# 查看当前使用账号
[root@master01 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.10.202:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: k8s-test-20230408
  name: k8s-test-20230408@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: k8s-test-20230408
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED


# 编辑复制过来的 config 文件,只保留 k8s-test-20230408 的 user 和 context:删除 kubernetes-admin 的 user 与 context 条目,并把 current-context 改为 k8s-test-20230408@kubernetes。这一步不能省略,否则该普通用户只需 kubectl config use-context kubernetes-admin@kubernetes 就能拿到集群管理员权限
[root@master01 sa]# cat /home/k8stest/.kube/config


chown -R k8s-test-20230408.k8s-test-20230408 /home/k8s-test-20230408/
su - k8s-test-20230408
kubectl get pods -n k8s-test-20230408


[k8stest@master01 ~]$ kubectl apply -f pod2.yaml -n k8s-test-20230408
pod/tomcat-pod-20230408-2 created
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "k8s-test-20230408" cannot list resource "pods" in API group "" in the namespace "default"
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 64s
tomcat-pod-20230408-2 1/1 Running 0 17s
[k8stest@master01 ~]$
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 2m23s
tomcat-pod-20230408-2 1/1 Running 0 96s
[k8stest@master01 ~]$ kubectl delete -f pod2.yaml -n k8s-test-20230408
pod "tomcat-pod-20230408-2" deleted
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 2m42s


最后不要忘了切换回 kubernetes-admin 用户:
kubectl config use-context kubernetes-admin@kubernetes