RBAC authorization mode in k8s

Introduction

The previous post covered authorization management in k8s; this one takes a detailed look at how the RBAC authorization mode is used.

RBAC authorization mode

Role-based access control. To enable this mode, add the following flag to the API Server's startup parameters (k8s uses this authorization mode by default).

--authorization-mode=RBAC


/etc/kubernetes/manifests/kube-apiserver.yaml


(1) It fully covers both resource and non-resource permissions in the cluster.

(2) The whole of RBAC is implemented by a few API objects which, like any other API objects, can be manipulated with kubectl or through the API.

(3) It can be adjusted at runtime without restarting the API Server.

1 RBAC resource objects

RBAC has four resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding.

1.1 Role

A Role is a set of permissions defined within one namespace; it can only grant access to resources inside that namespace. For cluster-level resources, use a ClusterRole instead. Example: define a role that grants permission to read Pods

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: rbac
  name: pod-read
rules:
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: []
  verbs: ["get","watch","list"]


The fields in rules:

1. apiGroups: the list of API groups the rule applies to, e.g. the group in "apiVersion: batch/v1"

2. resources: the list of resource objects the rule applies to, e.g. pods, deployments, jobs

3. resourceNames: the names of specific resource instances

4. verbs: the list of operations permitted on the resource objects.

Check after creation:

 

1.2 ClusterRole

¾ßÓкͽÇɫһÖµÄÃüÃû¿Õ¼ä×ÊÔ´µÄ¹ÜÀíÄÜÁ¦£¬»¹¿ÉÓÃÓÚÒÔÏÂÌØÊâÔªËØµÄÊÚȨ

1. Cluster-scoped resources, e.g. Node

2. Non-resource paths, e.g. /healthz

3. Resources across all namespaces, e.g. Pods

Example: define a cluster role that lets a user access any secrets

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secrets-clusterrole
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get","watch","list"]


1.3 RoleBinding and ClusterRoleBinding

A RoleBinding or ClusterRoleBinding binds a role to a target, which can be a User, a Group or a Service Account. Use a RoleBinding to grant permissions within one namespace and a ClusterRoleBinding to grant them cluster-wide.

Example: grant the pod-read role to user es in the rbac namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-read-bind
  namespace: rbac
subjects:
- kind: User
  name: es
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-read
  apiGroup: rbac.authorization.k8s.io


After creating it, switch to user es and check whether the corresponding Pod resources can be viewed

 

A RoleBinding can also reference a ClusterRole; the ClusterRole's rules are then granted to the subject only for resources in the RoleBinding's namespace. Example: through cluster-admin, es can obtain all resource information (within the rbac namespace, since a RoleBinding is used)

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: es-allresource
  namespace: rbac
subjects:
- kind: User
  name: es
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin


Check after creation:

 

A ClusterRoleBinding can only reference a ClusterRole; it is used for cluster-level grants or grants that take effect in all namespaces.

Example: allow users in the manager group to read the secrets in all namespaces

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secret-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-read
  apiGroup: rbac.authorization.k8s.io


2 How resources are referenced

Most resources are referenced by their name string, which is the relative URL path of the endpoint; for example, a Pod's log is GET /api/v1/namespaces/{namespace}/pods/{podname}/log

To express a parent/child resource in an RBAC object, separate the resource and its subresource with "/".

Example: to let a subject read both Pods and Pod logs, configure resources as an array

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: 
  name: logs-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get","list"]


Resources can also be referenced by name (resourceNames). Once a resourceName is specified, get, delete, update and patch requests are restricted to that resource instance.

For example, the following declaration lets a subject only get and update the ConfigMap named my-configmap:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-update
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["get","update"]


3 Common role examples

(1) Allow reading Pod resources in the core API group

rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]


(2) Allow reading and writing deployment resources in the extensions and apps API groups

rules:
- apiGroups: ["extensions","apps"]
  resources: ["deployments"]
  verbs: ["get","list","watch","create","update","patch","delete"]


(3) Allow reading Pods and reading/writing jobs

rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]
- apiGroups: ["batch","extensions"]
  resources: ["jobs"]
  verbs: ["get","list","watch","create","update","patch","delete"]


(4) Allow reading a ConfigMap named my-config (must be bound with a RoleBinding to restrict it to the ConfigMap in one namespace):

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["get"]


(5) Read Node resources in the core group (Node is a cluster-scoped resource, so this rule must live in a ClusterRole and be bound with a ClusterRoleBinding):

rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]


(6) Allow GET and POST on the non-resource endpoint "/healthz" and all its sub-paths (must use a ClusterRole and a ClusterRoleBinding):

rules:
- nonResourceURLs: ["/healthz","/healthz/*"]
  verbs: ["get","post"]
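As an added example (not code from the original post), the following Python snippet re-implements, in simplified form, the rule matching that the Kubernetes authorizer applies to rules like those in sections 2 and 3: apiGroups, resources with "/" subresources, resourceNames, and nonResourceURLs. The rule sets are transcribed from the page's own examples; the Request type, the sample requests and the matching functions are constructions of this example and are not Kubernetes code.

```python
"""Simplified RBAC rule evaluation (added example, not from the original post).

Rule sets below are transcribed from the page's Role/ClusterRole examples.
Request, the sample requests and the matching logic are constructed here to
show what each rule field restricts; they are not Kubernetes code.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Request:
    verb: str
    api_group: str = ""      # "" is the core API group (apiGroups: [""])
    resource: str = ""       # e.g. "pods"
    subresource: str = ""    # e.g. "log" for the pods/log subresource
    name: str = ""           # object name; empty for list/watch/create
    path: str = ""           # set only for non-resource requests such as /healthz


# Role "logs-reader" from section 2: pods and the pods/log subresource
LOGS_READER = [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list"]}]

# Role "configmap-update" from section 2: a single named ConfigMap
CONFIGMAP_UPDATE = [{"apiGroups": [""], "resources": ["configmaps"],
                     "resourceNames": ["my-configmap"],
                     "verbs": ["get", "update"]}]

# Rule (3) from section 3: read pods, read/write jobs in batch and extensions
PODS_AND_JOBS = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch", "extensions"], "resources": ["jobs"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Rule (6) from section 3: non-resource endpoint /healthz and its sub-paths
HEALTHZ = [{"nonResourceURLs": ["/healthz", "/healthz/*"], "verbs": ["get", "post"]}]


def _in_list(wanted: str, allowed: List[str]) -> bool:
    """A list entry "*" matches anything; otherwise the match is exact."""
    return "*" in allowed or wanted in allowed


def _path_matches(path: str, patterns: List[str]) -> bool:
    """nonResourceURLs: exact match, or a trailing "*" acts as a prefix wildcard."""
    return any(p == path or (p.endswith("*") and path.startswith(p[:-1]))
               for p in patterns)


def rule_allows(rule: Dict, req: Request) -> bool:
    """Return True if one rule grants the request; every field must match."""
    if not _in_list(req.verb, rule.get("verbs", [])):
        return False
    if req.path:
        # Non-resource request: only a nonResourceURLs rule can grant it.
        return _path_matches(req.path, rule.get("nonResourceURLs", []))
    if "nonResourceURLs" in rule:
        return False  # a non-resource rule never grants a resource request
    if not _in_list(req.api_group, rule.get("apiGroups", [])):
        return False
    # "pods" and "pods/log" are distinct: a rule must name the subresource
    # explicitly (or use "*" / "*/log") to grant it.
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    if not any(r in ("*", combined) or (req.subresource and r == "*/" + req.subresource)
               for r in rule.get("resources", [])):
        return False
    # resourceNames limits the rule to named instances; requests that carry
    # no name (list, watch, create) can never satisfy a non-empty list.
    names = rule.get("resourceNames", [])
    if names and req.name not in names:
        return False
    return True


def allowed(rules: List[Dict], req: Request) -> bool:
    """RBAC is purely additive: the request is allowed if any rule allows it."""
    return any(rule_allows(rule, req) for rule in rules)


if __name__ == "__main__":
    checks = [
        ("logs-reader: get pods/log", allowed(LOGS_READER, Request("get", resource="pods", subresource="log", name="nginx"))),
        ("logs-reader: get pods/exec", allowed(LOGS_READER, Request("get", resource="pods", subresource="exec", name="nginx"))),
        ("configmap-update: update my-configmap", allowed(CONFIGMAP_UPDATE, Request("update", resource="configmaps", name="my-configmap"))),
        ("configmap-update: list configmaps", allowed(CONFIGMAP_UPDATE, Request("list", resource="configmaps"))),
        ("healthz: get /healthz/ready", allowed(HEALTHZ, Request("get", path="/healthz/ready"))),
    ]
    for label, ok in checks:
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

The two points worth noticing when running it: a rule on "pods" grants nothing on "pods/log" (or "pods/exec"), and a rule with resourceNames never satisfies a list request, because list carries no object name. Against a real cluster, `kubectl auth can-i` answers the same questions using the authorizer itself.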


4 Common role binding examples

(1) A user named alice

subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io


(2) A group named alice

subjects:
- kind: Group
  name: alice
  apiGroup: rbac.authorization.k8s.io


(3) The default Service Account in the kube-system namespace

subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system


(4) All Service Accounts in the qa namespace:

subjects:
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io


(5) All Service Accounts

subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io


(6) All authenticated users

subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io


(7) All unauthenticated users

subjects:
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io


(8) All users

subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io


5 ĬÈϵĽÇÉ«ºÍ½ÇÉ«°ó¶¨

The API Server creates a set of default ClusterRole and ClusterRoleBinding objects, many of which are prefixed with "system:" to indicate that they belong to the infrastructure; modifying them may break the cluster. All default ClusterRoles and role bindings are marked with the label kubernetes.io/bootstrapping=rbac-defaults.

6 Authorization management for Service Accounts

A Service Account is also a kind of account: it provides the necessary identity to the processes running inside a Pod. The Service Account to use must be specified in the Pod definition, so that the Pod can be granted permissions. Example: a Pod that can read all Pod resources in the rbac namespace, where the pod-reader-sc Service Account is bound to the Role named pod-read

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: rbac
spec:
  serviceAccountName: pod-reader-sc
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80


ĬÈϵÄRBAC²ßÂÔΪ¿ØÖÆÆ½Ì¨×é¼þ¡¢½ÚµãºÍ¿ØÖÆÆ÷ÊÚÓèÓÐÏÞ·¶Î§µÄȨÏÞ£¬µ«Êdzýkube-systemÍâµÄService AccountÊÇûÓÐÈκÎȨÏ޵ġ£

(1) Grant permissions to an application-specific Service Account

The application must specify a serviceAccountName in its Pod spec; the Service Account itself is created through the API, the application manifest, or a command such as kubectl create serviceaccount.

For example, grant read-only permission to the my-sa Service Account in my-namespace

kubectl create rolebinding my-sa-view --clusterrole=view --serviceaccount=my-namespace:my-sa --namespace=my-namespace


(2) Grant permissions to the Service Account named default in a namespace

If an application does not specify a serviceAccountName, the Service Account named default is used. Note that permissions granted to the "default" Service Account apply to every Pod that does not specify a serviceAccountName

For example, grant read-only permission to the "default" Service Account in the my-namespace namespace:

kubectl create rolebinding default-view --clusterrole=view --serviceaccount=my-namespace:default --namespace=my-namespace


ÁíÍ⣬Ðí¶àϵͳ¼¶Add-Ons¶¼ÐèÒªÔÚkube-systemÃüÃû¿Õ¼äÖÐÔËÐУ¬ÒªÈÃÕâЩAdd-OnsÄܹ»Ê¹Ó󬼶Óû§È¨ÏÞ£¬Ôò¿ÉÒÔ°Ñcluster-adminȨÏÞ¸³Óèkube-systemÃüÃû¿Õ¼äÖÐÃûΪdefaultµÄService Account£¬ÕâÒ»²Ù ×÷Òâζ×Åkube-systemÃüÃû¿Õ¼ä°üº¬ÁËͨÏòAPI³¬¼¶Óû§µÄ½Ý¾¶¡£

kubectl create clusterrolebinding add-ons-add-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default


(3) Grant a role to all Service Accounts in a namespace

If every Service Account application in a namespace should have a given role, grant it to the Service Account group of that namespace

kubectl create rolebinding serviceaccounts-view --clusterrole=view --group=system:serviceaccounts:my-namespace --namespace=my-namespace


(4) Grant a low-privilege role to all Service Accounts cluster-wide

If you do not want to manage grants for each namespace, a cluster-level role can be given to all Service Accounts.

kubectl create clusterrolebinding serviceaccounts-view --clusterrole=view --group=system:serviceaccounts


(5) Grant superuser permissions to all Service Accounts

kubectl create clusterrolebinding serviceaccounts-view --clusterrole=cluster-admin --group=system:serviceaccounts
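Added example, not from the original post: a small Python audit that resolves which bindings apply to an identity, including the implicit system:serviceaccounts:<namespace>, system:serviceaccounts and system:authenticated groups listed in section 4, and flags the over-broad grants this section describes, such as cluster-admin on kube-system's default Service Account or a role bound to every Service Account in the cluster. BINDINGS is a dict rendering of the page's own YAML and kubectl commands; the identity dict format, implicit_groups() and the risk criteria in audit() are assumptions of this example.

```python
"""Resolve effective bindings for an identity and flag over-broad grants.

Added example, not from the original post. BINDINGS mirrors the page's
RoleBinding/ClusterRoleBinding YAML and the kubectl commands of section 6
as dicts; the identity dict format, implicit_groups() and the risk criteria
in audit() are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

BINDINGS: List[Dict] = [
    {"kind": "RoleBinding", "metadata": {"name": "pod-read-bind", "namespace": "rbac"},
     "subjects": [{"kind": "User", "name": "es"}],
     "roleRef": {"kind": "Role", "name": "pod-read"}},
    {"kind": "RoleBinding", "metadata": {"name": "es-allresource", "namespace": "rbac"},
     "subjects": [{"kind": "User", "name": "es"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secret-global"},
     "subjects": [{"kind": "Group", "name": "manager"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-read"}},
    # kubectl create clusterrolebinding add-ons-add-admin ... (section 6)
    {"kind": "ClusterRoleBinding", "metadata": {"name": "add-ons-add-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    # kubectl create clusterrolebinding serviceaccounts-view ... (section 6)
    {"kind": "ClusterRoleBinding", "metadata": {"name": "serviceaccounts-view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]

# Groups that contain every caller of a class; anything granted to them is a
# cluster-wide decision rather than a per-workload one.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}


def implicit_groups(identity: Dict) -> Set[str]:
    """Groups the API server attaches to an identity on top of explicit ones:
    every authenticated caller is in system:authenticated, and a Service
    Account is also in system:serviceaccounts and
    system:serviceaccounts:<namespace> (the group names from section 4)."""
    groups = {"system:authenticated"} | set(identity.get("groups", []))
    if identity["kind"] == "ServiceAccount":
        groups |= {"system:serviceaccounts",
                   f"system:serviceaccounts:{identity['namespace']}"}
    return groups


def subject_matches(subject: Dict, identity: Dict) -> bool:
    """Does one entry of a binding's subjects list refer to this identity?"""
    if subject["kind"] == "Group":
        return subject["name"] in implicit_groups(identity)
    if subject["kind"] != identity["kind"] or subject["name"] != identity["name"]:
        return False
    # Service Accounts are namespaced; Users are not.
    return subject["kind"] != "ServiceAccount" or subject["namespace"] == identity["namespace"]


def grants_for(identity: Dict, bindings: List[Dict]) -> List[Tuple[str, str]]:
    """(scope, role) pairs: scope is the namespace for a RoleBinding and "*"
    for a ClusterRoleBinding. A ClusterRole referenced from a RoleBinding is
    still confined to that namespace, as the page notes for es-allresource."""
    grants = []
    for b in bindings:
        if any(subject_matches(s, identity) for s in b["subjects"]):
            scope = "*" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
            grants.append((scope, b["roleRef"]["name"]))
    return grants


def audit(bindings: List[Dict]) -> Dict[str, str]:
    """Binding name -> reason, for the grants a reviewer should question."""
    findings = {}
    for b in bindings:
        name, role = b["metadata"]["name"], b["roleRef"]["name"]
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        for s in b["subjects"]:
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings[name] = f"{role} granted to broad group {s['name']}"
            elif role == "cluster-admin" and cluster_wide:
                findings[name] = f"cluster-admin granted cluster-wide to {s['kind']} {s['name']}"
    return findings


if __name__ == "__main__":
    es = {"kind": "User", "name": "es"}
    addon_sa = {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}
    print("es:", grants_for(es, BINDINGS))
    print("kube-system/default:", grants_for(addon_sa, BINDINGS))
    for name, reason in audit(BINDINGS).items():
        print(f"REVIEW {name}: {reason}")
```

Running it shows why section 4's group subjects deserve care: a Service Account that nobody bound explicitly still receives view through system:serviceaccounts, and kube-system's default Service Account ends up with cluster-admin cluster-wide, which is exactly the shortcut to superuser access described above. On a live cluster the same inventory comes from `kubectl get clusterrolebindings,rolebindings -A -o yaml`.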


7 ʹÓÃkubectlÃüÁîÐй¤¾ß´´½¨×ÊÔ´¶ÔÏó

(1) Grant the admin ClusterRole to user es in the rbac namespace:

kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=es --namespace=rbac


(2) Grant the view ClusterRole to the Service Account named myapp in the rbac namespace:

kubectl create rolebinding myapp-role-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=rbac


(3) Grant the cluster-admin ClusterRole to user root cluster-wide:

kubectl create clusterrolebinding cluster-binding --clusterrole=cluster-admin --user=root


(4) Grant the view ClusterRole to the Service Account named myapp cluster-wide:

kubectl create clusterrolebinding service-account-binding --clusterrole=view --serviceaccount=acme:myapp


posted @ 2021-01-13 22:30 上古伪神