Kubernetes RBAC authorization mode
Introduction
The previous post covered authorization management in k8s; this one takes a detailed look at how the RBAC authorization mode is used.
RBAC authorization mode
Role-Based Access Control. To enable this mode, add the following to the API Server's startup parameters (k8s uses this authorization mode by default):
--authorization-mode=RBAC
The API Server startup parameters are set in its manifest file:
/etc/kubernetes/manifests/kube-apiserver.yaml
(1) It fully covers permissions on both resource and non-resource endpoints in the cluster.
(2) The whole of RBAC is implemented by a handful of API objects which, like any other API objects, can be managed with kubectl or the API.
(3) It can be adjusted at runtime without restarting the API Server.
1 RBAC resource objects
RBAC has four resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
1.1 Role
A Role is a set of permissions defined within one namespace; it can only grant access to resources in that namespace. For cluster-scoped resources you need a ClusterRole. For example, define a role that grants permission to read Pods:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: rbac
  name: pod-read
rules:
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: []
  verbs: ["get", "watch", "list"]
Parameters in rules:
1. apiGroups: the list of API groups the rule applies to, for example the group of "apiVersion: batch/v1" ("" is the core group used above).
2. resources: the list of resource objects covered, for example pods, deployments, jobs.
3. resourceNames: restricts the rule to resources with the given names.
4. verbs: the list of operations allowed on the resource objects.
After creating it, check the object:
1.2 ClusterRole
A ClusterRole has the same ability to manage namespaced resources as a Role, and can additionally grant access to the following special elements:
1. cluster-scoped resources, such as Node
2. non-resource paths, such as /healthz
3. namespaced resources across all namespaces, such as Pods
For example, define a cluster role that lets a user access any secret:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secrets-clusterrole
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
1.3 RoleBinding and ClusterRoleBinding
A role binding or cluster role binding attaches a role to a target subject, which can be a User, a Group or a Service Account. Use a RoleBinding to grant access within a single namespace and a ClusterRoleBinding to grant access cluster-wide.
For example, grant the pod-read role to user es in the rbac namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-read-bind
  namespace: rbac
subjects:
- kind: User
  name: es
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-read
  apiGroup: rbac.authorization.k8s.io
After creating it, switch to user es and check whether the corresponding Pod resources can be viewed.
A RoleBinding can also reference a ClusterRole; the subject then receives the permissions defined by the ClusterRole, but only for resources in the binding's namespace. For example, give es access to all resource information (within the rbac namespace, since this is a RoleBinding):
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: es-allresource
  namespace: rbac
subjects:
- kind: User
  name: es
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # referenced from a RoleBinding, so it applies only inside the rbac namespace
After creating it, check the result:
A ClusterRoleBinding can only reference a ClusterRole; it is used for cluster-level grants or grants that take effect in all namespaces.
For example, allow users in the manager group to read secrets in all namespaces:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secret-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-read
  apiGroup: rbac.authorization.k8s.io
2 How resources are referenced
Most resources are referred to by the string form of their name, which is the relative URL path of the endpoint; for example, a Pod's log is GET /api/v1/namespaces/{namespace}/pods/{podname}/log.
To express a subresource in an RBAC object, separate the resource and the subresource with "/".
For example, to let a subject read both Pods and Pod logs, set resources to an array:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: logs-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
Resources can also be referenced by name (resourceNames). Once resourceNames is set, get, delete, update and patch requests are restricted to those resource instances.
For example, the following declaration lets a subject perform only get and update on the ConfigMap named my-configmap:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-update
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["get", "update"]
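To make the evaluation rules of sections 1 and 2 concrete (RoleBinding versus ClusterRoleBinding scope, a RoleBinding that references cluster-admin, the "pods/log" subresource, and resourceNames), here is a small model of the RBAC authorizer's decision. This is an added example, not Kubernetes source code: the bindings are constructed from the manifests above, cluster-admin is approximated by a wildcard rule, the users dev and ops and the ClusterRoleBinding of the /healthz rule to system:authenticated are assumptions made for the demonstration.

```python
"""Minimal model of how the Kubernetes RBAC authorizer evaluates Roles, ClusterRoles and
their bindings.  Added illustration, not Kubernetes source code; the bindings below are
constructed from the manifests in this post (cluster-admin is approximated by a wildcard)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    verbs: list
    api_groups: list = field(default_factory=list)
    resources: list = field(default_factory=list)        # "pods", "pods/log", ...
    resource_names: list = field(default_factory=list)   # empty list = any name
    non_resource_urls: list = field(default_factory=list)


@dataclass
class Binding:
    subjects: list               # (kind, name); a ServiceAccount name is "namespace:name"
    rules: list                  # rules of the referenced Role or ClusterRole
    namespace: Optional[str] = None  # RoleBinding: its namespace; ClusterRoleBinding: None


def rule_matches(rule, verb, api_group, resource, name, path):
    """A rule grants the request only when every populated field matches."""
    if verb not in rule.verbs and "*" not in rule.verbs:
        return False
    if path:  # non-resource request: only the nonResourceURLs patterns count
        return any(fnmatchcase(path, p) for p in rule.non_resource_urls)
    if api_group not in rule.api_groups and "*" not in rule.api_groups:
        return False
    # A subresource must be listed as "pods/log"; a plain "pods" entry does not cover it
    if resource not in rule.resources and "*" not in rule.resources:
        return False
    if rule.resource_names and name not in rule.resource_names:
        return False
    return True


def subject_matches(subject, user, groups):
    kind, name = subject
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    # A service-account token authenticates as the user system:serviceaccount:<ns>:<name>
    return kind == "ServiceAccount" and user == "system:serviceaccount:" + name


def authorize(bindings, user, verb, resource="", namespace=None, groups=(),
              api_group="", name="", path=""):
    """Deny by default: allow when some binding names the caller and its role has a
    matching rule.  A RoleBinding only covers requests in its own namespace, even
    when it references a ClusterRole such as cluster-admin."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in b.subjects):
            continue
        if any(rule_matches(r, verb, api_group, resource, name, path) for r in b.rules):
            return True
    return False


READ = ["get", "watch", "list"]
BINDINGS = [
    # pod-read-bind: Role pod-read -> User es, limited to namespace rbac
    Binding([("User", "es")], [Rule(READ, [""], ["pods"])], namespace="rbac"),
    # es-allresource: ClusterRole cluster-admin referenced from a RoleBinding in rbac
    Binding([("User", "es")], [Rule(["*"], ["*"], ["*"])], namespace="rbac"),
    # read-secret-global: ClusterRole secret-read -> Group manager, cluster-wide
    Binding([("Group", "manager")], [Rule(READ, [""], ["secrets"])]),
    # logs-reader Role (default namespace), bound here to a constructed user "dev"
    Binding([("User", "dev")], [Rule(["get", "list"], [""], ["pods", "pods/log"])],
            namespace="default"),
    # configmap-update Role (default namespace), bound to a constructed user "ops"
    Binding([("User", "ops")], [Rule(["get", "update"], [""], ["configmaps"], ["my-configmap"])],
            namespace="default"),
    # constructed ClusterRoleBinding of the /healthz rule from section 3 to all authenticated users
    Binding([("Group", "system:authenticated")],
            [Rule(["get", "post"], non_resource_urls=["/healthz", "/healthz/*"])]),
]

if __name__ == "__main__":
    print("es list pods in rbac   :", authorize(BINDINGS, "es", "list", "pods", "rbac"))
    print("es list pods in default:", authorize(BINDINGS, "es", "list", "pods", "default"))
```

Running it shows that es can list Pods (and, through the cluster-admin RoleBinding, do anything) in rbac but nothing in default, that the manager group can read secrets in every namespace but not delete them, that "pods" alone never covers "pods/log", and that ops can update only my-configmap.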
3 Common role examples
(1) Allow reading Pod resources in the core API group:
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
(2) Allow reading and writing deployment resources in both the extensions and apps API groups:
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
(3) Allow reading Pods and reading/writing jobs:
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
(4) Allow reading a ConfigMap named my-configmap (must be bound with a RoleBinding to limit it to the ConfigMap in one namespace):
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["get"]
(5) Read Node resources in the core group (Node is a cluster-scoped resource, so the rule must live in a ClusterRole and be bound with a ClusterRoleBinding):
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
(6) Allow GET and POST on the non-resource endpoint "/healthz" and all its sub-paths (must use a ClusterRole and a ClusterRoleBinding):
rules:
- nonResourceURLs: ["/healthz", "/healthz/*"]
  verbs: ["get", "post"]
4 Common role binding subject examples
(1) The user named alice:
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
(2) The group named alice:
subjects:
- kind: Group
  name: alice
  apiGroup: rbac.authorization.k8s.io
(3) The default Service Account in the kube-system namespace:
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
(4) All Service Accounts in the qa namespace:
subjects:
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io
(5) All Service Accounts:
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
(6) All authenticated users:
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
(7) All unauthenticated users:
subjects:
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
(8) All users:
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
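The eight subject lists above only make sense once you know which user name and groups the API Server attaches to a caller. The added example below (not part of the original post) derives that identity for a service-account token, a normal user and an anonymous request, then reports which of the eight lists would bind the caller; the caller names (qa/build, bob) are constructed for the demonstration.

```python
"""Which of the section-4 subject lists match a given caller.  Added illustration,
not Kubernetes code.  A service-account token authenticates as the user
system:serviceaccount:<namespace>:<name> with the groups system:serviceaccounts,
system:serviceaccounts:<namespace> and system:authenticated; when anonymous access is
enabled an unauthenticated request becomes system:anonymous in system:unauthenticated."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user: str
    groups: frozenset


def service_account_caller(namespace, name):
    """Identity the API Server assigns to a Pod presenting this service account's token."""
    return Caller(f"system:serviceaccount:{namespace}:{name}",
                  frozenset({"system:serviceaccounts",
                             f"system:serviceaccounts:{namespace}",
                             "system:authenticated"}))


def user_caller(name, groups=()):
    """A user authenticated by certificate/OIDC/etc.; every such caller is system:authenticated."""
    return Caller(name, frozenset(groups) | {"system:authenticated"})


ANONYMOUS = Caller("system:anonymous", frozenset({"system:unauthenticated"}))


def subject_matches(subject, caller):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == caller.user
    if kind == "Group":
        return subject["name"] in caller.groups
    if kind == "ServiceAccount":
        return caller.user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


# The eight subject lists from section 4, keyed by their item number.
SUBJECT_LISTS = {
    1: [{"kind": "User", "name": "alice"}],
    2: [{"kind": "Group", "name": "alice"}],
    3: [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}],
    4: [{"kind": "Group", "name": "system:serviceaccounts:qa"}],
    5: [{"kind": "Group", "name": "system:serviceaccounts"}],
    6: [{"kind": "Group", "name": "system:authenticated"}],
    7: [{"kind": "Group", "name": "system:unauthenticated"}],
    8: [{"kind": "Group", "name": "system:authenticated"},
        {"kind": "Group", "name": "system:unauthenticated"}],
}


def matching_lists(caller):
    """Item numbers of the section-4 subject lists that would bind this caller."""
    return sorted(n for n, subjects in SUBJECT_LISTS.items()
                  if any(subject_matches(s, caller) for s in subjects))


if __name__ == "__main__":
    print("qa/build service account:", matching_lists(service_account_caller("qa", "build")))
    print("anonymous request       :", matching_lists(ANONYMOUS))
```

Note what falls out: a service account in qa is bound by lists 4, 5, 6 and 8, so a binding to system:serviceaccounts or system:authenticated reaches every Pod in the cluster, not just human users.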
5 Default roles and role bindings
The API Server creates a set of default ClusterRole and ClusterRoleBinding objects, many of them prefixed with "system:" to indicate that they belong to the infrastructure; modifying these objects may break the cluster. All default ClusterRoles and ClusterRoleBindings carry the label kubernetes.io/bootstrapping=rbac-defaults.
6 Authorization for Service Accounts
A Service Account is also a kind of account; it provides the necessary identity to processes running inside a Pod. The Service Account to use is named in the Pod definition, and granting permissions to that Service Account grants them to the Pod. For example, the Pod below can read all Pod resources in the rbac namespace because the Service Account pod-reader-sc is bound to the Role named pod-read:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: rbac
spec:
  serviceAccountName: pod-reader-sc
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
The default RBAC policy grants limited permissions to control-plane components, nodes and controllers, but Service Accounts outside kube-system have no permissions at all.
(1) Granting permissions to an application-specific Service Account
The application names its serviceAccountName in the Pod spec; the Service Account itself is created through the API, in an application manifest, or with commands such as kubectl create serviceaccount.
For example, grant read-only permissions to the Service Account my-sa in my-namespace:
kubectl create rolebinding my-sa-view --clusterrole=view --serviceaccount=my-namespace:my-sa --namespace=my-namespace
(2) Granting permissions to the Service Account named default in a namespace
If an application does not specify a serviceAccountName, it uses the Service Account named default. Note that permissions granted to the "default" Service Account are inherited by every Pod that does not specify a serviceAccountName.
For example, grant read-only permissions to the "default" Service Account in my-namespace:
kubectl create rolebinding default-view --clusterrole=view --serviceaccount=my-namespace:default --namespace=my-namespace
In addition, many system-level add-ons run in the kube-system namespace. To let these add-ons use superuser permissions you can grant cluster-admin to the Service Account named default in kube-system; doing so means the kube-system namespace contains a shortcut to API superuser access.
kubectl create clusterrolebinding add-ons-add-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
(3) Granting a role to all Service Accounts in a namespace
If every Service Account in a namespace should have a role, grant it to the namespace's Service Account group:
kubectl create rolebinding serviceaccounts-view --clusterrole=view --group=system:serviceaccounts:my-namespace --namespace=my-namespace
(4) Granting a low-privilege role to all Service Accounts cluster-wide
If you do not want to manage authorization per namespace, you can grant a cluster-level role to all Service Accounts:
kubectl create clusterrolebinding serviceaccounts-view --clusterrole=view --group=system:serviceaccounts
(5) Granting superuser permissions to all Service Accounts
kubectl create clusterrolebinding serviceaccounts-view --clusterrole=cluster-admin --group=system:serviceaccounts
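This section describes bindings with very different blast radius: cluster-admin for every service account, cluster-admin for kube-system's default service account (the "shortcut to API superuser" noted above), and grants to a namespace's default service account that every Pod without a serviceAccountName inherits. The added example below (not a Kubernetes tool or the post's own code) audits a list of binding records for exactly those patterns; the records are constructed to mirror the kubectl commands in this section, with the last one renamed serviceaccounts-admin because the page reuses the name serviceaccounts-view.

```python
"""Audit RBAC bindings for the broad grants discussed in this section.  Added
illustration; the binding records are constructed to match the kubectl commands above
(a ServiceAccount subject is stored as ("ServiceAccount", namespace, name), a group as
("Group", None, name))."""

BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

# Each record mirrors what `kubectl create (cluster)rolebinding` would produce.
BINDINGS = [
    {"kind": "RoleBinding", "name": "my-sa-view", "namespace": "my-namespace",
     "roleRef": "view", "subjects": [("ServiceAccount", "my-namespace", "my-sa")]},
    {"kind": "RoleBinding", "name": "default-view", "namespace": "my-namespace",
     "roleRef": "view", "subjects": [("ServiceAccount", "my-namespace", "default")]},
    {"kind": "ClusterRoleBinding", "name": "add-ons-add-admin", "namespace": None,
     "roleRef": "cluster-admin", "subjects": [("ServiceAccount", "kube-system", "default")]},
    {"kind": "RoleBinding", "name": "serviceaccounts-view", "namespace": "my-namespace",
     "roleRef": "view", "subjects": [("Group", None, "system:serviceaccounts:my-namespace")]},
    {"kind": "ClusterRoleBinding", "name": "serviceaccounts-view", "namespace": None,
     "roleRef": "view", "subjects": [("Group", None, "system:serviceaccounts")]},
    # constructed name; the page's command (5) reuses "serviceaccounts-view"
    {"kind": "ClusterRoleBinding", "name": "serviceaccounts-admin", "namespace": None,
     "roleRef": "cluster-admin", "subjects": [("Group", None, "system:serviceaccounts")]},
]


def audit(bindings):
    """Return (severity, binding name, message) findings, most severe first."""
    findings = []
    for b in bindings:
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        for kind, ns, name in b["subjects"]:
            if b["roleRef"] == "cluster-admin" and cluster_wide:
                if kind == "Group" and name in BROAD_GROUPS:
                    findings.append(("CRITICAL", b["name"],
                                     f"cluster-admin granted to every member of {name}"))
                elif kind == "ServiceAccount":
                    findings.append(("HIGH", b["name"],
                                     f"cluster-admin granted to service account {ns}:{name}; "
                                     "any Pod running as it is an API superuser"))
            elif kind == "Group" and name in BROAD_GROUPS and cluster_wide:
                findings.append(("MEDIUM", b["name"],
                                 f"ClusterRole {b['roleRef']} granted cluster-wide to {name}"))
            # A namespace's "default" service account is used by every Pod that sets no
            # serviceAccountName, so any grant to it is inherited by all of those Pods.
            if kind == "ServiceAccount" and name == "default":
                findings.append(("LOW", b["name"],
                                 f"{b['roleRef']} granted to {ns}:default; inherited by every "
                                 "Pod in that namespace that sets no serviceAccountName"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, binding, message in audit(BINDINGS):
        print(f"{severity:8} {binding:22} {message}")
```

On a real cluster the same records can be produced from kubectl get rolebindings,clusterrolebindings -A -o json; the namespaced group system:serviceaccounts:my-namespace from command (3) is deliberately not flagged, since it is the scoped alternative the section recommends over the cluster-wide groups.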
7 Creating the resource objects with the kubectl command-line tool
(1) Grant the admin ClusterRole to user es in the rbac namespace:
kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=es --namespace=rbac
(2) Grant the view ClusterRole to the Service Account named myapp in the rbac namespace:
kubectl create rolebinding myapp-role-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=rbac
(3) Grant the cluster-admin ClusterRole to user root cluster-wide:
kubectl create clusterrolebinding cluster-binding --clusterrole=cluster-admin --user=root
(4) Grant the view ClusterRole to the Service Account named myapp cluster-wide:
kubectl create clusterrolebinding service-account-binding --clusterrole=view --serviceaccount=acme:myapp