前言:
kubernetes集群系统比较复杂的部分应该算是权限验证了,本文也主要就二进制安装的k8s集群的权限控制做一个简单的抛砖引玉。
主要还是根据前面所写的部署博客来分析,博文地址为:kubernetes二进制安装教程单master_zsk_john的博客-CSDN博客
一,
什么是权限控制?什么是RBAC?
一般我们认为RBAC就是权限控制,是基于角色来进行的细度话的权限控制,主要在于用户可能有一个,但,用户的属性,角色可能会有很多个,这样组合方式就非常多,也能做到更加的精细,细粒度很高。
- RBAC(Role-Based Access Control,基于角色的访问控制),允许通过Kubernetes API动态配置策略。也就是说整个用户系统是围绕角色来进行权限的分配划分。当然,也可以看做是一套复杂的访问控制策略。
如果对openstack等云平台有所了解,应该会知道,k8s的RBAC和它是十分相似的,还有MySQL等等数据库系统的权限验证也是基本一样的,特别是Oracle数据库(数据库少了clusterrole和clusterrolebinding)。
二,
权限控制的分类
在k8s中,大体可以分为六种权限控制:ABAC(基于属性的访问控制)、RBAC(基于角色的访问控制)、Webhook、Node、AlwaysDeny(一直拒绝)和AlwaysAllow(一直允许)这6种模式。
从1.6版本起,Kubernetes 默认启用RBAC访问控制策略。从1.8开始,RBAC已作为稳定的功能。通过设置–authorization-mode=RBAC,启用RABC。所以RBAC也就成了一种默认选用的授权模式。
webhook在k8s中的使用是在ingress插件中使用,最主要的也是最常用的就让RBAC。
二,
RBAC的构成要素
在RBAC模型里面,有3个基础组成部分,分别是:主体、角色和权限。
- User(用户):每个用户都有唯一的UID识别,并被授予不同的角色
- group(用户组):相同类型的用户组成的组
- serverAccount(服务账号):User,group,serverAccout都是主体类型对象
- Role(角色):不同角色具有不同的权限,角色,比较抽象的对象。是一系列权限的集合,例如一个Role可包含读取和列出 Pod的权限
- Permission(权限):访问权限(例如,get,update,list,也就是那些verbs)
- 用户-角色映射:用户和角色之间的映射关系
- 角色-权限映射:角色和权限之间的映射
那么,这里就有一个线性逻辑了,权限--->角色---->主体,也就是从权限开始,结束于主体了。权限指的是对于各种资源也可以称之为对象的动作定义,例如,列出pod名称,列出所有的deployment等等。
关于资源也就是对象,在k8s中是由apiserver定义的,其中关于权限认证的资源对象有这些:
[root@master cfg]# k api-resources NAME SHORTNAMES APIGROUP NAMESPACED KIND bindings true Binding configmaps cm true ConfigMap secrets true Secret serviceaccounts sa true ServiceAccount mutatingwebhookconfigurations admissionregistration.k8s.io false MutatingWebhookConfiguration validatingwebhookconfigurations admissionregistration.k8s.io false ValidatingWebhookConfiguration apiservices apiregistration.k8s.io false APIService tokenreviews authentication.k8s.io false TokenReview localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview subjectaccessreviews authorization.k8s.io false SubjectAccessReview certificatesigningrequests csr certificates.k8s.io false CertificateSigningRequest poddisruptionbudgets pdb policy true PodDisruptionBudget podsecuritypolicies psp policy false PodSecurityPolicy clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding clusterroles rbac.authorization.k8s.io false ClusterRole rolebindings rbac.authorization.k8s.io true RoleBinding roles rbac.authorization.k8s.io true Role
认证「Authentication」
认证有如下几种方式:
1、HTTP Token认证:通过一个Token来识别合法用户。
HTTP Token的认证是用一个很长的特殊编码方式的并且难以被模仿的字符串来表达客户的一种方式。每一个Token对应一个用户名,存储在API Server能访问的文件中。当客户端发起API调用请求时,需要在HTTP Header里放入Token。
2、HTTP Base认证:通过用户名+密码的方式认证
用户名:密码 用base64算法进行编码后的字符串放在HTTP Request中的Heather Authorization 域里发送给服务端,服务端收到后进行解码,获取用户名和密码。
3、最严格的HTTPS证书认证:基于CA根证书签名的客户端身份认证方式
授权「Authorization」
认证只是确认通信的双方都是可信的,可以相互通信。而授权是确定请求方有哪些资源的权限。API Server目前支持如下几种授权策略(通过API Server的启动参数 --authorization-mode 设置)
- AlwaysDeny:表示拒绝所有请求。仅用于测试
- AlwaysAllow:表示允许所有请求。如果有集群不需要授权流程,则可以采用该策略
- Node:节点授权是一种特殊用途的授权模式,专门授权由 kubelet 发出的 API 请求
- Webhook:是一种 HTTP 回调模式,允许使用远程 REST 端点管理授权
- ABAC:基于属性的访问控制,表示使用用户配置的授权规则对用户请求进行匹配和控制
- RBAC:基于角色的访问控制,默认使用该规则
localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview subjectaccessreviews authorization.k8s.io false SubjectAccessReview
例如这些资源就是授权,但很少使用。
那么,RBAC的开启是在apiserver的配置文件内,例如,我前面写的二进制安装部署文档内:
[root@master cfg]# cat /opt/kubernetes/cfg/kube-apiserver.conf KUBE_APISERVER_OPTS="--v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --etcd-servers=https://192.168.217.16:2379,https://192.168.217.17:2379,https://192.168.217.18:2379 \ --bind-address=192.168.217.16 \ --secure-port=6443 \ --advertise-address=192.168.217.16 \ --allow-privileged=true \ --service-cluster-ip-range=10.0.0.0/24 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ 。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
可以看到,--authorization-mode可以定义多个,也就是授权模式可以混用。
RBAC【RBAC】
clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding clusterroles rbac.authorization.k8s.io false ClusterRole rolebindings rbac.authorization.k8s.io true RoleBinding roles rbac.authorization.k8s.io true Role
其实,本文主要要讨论的就是这四个:角色,角色绑定,集群角色,集群角色绑定,这里需要注意,角色和角色绑定是被限定在namespace里的。
三,
(1)角色的建立
role定义只是定义权限,无关主体也就是用户,组,sa这些,是权限的集合。例如,建立一个名字叫test的角色,role和namespace是绑定的:
命令行方式:
[root@master cfg]# k create role test --verb=list,get,watch --resource=pods role.rbac.authorization.k8s.io/test created
yaml文件形式:
[root@master cfg]# cat test-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: test rules: - apiGroups: [""] resources: ["nodes", "pods", "services", "resourcequotas", "replicationcontrollers", "limitranges", "persistentvolumeclaims", "persistentvolumes", "namespaces", "endpoints"] verbs: ["list", "watch","get","update","create","ptach"] - apiGroups: ["extensions"] resources: ["daemonsets", "deployments", "replicasets"] verbs: ["list", "watch"] - apiGroups: ["apps"] resources: ["statefulsets"] verbs: ["list", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["list", "watch"] - apiGroups: ["autoscaling"] resources: ["horizontalpodautoscalers"] verbs: ["list", "watch"]
以yaml文件形式为例详解:
这个新建的role是没有定义namespace,因此,是默认default这个namespace下,这个可以随意定义一个namespace,role是仍然可以建立的。
- apiGroups: [""] # apiGroups 就是api资源组,使用kubectl api-resources 第三列可以查看到 例如,k api-resources 里查到的jobs是属于batch 这个apigroup的 --verb=* 用星号可表示全部权限
resources 指的就是资源对象了,比如,这个角色就对很多的资源有权限,例如pod,namespace,--resource=* 同样也可以用星号表示所有资源
verbs 就是指的权限了,所有权限是verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
[root@master cfg]# k describe role test
Name: test
Labels: <none>
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
endpoints [] [] [list watch get update create ptach]
limitranges [] [] [list watch get update create ptach]
namespaces [] [] [list watch get update create ptach]
nodes [] [] [list watch get update create ptach]
persistentvolumeclaims [] [] [list watch get update create ptach]
persistentvolumes [] [] [list watch get update create ptach]
pods [] [] [list watch get update create ptach]
replicationcontrollers [] [] [list watch get update create ptach]
resourcequotas [] [] [list watch get update create ptach]
services [] [] [list watch get update create ptach]
statefulsets.apps [] [] [list watch]
horizontalpodautoscalers.autoscaling [] [] [list watch]
cronjobs.batch [] [] [list watch]
jobs.batch [] [] [list watch]
daemonsets.extensions [] [] [list watch]
deployments.extensions [] [] [list watch]
replicasets.extensions [] [] [list watch]
(2)集群角色 clusterrole
clusterrole是不和namespace绑定的,适用范围是整个集群,很明显是比role的使用范围大的。别的和role都基本一致,例如:
定义一个clusterrole:
[root@master ~]# kubectl create clusterrole testclusterrole --verb=get,list,watch --resource=pods --dry-run -o yaml W0904 20:27:52.564182 19827 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: testclusterrole rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
(3)
创建rolebinding
命令行形式:
kubectl create rolebinding test-pods --role=test --user=zsk
yaml文件形式:
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: test-pods roleRef: # 涉及到的role apiGroup: rbac.authorization.k8s.io kind: Role name: test subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: zsk
可以绑定一个不存在的role,但显然是没有任何意义的
角色绑定将一个角色中定义的各种权限授予一个或者一组用户。角色绑定包含了一组相关主体(即 subject, 包括用户——User、用户组——Group、或者服务账户——Service Account)以及对被授予角色的引用。在命名空间中可以通过 RoleBinding 对象授予权限,而集群范围的权限授予则通过 ClusterRoleBinding 对象完成。上例是对用户zsk授权,此用户不用手动去创建。
subjects下面的kind当然也可以是serveraccount或者是group。
现在zsk这个用户对default这个namespace内的pod拥有verbs: ["list", "watch","get","update","create","ptach"] 这些权限。对statefulsets有 verbs: ["list", "watch"]这些权限了。
(4)
创建clusterrolebinding
和rolebinding是一样的,没什么区别,只是只能绑定clusterrole到user,group,serveraccount,下面就演示一下如何绑定用户到clusterrolebinding:
绑定集群角色cluster-admin 到用户kubernetes上,绑定的形式是clusterrolebinding,绑定的名称是kubernetes,这个名字可以任意
k create clusterrolebinding kubernetes --clusterrole=cluster-admin --user=kubernetes [root@k8s-master ~]# k create clusterrolebinding my --clusterrole=cluster-admin --user=kubernetes clusterrolebinding.rbac.authorization.k8s.io/my created
OK,查询绑定情况:
[root@k8s-master ~]# k get clusterrolebindings.rbac.authorization.k8s.io -A |grep cluster-ad cluster-admin ClusterRole/cluster-admin 31d kubelet-bootstrap ClusterRole/cluster-admin 31d kubernetes ClusterRole/cluster-admin 154m my ClusterRole/cluster-admin 72s system:kube-proxy ClusterRole/cluster-admin 31d system:node:k8s-node2 ClusterRole/cluster-admin 31d zsk ClusterRole/cluster-admin 6h10m
四,
集群内的系统内置role和clusterrole
内置的role:
NAMESPACE NAME CREATED AT kube-public system:controller:bootstrap-signer 2022-08-27T01:22:55Z kube-system extension-apiserver-authentication-reader 2022-08-27T01:22:55Z kube-system system::leader-locking-kube-controller-manager 2022-08-27T01:22:55Z kube-system system::leader-locking-kube-scheduler 2022-08-27T01:22:55Z kube-system system:controller:bootstrap-signer 2022-08-27T01:22:55Z kube-system system:controller:cloud-provider 2022-08-27T01:22:55Z kube-system system:controller:token-cleaner 2022-08-27T01:22:55Z kubernetes-dashboard kubernetes-dashboard 2022-09-04T02:39:34Z
这些role有一个共同点,同时建立的,建立的时间是kube-apiserver服务第一次启动的时候,随机挑选一个,看看它的权限吧:
[root@master ~]# k describe role system:controller:token-cleaner -n kube-system Name: system:controller:token-cleaner Labels: kubernetes.io/bootstrapping=rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- events [] [] [create patch update] events.events.k8s.io [] [] [create patch update] secrets [] [] [delete get list watch]
可以看到,system:controller:token-cleaner这个role的权限针对的是events和secrets和events.events.k8s.io,并且只作用于kube-system这个namespace里。
内置的clusterrole:
集群角色比较多,挑重点的来说,主要是cluster-admin admin edit view 这几个集群角色。
[root@master ~]# k get clusterrole -A NAME CREATED AT admin 2022-08-27T01:22:54Z cluster-admin 2022-08-27T01:22:53Z edit 2022-08-27T01:22:54Z flannel 2022-08-27T08:05:45Z kubernetes-dashboard 2022-09-04T02:39:34Z system:aggregate-to-admin 2022-08-27T01:22:54Z system:aggregate-to-edit 2022-08-27T01:22:54Z system:aggregate-to-view 2022-08-27T01:22:54Z system:auth-delegator 2022-08-27T01:22:54Z system:basic-user 2022-08-27T01:22:54Z system:certificates.k8s.io:certificatesigningrequests:nodeclient 2022-08-27T01:22:54Z system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2022-08-27T01:22:54Z system:certificates.k8s.io:kube-apiserver-client-approver 2022-08-27T01:22:54Z system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2022-08-27T01:22:54Z system:certificates.k8s.io:kubelet-serving-approver 2022-08-27T01:22:54Z system:certificates.k8s.io:legacy-unknown-approver 2022-08-27T01:22:54Z system:controller:attachdetach-controller 2022-08-27T01:22:54Z system:controller:certificate-controller 2022-08-27T01:22:54Z system:controller:clusterrole-aggregation-controller 2022-08-27T01:22:54Z system:controller:cronjob-controller 2022-08-27T01:22:54Z system:controller:daemon-set-controller 2022-08-27T01:22:54Z system:controller:deployment-controller 2022-08-27T01:22:54Z system:controller:disruption-controller 2022-08-27T01:22:54Z system:controller:endpoint-controller 2022-08-27T01:22:54Z system:controller:endpointslice-controller 2022-08-27T01:22:54Z system:controller:expand-controller 2022-08-27T01:22:54Z system:controller:generic-garbage-collector 2022-08-27T01:22:54Z system:controller:horizontal-pod-autoscaler 2022-08-27T01:22:54Z system:controller:job-controller 2022-08-27T01:22:54Z system:controller:namespace-controller 2022-08-27T01:22:54Z system:controller:node-controller 2022-08-27T01:22:54Z system:controller:persistent-volume-binder 2022-08-27T01:22:54Z system:controller:pod-garbage-collector 2022-08-27T01:22:54Z system:controller:pv-protection-controller 2022-08-27T01:22:54Z system:controller:pvc-protection-controller 2022-08-27T01:22:54Z system:controller:replicaset-controller 2022-08-27T01:22:54Z system:controller:replication-controller 2022-08-27T01:22:54Z system:controller:resourcequota-controller 2022-08-27T01:22:54Z system:controller:route-controller 2022-08-27T01:22:54Z system:controller:service-account-controller 2022-08-27T01:22:54Z system:controller:service-controller 2022-08-27T01:22:54Z system:controller:statefulset-controller 2022-08-27T01:22:54Z system:controller:ttl-controller 2022-08-27T01:22:54Z system:coredns 2022-08-27T12:45:57Z system:discovery 2022-08-27T01:22:54Z system:heapster 2022-08-27T01:22:54Z system:kube-aggregator 2022-08-27T01:22:54Z system:kube-apiserver-to-kubelet 2022-08-28T02:23:48Z system:kube-controller-manager 2022-08-27T01:22:54Z system:kube-dns 2022-08-27T01:22:54Z system:kube-scheduler 2022-08-27T01:22:54Z system:kubelet-api-admin 2022-08-27T01:22:54Z system:node 2022-08-27T01:22:54Z system:node-bootstrapper 2022-08-27T01:22:54Z system:node-problem-detector 2022-08-27T01:22:54Z system:node-proxier 2022-08-27T01:22:54Z system:persistent-volume-provisioner 2022-08-27T01:22:54Z system:public-info-viewer 2022-08-27T01:22:54Z system:volume-scheduler 2022-08-27T01:22:54Z testclusterrole 2022-09-04T12:30:29Z view 2022-08-27T01:22:54Z
查看admin 的权限,茫茫多的权限,说明该角色权限非常大:
[root@master ~]# k describe clusterrole admin Name: admin Labels: kubernetes.io/bootstrapping=rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- rolebindings.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch] roles.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch] configmaps [] [] [create delete deletecollection patch update get list watch] endpoints [] [] [create delete deletecollection patch update get list watch] persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch] pods [] [] [create delete deletecollection patch update get list watch] replicationcontrollers/scale [] [] [create delete deletecollection patch update get list watch] replicationcontrollers [] [] [create delete deletecollection patch update get list watch] services [] [] [create delete deletecollection patch update get list watch] daemonsets.apps [] [] [create delete deletecollection patch update get list watch] deployments.apps/scale [] [] [create delete deletecollection patch update get list watch] deployments.apps [] [] [create delete deletecollection patch update get list watch] replicasets.apps/scale [] [] [create delete deletecollection patch update get list watch] replicasets.apps [] [] [create delete deletecollection patch update get list watch] statefulsets.apps/scale [] [] [create delete deletecollection patch update get list watch] statefulsets.apps [] [] [create delete deletecollection patch update get list watch] horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection patch update get list watch] cronjobs.batch [] [] [create delete deletecollection patch update get list watch] jobs.batch [] [] [create delete deletecollection patch update get list watch] daemonsets.extensions [] [] [create delete deletecollection patch update get list watch] deployments.extensions/scale [] [] [create delete deletecollection patch update get list watch] deployments.extensions [] [] [create delete deletecollection patch update get list watch] ingresses.extensions [] [] [create delete deletecollection patch update get list watch] networkpolicies.extensions [] [] [create delete deletecollection patch update get list watch] replicasets.extensions/scale [] [] [create delete deletecollection patch update get list watch] replicasets.extensions [] [] [create delete deletecollection patch update get list watch] replicationcontrollers.extensions/scale [] [] [create delete deletecollection patch update get list watch] ingresses.networking.k8s.io [] [] [create delete deletecollection patch update get list watch] networkpolicies.networking.k8s.io [] [] [create delete deletecollection patch update get list watch] poddisruptionbudgets.policy [] [] [create delete deletecollection patch update get list watch] deployments.apps/rollback [] [] [create delete deletecollection patch update] deployments.extensions/rollback [] [] [create delete deletecollection patch update] localsubjectaccessreviews.authorization.k8s.io [] [] [create] pods/attach [] [] [get list watch create delete deletecollection patch update] pods/exec [] [] [get list watch create delete deletecollection patch update] pods/portforward [] [] [get list watch create delete deletecollection patch update] pods/proxy [] [] [get list watch create delete deletecollection patch update] secrets [] [] [get list watch create delete deletecollection patch update] services/proxy [] [] [get list watch create delete deletecollection patch update] bindings [] [] [get list watch] events [] [] [get list watch] limitranges [] [] [get list watch] namespaces/status [] [] [get list watch] namespaces [] [] [get list watch] persistentvolumeclaims/status [] [] [get list watch] pods/log [] [] [get list watch] pods/status [] [] [get list watch] replicationcontrollers/status [] [] [get list watch] resourcequotas/status [] [] [get list watch] resourcequotas [] [] [get list watch] services/status [] [] [get list watch] controllerrevisions.apps [] [] [get list watch] daemonsets.apps/status [] [] [get list watch] deployments.apps/status [] [] [get list watch] replicasets.apps/status [] [] [get list watch] statefulsets.apps/status [] [] [get list watch] horizontalpodautoscalers.autoscaling/status [] [] [get list watch] cronjobs.batch/status [] [] [get list watch] jobs.batch/status [] [] [get list watch] daemonsets.extensions/status [] [] [get list watch] deployments.extensions/status [] [] [get list watch] ingresses.extensions/status [] [] [get list watch] replicasets.extensions/status [] [] [get list watch] ingresses.networking.k8s.io/status [] [] [get list watch] poddisruptionbudgets.policy/status [] [] [get list watch] serviceaccounts [] [] [impersonate create delete deletecollection patch update get list watch]
cluste-admin 这个角色是给其它角色赋权,并使用其它所有资源,比admin还要牛 比的存在,真正的生杀予夺的角色(狠角色)
[root@master ~]# k describe clusterrole cluster-admin Name: cluster-admin Labels: kubernetes.io/bootstrapping=rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- *.* [] [] [*] [*] [] [*]
view角色,查看一切的角色:
[root@master ~]# k describe clusterrole view Name: view Labels: kubernetes.io/bootstrapping=rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit=true Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- bindings [] [] [get list watch] configmaps [] [] [get list watch] endpoints [] [] [get list watch] events [] [] [get list watch] 、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、。、、、、、、、、、、。。
edit角色,修改一切的角色:
root@master ~]# k describe clusterrole edit Name: edit Labels: kubernetes.io/bootstrapping=rbac-defaults rbac.authorization.k8s.io/aggregate-to-admin=true Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- configmaps [] [] [create delete deletecollection patch update get list watch] endpoints [] [] [create delete deletecollection patch update get list watch] persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch] pods [] [] [create delete deletecollection patch update get list watch] 、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、、
这些内置的角色存在的意义是为了维护系统的和平(像不像说维护世界和平?),其实有时候不知道怎么分配权限了,看看它们也就会配置了。
我可以明确的说,k8s的权限管理系统和数据库尤其是Oracle数据库是非常非常相似的,如果对数据库比较熟悉的话,上手这个k8s的权限管理系统也是非常容易的哦。
