文章目录
- 1. 介绍
- 2. Practice - Pod uses custom ServiceAccount
- 3. Practice - Disable ServiceAccount mounting
- 4. Practice - Limit ServiceAccounts using RBAC
1. 介绍
2. Practice - Pod uses custom ServiceAccount
root@master:~/cks/RBAC# k get sa,secrets NAME SECRETS AGE serviceaccount/default 1 9m50s NAME TYPE DATA AGE secret/default-token-9srgx kubernetes.io/service-account-token 3 9m50s root@master:~/cks/RBAC# k describe sa default Name: default Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: default-token-9srgx Tokens: default-token-9srgx Events: <none> root@master:~/cks/RBAC# k create sa accessor serviceaccount/accessor created root@master:~/cks/RBAC# k get sa,secrets NAME SECRETS AGE serviceaccount/accessor 1 5s serviceaccount/default 1 17m NAME TYPE DATA AGE secret/accessor-token-bnd4s kubernetes.io/service-account-token 3 5s secret/default-token-9srgx kubernetes.io/service-account-token 3 17m root@master:~/cks/RBAC# k describe secret accessor-token-bnd4s Name: accessor-token-bnd4s Namespace: default Labels: <none> Annotations: kubernetes.io/service-account.name: accessor kubernetes.io/service-account.uid: 9e763e70-71da-431a-a813-df838420341b Type: kubernetes.io/service-account-token Data ==== ca.crt: 1066 bytes namespace: 7 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkJhb1NtQ21TRlpKWHBYbUV3VHZ6OW9FOFZoOV9BSlNrLUN1WEJ4SjZtc1EifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFjY2Vzc29yLXRva2VuLWJuZDRzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFjY2Vzc29yIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOWU3NjNlNzAtNzFkYS00MzFhLWE4MTMtZGY4Mzg0MjAzNDFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWNjZXNzb3IifQ.lAy_-h3rMcZSNHtwm2THelbj-2O635N75Hx92-4t9Ulaplk0WOg9Ja72LlReasU39VS1DMAwYfgNgsyurDme2HVolO4IEeyl56BrOgKC73LWLQ1d6waNqPVzU_GRKuzXqpDXJID3CODcuNBOld1VHyIbmK2YNzgPMaR0CLexpx_p_wU5mg_XZpfccL4KvFBNmWh_cj3eFz4t1yxsP2TycwC2WKkXMvpaVqY_YFFpge2ddTwBf-xgtcpoRAQpfEkxZSVWqA12ZTi0I2wdK--XMcJcqmTTor1rcAws_aLUxT7VajL4sgd4LT_OuJk4iQdLmQZzwDYS4-Ca354pNIK0PA root@master:~/cks/RBAC# k run accessor --image=nginx --dry-run=client -oyaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: accessor name: accessor spec: containers: - image: nginx name: accessor resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} root@master:~/cks/RBAC# k run accessor --image=nginx --dry-run=client -oyaml > accessor.yaml root@master:~/cks/RBAC# vim accessor.yaml root@master:~/cks/RBAC# cat accessor.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: accessor name: accessor spec: serviceAccountName: accessor #添加此行 containers: - image: nginx name: accessor resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} root@master:~/cks/RBAC# k create -f accessor.yaml pod/accessor created root@master:~/cks/RBAC# k exec -ti accessor -- bash root@accessor:/# mount |grep sec tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime) root@accessor:/# cd /run/secrets/kubernetes.io/serviceaccount root@accessor:/run/secrets/kubernetes.io/serviceaccount# cat token eyJhbGciOiJSUzI1NiIsImtpZCI6IkJhb1NtQ21TRlpKWHBYbUV3VHZ6OW9FOFZoOV9BSlNrLUN1WEJ4SjZtc1EifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFjY2Vzc29yLXRva2VuLWJuZDRzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFjY2Vzc29yIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOWU3NjNlNzAtNzFkYS00MzFhLWE4MTMtZGY4Mzg0MjAzNDFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWNjZXNzb3IifQ.lAy_-h3rMcZSNHtwm2THelbj-2O635N75Hx92-4t9Ulaplk0WOg9Ja72LlReasU39VS1DMAwYfgNgsyurDme2HVolO4IEeyl56BrOgKC73LWLQ1d6waNqPVzU_GRKuzXqpDXJID3CODcuNBOld1VHyIbmK2YNzgPMaR0CLexpx_p_wU5mg_XZpfccL4KvFBNmWh_cj3eFz4t1yxsP2TycwC2WKkXMvpaVqY_YFFpge2ddTwBf-xgtcpoRAQpfEkxZSVWqA12ZTi0I2wdK--XMcJcqmTTor1rcAws_aLUxT7VajL4sgd4LT_OuJk4iQdLmQZzwDYS4-Ca354pNIK0PA tes.io/serviceaccount# curl https://kubernetes curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. root@accessor:/run/secrets/kubernetes.io/serviceaccount# curl https://kubernetes -k { "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"", "reason": "Forbidden", "details": { }, "code": 403 } #以serviceaccount用户accessor访问 root@accessor:/run/secrets/kubernetes.io/serviceaccount# curl https://kubernetes -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtZCI6IkJhb1NtQ21TRlpKWHBYbUV3VHZ6OW9FOFZoOV9BSlNrLUN1WEJ4SjZtc1EifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFjY2Vzc29yLXRva2VuLWJuZDRzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFjY2Vzc29yIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOWU3NjNlNzAtNzFkYS00MzFhLWE4MTMtZGY4Mzg0MjAzNDFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6YWNjZXNzb3IifQ.lAy_-h3rMcZSNHtwm2THelbj-2O635N75Hx92-4t9Ulaplk0WOg9Ja72LlReasU39VS1DMAwYfgNgsyurDme2HVolO4IEeyl56BrOgKC73LWLQ1d6waNqPVzU_GRKuzXqpDXJID3CODcuNBOld1VHyIbmK2YNzgPMaR0CLexpx_p_wU5mg_XZpfccL4KvFBNmWh_cj3eFz4t1yxsP2TycwC2WKkXMvpaVqY_YFFpge2ddTwBf-xgtcpoRAQpfEkxZSVWqA12ZTi0I2wdK--XMcJcqmTTor1rcAws_aLUxT7VajL4sgd4LT_OuJk4iQdLmQZzwDYS4-Ca354pNIK0PA" { "kind": "Status", "apiVersion": "v1", "metadata": { }, "status": "Failure", "message": "forbidden: User \"system:serviceaccount:default:accessor\" cannot get path \"/\"", "reason": "Forbidden", "details": { }, "code": 403
3. Practice - Disable ServiceAccount mounting
参考链接:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
root@master:~/cks/serviceaccount# vim accessor.yaml root@master:~/cks/serviceaccount# cat accessor.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: accessor name: accessor spec: serviceAccountName: accessor automountServiceAccountToken: false #添加此行 containers: - image: nginx name: accessor resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} root@master:~/cks/serviceaccount# k -f accessor.yaml replace --force pod "accessor" deleted pod/accessor replaced root@master:~/cks/serviceaccount# k get pods NAME READY STATUS RESTARTS AGE accessor 1/1 Running 0 13s root@master:~/cks/serviceaccount# k exec -ti accessor -- bash root@accessor:/# mount |grep ser root@master:~/cks/serviceaccount# vim accessor.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: accessor name: accessor spec: serviceAccountName: accessor automountServiceAccountToken: true #false改为true containers: - image: nginx name: accessor resources: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {} #pod文件含挂载的token root@master:~/cks/serviceaccount# k edit pod accessor ..... volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: accessor-token-bnd4s readOnly: true ..... volumes: - name: accessor-token-bnd4s secret: defaultMode: 420 secretName: accessor-token-bnd4s .....
4. Practice - Limit ServiceAccounts using RBAC
root@master:~/cks/serviceaccount# k get pod NAME READY STATUS RESTARTS AGE accessor 1/1 Running 0 5m2s root@master:~/cks/serviceaccount# k auth can-i delete secrets --as system:serviceaccount:default:accessor no root@master:~/cks/serviceaccount# k create clusterrolebinding accessor --clusterrole edit --serviceaccount default:accessor clusterrolebinding.rbac.authorization.k8s.io/accessr created root@master:~/cks/serviceaccount# k auth can-i delete secrets --as system:serviceaccount:default:accessor yes
总结
