Kubernetes Study Notes (10): RBAC (Part 2)


    In the previous chapter we looked briefly at how cluster users are given different permissions with Role/ClusterRole/RoleBinding/ClusterRoleBinding, but every command there ran with the admin kubeconfig. In a real deployment each user should authenticate with a kubeconfig of their own, so below we configure user permissions the way it is actually done: issue the user a client certificate, build a kubeconfig around it, and then bind that identity to roles.

I. Create the dev namespace

[root@k8s-master-155-221 rbac]# cat create-namespace.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: dev
[root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml 
namespace/dev created
[root@k8s-master-155-221 rbac]# kubectl get namespaces 
NAME              STATUS   AGE
default           Active   51d
dev               Active   5s
ingress-nginx     Active   8d
kube-node-lease   Active   51d
kube-public       Active   51d
kube-system       Active   51d

II. Create a test pod in the dev namespace

[root@k8s-master-155-221 rbac]# cat pod-demo.yaml 
apiVersion: v1
kind: Pod
metadata: 
  name: dev-pod-demo
  namespace: dev
  labels:
    app: dev-myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
pod/dev-pod-demo created
[root@k8s-master-155-221 rbac]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          5s

III. Create four users, dev-read, dev-admin, cluster-read and cluster-admin, for read and admin access at namespace scope and at cluster scope respectively (only dev-read is walked through below; the other three are created the same way with a different CN)

Create the CSR file for dev-read

[root@k8s-master-155-221 cert]# cat dev-read-csr.json 
{
  "CN": "dev-read",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}

Generate the certificate and key for dev-read. The API server takes the username from the certificate's CN (dev-read) and the user's groups from its O fields (k8s here), so the subject names in the bindings below must match the CN exactly; you can confirm what the server will see with `openssl x509 -in dev-read.pem -noout -subject`. Never issue a user certificate with O set to system:masters: that group is bound to cluster-admin by default and RBAC cannot take it away. Also note that without a -config profile cfssl signs for its default one-year lifetime, and Kubernetes has no certificate revocation, so a leaked client certificate stays valid until it expires or the cluster CA is rotated; keep lifetimes short.

[root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.pem dev-read-csr.json  | cfssljson -bare dev-read
2020/01/20 15:59:20 [INFO] generate received request
2020/01/20 15:59:20 [INFO] received CSR
2020/01/20 15:59:20 [INFO] generating key: rsa-2048
2020/01/20 15:59:21 [INFO] encoded CSR
2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

Create the kubeconfig file for dev-read (tem.kubeconfig is a shell script that wraps the three kubectl config commands)

[root@k8s-master-155-221 cert]# cat tem.kubeconfig 
#!/bin/bash
# cluster parameters
export KUBE_APISERVER="https://172.16.155.220:8443"
kubectl config set-cluster kubernetes \
--certificate-authority=/mnt/k8s/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=dev-read.kubeconfig
# client authentication parameters
kubectl config set-credentials dev-read \
--client-certificate=/mnt/k8s/cert/dev-read.pem \
--client-key=/mnt/k8s/cert/dev-read-key.pem \
--embed-certs=true \
--kubeconfig=dev-read.kubeconfig
# context parameters
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=dev-read \
--kubeconfig=dev-read.kubeconfig
# default context
kubectl config use-context kubernetes --kubeconfig=dev-read.kubeconfig
[root@k8s-master-155-221 cert]# sh tem.kubeconfig 
Cluster "kubernetes" set.
User "dev-read" set.
Context "kubernetes" created.
Switched to context "kubernetes".

IV. Grant the user different permissions

1. Allow dev-read to read pods in the dev namespace

Copy dev-read's kubeconfig to a node and check what it is allowed to do by default. Because --embed-certs=true put the private key inside the file, move it over scp as below rather than e-mail or chat, and keep it mode 0600; newer kubectl versions warn when a kubeconfig is group- or world-readable.

# on the master
[root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root   # copy dev-read's kubeconfig from the master to one of the cluster nodes
# on the test node
[root@k8s-node-155-224 ~]# mkdir .kube   # create the default kubeconfig directory and rename the file to the default name, config
[root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config
[root@k8s-node-155-224 ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"   # dev-read has no permissions yet
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"

Forbidden rather than Unauthorized means authentication already succeeded: the certificate chains to the cluster CA and the server extracted the user dev-read from its CN. Only authorization denied the request, which is exactly what RBAC is about to fix.

Create a Role that grants read access to pods in the dev namespace

[root@k8s-master-155-221 rbac]# cat role-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-pods-reader
  namespace: dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml 
role.rbac.authorization.k8s.io/dev-pods-reader created
[root@k8s-master-155-221 rbac]# kubectl get role -n dev
NAME              AGE
dev-pods-reader   10s

Create a RoleBinding that binds the dev-read user to the dev-pods-reader Role

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:  
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
[root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
NAME            AGE
dev-read-pods   7s

Test (on the node, with dev-read's kubeconfig; an admin can verify the same thing without switching kubeconfig with `kubectl auth can-i list pods -n dev --as dev-read`):

[root@k8s-node-155-224 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.155.220:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-read
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-read
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          30m
[root@k8s-node-155-224 ~]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"

2. Give dev-read admin rights in the dev namespace

This reuses the RoleBinding manifest but points roleRef at the built-in admin ClusterRole. A RoleBinding that references a ClusterRole grants its rules only inside the binding's namespace (dev), not cluster-wide; that is the standard way to reuse the built-in admin/edit/view roles per namespace. Note that roleRef is immutable: kubectl apply refuses to change it on an existing binding, so the old dev-read-pods binding has to be deleted first (or a new name used), which is consistent with the output below reporting created again.

[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created

Test: check whether dev-read can now create and delete pods (here by creating a Deployment in dev)

[root@k8s-node-155-224 ~]# cat deploy-demo.yaml 
apiVersion: apps/v1
kind: Deployment
metadata: 
  name: myapp-deploy
  namespace: dev
spec:
  replicas: 3
  selector: 
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: httpd
          containerPort: 80
[root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml 
deployment.apps/myapp-deploy created
[root@k8s-node-155-224 ~]# kubectl get  deploy -n dev
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
myapp-deploy   3/3     3            3           17s
[root@k8s-node-155-224 ~]# kubectl get  pods  -n dev
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s
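To make the scoping rules behind these results concrete, here is an added example (not code from the page) that models the Kubernetes RBAC authorizer in Python: a Role bound with a RoleBinding, a ClusterRole (admin) referenced from a RoleBinding, and a ClusterRole bound with a ClusterRoleBinding, the case the cluster-read manifest further down is meant for. It is a simplified model: rules are a pure union with no deny, resourceNames, nonResourceURLs and aggregation are left out, and the admin and cluster-read ClusterRoles it builds are abridged stand-ins, not the real objects. The names dev-pods-reader, dev-read-pods and dev-read come from this page; the cluster-read user and binding and the functions page_policy, authorize and can are assumptions of this example.

```python
"""Simplified model of the Kubernetes RBAC authorizer (added example, not from the page)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class RoleLike:                 # Role when namespace is set, ClusterRole when it is None
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None


@dataclass
class Binding:                  # RoleBinding when namespace is set, ClusterRoleBinding when None
    name: str
    subjects: List[Tuple[str, str]]      # (kind, name) with kind "User" or "Group"
    role_ref: Tuple[str, str]            # ("Role" | "ClusterRole", name)
    namespace: Optional[str] = None


@dataclass
class Request:
    user: str
    verb: str
    resource: str                        # "pods", or a subresource such as "pods/log"
    api_group: str = ""                  # "" is the core group
    namespace: Optional[str] = None      # None for cluster-scoped resources such as nodes
    groups: List[str] = field(default_factory=list)


def _hit(options: List[str], value: str) -> bool:
    return "*" in options or value in options


def rule_matches(rule: Rule, req: Request) -> bool:
    if not _hit(rule.verbs, req.verb) or not _hit(rule.api_groups, req.api_group):
        return False
    if _hit(rule.resources, req.resource):
        return True
    # "pods" does not cover "pods/log"; only an explicit "pods/log" or "*/log" does
    if "/" in req.resource:
        return "*/" + req.resource.split("/", 1)[1] in rule.resources
    return False


def subject_matches(binding: Binding, req: Request) -> bool:
    return any((kind == "User" and name == req.user) or (kind == "Group" and name in req.groups)
               for kind, name in binding.subjects)


def authorize(roles: List[RoleLike], bindings: List[Binding], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); the deny reason mimics the API server's Forbidden message."""
    by_key = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        if not subject_matches(b, req):
            continue
        if b.namespace is not None and b.namespace != req.namespace:
            continue                     # a RoleBinding grants only inside its own namespace
        kind, name = b.role_ref
        if kind == "Role" and b.namespace is None:
            continue                     # a ClusterRoleBinding cannot reference a Role
        role = by_key.get((b.namespace if kind == "Role" else None, name))
        if role is None:
            continue                     # a dangling roleRef grants nothing
        if any(rule_matches(rule, req) for rule in role.rules):
            return True, f"allowed by {b.name} -> {kind}/{name}"
    where = f'in the namespace "{req.namespace}"' if req.namespace else "at the cluster scope"
    return False, (f'{req.resource} is forbidden: User "{req.user}" cannot {req.verb} '
                   f'resource "{req.resource}" in API group "{req.api_group}" {where}')


READ = ["get", "list", "watch"]


def page_policy(dev_read_is_admin: bool = False) -> Tuple[List[RoleLike], List[Binding]]:
    """The Role and RoleBinding from this page plus an assumed cluster-read user bound cluster-wide;
    the admin and cluster-read ClusterRoles are abridged stand-ins for the real ones."""
    roles = [
        RoleLike("dev-pods-reader", [Rule([""], ["pods"], READ)], namespace="dev"),
        RoleLike("admin", [Rule(["", "apps", "batch"], ["*"], ["*"])]),
        RoleLike("cluster-read", [Rule(["", "apps"], ["pods", "nodes", "deployments"], READ)]),
    ]
    role_ref = ("ClusterRole", "admin") if dev_read_is_admin else ("Role", "dev-pods-reader")
    bindings = [
        Binding("dev-read-pods", [("User", "dev-read")], role_ref, namespace="dev"),
        Binding("cluster-read", [("User", "cluster-read")], ("ClusterRole", "cluster-read")),
    ]
    return roles, bindings


def can(user: str, verb: str, resource: str, namespace: Optional[str] = None,
        api_group: str = "", dev_read_is_admin: bool = False) -> bool:
    roles, bindings = page_policy(dev_read_is_admin)
    return authorize(roles, bindings, Request(user, verb, resource, api_group, namespace))[0]
```

Calling `can("dev-read", "list", "pods", "dev")` and `can("dev-read", "list", "pods", "default")` reproduces the allow and the Forbidden seen above, and `can("dev-read", "create", "deployments", "dev", "apps", dev_read_is_admin=True)` is true while the same request in default stays false. The check worth remembering is `can("dev-read", "get", "pods/log", "dev")`: a rule for pods does not cover the pods/log subresource, so a user who can list pods still cannot read their logs until pods/log is granted explicitly.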

Sample manifest for a cluster-wide read-only ClusterRole (pick the name yourself)


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - secrets
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch

# For cluster-wide access, bind a ClusterRole like this one with a ClusterRoleBinding; the steps mirror the RoleBinding case above and are not repeated here.

Two caveats before using this manifest as a "read-only" role. First, it grants get/list/watch on secrets in every namespace, which means every secret in the cluster can be read, including service account tokens and TLS keys in kube-system; a user who can read those is not read-only in any meaningful sense, because a stolen token of a privileged service account gives full control. Remove secrets (and think about configmaps, which often hold credentials too) unless the user genuinely needs them. Second, on Kubernetes 1.16 and later most of the resources listed under the extensions group no longer exist there (the apps and networking.k8s.io rules already cover them), so that rule is redundant but harmless.
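A grant like secrets is easy to miss in a rule list this long, so here is an added example (not code from the page) in Python that audits a Role or ClusterRole for grants that are more powerful than they look and produces a hardened copy with the flagged resources removed. The RISKY table is my own list of well-known RBAC escalation paths, not a Kubernetes API; CLUSTER_READ is a constructed abridgement of the manifest above; and the functions audit_role and hardened are assumptions of this example. To audit a real object, load the output of `kubectl get clusterrole NAME -o json` with json.load and pass it to audit_role.

```python
"""Audit Role/ClusterRole rules for grants that are far more powerful than they look
(added example, not from the page). Input is the object as a plain dict, the shape
`kubectl get clusterrole NAME -o json` returns."""
from typing import Dict, List

READ = {"get", "list", "watch"}
WRITE = {"create", "update", "patch", "delete", "deletecollection"}

# (apiGroup, resource, verbs that trigger the finding, severity, why it matters)
RISKY = [
    ("", "secrets", READ, "HIGH",
     "reading secrets exposes service account tokens and TLS keys; with list, every secret in scope"),
    ("", "pods/exec", {"create"}, "HIGH", "shell into any pod in scope"),
    ("", "pods/attach", {"create"}, "HIGH", "attach to any container's stdio"),
    ("", "pods/portforward", {"create"}, "MEDIUM", "reach in-cluster services that network policy would block"),
    ("", "pods", {"create", "update", "patch"}, "HIGH",
     "create pods: hostPath mounts or privileged containers unless an admission policy forbids them"),
    ("", "nodes/proxy", READ | WRITE, "HIGH", "proxies to the kubelet API, which can exec into any pod on the node"),
    ("", "serviceaccounts/token", {"create"}, "HIGH", "mint a token for any service account in scope"),
    ("", "users", {"impersonate"}, "HIGH", "act as any user"),
    ("", "groups", {"impersonate"}, "HIGH", "act as any group, including system:masters"),
    ("rbac.authorization.k8s.io", "clusterroles", {"bind", "escalate"}, "HIGH",
     "bind or create roles with permissions the caller does not hold"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", WRITE, "HIGH", "bind any subject to cluster-admin"),
    ("rbac.authorization.k8s.io", "rolebindings", WRITE, "MEDIUM", "bind subjects to roles in the namespace"),
]


def _covers(options: List[str], value: str) -> bool:
    if "*" in options or value in options:
        return True
    if "/" in value:                               # "*/exec" covers "pods/exec"
        return "*/" + value.split("/", 1)[1] in options
    return False


def audit_role(role: Dict) -> List[Dict]:
    """Return one finding per (rule, risky resource) hit: rule index, severity,
    resource, the triggering verbs and an explanation."""
    kind = role.get("kind", "Role")
    name = role.get("metadata", {}).get("name", "?")
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if "*" in verbs and "*" in resources:
            findings.append({"rule": i, "severity": "CRITICAL", "resource": "*", "verbs": ["*"],
                             "why": f"wildcard verbs on wildcard resources in {kind} {name}"})
            continue
        for group, resource, trigger, severity, why in RISKY:
            if not _covers(groups, group) or not _covers(resources, resource):
                continue
            hit = trigger if "*" in verbs else trigger & set(verbs)
            if hit:
                findings.append({"rule": i, "severity": severity, "resource": resource,
                                 "verbs": sorted(hit), "why": why})
    if kind == "ClusterRole":                      # cluster-wide once bound with a ClusterRoleBinding
        for f in findings:
            f["why"] += " (ClusterRole: cluster-wide when bound with a ClusterRoleBinding)"
    return findings


def hardened(role: Dict) -> Dict:
    """Copy of the role with each explicitly named flagged resource removed from its rule.
    Wildcard resources are not narrowed automatically; rewrite those rules by hand."""
    flagged = {(f["rule"], f["resource"]) for f in audit_role(role)}
    rules = []
    for i, rule in enumerate(role.get("rules", [])):
        keep = [r for r in rule.get("resources", []) if (i, r) not in flagged]
        if keep:
            rules.append({**rule, "resources": keep})
    return {**role, "rules": rules}


# Constructed abridgement of the cluster-read manifest above (first rule kept as on the page).
CLUSTER_READ = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-read"},
    "rules": [
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods",
                       "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
                       "services", "nodes", "secrets", "persistentvolumes"]},
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["bindings", "events", "limitranges", "pods/log", "pods/status"]},
        {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
         "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"]},
    ],
}
```

Run against CLUSTER_READ the only finding is the secrets grant in rule 0 with verbs get/list/watch, and `hardened(CLUSTER_READ)` is the same ClusterRole with secrets dropped from that rule and nothing else changed, which audits clean. The table deliberately flags create on pods and create on pods/exec as HIGH even in a namespaced Role: without an admission policy, creating a pod with a hostPath mount is a node compromise, and exec reaches every container in the namespace.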
