K8S Practice VII (RBAC)

I. User --> RoleBinding --> Role

A Role grants access only to resources inside a single namespace.

1. Create the namespace

# cat namespace-dev.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: development
# kubectl get ns
development       Active   56s

2. Create a workload in that namespace

# kubectl create -f nginx-deployment.yaml -n development
# kubectl get pod -n development
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          20s
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          20s
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          20s

3. Sign a private certificate with the cluster CA

The API server trusts any client certificate that chains to /etc/kubernetes/pki/ca.crt and takes the user name from the certificate's CN (and group names from any O fields). Note that Kubernetes checks no revocation list, so a leaked dev.key issued for 3650 days can only be retired by rotating the CA; in practice use a short validity, and keep ca.key on the control plane only.

# cd /etc/kubernetes/pki/
# openssl genrsa -out dev.key 2048
# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
# openssl x509 -req -in dev.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out dev.crt -days 3650
# openssl x509 -noout -text -in ./dev.crt

4. Create a kubectl user entry from the generated certificate

--embed-certs=true copies the certificate and key into ~/.kube/config, so that file now holds the credential and must be protected like the key itself.

# kubectl config set-credentials dev --client-certificate=./dev.crt --client-key=./dev.key --embed-certs=true
User "dev" set.

5. Define a context

# kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev --namespace=development
Context "dev@kubernetes" created.
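The following script, added to this page as an illustration and not part of the original post, performs steps 3 to 5 end to end without kubectl: it signs a client certificate with a CA, reads back the identity the API server would derive from it (CN is the user name, O is a group; the page's certificate sets CN only), checks that the certificate verifies against the CA and is restricted to client authentication, and writes a kubeconfig with the certificate data embedded, which is what --embed-certs=true does. It assumes openssl and base64 on PATH. The CA it creates with make_test_ca is a throwaway stand-in for /etc/kubernetes/pki/ca.crt and ca.key, and the group developers, the 30-day validity, the extension values and all function names are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example: steps 3-5 of this page as one script, without kubectl.
# Assumes openssl and base64 on PATH. The CA produced by make_test_ca is a
# throwaway stand-in for /etc/kubernetes/pki/ca.crt and ca.key.
set -eu

# make_test_ca DIR: constructed CA for the demo only (CN=kubernetes-ca is made up).
make_test_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  chmod 600 "$1/ca.key"
  openssl req -new -key "$1/ca.key" -subj '/CN=kubernetes-ca' -out "$1/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

# make_client_cert CA_CRT CA_KEY USER GROUP DAYS OUTDIR
#   Writes OUTDIR/USER.key and OUTDIR/USER.crt. The API server maps CN to the
#   user name and each O to a group, so both are set here (the page sets CN only).
make_client_cert() {
  ca_crt=$1 ca_key=$2 user=$3 group=$4 days=$5 out=$6
  openssl genrsa -out "$out/$user.key" 2048 2>/dev/null
  chmod 600 "$out/$user.key"                    # the key is the credential; keep it private
  openssl req -new -key "$out/$user.key" -subj "/CN=$user/O=$group" -out "$out/$user.csr"
  # clientAuth-only extensions: the cert cannot be reused as a server cert even
  # though it chains to the cluster CA. DAYS is kept short because the API
  # server checks no revocation list.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$out/$user.ext"
  openssl x509 -req -in "$out/$user.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -days "$days" -extfile "$out/$user.ext" -out "$out/$user.crt" 2>/dev/null
  rm -f "$out/$user.csr" "$out/$user.ext"
}

# cert_identity CRT: prints "user=<CN> groups=<O>", the identity RBAC will see
cert_identity() {
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")   # subject=O=...,CN=...
  cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  o=$(printf '%s\n' "$subj" | sed -n 's/.*O=\([^,]*\).*/\1/p')
  printf 'user=%s groups=%s\n' "$cn" "$o"
}

# verify_client_cert CA_CRT CRT: OK if CRT chains to CA_CRT and is usable for client auth
verify_client_cert() {
  if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

b64() { base64 < "$1" | tr -d '\n'; }   # one-line base64, GNU and BSD alike

# build_kubeconfig SERVER CA_CRT USER CRT KEY NAMESPACE OUT
#   Same result as set-cluster / set-credentials --embed-certs=true / set-context.
build_kubeconfig() {
  server=$1 ca_crt=$2 user=$3 crt=$4 key=$5 ns=$6 out=$7
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca_crt")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
    namespace: $ns
current-context: $user@kubernetes
EOF
  chmod 600 "$out"                              # embeds the private key, so it is a secret too
}

demo() {
  work=$(mktemp -d)
  make_test_ca "$work"
  make_client_cert "$work/ca.crt" "$work/ca.key" dev developers 30 "$work"
  cert_identity "$work/dev.crt"                       # user=dev groups=developers
  verify_client_cert "$work/ca.crt" "$work/dev.crt"   # OK
  build_kubeconfig https://20.0.20.101:6443 "$work/ca.crt" dev \
    "$work/dev.crt" "$work/dev.key" development "$work/dev.kubeconfig"
  echo "wrote $work/dev.kubeconfig (try: KUBECONFIG=$work/dev.kubeconfig kubectl get pods)"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Against a real cluster, replace make_test_ca with the existing /etc/kubernetes/pki/ca.crt and ca.key and point server at the API endpoint; the resulting file works as a standalone KUBECONFIG and carries no admin material, unlike appending the user to the admin's ~/.kube/config as the page does.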

6. Create the Role

A Role grants access only to resources inside a single namespace; this Role is scoped to development, so namespace: development must be set in the manifest (pass -n development or edit the generated file). `--dry-run` is the kubectl 1.14 spelling used on this cluster; from kubectl 1.18 on it is `--dry-run=client`.

# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: development
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl apply -f role-demo.yaml

7. Create a RoleBinding that binds the Role to user dev (in the development namespace as well)

# kubectl create rolebinding dev-read-pods --role=pods-reader --user=dev --dry-run -o yaml > rolebinding-demo.yaml
# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pods
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f rolebinding-demo.yaml

8. Switch context and test: dev can list pods in development, but the same request in default is refused because the RoleBinding exists only in development

# kubectl config use-context dev@kubernetes
Switched to context "dev@kubernetes".
# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          22m
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          22m
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          22m
# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

II. User --> ClusterRoleBinding --> ClusterRole

1. Create the ClusterRole (kubectl resolves the singular node to the nodes resource)

# kubectl create clusterrole cluster-read --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-demo.yaml
# cat clusterrole-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-read
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch

2. Define the ClusterRoleBinding

# kubectl create clusterrolebinding dev-read-all-pods --clusterrole=cluster-read --user=dev --dry-run -o yaml > clusterrolebinding-demo.yaml
# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev

3. Delete the earlier RoleBinding and create the ClusterRole and ClusterRoleBinding

# kubectl delete rolebinding -n development dev-read-pods
rolebinding.rbac.authorization.k8s.io "dev-read-pods" deleted
# kubectl create -f clusterrole-demo.yaml -f clusterrolebinding-demo.yaml 
clusterrole.rbac.authorization.k8s.io/cluster-read created
clusterrolebinding.rbac.authorization.k8s.io/dev-read-all-pods created

4. Define a context; this one sets no namespace, so unqualified kubectl commands go to default

# kubectl config set-context devcluster@kubernetes --cluster=kubernetes --user=dev
Context "devcluster@kubernetes" created.

5. Switch context and test: pods are now readable in any namespace and nodes at cluster scope, but services were never granted, so listing them in default is refused. The config view below shows the three contexts side by side.

# kubectl config use-context devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-5694ccb578-9m8j8   1/1     Running   0          20d
# kubectl get node
NAME    STATUS   ROLES    AGE   VERSION
k8s-1   Ready    master   49d   v1.14.2
k8s-2   Ready    <none>   48d   v1.14.2
k8s-3   Ready    <none>   48d   v1.14.2
k8s-4   Ready    <none>   15d   v1.14.2
k8s-5   Ready    <none>   15d   v1.14.2
# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://20.0.20.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: development
    user: dev
  name: dev@kubernetes
- context:
    cluster: kubernetes
    user: dev
  name: devcluster@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: devcluster@kubernetes
kind: Config
preferences: {}
users:
- name: dev
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# kubectl config use-context  kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes"

III. User --> RoleBinding --> ClusterRole

1. Delete the earlier ClusterRoleBinding

# kubectl delete clusterrolebinding dev-read-all-pods
clusterrolebinding.rbac.authorization.k8s.io "dev-read-all-pods" deleted

2. Define the ClusterRole (the generated file was edited in vim to replace node with services)

# kubectl create clusterrole clusterrole-role --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-rolebinding.yaml
# vim clusterrole-rolebinding.yaml 

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: clusterrole-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch

3. Define the RoleBinding

The manifest carries no namespace, so kubectl apply from the admin context, which sets none, creates the binding in default. A RoleBinding that references a ClusterRole grants that ClusterRole's rules only inside the binding's own namespace.

# kubectl create rolebinding dev-read-pn --clusterrole=clusterrole-role --user=dev --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
# vim rolebinding-clusterrole-demo.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pn
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterrole-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f clusterrole-rolebinding.yaml -f rolebinding-clusterrole-demo.yaml 
clusterrole.rbac.authorization.k8s.io/clusterrole-role created
rolebinding.rbac.authorization.k8s.io/dev-read-pn created

4. Switch context and test: in default, dev can now list pods (none run there) and services, but `-A` is a cluster-scope list, which a RoleBinding cannot authorise

# kubectl config use-context  devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod
No resources found.
# kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" at the cluster scope
# kubectl get svc
NAME                                                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
glusterfs-dynamic-db9abc87-9e0a-11e9-a2f3-00505694834d   ClusterIP   10.103.125.206   <none>        1/TCP     13d

Cluster-scoped resources such as nodes and persistentvolumes, and non-resource URLs, are not namespaced, so a RoleBinding cannot grant them: no permission on a non-namespaced resource reaches a user through a RoleBinding, even when the referenced ClusterRole lists it (keeping nodes in clusterrole-role above would have had no effect). Granting those is what a ClusterRoleBinding is for.
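To make the three binding patterns comparable, here is a small shell model of the API server's RBAC decision, added for this page and not taken from Kubernetes or from the original post. The rule and binding tables are transcribed from the YAML in sections I to III (with the section III RoleBinding placed in default, since its manifest has no namespace); the functions rbac_can and role_allows, the table format and the short CLUSTER_SCOPED list are inventions of this example. It reproduces every kubectl result shown above, including the cluster-scope denials, and shows why a RoleBinding can never grant nodes.

```shell
#!/bin/sh
# Toy model of Kubernetes RBAC authorization, written for this page.
# It is NOT apiserver code; it covers only what the page exercises:
# core-group resources, User subjects, Role/ClusterRole and the two binding kinds.

NL='
'

# Rules, one per line, transcribed from the page's manifests:
#   <roleKind>|<roleName>|<resource>|<comma-separated verbs>
RULES='
Role|pods-reader|pods|get,list,watch
ClusterRole|cluster-read|pods|get,list,watch
ClusterRole|cluster-read|nodes|get,list,watch
ClusterRole|clusterrole-role|pods|get,list,watch
ClusterRole|clusterrole-role|services|get,list,watch
'

# Resources that live outside any namespace (a partial list, enough for the page).
CLUSTER_SCOPED='nodes persistentvolumes namespaces'

# Bindings for each section of the page:
#   <bindingKind>|<bindingNamespace or ->|<roleKind>|<roleName>|<user>
BINDINGS_SECTION_1='
RoleBinding|development|Role|pods-reader|dev
'
BINDINGS_SECTION_2='
ClusterRoleBinding|-|ClusterRole|cluster-read|dev
'
# Section III: the RoleBinding manifest has no namespace, so `kubectl apply`
# from the admin context lands it in default.
BINDINGS_SECTION_3='
RoleBinding|default|ClusterRole|clusterrole-role|dev
'
BINDINGS=$BINDINGS_SECTION_1

# role_allows KIND NAME VERB RESOURCE: succeeds if a rule of that role grants VERB on RESOURCE
role_allows() {
  ra_kind=$1 ra_name=$2 ra_verb=$3 ra_res=$4 ra_ok=1
  ra_ifs=$IFS
  IFS=$NL
  for ra_rule in $RULES; do
    IFS='|'
    set -- $ra_rule
    IFS=$ra_ifs
    [ "$1" = "$ra_kind" ] && [ "$2" = "$ra_name" ] && [ "$3" = "$ra_res" ] || continue
    case ",$4," in *",$ra_verb,"*) ra_ok=0 ;; esac
  done
  IFS=$ra_ifs
  return $ra_ok
}

is_cluster_scoped() {
  case " $CLUSTER_SCOPED " in *" $1 "*) return 0 ;; esac
  return 1
}

# rbac_can USER VERB RESOURCE NAMESPACE: prints yes/no like `kubectl auth can-i`.
# Pass an empty NAMESPACE for a cluster-scoped request (`get nodes`, `get pods -A`).
rbac_can() {
  rc_user=$1 rc_verb=$2 rc_res=$3 rc_ns=$4 rc_decision=no
  is_cluster_scoped "$rc_res" && rc_ns=''      # a namespace is meaningless here
  rc_ifs=$IFS
  IFS=$NL
  for rc_b in $BINDINGS; do
    IFS='|'
    set -- $rc_b
    IFS=$rc_ifs
    rc_bkind=$1 rc_bns=$2 rc_rkind=$3 rc_rname=$4 rc_subject=$5
    [ "$rc_subject" = "$rc_user" ] || continue
    case $rc_bkind in
      ClusterRoleBinding) ;;   # applies in every namespace and at cluster scope
      RoleBinding) [ -n "$rc_ns" ] && [ "$rc_bns" = "$rc_ns" ] || continue ;;
    esac
    if role_allows "$rc_rkind" "$rc_rname" "$rc_verb" "$rc_res"; then
      rc_decision=yes
      break
    fi
  done
  IFS=$rc_ifs
  echo "$rc_decision"
  [ "$rc_decision" = yes ]
}

# Replay the page's checks; each line prints the decision kubectl showed.
show() { printf '%-4s %-5s %-9s ns=%-13s -> %s\n' "$1" "$2" "$3" "${4:-<cluster>}" "$(rbac_can "$@")"; }

BINDINGS=$BINDINGS_SECTION_1
show dev list pods development     # yes
show dev list pods default         # no  (the Role is bound only in development)
BINDINGS=$BINDINGS_SECTION_2
show dev list pods ingress-nginx   # yes
show dev list nodes ''             # yes (a ClusterRoleBinding covers cluster scope)
show dev list services default     # no  (cluster-read never mentions services)
BINDINGS=$BINDINGS_SECTION_3
show dev list pods default         # yes
show dev list pods ''              # no  (`kubectl get pod -A` is a cluster-scope list)
show dev list services default     # yes
show dev get nodes ''              # no  (nodes have no namespace; a RoleBinding cannot reach them)
```

The two lines that carry the page's point are the RoleBinding case in rbac_can, which matches only when the request names the binding's own namespace, and the is_cluster_scoped check, which erases the namespace for resources that have none; together they are why section III can read pods in default but never nodes, whatever the ClusterRole says.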
