Kubernetes Study Notes, Part 10: RBAC (2)
2021-12-23
祁小彬
Original article: Kubernetes Study Notes, Part 10: RBAC (2) - 百衲本 - 博客园 (cnblogs.com)
In the previous chapter we briefly covered how k8s cluster users are granted different permissions with Role/ClusterRole/RoleBinding/ClusterRoleBinding, but the kubeconfig file used there was the admin one. In a real deployment each user should use their own kubeconfig file, so below we configure user permissions the way it is done in practice.
I. Create the dev namespace
[root@k8s-master-155-221 rbac]# cat create-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev
[root@k8s-master-155-221 rbac]# kubectl apply -f create-namespace.yaml
namespace/dev created
[root@k8s-master-155-221 rbac]# kubectl get namespaces
NAME              STATUS   AGE
default           Active   51d
dev               Active   5s
ingress-nginx     Active   8d
kube-node-lease   Active   51d
kube-public       Active   51d
kube-system       Active   51d
II. Create a test pod in the dev namespace
[root@k8s-master-155-221 rbac]# cat pod-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dev-pod-demo
  namespace: dev
  labels:
    app: dev-myapp
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
[root@k8s-master-155-221 rbac]# kubectl apply -f pod-demo.yaml
pod/dev-pod-demo created
[root@k8s-master-155-221 rbac]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          5s
III. Create four users, dev-read/dev-admin/cluster-read/cluster-admin, for read and admin access to the namespace and to the cluster respectively
Create the dev-read CSR file
[root@k8s-master-155-221 cert]# cat dev-read-csr.json
{
  "CN": "dev-read",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
Create the certificate and private key for the dev-read user
[root@k8s-master-155-221 cert]# cfssl gencert -ca=/mnt/k8s/cert/ca.pem -ca-key=/mnt/k8s/cert/ca-key.pem dev-read-csr.json | cfssljson -bare dev-read
2020/01/20 15:59:20 [INFO] generate received request
2020/01/20 15:59:20 [INFO] received CSR
2020/01/20 15:59:20 [INFO] generating key: rsa-2048
2020/01/20 15:59:21 [INFO] encoded CSR
2020/01/20 15:59:21 [INFO] signed certificate with serial number 5387334044569180330097517551617071931
2020/01/20 15:59:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Create the kubeconfig file for the dev-read user
[root@k8s-master-155-221 cert]# cat tem.kubeconfig
#!/bin/bash
# Set the cluster parameters
export KUBE_APISERVER="https://172.16.155.220:8443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/mnt/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=dev-read.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials dev-read \
  --client-certificate=/mnt/k8s/cert/dev-read.pem \
  --client-key=/mnt/k8s/cert/dev-read-key.pem \
  --embed-certs=true \
  --kubeconfig=dev-read.kubeconfig
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev-read \
  --kubeconfig=dev-read.kubeconfig
# Set the default context
kubectl config use-context kubernetes --kubeconfig=dev-read.kubeconfig
[root@k8s-master-155-221 cert]# sh tem.kubeconfig
Cluster "kubernetes" set.
User "dev-read" set.
Context "kubernetes" created.
Switched to context "kubernetes".
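The four kubectl config commands above simply build one YAML document. As an added example (not code from the original post), the Python below constructs the same Config document directly, which makes two things visible that the script hides: with --embed-certs=true the CA certificate, the client certificate and the client private key are base64-encoded straight into the file, so the resulting kubeconfig is itself a credential and should be written with mode 0600. The PEM blobs are constructed placeholders, not real certificates; kubectl reads the JSON form because JSON is valid YAML.

```python
import base64
import json
import os

# Constructed placeholder PEM blobs standing in for the post's
# /mnt/k8s/cert/ca.pem, dev-read.pem and dev-read-key.pem (not real certificates).
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder-ca...\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder-dev-read...\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder-dev-read-key...\n-----END RSA PRIVATE KEY-----\n"


def _embed(pem: bytes) -> str:
    """--embed-certs=true means: base64 the PEM bytes into a *-data field."""
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(server, ca_pem, cert_pem, key_pem,
                     user="dev-read", cluster="kubernetes", context="kubernetes"):
    """Return the Config document that set-cluster / set-credentials /
    set-context / use-context produce for the dev-read user."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        # set-cluster: API server URL plus the embedded CA used to verify it
        "clusters": [{"name": cluster,
                      "cluster": {"server": server,
                                  "certificate-authority-data": _embed(ca_pem)}}],
        # set-credentials: the user's certificate AND private key, embedded
        "users": [{"name": user,
                   "user": {"client-certificate-data": _embed(cert_pem),
                            "client-key-data": _embed(key_pem)}}],
        # set-context: ties a cluster entry to a user entry
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        # use-context: makes that context the default
        "current-context": context,
    }


def extract_client_key(config, user="dev-read") -> bytes:
    """Decode the embedded private key back out of the file, which is exactly
    what anyone who obtains the kubeconfig can do."""
    for entry in config["users"]:
        if entry["name"] == user:
            return base64.b64decode(entry["user"]["client-key-data"])
    raise KeyError(user)


def write_kubeconfig(path, config):
    """Write the document and restrict it to the owner, since it carries a private key."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)


if __name__ == "__main__":
    cfg = build_kubeconfig("https://172.16.155.220:8443",
                           SAMPLE_CA_PEM, SAMPLE_CLIENT_CERT_PEM, SAMPLE_CLIENT_KEY_PEM)
    write_kubeconfig("dev-read.kubeconfig", cfg)
    print(json.dumps(cfg, indent=2))
```

Because the private key travels inside the file, copying dev-read.kubeconfig to another host (as the next section does with scp) is equivalent to copying dev-read-key.pem; treat the file accordingly and keep it out of shared directories and repositories.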
IV. Grant the user different permissions
1. Grant the dev-read user permission to read pods in the dev namespace
Copy the dev-read user's kubeconfig file and check the default permissions
# on the master
[root@k8s-master-155-221 cert]# scp dev-read.kubeconfig 172.16.155.224:/root    # copy the dev-read user's kubeconfig from the master to one of the cluster nodes
# on the test node
[root@k8s-node-155-224 ~]# mkdir .kube    # create the default kubeconfig directory and rename the file to the default name, config
[root@k8s-node-155-224 ~]# mv dev-read.kubeconfig .kube/config
[root@k8s-node-155-224 ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"    # dev-read currently has no permissions at all
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "dev"
Create a Role with read permission in the dev namespace
[root@k8s-master-155-221 rbac]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-pods-reader
  namespace: dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-155-221 rbac]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/dev-pods-reader created
[root@k8s-master-155-221 rbac]# kubectl get role -n dev
NAME              AGE
dev-pods-reader   10s
Create a RoleBinding that binds the dev-read user to the dev-pods-reader Role
[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
[root@k8s-master-155-221 rbac]# kubectl get rolebindings.rbac.authorization.k8s.io -n dev
NAME            AGE
dev-read-pods   7s
Test:
[root@k8s-node-155-224 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.155.220:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dev-read
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: dev-read
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME           READY   STATUS    RESTARTS   AGE
dev-pod-demo   1/1     Running   0          30m
[root@k8s-node-155-224 ~]# kubectl get pods -n default
Error from server (Forbidden): pods is forbidden: User "dev-read" cannot list resource "pods" in API group "" in the namespace "default"
2. Grant the dev-read user admin permission on the dev namespace
[root@k8s-master-155-221 rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-read-pods
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-read
[root@k8s-master-155-221 rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/dev-read-pods created
Test: check whether pods can be deleted and created
[root@k8s-node-155-224 ~]# cat deploy-demo.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: httpd
          containerPort: 80
[root@k8s-node-155-224 ~]# kubectl apply -f deploy-demo.yaml
deployment.apps/myapp-deploy created
[root@k8s-node-155-224 ~]# kubectl get deploy -n dev
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
myapp-deploy   3/3     3            3           17s
[root@k8s-node-155-224 ~]# kubectl get pods -n dev
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-5c67ffb9fb-5cntq   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-mvpkb   1/1     Running   0          4m21s
myapp-deploy-5c67ffb9fb-rj5qp   1/1     Running   0          4m21s
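Sections IV.1 and IV.2 rely on two evaluation rules that the kubectl output only shows indirectly: a RoleBinding grants its role solely inside the binding's own namespace, and that stays true when roleRef points at a ClusterRole such as admin, which is why dev-read can create Deployments in dev but still cannot list pods in default. The following Python is an added example, not code from the post or from Kubernetes, that models that evaluation over the post's own manifests (the dev-pods-reader Role and both versions of the dev-read-pods RoleBinding) plus a trimmed stand-in for the built-in admin ClusterRole (assumption: only the pods and deployments rules are reproduced). The function can_i mirrors what `kubectl auth can-i <verb> <resource> -n <namespace> --as=dev-read` would answer on the real cluster, which is the check to run after every binding change.

```python
# Minimal model of Kubernetes RBAC evaluation over the post's manifests
# (added example; assumptions: wildcards only as '*', no resourceNames,
# no subresources, no aggregated ClusterRoles).

ROLE_DEV_PODS_READER = {
    "kind": "Role",
    "metadata": {"name": "dev-pods-reader", "namespace": "dev"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}

# Trimmed stand-in for the built-in ClusterRole 'admin' (assumption: only the
# two resource rules this page exercises are reproduced).
CLUSTERROLE_ADMIN_SUBSET = {
    "kind": "ClusterRole",
    "metadata": {"name": "admin"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ],
}

# Section IV.1: RoleBinding -> Role dev-pods-reader, namespace dev.
BINDING_READ = {
    "kind": "RoleBinding",
    "metadata": {"name": "dev-read-pods", "namespace": "dev"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "dev-pods-reader"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "dev-read"}],
}

# Section IV.2: same RoleBinding, roleRef now points at ClusterRole admin.
BINDING_ADMIN = {
    "kind": "RoleBinding",
    "metadata": {"name": "dev-read-pods", "namespace": "dev"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "dev-read"}],
}


def _rule_matches(rule, api_group, resource, verb):
    """A rule grants (verb, group/resource) when every list holds the value or '*'."""
    def ok(values, wanted):
        return "*" in values or wanted in values
    return (ok(rule["apiGroups"], api_group)
            and ok(rule["resources"], resource)
            and ok(rule["verbs"], verb))


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False  # ServiceAccount subjects are out of scope for this page


def can_i(roles, bindings, user, verb, resource, namespace, api_group="", groups=()):
    """True if some binding naming `user` grants `verb` on `resource` in `namespace`.

    Two rules drive the page's results:
      * a RoleBinding only grants inside its own namespace, even when its
        roleRef is a ClusterRole (the ClusterRole's rules are re-scoped);
      * a ClusterRoleBinding grants in every namespace.
    """
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
              for r in roles}
    for binding in bindings:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue  # namespaced binding: no effect outside its namespace
        ref = binding["roleRef"]
        ref_ns = binding["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = by_key.get((ref["kind"], ref_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(_rule_matches(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


def check_dev_read():
    """Replay the page's tests against the model; returns {description: allowed}."""
    roles = [ROLE_DEV_PODS_READER, CLUSTERROLE_ADMIN_SUBSET]

    def read(verb, res, ns, grp=""):
        return can_i(roles, [BINDING_READ], "dev-read", verb, res, ns, grp)

    def admin(verb, res, ns, grp=""):
        return can_i(roles, [BINDING_ADMIN], "dev-read", verb, res, ns, grp)

    return {
        "read: list pods in dev": read("list", "pods", "dev"),
        "read: list pods in default": read("list", "pods", "default"),
        "read: create deployments in dev": read("create", "deployments", "dev", "apps"),
        "admin: create deployments in dev": admin("create", "deployments", "dev", "apps"),
        "admin: delete pods in dev": admin("delete", "pods", "dev"),
        "admin: list pods in default": admin("list", "pods", "default"),
    }


if __name__ == "__main__":
    for check, allowed in check_dev_read().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

One practical caveat when reproducing section IV.2 on a live cluster: the roleRef of an existing RoleBinding is immutable, so re-applying dev-read-pods with a different roleRef is rejected by the API server; the binding has to be deleted and recreated, which is consistent with the "created" (rather than "configured") message in the output above. The model here also treats an unresolved roleRef as granting nothing, matching the API server, which is why auditing bindings whose referenced Role or ClusterRole has been deleted is worthwhile.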