Accessing the API with a username and password
Configuring the apiserver
- Add the startup flag --basic-auth-file=SOMEFILE to the apiserver
- Create the SOMEFILE file with the following content (one record per line)
admin,admin,user-1
pwd,base-user,user-2
pwd,super-user,user-3
- Restart kube-apiserver
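The following is an added example, not code from the page or from Kubernetes: a Python model of how the apiserver consumed this file. Each record is password,username,uid, optionally followed by a quoted, comma-separated list of group names; the flag was deprecated in Kubernetes 1.16 and removed in 1.19. The model makes the two weak points of the scheme concrete: passwords sit in the file in plaintext, and the Authorization header only base64-encodes user:password, so TLS to the apiserver is all that protects them in transit. SAMPLE_AUTH_FILE is the three records from SOMEFILE above.

```python
"""Model of how kube-apiserver consumed a --basic-auth-file.

Added example, not code from the page or from Kubernetes. Each record is
password,username,uid with an optional fourth, quoted field of
comma-separated group names; SAMPLE_AUTH_FILE is the SOMEFILE listed above.
"""
import base64
import csv
import hmac
import io

# Constructed sample: the three records from SOMEFILE above.
SAMPLE_AUTH_FILE = """\
admin,admin,user-1
pwd,base-user,user-2
pwd,super-user,user-3
"""


def parse_basic_auth_file(text):
    """Return {username: (password, uid, groups)} for a basic-auth file.

    The file is CSV, so a quoted fourth field such as "group1,group2"
    carries group names. Short or duplicate records are rejected rather
    than silently skipped: a silently dropped record would make a user
    vanish without any error at startup.
    """
    users = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            raise ValueError("line %d: expected password,user,uid" % lineno)
        password, username, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        if username in users:
            raise ValueError("line %d: duplicate user %r" % (lineno, username))
        users[username] = (password, uid, groups)
    return users


def basic_header(user, password):
    """Build the Authorization header a client such as curl -u sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def decode_basic_header(header):
    """Split 'Basic <base64(user:password)>' back into (user, password).

    Basic auth is encoded, not encrypted: anyone who can read the request
    recovers the password, so the scheme depends entirely on TLS between
    the client and the apiserver.
    """
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(payload).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credentials must be user:password")
    return user, password


def authenticate(users, header):
    """Return (username, uid, groups) when the header matches a record, else None."""
    try:
        user, password = decode_basic_header(header)
    except ValueError:  # malformed header, bad base64 or non-UTF-8 bytes
        return None
    record = users.get(user)
    if record is None:
        return None
    stored_password, uid, groups = record
    # constant-time comparison, so response timing does not reveal how many
    # leading characters of a guessed password were right
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return user, uid, groups


if __name__ == "__main__":
    table = parse_basic_auth_file(SAMPLE_AUTH_FILE)
    print(authenticate(table, basic_header("admin", "admin")))
    print(authenticate(table, basic_header("base-user", "wrong")))
```

Running it directly shows admin/admin accepted as ('admin', 'user-1', []) and a wrong password rejected with None. The comparison uses hmac.compare_digest rather than == so that the time taken does not depend on how many leading characters of the guess were correct.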
Using RBAC to give admin, base-user and super-user different permissions
Add the apiserver flag --authorization-mode=RBAC to enable RBAC authorization mode
Before RBAC is enabled the API can be reached through kubectl; after enabling it the calls fail
[root@test-build ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "admin" cannot list pods in the namespace "default"
HTTP requests, however, are not affected
- Create a role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1   # rbac.authorization.k8s.io/v1 on current clusters
metadata:
  namespace: default
  name: app
rules:
- apiGroups: [""]
  resources: ["pods"]
  # "log", "describe" and "pods/exec" are not API verbs; the log and exec
  # subresources are granted by the two rules below
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
- Bind the user
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: app-rolebinding
  namespace: default
subjects:
- kind: User
  name: app
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app
  apiGroup: rbac.authorization.k8s.io
- Test
- kubectl get pods: test
- kubectl exec -it pod sh: error
Error from server (Forbidden): pods "busybox-786cfc6cb7-6trsz" is forbidden: User "admin" cannot create pods/exec in the namespace "default"
Understanding users in Kubernetes
A Kubernetes cluster has two kinds of users: service accounts managed by Kubernetes, and normal users.
Normal users are assumed to be managed by an outside, independent service: an administrator distributing private keys, a user store such as Keystone or Google Accounts, or even a file with a list of usernames and passwords, i.e. the file named by --basic-auth-file. In this regard Kubernetes has no object that represents a normal user account; normal users cannot be added to a cluster through an API call.
In contrast, service accounts are accounts managed by the Kubernetes API. They are bound to a specific namespace and are created automatically by the API server or manually through API calls. A service account is tied to a set of credentials stored in a Secret, which are mounted into pods so that the pod can call the Kubernetes API.
Accessing the API through a service account (sa)
- Create the sa
kubectl create sa test-sa
- Obtain the sa's token and the CA certificate [see the kubelet notes]
- Run kubectl config set-credentials test-sa --token=`cat ./token` to add the user test-sa to .kube/config
The resulting .kube/config:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://10.254.0.78:6443
    #insecure-skip-tls-verify: true   # use instead of certificate-authority: /etc/kubernetes/ssl/ca.crt to skip verification of the cluster certificate
  name: test-cluster
contexts:
- context:
    cluster: test-cluster
    user: test-sa
  name: default-system
current-context: default-system
kind: Config
preferences: {}
users:
- name: test-sa
  user:
    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tampjYnIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA3YTFiMzQ5LWYwNmYtMTFlOC04NTdkLTA4MDAyNzFhMTM1MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ.eBKpsNs3J5AO5ZPU025lGlx9lSi1KMeGKanxqp9v70WLp-vsQmMDgJifeR3LXf7y8cCB2EAWOymKwYt9YVOrk3UFz821S0PAWHTcfBMsm6TqfB5QHpcgJbQ7vA_vGNBlg7oYDEhWcHKJTCmuCoLJr3fXmuppme-J4y8Y_aYLGcnd_EjhIPGCrX-z3i6jDDrnPe4XFoeo-G6F2gqmNrM-aeo7dqIgtONoiOdP21oL9gOguMtWAjFEacA2MnUvFG1_wA5HXDpmBo69vaABAgOYJfCUK95dYBSdmEpacLQ9NEC_gygHGLehSZRt_My21_qdBe8RFLX8wWIxnuJ70xHOsQ
- Create the file test-sa-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: test-sa-rolebinding
  namespace: default
subjects:
- kind: User
  # a service account can be named as a User via system:serviceaccount:<namespace>:<name>;
  # the equivalent subject is kind: ServiceAccount, name: test-sa, namespace: default
  name: system:serviceaccount:default:test-sa
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app
  apiGroup: rbac.authorization.k8s.io
- Run kubectl create -f test-sa-rolebinding.yaml to grant test-sa the role
- Running kubectl get pods on the node now succeeds
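The following is an added example (not the page's code, and not Kubernetes' own authorizer) that models the RBAC decision behind the two procedures above: the Role app bound to the normal user app, and the same Role bound to test-sa through test-sa-rolebinding.yaml. It takes the Role and both RoleBindings as Python dicts transcribed from the YAML, reads the subject name out of the service-account token in the kubeconfig above (its sub claim is system:serviceaccount:default:test-sa, which is why the binding can name the service account as a User), and reproduces why the earlier exec test failed for User "admin": no binding names that user, and RBAC denies whatever no rule allows. The token's claims are only decoded, not verified; the apiserver checks the RS256 signature with the key from --service-account-key-file.

```python
"""Model of the apiserver's RBAC decision for namespaced Roles and RoleBindings.

Added example, neither the page's code nor Kubernetes' own authorizer. The Role
"app" and the two RoleBindings are transcribed from the YAML above as dicts;
SA_TOKEN is the token from the kubeconfig above. Claims are decoded only, not
signature-checked, which the real apiserver does with --service-account-key-file.
"""
import base64
import json

APP_ROLE = {
    "namespace": "default",
    "name": "app",
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}
ROLES = {(APP_ROLE["namespace"], APP_ROLE["name"]): APP_ROLE}

# app-rolebinding (normal user "app") and test-sa-rolebinding (the service
# account addressed as a User, exactly as the page writes it)
BINDINGS = [
    {"namespace": "default", "roleRef": "app",
     "subjects": [{"kind": "User", "name": "app"}]},
    {"namespace": "default", "roleRef": "app",
     "subjects": [{"kind": "User", "name": "system:serviceaccount:default:test-sa"}]},
]

# header.payload.signature from the kubeconfig above, split at the dots only
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tampjYnIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA3YTFiMzQ5LWYwNmYtMTFlOC04NTdkLTA4MDAyNzFhMTM1MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ."
    "eBKpsNs3J5AO5ZPU025lGlx9lSi1KMeGKanxqp9v70WLp-vsQmMDgJifeR3LXf7y8cCB2EAWOymKwYt9YVOrk3UFz821S0PAWHTcfBMsm6TqfB5QHpcgJbQ7vA_vGNBlg7oYDEhWcHKJTCmuCoLJr3fXmuppme-J4y8Y_aYLGcnd_EjhIPGCrX-z3i6jDDrnPe4XFoeo-G6F2gqmNrM-aeo7dqIgtONoiOdP21oL9gOguMtWAjFEacA2MnUvFG1_wA5HXDpmBo69vaABAgOYJfCUK95dYBSdmEpacLQ9NEC_gygHGLehSZRt_My21_qdBe8RFLX8wWIxnuJ70xHOsQ"
)


def jwt_claims(token):
    """Decode the claims segment of a JWT without verifying its signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload).decode("utf-8"))


def service_account_identity(token):
    """Return (user name, groups) the apiserver derives from a legacy SA token."""
    claims = jwt_claims(token)
    namespace = claims["kubernetes.io/serviceaccount/namespace"]
    return claims["sub"], ["system:serviceaccounts",
                           "system:serviceaccounts:" + namespace]


def subject_matches(subject, user, groups):
    """A RoleBinding subject is a User, a Group or a ServiceAccount."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        # shorthand for the User name system:serviceaccount:<namespace>:<name>
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], name)
    return False


def rule_matches(rule, api_group, resource, verb):
    """API group, resource (subresources written as pods/exec) and verb must all match."""
    def allowed(values, wanted):
        return "*" in values or wanted in values
    return (allowed(rule["apiGroups"], api_group)
            and allowed(rule["resources"], resource)
            and allowed(rule["verbs"], verb))


def authorize(user, groups, namespace, verb, resource, api_group="",
              bindings=BINDINGS, roles=ROLES):
    """Return (allowed, reason). RBAC is deny by default: only a rule reached
    through a binding that names the caller can allow the request."""
    for binding in bindings:
        if binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        role = roles.get((namespace, binding["roleRef"]))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        for rule in role["rules"]:
            if rule_matches(rule, api_group, resource, verb):
                return True, "allowed by Role %s" % role["name"]
    return False, 'User "%s" cannot %s %s in the namespace "%s"' % (
        user, verb, resource, namespace)


if __name__ == "__main__":
    # "admin" has no binding: the Forbidden result from the exec test above
    print(authorize("admin", [], "default", "create", "pods/exec"))
    print(authorize("app", [], "default", "create", "pods/exec"))
    sa_user, sa_groups = service_account_identity(SA_TOKEN)
    print(sa_user, authorize(sa_user, sa_groups, "default", "list", "pods"))
```

Call authorize with the namespace the request targets: the same user asking for pods in kube-system is denied, because a RoleBinding is namespaced and only reaches a Role in that same namespace. A binding whose roleRef points at a Role that does not exist grants nothing either, which is worth checking for when a binding looks right but access is still refused.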
If the generated sa has no secret:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-node
  namespace: default
secrets:
- name: kube-node-token-bvbk5
Roles and role bindings
[Role (role)]
[RoleBinding (rolebinding)]
[ClusterRole (clusterrole)]
[ClusterRoleBinding (clusterrolebinding)]
role
[root@yixin-build .kube]# kubectl get role --all-namespaces
NAMESPACE NAME AGE
kube-public system:controller:bootstrap-signer 309d
kube-system extension-apiserver-authentication-reader 309d
kube-system system::leader-locking-kube-controller-manager 309d
kube-system system::leader-locking-kube-scheduler 309d
kube-system system:controller:bootstrap-signer 309d
kube-system system:controller:cloud-provider 309d
kube-system system:controller:token-cleaner 309d
rolebinding
[root@yixin-build .kube]# kubectl get rolebinding --all-namespaces
NAMESPACE NAME AGE
kube-public system:controller:bootstrap-signer 309d
kube-system system::leader-locking-kube-controller-manager 309d
kube-system system::leader-locking-kube-scheduler 309d
kube-system system:controller:bootstrap-signer 309d
kube-system system:controller:cloud-provider 309d
kube-system system:controller:token-cleaner 309d
clusterrole
[root@yixin-build .kube]# kubectl get clusterrole
NAME AGE
admin 309d
cluster-admin 309d
edit 309d
lb-ingress-clusterrole 309d
log-collector 299d
system:auth-delegator 309d
system:basic-user 309d
system:controller:attachdetach-controller 309d
system:controller:certificate-controller 309d
system:controller:cronjob-controller 309d
system:controller:daemon-set-controller 309d
system:controller:deployment-controller 309d
system:controller:disruption-controller 309d
system:controller:endpoint-controller 309d
system:controller:generic-garbage-collector 309d
system:controller:horizontal-pod-autoscaler 309d
system:controller:job-controller 309d
system:controller:namespace-controller 309d
system:controller:node-controller 309d
system:controller:persistent-volume-binder 309d
system:controller:pod-garbage-collector 309d
system:controller:replicaset-controller 309d
system:controller:replication-controller 309d
system:controller:resourcequota-controller 309d
system:controller:route-controller 309d
system:controller:service-account-controller 309d
system:controller:service-controller 309d
system:controller:statefulset-controller 309d
system:controller:ttl-controller 309d
system:discovery 309d
system:heapster 309d
system:kube-aggregator 309d
system:kube-controller-manager 309d
system:kube-dns 309d
system:kube-scheduler 309d
system:node 309d
system:node-bootstrapper 309d
system:node-problem-detector 309d
system:node-proxier 309d
system:persistent-volume-provisioner 309d
view 309d
clusterrolebinding
[root@yixin-build .kube]# kubectl get clusterrolebinding
NAME AGE
ccs-log-collector-role-binding 299d
cluster-admin 309d
lb-ingress-clusterrole-nisa-binding 309d
system:basic-user 309d
system:controller:attachdetach-controller 309d
system:controller:certificate-controller 309d
system:controller:cronjob-controller 309d
system:controller:daemon-set-controller 309d
system:controller:deployment-controller 309d
system:controller:disruption-controller 309d
system:controller:endpoint-controller 309d
system:controller:generic-garbage-collector 309d
system:controller:horizontal-pod-autoscaler 309d
system:controller:job-controller 309d
system:controller:namespace-controller 309d
system:controller:node-controller 309d
system:controller:persistent-volume-binder 309d
system:controller:pod-garbage-collector 309d
system:controller:replicaset-controller 309d
system:controller:replication-controller 309d
system:controller:resourcequota-controller 309d
system:controller:route-controller 309d
system:controller:service-account-controller 309d
system:controller:service-controller 309d
system:controller:statefulset-controller 309d
system:controller:ttl-controller 309d
system:discovery 309d
system:kube-controller-manager 309d
system:kube-dns 309d
system:kube-scheduler 309d
system:node 309d
system:node-proxier 309d
https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions