Kubernetes Authorization

Kubernetes authorization settings

Authorization and authentication are separate stages in Kubernetes. For authentication, see the Kubernetes authentication section at the end of this page.
Authorization is applied to every HTTP request that reaches the Kubernetes API server, after the request has been authenticated.

For each request, authorization compares the request's attributes (user, resource, namespace, and so on) against the configured access policy. A request proceeds only if it satisfies that policy.

The mode is selected with one of the following flags:

  • --authorization_mode=AlwaysDeny
  • --authorization_mode=AlwaysAllow
  • --authorization_mode=ABAC

AlwaysDeny blocks all requests (useful in tests). AlwaysAllow permits every request; set it only if you do not want authorization at all, since any client that can authenticate then has full control of the API. ABAC allows user-defined authorization policies; ABAC stands for Attribute-Based Access Control. These underscore-style flags are from early Kubernetes releases; current API servers spell the flag --authorization-mode, ABAC is still accepted, and RBAC (often combined with Node and Webhook) is the recommended mode.

ABAC Mode

Request attributes

When ABAC authorizes a request, four attributes of the request are available to the policy:

  • user, the username established by authentication;
  • readonly, whether the request is read-only (a GET);
  • resource, the kind of object addressed by the URL. Only API endpoints carry a resource; for example /api/v1/namespaces/default/pods has resource pods, while for other endpoints, such as /version, the resource is the empty string;
  • namespace, the namespace of the object being accessed, or the empty string if the object is not namespaced.

Policy file format

Starting the API server with --authorization_mode=ABAC --authorization_policy_file=SOME_FILENAME turns ABAC on. Each line of that file is one JSON object (one policy). A policy object may contain the following keys:

  • user, string, matched against the username from authentication (for example the username column of --token_auth_file);
  • readonly, bool; when true the policy only covers GET requests;
  • resource, string, the resource type from the request URL, such as pods;
  • namespace, string, the namespace of the object.

A key that is left out takes the zero value of its type (false or the empty string), and a zero-valued key matches any value of the corresponding request attribute, so leaving a key out widens a policy rather than narrowing it.

Authorization algorithm

A request has attributes that correspond to the keys of a policy object.

When a request is received, its attributes are determined. An attribute that cannot be determined for the request is set to the zero value of its type (false or the empty string).

An unset policy key matches any value of the corresponding attribute; a set key matches only if the attribute has exactly that value. The request's attribute tuple is checked against every line of the policy file, and if at least one line matches, the request is authorized (it may still fail later validation).

Consequently a policy with no user applies to every authenticated user, a policy with no namespace applies to every namespace, and a policy with no resource applies to every resource; the empty object {} allows everything to everyone, and the loader accepts it as a valid line. Review a policy file for such lines before trusting it.

Examples

  1. {"user":"alice"}:
    User alice can do anything.
  2. {"user":"kubelet", "resource": "pods", "readonly": true}:
    kubelet can read any pod, in any namespace.
  3. {"user":"kubelet", "resource": "events"}:
    kubelet can read and write events.
  4. {"user":"bob", "resource": "pods", "readonly": true, "namespace": "projectCaribou"}:
    Bob can only GET pods in the namespace projectCaribou. The key must be spelled namespace, as in the format description above: the loader ignores keys it does not know, so a misspelling such as "ns" would silently drop the namespace restriction and let Bob read pods in every namespace.
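The policy file format, the matching rule and the four example policies above, as an added example in Go (this is illustration code written for this page, not code from the page or from Kubernetes itself): a minimal ABAC loader and authorizer that reproduces the zero-value-matches-anything rule and the any-line-matches decision, then evaluates the example policies. The strict loading option, the sample policy text and the misspelled "ns" line are constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// policy mirrors one line of the ABAC policy file. The JSON keys are the four
// the page lists; a key left out of a line keeps its Go zero value.
type policy struct {
	User      string `json:"user"`
	Readonly  bool   `json:"readonly"`
	Resource  string `json:"resource"`
	Namespace string `json:"namespace"`
}

// attributes is the tuple the authorizer derives from one API request.
type attributes struct {
	User      string
	Readonly  bool // true for a GET request
	Resource  string
	Namespace string
}

// matches applies the matching rule: a set policy field must equal the request
// attribute, an unset (zero-valued) field matches any value. A policy with
// readonly=true covers only read-only requests; one without it covers both.
func (p policy) matches(a attributes) bool {
	if p.User != "" && p.User != a.User {
		return false
	}
	if p.Readonly && !a.Readonly {
		return false
	}
	if p.Resource != "" && p.Resource != a.Resource {
		return false
	}
	if p.Namespace != "" && p.Namespace != a.Namespace {
		return false
	}
	return true
}

// authorize allows the request if at least one policy line matches it.
func authorize(policies []policy, a attributes) bool {
	for _, p := range policies {
		if p.matches(a) {
			return true
		}
	}
	return false
}

// loadPolicies parses the one-JSON-object-per-line format, skipping blank and
// "#" comment lines. With strict=true (an option added by this example), a key
// the policy struct does not declare makes the line an error instead of being
// silently ignored, which is what a plain json.Unmarshal would do.
func loadPolicies(text string, strict bool) ([]policy, error) {
	var out []policy
	scanner := bufio.NewScanner(strings.NewReader(text))
	for n := 1; scanner.Scan(); n++ {
		raw := strings.TrimSpace(scanner.Text())
		if raw == "" || strings.HasPrefix(raw, "#") {
			continue
		}
		dec := json.NewDecoder(strings.NewReader(raw))
		if strict {
			dec.DisallowUnknownFields()
		}
		var p policy
		if err := dec.Decode(&p); err != nil {
			return nil, fmt.Errorf("policy line %d: %v", n, err)
		}
		out = append(out, p)
	}
	return out, scanner.Err()
}

// Constructed sample policy file holding the four example rules.
const samplePolicyFile = `# alice can do anything
{"user":"alice"}
{"user":"kubelet", "resource": "pods", "readonly": true}
{"user":"kubelet", "resource": "events"}
{"user":"bob", "resource": "pods", "readonly": true, "namespace": "projectCaribou"}
`

// Constructed variant of bob's rule with the namespace key misspelled as "ns".
const misspelledBobLine = `{"user":"bob", "resource": "pods", "readonly": true, "ns": "projectCaribou"}`

func main() {
	pols, err := loadPolicies(samplePolicyFile, true)
	if err != nil {
		panic(err)
	}
	bobRead := attributes{User: "bob", Readonly: true, Resource: "pods", Namespace: "projectCaribou"}
	bobOther := attributes{User: "bob", Readonly: true, Resource: "pods", Namespace: "kube-system"}
	fmt.Println("bob GET pods in projectCaribou:", authorize(pols, bobRead))
	fmt.Println("bob GET pods in kube-system:   ", authorize(pols, bobOther))

	// Lenient loading drops the unknown "ns" key, so bob's rule silently loses
	// its namespace restriction; strict loading rejects the line at startup.
	lenient, _ := loadPolicies(misspelledBobLine, false)
	fmt.Println("misspelled rule, lenient loader, kube-system:", authorize(lenient, bobOther))
	_, err = loadPolicies(misspelledBobLine, true)
	fmt.Println("misspelled rule, strict loader:", err)
}
```

Run it with go run. The lenient path behaves like a loader built on a plain json.Unmarshal, which discards keys it does not recognise, so bob's misspelled rule quietly widens to every namespace; DisallowUnknownFields turns the typo into a startup error, which is the behaviour you want from anything that loads an access policy.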

 

Kubernetes authentication settings

In Kubernetes there are three ways to authenticate a client of the API: certificate authentication, token authentication and basic authentication.

Certificate authentication: start the apiserver with --client_ca_file=SOMEFILE. The referenced file holds the certificate authority used to verify client certificates; when a client certificate verifies, the subject of that certificate becomes the request's username.

Token authentication: start the apiserver with --token_auth_file=SOMEFILE. The use of static tokens is still debated, and a change to the file only takes effect after the apiserver is restarted. The token file has three columns: token, username, userid. To authenticate with a token, the HTTP request to the apiserver carries the header Authorization: Bearer SOMETOKEN.

Basic authentication: start the apiserver with --basic_auth_file=SOMEFILE; a changed password likewise only takes effect after an apiserver restart. The file has three columns: password, username, userid. To authenticate this way, the request carries the header Authorization: Basic followed by the base64 encoding of USER:PASSWORD (user and password joined by a colon and encoded together).

Both files hold secrets in clear text and must be protected like the cluster's private keys. As with the authorization flags above, these underscore-style flags are from early Kubernetes releases; static basic authentication was later deprecated and removed from the apiserver.
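The token and basic-auth mechanisms just described, as an added example in Go (illustration code written for this page, not code from the page or from Kubernetes): a parser for the three-column credential files and an authenticate function that maps an Authorization header to a username. Comma-separated columns, the sample credential rows and the constant-time comparison of secrets are assumptions and additions of this example, not details the page gives.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// credential is one row of a token file or a basic-auth file:
// secret (the token or the password), username, userid.
type credential struct {
	Secret   string
	Username string
	UserID   string
}

// parseCredentialFile reads the three-column format. Comma-separated columns
// are an assumption of this example; blank lines and "#" comments are skipped.
func parseCredentialFile(text string) ([]credential, error) {
	var out []credential
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		cols := strings.Split(line, ",")
		if len(cols) != 3 {
			return nil, fmt.Errorf("line %d: want 3 columns, got %d", i+1, len(cols))
		}
		out = append(out, credential{
			Secret:   strings.TrimSpace(cols[0]),
			Username: strings.TrimSpace(cols[1]),
			UserID:   strings.TrimSpace(cols[2]),
		})
	}
	return out, nil
}

// basicHeader builds the Authorization value for basic auth:
// "Basic " followed by base64(user:password), encoded as one string.
func basicHeader(user, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+password))
}

// authenticate maps an Authorization header value to a username, using the
// token file for "Bearer" and the basic-auth file for "Basic". Secrets are
// compared in constant time, an addition beyond what the page describes.
func authenticate(header string, tokens, basic []credential) (string, error) {
	parts := strings.SplitN(header, " ", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed Authorization header")
	}
	scheme, value := parts[0], parts[1]
	switch strings.ToLower(scheme) {
	case "bearer":
		for _, c := range tokens {
			if subtle.ConstantTimeCompare([]byte(c.Secret), []byte(value)) == 1 {
				return c.Username, nil
			}
		}
	case "basic":
		raw, err := base64.StdEncoding.DecodeString(value)
		if err != nil {
			return "", fmt.Errorf("basic credentials are not base64: %v", err)
		}
		userPass := strings.SplitN(string(raw), ":", 2)
		if len(userPass) != 2 {
			return "", errors.New("basic credentials lack a ':' separator")
		}
		for _, c := range basic {
			if c.Username == userPass[0] && subtle.ConstantTimeCompare([]byte(c.Secret), []byte(userPass[1])) == 1 {
				return c.Username, nil
			}
		}
	default:
		return "", errors.New("unsupported authentication scheme: " + scheme)
	}
	return "", errors.New("invalid credentials")
}

// Constructed sample files in the token,username,userid and
// password,username,userid layouts.
const sampleTokenFile = `# token,username,userid
s3cr3t-token-alice,alice,1001
`

const sampleBasicFile = `# password,username,userid
hunter2,bob,1002
`

func main() {
	tokens, _ := parseCredentialFile(sampleTokenFile)
	basic, _ := parseCredentialFile(sampleBasicFile)
	for _, h := range []string{"Bearer s3cr3t-token-alice", basicHeader("bob", "hunter2"), basicHeader("bob", "wrong")} {
		user, err := authenticate(h, tokens, basic)
		fmt.Printf("%-30s -> user=%q err=%v\n", h, user, err)
	}
}
```

The username returned here is the value ABAC later matches against the user key of a policy, which is why the username column of these files must agree with the policy file.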

 

https://segmentfault.com/a/1190000002919433?utm_source=tuicool

http://www.coin163.com/it/x2700960886745827433/kubernetes-authentication-herman-liu
