[Cloud native Kubernetes] kubernetes core technology - cluster security mechanism

1. Overview of Cluster Security Mechanisms

A request to a Kubernetes cluster has to pass three stages before it takes effect, namely:

  • Authentication
  • Authorization
  • Admission control

Every request goes through the apiserver, whose main job in this process is to coordinate these checks. Along the way the client has to present credentials such as certificates, tokens or a username/password.

1. Authentication

Clients usually authenticate in one of the following ways:

  • HTTPS certificate authentication: the client presents a certificate issued by the cluster CA.
  • HTTP token authentication: the user is identified by a bearer token.
  • HTTP basic authentication: username + password, which is the least secure option.

The authentication stage also involves the notion of transport security: the plain HTTP port 8080 is not exposed to the outside world and can only be reached from inside the node, while all external access goes uniformly through the HTTPS port 6443.

2. Authorization

Authorization is currently based on RBAC.

RBAC: Role-Based Access Control.

3. Admission Control

Admission control is effectively a list of admission controllers that are consulted after a request has been authenticated and authorized. If what the request asks for is covered by the controllers in that list, the request passes; otherwise it is rejected.

2. Overview of RBAC

RBAC (Role-Based Access Control) restricts which resources may be accessed during access to a Kubernetes cluster. The permitted operations are defined on a role, and the role is then bound to a user, so that whatever the role is allowed to access, the user is allowed to access as well.

RBAC is not specific to k8s; the same mechanism is used in many other fields.

3. RBAC role binding operation demonstration

Step 1: Create a namespace;

# create the namespace
kubectl create ns xiaoma

Step 2: Create a Pod under the newly created namespace;

# create a Pod in the new namespace
kubectl run nginx --image=nginx -n xiaoma

Step 3: Create a role. Write a YAML file rbac-xiaoma.yaml (with vim, for example) and set the role's attributes in it;

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: xiaoma
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Code meaning: Create the Role pod-reader in the namespace xiaoma, which has get, watch and list permissions on pods.

Step 4: Execute the file. After the role is successfully created, you can also view the role

# apply the file, i.e. create the Role
kubectl apply -f rbac-xiaoma.yaml
# view the Role
kubectl get role -n xiaoma

Step 5: Create the role binding. Write a YAML file rbac-xiaomabinding.yaml;

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: xiaoma
  name: read-pods
subjects:
- kind: User
  name: majinjian
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Code meaning: Bind the user majinjian to the Role pod-reader. The RoleBinding is placed in the same namespace (xiaoma) as the Role, since a RoleBinding can only reference a Role from its own namespace.

Step 6: Execute the file and view the role together with the binding;

# apply the binding file
kubectl apply -f rbac-xiaomabinding.yaml
# view the Role and the RoleBinding
kubectl get role,rolebinding -n xiaoma
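To make the RBAC overview and the walkthrough above concrete without a cluster, the following is an added example (not part of the original post and not Kubernetes' own authorizer code) that re-implements the core Role/RoleBinding decision: does a binding in the request's namespace name the requesting user as a subject, and does the referenced Role contain a rule whose apiGroups, resources and verbs all match? The Role pod-reader and the RoleBinding read-pods from the walkthrough are embedded as Python dicts (assumed to sit in the same namespace xiaoma), and the checks at the end show the deny-by-default behaviour: a verb, resource or namespace outside the rule, or a user that is not a subject, is denied. A binding in a different namespace (for example xiaomatest) would never apply to pods in xiaoma, which is why the namespace check is part of the model.

```python
"""Minimal model of Kubernetes RBAC evaluation for Role/RoleBinding.

Added example; this is not the apiserver's authorizer, only the same decision
rules written out so the manifests from the walkthrough can be checked offline.
"""
from dataclasses import dataclass

# The two manifests from the walkthrough, as dicts (assumed namespace: xiaoma).
POD_READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "xiaoma", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

READ_PODS_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"namespace": "xiaoma", "name": "read-pods"},
    "subjects": [
        {"kind": "User", "name": "majinjian", "apiGroup": "rbac.authorization.k8s.io"},
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


@dataclass(frozen=True)
class Request:
    """What the authorizer sees once authentication has identified the caller."""
    user: str
    groups: tuple
    verb: str
    api_group: str      # "" is the core API group (pods, services, ...)
    resource: str
    namespace: str


def rule_allows(rule, req):
    """One PolicyRule matches when apiGroup, resource and verb all match;
    "*" is the wildcard Kubernetes accepts in each of those lists."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), req.api_group)
            and match(rule.get("resources", []), req.resource)
            and match(rule.get("verbs", []), req.verb))


def subject_matches(subject, req):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    return False  # ServiceAccount subjects are left out of this example


def binding_grants(binding, roles, req):
    """A RoleBinding applies only to requests in its own namespace, and its
    roleRef must name a Role in that same namespace (ClusterRole not modelled)."""
    ns = binding["metadata"]["namespace"]
    if req.namespace != ns:
        return False
    if not any(subject_matches(s, req) for s in binding.get("subjects", [])):
        return False
    ref = binding["roleRef"]
    role = roles.get((ns, ref["name"]))  # Roles are namespaced: key by (namespace, name)
    if role is None or ref["kind"] != "Role":
        return False
    return any(rule_allows(rule, req) for rule in role.get("rules", []))


def authorize(req, roles, bindings):
    """RBAC is deny-by-default: allowed only if at least one binding grants it."""
    return any(binding_grants(b, roles, req) for b in bindings)


def index_roles(*roles):
    return {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}


ROLES = index_roles(POD_READER_ROLE)
BINDINGS = [READ_PODS_BINDING]


def can(user, verb, resource, namespace, api_group=""):
    """Offline equivalent of `kubectl auth can-i <verb> <resource> --as=<user> -n <ns>`."""
    return authorize(Request(user, (), verb, api_group, resource, namespace), ROLES, BINDINGS)


if __name__ == "__main__":
    checks = [
        ("majinjian", "list", "pods", "xiaoma"),       # granted by pod-reader
        ("majinjian", "delete", "pods", "xiaoma"),     # verb not in the rule
        ("majinjian", "get", "pods", "xiaomatest"),    # other namespace: binding does not apply
        ("majinjian", "get", "secrets", "xiaoma"),     # resource not in the rule
        ("someone-else", "get", "pods", "xiaoma"),     # not a subject of the binding
    ]
    for user, verb, resource, ns in checks:
        verdict = "allow" if can(user, verb, resource, ns) else "deny"
        print(f"{user:13} {verb:7} {resource:8} in {ns:10}: {verdict}")
```

On a live cluster the same questions are answered by the apiserver itself with `kubectl auth can-i list pods --as=majinjian -n xiaoma` (expected: yes) and `kubectl auth can-i delete pods --as=majinjian -n xiaoma` (expected: no); running those after Step 6 is the quickest way to confirm that the binding grants exactly the three read verbs and nothing more.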

Origin blog.csdn.net/weixin_53072519/article/details/126612968