Thanks for likes and attention, a little progress every day! come on!
Table of contents
1. Kubernetes Security Overview
2. Authentication, authorization and access control
3. Role-based access control: RBAC
4. Case: Authorize access to different namespace permissions for specified users
1. Kubernetes Security Overview
The K8S security control framework is mainly controlled by the following three stages. Each stage supports the plug-in mode, and the plug-in is enabled through the API Server configuration.
1. Authentication
2. Authorization
3. Admission Control
2. Authentication, authorization and access control
2.1 Authentication
If the client wants to access the K8s cluster API Server, it generally needs a certificate, Token or username + password; if the Pod accesses, a ServiceAccount is required
Three types of client authentication:
• HTTPS certificate authentication: digital certificate authentication based on CA certificate signature
• HTTP Token authentication: identify users through a Token
• HTTP Base authentication: user name + password authentication
2.2 Authorization
K8s currently supports multiple authorization strategies. At present, enterprises mainly use RBAC (Role-Based Access Control, role-based access control) to complete the authorization work.
RBAC decides to allow or deny based on the API request attributes.
More common authorization dimensions:
• user: username
• group: user grouping
• Resources such as pods, deployments
• Resource operation methods: get , list , create , update , patch , watch , delete
• Namespaces
• API group
2.3 Admission Control
Adminssion Control is actually a list of admission controller plug-ins. Requests sent to the API Server need to be checked by each admission controller plug-in in this list. If the check fails, the request is rejected.
3. Role-based access control: RBAC
RBAC (Role-Based Access Control) allows dynamic configuration of policies through the Kubernetes API.
Role
• Role: authorizes access to a specific namespace
• ClusterRole: Grants access to all namespaces
role binding
• RoleBinding: bind the role to the subject (ie subject)
• ClusterRoleBinding: binds a cluster role to a principal
subject
• User: user
• Group: user group
• ServiceAccount: service account
4. Case: Authorize access to different namespace permissions for specified users
Example: Authorize the default namespace Pod read permission for the kangll user
1. Use the K8S CA to issue a client certificate
2. Generate kubeconfig authorization file
3. Create RBAC permission policy
cluster information
| Role |
IP |
components |
| k8s-master1 |
192.168.2.119 |
apiServer , controller, schedule, etcd |
| k8s-node1 |
192.168.2.118 |
kubelet, kube-proxy, docker, etcd |
| k8s-node2 |
192.168.2.210 |
kubelet, kube-proxy, docker, etcd |
Install the cfssl tool for generating certificates
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl
chmod +x /usr/local/bin/cfssljson
chmod +x /usr/bin/cfssl-certinfoRun the following command to generate a certificate
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
cat > kangll-csr.json <<EOF
{
"CN": "kangll",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes kangll-csr.json | cfssljson -bare kangll
As shown below:
To generate the kubeconfig authorization file, run the following command:
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=https://192.168.2.119:6443 \
--kubeconfig=kangll.kubeconfig
# 设置客户端认证
kubectl config set-credentials kangll \
--client-key=kangll-key.pem \
--client-certificate=kangll.pem \
--embed-certs=true \
--kubeconfig=kangll.kubeconfig
# 设置默认上下文
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=kangll \
--kubeconfig=kangll.kubeconfig
# 设置当前使用配置
kubectl config use-context kubernetes --kubeconfig=kangll.kubeconfigRun rbac.yaml to create RBAC permission policy
Run rbac.yaml to create RBAC permission policy
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: kangll
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.iokangll user successfully read pod information
There is no delete pod permission error
