RBAC permission management for a k8s cluster

To enable RBAC, add --authorization-mode=RBAC to the apiserver parameters. If the cluster was installed with kubeadm, RBAC is enabled by default from version 1.6 onwards.
To check whether it is enabled:
$ cat /etc/kubernetes/manifests/kube-apiserver.yaml

spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.1.243
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC

A very basic feature of Kubernetes is that all of its resource objects allow CRUD operations (Create, Read, Update, Delete; what we usually call add, delete, change and query).
The RBAC-related resource objects are:
1. Rule: a rule is a set of operations (verbs) allowed on a set of resources belonging to different API groups.
2. Role and ClusterRole: a role and a cluster role. Both contain the rules element described above. The difference is that the rules defined in a Role apply only to a single namespace (a Role is associated with a namespace), whereas a ClusterRole has no namespace constraint and its rules apply cluster-wide.
3. Subject: the subject is the object that attempts to operate in the cluster. The cluster defines three kinds of subject:
User Account: managed by an external, independent service. Users are not resource objects inside the cluster, so they cannot be managed through the cluster's internal API.
Group: used to associate multiple accounts. Some clusters have groups created by default, such as cluster-admin.
ServiceAccount: accounts managed through the Kubernetes API and associated with a namespace, used by applications running inside the cluster that need to authenticate to the API.
4. RoleBinding and ClusterRoleBinding
Simply put, a binding declares the binding of a Subject to a Role (binding the operating permissions to a user). The difference between the two is scope: a RoleBinding only affects operating permissions on resources in the current namespace, while a ClusterRoleBinding affects all namespaces.

Create a User account that can only access the kube-system namespace
1. Create a private key
$ openssl genrsa -out dongyali.key 2048
2. Create a certificate signing request file
CN is the user name to create, O is the group to create
$ openssl req -new -key dongyali.key -out dongyali.csr -subj "/CN=dongyali/O=Booster"
3. Generate the final certificate file; here the certificate is valid for 1000 days
Approving the certificate request requires the two files ca.crt and ca.key. If the cluster was installed with kubeadm, both files are in the /etc/kubernetes/pki/ directory.
$ openssl x509 -req -in dongyali.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dongyali.crt -days 1000
$ ls
dongyali.csr dongyali.key dongyali.crt
4. Create the user dongyali in the cluster using the certificate file and private key file just created
$ kubectl config set-credentials dongyali --client-certificate=dongyali.crt --client-key=dongyali.key
5. Create a context for the user, restricted to the kube-system namespace
$ kubectl config set-context dongyali-context --cluster=kubernetes --user=dongyali --namespace=kube-system
6. Create a role for the user dongyali
Create a role that allows the user to operate on Deployments, Pods and ReplicaSets

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dongyali-role
  namespace: kube-system
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]     # ['*'] can also be used

7. Create a role binding that binds the user dongyali to the role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dongyali-rolebinding
  namespace: kube-system
subjects:
- kind: User
  name: dongyali
  apiGroup: rbac.authorization.k8s.io   # the API group for User and Group subjects
roleRef:
  kind: Role
  name: dongyali-role
  apiGroup: rbac.authorization.k8s.io   # roleRef must reference the RBAC API group

8. Test
$ kubectl get pods --context=dongyali-context
$ kubectl --context=dongyali-context get pods --namespace=default
Error from server (Forbidden): pods is forbidden: User "dongyali" cannot list pods in the namespace "default"

Create a ServiceAccount that can only access one namespace
1. Create a ServiceAccount object
$ kubectl create sa dongyali-sa -n kube-system
2. Create a role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dongyali-sa-role
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

3. Create a RoleBinding object

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dongyali-sa-rolebinding
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: dongyali-sa
  namespace: kube-system
roleRef:
  kind: Role
  name: dongyali-sa-role
  apiGroup: rbac.authorization.k8s.io

Create a ServiceAccount that can access all namespaces
This needs both the ClusterRole and ClusterRoleBinding resource objects
1. Create a new ServiceAccount object

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dongyali-sa2
  namespace: kube-system

2. Create a ClusterRoleBinding object
Use the existing cluster role cluster-admin instead of creating a new one

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: dongyali-sa2-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: dongyali-sa2
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
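Added example, not from the original post: a small Python model of how the apiserver resolves the objects defined above (the user dongyali bound to dongyali-role in kube-system, and dongyali-sa2 bound to cluster-admin). The binding data is constructed to mirror the page's YAML; on a live cluster the same question is asked with `kubectl auth can-i`, and the model shows why a ClusterRoleBinding to cluster-admin grants every verb on every resource in every namespace.

```python
# Added example (not from the original post): a minimal model of RBAC resolution.
# The objects below are constructed to mirror the page's YAML; real evaluation
# happens inside the apiserver, not in client code.

ROLES = {  # (namespace, name) -> rules, as in the Role dongyali-role
    ("kube-system", "dongyali-role"): [
        {"apiGroups": ["", "extensions", "apps"],
         "resources": ["deployments", "replicasets", "pods"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}
CLUSTER_ROLES = {  # the built-in cluster-admin role allows everything
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLE_BINDINGS = [  # dongyali-rolebinding: User dongyali -> Role dongyali-role
    {"namespace": "kube-system",
     "subject": ("User", "dongyali", None),
     "roleRef": ("Role", "dongyali-role")},
]
CLUSTER_ROLE_BINDINGS = [  # dongyali-sa2-clusterrolebinding -> cluster-admin
    {"subject": ("ServiceAccount", "dongyali-sa2", "kube-system"),
     "roleRef": ("ClusterRole", "cluster-admin")},
]

def rule_matches(rule, api_group, resource, verb):
    """A rule grants a request only if group, resource AND verb match ('*' is a wildcard)."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def rules_for(role_ref, namespace):
    """Resolve a roleRef: a ClusterRole can be referenced from either binding kind."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])

def can_i(subject, verb, resource, namespace, api_group=""):
    """True if any binding grants `subject` the verb on the resource in the namespace.

    RoleBindings only count inside their own namespace; ClusterRoleBindings count
    everywhere, which is why binding cluster-admin to a ServiceAccount is so powerful.
    """
    refs = [b["roleRef"] for b in ROLE_BINDINGS
            if b["subject"] == subject and b["namespace"] == namespace]
    refs += [b["roleRef"] for b in CLUSTER_ROLE_BINDINGS if b["subject"] == subject]
    return any(rule_matches(r, api_group, resource, verb)
               for ref in refs for r in rules_for(ref, namespace))
```

The second assertion below reproduces the Forbidden error from the test step: the RoleBinding lives in kube-system, so it grants nothing in default.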

Origin blog.51cto.com/dongdong/2433885