12. RBAC access control in a k8s cluster

Role-based access control: RBAC (Role-Based Access Control)

Common authorization modes (plug-ins):

  1. Node: a special-purpose authorizer that grants kubelets permissions on the resources of the pods scheduled to their node
  2. ABAC: attribute-based access control
  3. RBAC: role-based access control
  4. Webhook: an HTTP callback to an external authorization service

RBAC control:

The main function of RBAC is to grant permissions on the basis of roles (Role).

Explanation: a user is made to play a role (Role); the role holds the permissions for certain operations, so a user holding that role holds those operation permissions.

Therefore every operation permission is granted to a role (Role), never directly to a user.

What a permission can refer to:

  1. Objects (resources, such as pods)
  2. Object lists (a resource kind as a whole, e.g. listing all pods)
  3. Virtual objects: usually URLs, that is, non-resource URLs such as /healthz or /logs

An operation applied to an object is called an action (a verb in the RBAC API: get, list, watch, create, update, patch, delete, ...).

role and clusterrole

In the RBAC API, a Role contains a set of rules that represent a set of permissions. Permissions are purely additive: there are no "deny" rules. A Role can be defined within a namespace with a Role object, or cluster-wide with a ClusterRole object.

In a role, the objects and actions you define determine the permission boundary of that role.
A role can only state which actions on which objects are allowed; it cannot state a denial.
In other words, anything not explicitly allowed is denied.

Roles come in two types:

1. role         namespace-level role
2. clusterrole  cluster-level role

rolebinding and clusterrolebinding

A binding ties a subject to a role: it links a Role or ClusterRole to a user account, a service account, or a group.

Bindings come in two types:

1. rolebinding          namespace-level role binding; its boundary is one namespace
2. clusterrolebinding   cluster-level role binding; its boundary is the whole cluster

Question: when a RoleBinding binds user1 to a ClusterRole, what permissions does user1 have?

Answer: user1's permissions are limited to the namespace the RoleBinding lives in. The binding was made with a RoleBinding, which never crosses a namespace boundary, so the ClusterRole's rules are applied only within that namespace.

Reusing a clusterrole as a shared role

Conventional practice

In each namespace, a user is bound to a Role with a RoleBinding. Cluster-level operations are defined in a ClusterRole and bound to the user with a ClusterRoleBinding, which gives the user those permissions across the whole cluster.

Convenient practice

Suppose many namespaces need the same set of permissions. If a well-defined ClusterRole already exists, a RoleBinding in each namespace can reference that ClusterRole directly; none of the namespaces needs its own Role, and the permissions still stop at each namespace boundary.
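The three binding shapes described above (RoleBinding to Role, ClusterRoleBinding to ClusterRole, RoleBinding to ClusterRole), worked as an added example in Python that is not part of the original post: a small offline model of the RBAC authorizer's decision. The objects are constructed dicts in the shape kubectl -o json returns, named after the page's jerry, pods-reader and cluster-reader; the function names can_i, rule_allows and scenario are this example's own. It models resource requests only (non-resource URLs, aggregation and the Node/Webhook authorizers are not covered).

```python
# Added example (not from the original post): an offline model of how the
# Kubernetes RBAC authorizer evaluates a request against Roles, ClusterRoles,
# RoleBindings and ClusterRoleBindings. Objects below are constructed dicts in
# the shape `kubectl get ... -o json` returns, not real cluster output.

CORE_GROUP = ""  # apiGroups: [""] is the core API group (pods, services, ...)
RBAC_GROUP = "rbac.authorization.k8s.io"


def _match(allowed, value):
    """RBAC list matching: an exact entry or the "*" wildcard; an empty list matches nothing."""
    return any(a in ("*", value) for a in allowed)


def rule_allows(rule, verb, resource, api_group, name):
    """Does one PolicyRule allow this (verb, apiGroup, resource[, resourceName]) request?"""
    if not (_match(rule.get("verbs", []), verb)
            and _match(rule.get("apiGroups", []), api_group)
            and _match(rule.get("resources", []), resource)):  # "pods/status" is matched literally
        return False
    names = rule.get("resourceNames", [])
    # resourceNames narrows a rule to named objects; an unnamed request (list,
    # watch, create) can never be satisfied by such a rule
    return not names or name in names


def _subject_matches(subject, user, groups):
    kind, sname = subject["kind"], subject["name"]
    if kind == "User":
        return sname == user
    if kind == "Group":
        return sname in groups
    if kind == "ServiceAccount":  # service accounts authenticate under this synthetic user name
        return user == f"system:serviceaccount:{subject['namespace']}:{sname}"
    return False


def can_i(objects, user, verb, resource, namespace, api_group=CORE_GROUP,
          name=None, groups=()):
    """Model of the RBAC authorizer: allow-only and additive, so any one matching
    rule grants the request, and no match at all is a deny."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, user, set(groups)) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            bns = b["metadata"]["namespace"]
            if namespace != bns:
                continue  # a RoleBinding never reaches outside its namespace, even for a ClusterRole
            key = ("Role", bns, ref["name"]) if ref["kind"] == "Role" else ("ClusterRole", None, ref["name"])
        else:
            if ref["kind"] != "ClusterRole":
                continue  # the API rejects a ClusterRoleBinding that references a Role
            key = ("ClusterRole", None, ref["name"])
        role = roles.get(key)  # a dangling roleRef grants nothing
        if role and any(rule_allows(r, verb, resource, api_group, name) for r in role.get("rules", [])):
            return True
    return False


# --- constructed objects mirroring the page's jerry scenario (not cluster output) ---
def _obj(kind, name, namespace=None, **fields):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **fields}

READ_PODS = [{"apiGroups": [CORE_GROUP], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
JERRY = [{"kind": "User", "apiGroup": RBAC_GROUP, "name": "jerry"}]
POD_READER = _obj("Role", "pods-reader", "default", rules=READ_PODS)
CLUSTER_READER = _obj("ClusterRole", "cluster-reader", rules=READ_PODS)
RB_ROLE = _obj("RoleBinding", "jerry-read-pods", "default", subjects=JERRY,
               roleRef={"kind": "Role", "name": "pods-reader", "apiGroup": RBAC_GROUP})
CRB = _obj("ClusterRoleBinding", "jerry-read-all-pods", subjects=JERRY,
           roleRef={"kind": "ClusterRole", "name": "cluster-reader", "apiGroup": RBAC_GROUP})
RB_CR = _obj("RoleBinding", "jerry-read-pods", "default", subjects=JERRY,
             roleRef={"kind": "ClusterRole", "name": "cluster-reader", "apiGroup": RBAC_GROUP})


def scenario(binding):
    """The four checks the page runs as kubectl commands, evaluated against one binding."""
    objs = [POD_READER, CLUSTER_READER, binding]
    return {
        "list pods in default": can_i(objs, "jerry", "list", "pods", "default"),
        "delete pod in default": can_i(objs, "jerry", "delete", "pods", "default", name="pod-sa-demo"),
        "list pods in kube-system": can_i(objs, "jerry", "list", "pods", "kube-system"),
        "list services in default": can_i(objs, "jerry", "list", "services", "default"),
    }


if __name__ == "__main__":
    for label, b in (("RoleBinding -> Role", RB_ROLE), ("ClusterRoleBinding -> ClusterRole", CRB),
                     ("RoleBinding -> ClusterRole", RB_CR)):
        print(label, scenario(b))
```

Running it prints the same answers the page later obtains by switching kubectl to the jerry context; on a live cluster the equivalent check, without switching contexts, is kubectl auth can-i <verb> <resource> --as=<user> -n <namespace>.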

Diagram of the relationships described above (image not reproduced).

Create a test user

The test user jerry and its kubectl context jerry@kubernetes were created earlier; the examples below bind roles to that user.

Example: create a Role

help:

[root@master ~]# kubectl create role --help
Create a role with single rule.

Examples:
  # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
  
  # Create a Role named "pod-reader" with ResourceName specified
  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
  
  # Create a Role named "foo" with API Group specified
  kubectl create role foo --verb=get,list,watch --resource=rs.extensions
  
  # Create a Role named "foo" with SubResource specified
  kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
Two useful flags:

  1. --dry-run: the command is not actually executed; it only checks that the command is valid. (On kubectl 1.18 and later the flag takes a value: --dry-run=client.)
  2. -o yaml: print the object that would be created, in YAML format.

The two flags are combined below to export a YAML file.

[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-reader created (dry run)
[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
[root@master rbac]# ll
total 4
-rw-r--r-- 1 root root 193 Aug 21 16:56 role-demo.yaml
[root@master rbac]# cat role-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Create the Role

[root@master rbac]# kubectl apply -f role-demo.yaml 
role.rbac.authorization.k8s.io/pods-reader created
[root@master rbac]# kubectl get role
NAME          AGE
pods-reader   2s
[root@master rbac]# kubectl describe role pods-reader
Name:         pods-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]    # the granted verbs are listed here

The user jerry was created earlier, so the Role just created can be bound to it directly.

Bind user jerry with a RoleBinding

Same approach as before:

[root@master rbac]# kubectl create rolebinding jerry-read-pods --role=pods-reader --user=jerry --dry-run -o yaml > rolebinding-demo.yaml
[root@master rbac]# cat rolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: jerry-read-pods
roleRef:            # which role is referenced
  apiGroup: rbac.authorization.k8s.io
  kind: Role            # the referenced role is of kind Role
  name: pods-reader     # name of the bound role
subjects:               # the bound subjects (accounts)
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry           # the specific user bound

create:

[root@master rbac]# kubectl apply -f rolebinding-demo.yaml 
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created
[root@master rbac]# kubectl get rolebinding
NAME              AGE
jerry-read-pods   5s
[root@master rbac]# kubectl describe rolebinding/jerry-read-pods
Name:         jerry-read-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"jerry-read...
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  jerry

Test jerry's permissions

Now switch to jerry's context and test what the user can do (from an admin context the same checks can be made without switching, e.g. kubectl auth can-i delete pods --as=jerry -n default):

[root@master rbac]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          5d3h
[root@master rbac]# kubectl delete pods/pod-sa-demo
Error from server (Forbidden): pods "pod-sa-demo" is forbidden: User "jerry" cannot delete resource "pods" in API group "" in the namespace "default"
[root@master rbac]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"

As the output shows, jerry can only read pods in the default namespace: no other verbs such as delete, and no access to resources in other namespaces.

clusterrole test

Almost the same as defining a Role; see the help:

[root@master ~]# kubectl create clusterrole --help
Create a ClusterRole.

Examples:
  # Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
  
  # Create a ClusterRole named "pod-reader" with ResourceName specified
  kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
  
  # Create a ClusterRole named "foo" with API Group specified
  kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
  
  # Create a ClusterRole named "foo" with SubResource specified
  kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
  
  # Create a ClusterRole name "foo" with NonResourceURL specified
  kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
  
  # Create a ClusterRole name "monitoring" with AggregationRule specified
  kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

Create a ClusterRole

[root@master rbac]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > clusterrole-demo.yaml
[root@master rbac]# cat clusterrole-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master rbac]# kubectl apply -f clusterrole-demo.yaml 
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@master rbac]# kubectl describe clusterrole/cluster-reader
Name:         cluster-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"cluster-re...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

Bind the test user jerry

jerry was bound to a Role earlier; delete that RoleBinding first, then bind the ClusterRole. Note that this kubectl version emits apiVersion rbac.authorization.k8s.io/v1beta1 for the ClusterRoleBinding; the v1beta1 RBAC API was removed in Kubernetes 1.22, so on current clusters write rbac.authorization.k8s.io/v1 (the rest of the manifest is unchanged).

[root@master rbac]# kubectl create clusterrolebinding jerry-read-all-pods --clusterrole=cluster-reader --user=jerry --dry-run -o yaml > clusterrolebinding-demo.yaml
[root@master rbac]# cat clusterrolebinding-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: jerry-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry
[root@master rbac]# kubectl apply -f clusterrolebinding-demo.yaml 
clusterrolebinding.rbac.authorization.k8s.io/jerry-read-all-pods created
[root@master rbac]# kubectl describe clusterrolebinding/jerry-read-all-pods
Name:         jerry-read-all-pods
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name"...
Role:
  Kind:  ClusterRole
  Name:  cluster-reader
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  jerry

Test jerry's permissions

Switch to jerry's context and test access:

[root@master rbac]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          5d4h
[root@master rbac]# kubectl get pods -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
coredns-5c98db65d4-8mzfz                    1/1     Running   0          43d
coredns-5c98db65d4-spjx8                    1/1     Running   0          43d
etcd-master.kubernetes                      1/1     Running   0          43d
kube-apiserver-master.kubernetes            1/1     Running   0          43d
kube-controller-manager-master.kubernetes   1/1     Running   0          43d
kube-flannel-ds-amd64-4szk7                 1/1     Running   0          43d
kube-flannel-ds-amd64-b4ssp                 1/1     Running   1          43d
kube-flannel-ds-amd64-nmklz                 1/1     Running   0          43d
kube-flannel-ds-amd64-wjczq                 1/1     Running   0          43d
kube-proxy-8fqsz                            1/1     Running   0          43d
kube-proxy-bkrw4                            1/1     Running   0          43d
kube-proxy-n75g8                            1/1     Running   1          43d
kube-proxy-rmckk                            1/1     Running   0          43d
kube-scheduler-master.kubernetes            1/1     Running   0          43d
kubernetes-dashboard-7d75c474bb-8kzrl       1/1     Running   0          9d
[root@master rbac]# kubectl get service
Error from server (Forbidden): services is forbidden: User "jerry" cannot list resource "services" in API group "" in the namespace "default"
[root@master rbac]# kubectl get service -n kube-system
Error from server (Forbidden): services is forbidden: User "jerry" cannot list resource "services" in API group "" in the namespace "kube-system"

The tests above show:

  1. jerry can read pods in the default namespace, but cannot access services there.
  2. jerry can read pods in the kube-system namespace (a ClusterRoleBinding applies in every namespace), but still cannot access services there, because the ClusterRole grants pods only.

Test a RoleBinding that references a ClusterRole

First delete the ClusterRoleBinding just created for jerry:

[root@master rbac]# kubectl delete -f clusterrolebinding-demo.yaml 
clusterrolebinding.rbac.authorization.k8s.io "jerry-read-all-pods" deleted
[root@master rbac]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "default"

After the ClusterRoleBinding is deleted, jerry has no permissions left.

Now bind the ClusterRole with a RoleBinding:

[root@master rbac]# kubectl create rolebinding jerry-read-pods --clusterrole=cluster-reader --user=jerry --dry-run
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created (dry run)
[root@master rbac]# kubectl create rolebinding jerry-read-pods --clusterrole=cluster-reader --user=jerry --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@master rbac]# cat rolebinding-clusterrole-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                           # the kind here is RoleBinding
metadata:
  name: jerry-read-pods
  namespace: default                        # added by hand: the namespace this binding grants access to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                         # but what it references is a ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry                               # the bound user
[root@master rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml 
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created

Test Access

[root@master rbac]# kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          5d19h
[root@master rbac]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"

The test shows that jerry can access pods only in the default namespace and not in any other namespace: the ClusterRole's rules are confined to the namespace of the RoleBinding.

The default admin ClusterRoles

Among the built-in ClusterRoles there are two administrator roles: admin and cluster-admin. admin is intended to be granted within a namespace through a RoleBinding (it allows read/write access to most resources in that namespace, but not to resource quotas or the namespace object itself); cluster-admin is the super-user role, and granted through a ClusterRoleBinding it gives full control over every resource in the cluster.

So when a cluster has many namespaces you do not need to create an administrator Role by hand in each one: reference the built-in admin ClusterRole from a RoleBinding in each namespace, which saves a lot of repetitive work. Be careful with cluster-admin: bound through a RoleBinding it gives full control of that one namespace, but bound through a ClusterRoleBinding it gives full control of the cluster.
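An added example, not from the original post: an audit in Python over the RBAC objects of a cluster (the items array of kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json) that reports where admin and cluster-admin are bound and what scope that gives, plus rules broader than a scoped reader role such as the page's pods-reader. The sample objects are constructed for the example; audit, audit_rules and the severity labels are this example's own choices.

```python
# Added example (not part of the original post): audit RBAC objects in the JSON
# shape that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
# returns. The SAMPLE list below is constructed, not captured from a cluster.
import json
from collections import Counter

CLUSTER_ADMIN, ADMIN = "cluster-admin", "admin"
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}  # verbs that let a subject grow its own rights
SENSITIVE = {("", "secrets"), ("", "pods/exec"), ("", "serviceaccounts/token")}
RBAC_GROUP = "rbac.authorization.k8s.io"


def _who(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', '?')}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"


def audit_rules(owner, rules):
    """Flag rules wider than a scoped read role like the page's pods-reader."""
    out = []
    for rule in rules:
        verbs, groups, resources = (rule.get(k, []) for k in ("verbs", "apiGroups", "resources"))
        if "*" in verbs and "*" in resources:
            out.append(("HIGH", f"{owner}: '*' verbs on '*' resources (cluster-admin equivalent)"))
        elif "*" in verbs or "*" in resources:
            out.append(("MEDIUM", f"{owner}: wildcard in verbs={verbs} resources={resources}"))
        esc = ESCALATION_VERBS & set(verbs)
        if esc:
            out.append(("HIGH", f"{owner}: privilege-escalation verbs {sorted(esc)}"))
        for g in groups:
            for r in resources:
                if (g, r) in SENSITIVE:
                    out.append(("MEDIUM", f"{owner}: {verbs} on {r}"))
    return out


def audit(items):
    """items: the 'items' array of kubectl -o json output for the four RBAC kinds."""
    findings = []
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            ns = o["metadata"].get("namespace")
            owner = f"{o['kind']} {ns + '/' if ns else ''}{o['metadata']['name']}"
            findings += audit_rules(owner, o.get("rules", []))
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns, bname = b["roleRef"]["name"], b["metadata"].get("namespace"), b["metadata"]["name"]
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        scope = "the whole cluster" if cluster_wide else f"namespace {ns}"
        for s in b.get("subjects", []):
            if ref == CLUSTER_ADMIN:
                # through a RoleBinding, cluster-admin is still full control, but of that namespace only
                findings.append(("HIGH" if cluster_wide else "MEDIUM",
                                 f"{_who(s)} is {CLUSTER_ADMIN} over {scope} via {b['kind']} {bname}"))
            elif ref == ADMIN and cluster_wide:
                findings.append(("HIGH", f"{_who(s)} holds {ADMIN} over {scope} via ClusterRoleBinding {bname}"
                                         " (admin is meant to be granted through RoleBindings)"))
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings.append(("HIGH", f"broad group {s['name']} bound to {ref} over {scope}"))
    return findings


def audit_json(text):
    """Accept either a kubectl List object or a bare JSON array of objects."""
    data = json.loads(text)
    return audit(data["items"] if isinstance(data, dict) else data)


def summary(findings):
    return dict(Counter(sev for sev, _ in findings))


def _obj(kind, name, namespace=None, **f):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": namespace} if namespace else {})}, **f}

SAMPLE = [  # constructed sample, not output captured from a cluster
    _obj("Role", "pods-reader", "default", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]),
    _obj("ClusterRole", "everything", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "secret-reader", rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _obj("ClusterRoleBinding", "ci-deployer", subjects=[{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}],
         roleRef={"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP}),
    _obj("RoleBinding", "jerry-ks-admin", "kube-system", subjects=[{"kind": "User", "name": "jerry", "apiGroup": RBAC_GROUP}],
         roleRef={"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP}),
    # the page's own binding: admin through a RoleBinding is the intended use and is not flagged
    _obj("RoleBinding", "defult-ns-admin", "default", subjects=[{"kind": "User", "name": "jerry", "apiGroup": RBAC_GROUP}],
         roleRef={"kind": "ClusterRole", "name": "admin", "apiGroup": RBAC_GROUP}),
    _obj("ClusterRoleBinding", "anon-read", subjects=[{"kind": "Group", "name": "system:unauthenticated", "apiGroup": RBAC_GROUP}],
         roleRef={"kind": "ClusterRole", "name": "cluster-reader", "apiGroup": RBAC_GROUP}),
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE):
        print(sev, msg)
```

The audit deliberately stays silent on the page's defult-ns-admin binding: admin granted through a RoleBinding is the pattern the text recommends. What it does surface is the same role name reaching further than intended (cluster-admin through a ClusterRoleBinding, admin bound cluster-wide, or any role handed to system:unauthenticated).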

Binding test

Bind the admin ClusterRole to user jerry with a RoleBinding.

jerry is still bound to a ClusterRole from the previous step (cluster-reader through a RoleBinding); binding another role does not interfere with it. Permissions are additive, so one subject can hold several roles at once.

[root@master rbac]# kubectl create rolebinding defult-ns-admin --clusterrole=admin --user=jerry
rolebinding.rbac.authorization.k8s.io/defult-ns-admin created
[root@master rbac]# kubectl config use-context jerry@kubernetes         # switch to the jerry user
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods                                    # reading works
NAME          READY   STATUS    RESTARTS   AGE
pod-sa-demo   1/1     Running   0          5d20h
[root@master rbac]# kubectl delete pods pod-sa-demo
pod "pod-sa-demo" deleted                                               # delete succeeded
[root@master rbac]# kubectl get pods
No resources found.
[root@master rbac]# kubectl get pods -n kube-system                     # but other namespaces are still not accessible
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"


Source: www.cnblogs.com/peng-zone/p/11689017.html