RBAC (Role-Based Access Control)
Common authorization plug-ins:
- Node: node authorization
- ABAC: attribute-based access control
- RBAC: role-based access control
- Webhook: HTTP-based callback mechanism
RBAC control:
The main function of RBAC is to provide role-based (Role) access control permissions.
Explanation: a user is assigned a role (Role), and the role holds the permissions for certain operations; the user then holds the operation permissions of that role.
So every operation permission is granted to the role (Role), rather than directly to the user.
The things a permission can refer to:
- an object (a resource)
- a list of objects
- a virtual object, usually a URL (a non-resource URL)
An operation applied to an object is called an Action.
Role and ClusterRole
In the RBAC API, a role contains a set of rules that represent a set of permissions. Permissions are purely additive (there is no "deny" rule). A role can be defined within a namespace with a Role object, or made effective across the entire cluster with a ClusterRole object.
A role defines objects and actions, which determine the permission boundary of that role.
In a role you can only define which actions on which objects are allowed; you cannot define denials.
That is, anything that is not explicitly allowed is denied.
Roles are divided into two types:
1. role: a namespace-level role
2. clusterrole: a cluster-level role
RoleBinding and ClusterRoleBinding
Used for the binding relationship between users and roles: binding a role to a user account or a service account.
Bindings are divided into two types:
1. rolebinding: a namespace-level role binding; its boundary is the namespace
2. clusterrolebinding: a cluster-level role binding; its boundary is the cluster
Question: when a rolebinding binds user1 to a clusterrole, what permissions does user1 have?
Answer: user1's authority is limited to the namespace, because the binding is done with a rolebinding, which cannot break out of the namespace.
Shared roles: ClusterRole
Conventional practice
In each namespace, users are bound to a role with a rolebinding; a ClusterRole defines cluster-level operating authority and is bound to a user with a ClusterRoleBinding, so that user gains cluster-level operating authority.
Convenient practice
Suppose further that there are many namespaces to manage. If a clusterrole with the required rights has already been defined, each namespace can bind that clusterrole with a rolebinding; then none of the namespaces needs to define its own role, and the clusterrole can be used directly.
(Diagram of the relationships described above.)
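As an added example (not code from the original post), the following Python script models the decision logic these sections describe: rules are purely additive, a RoleBinding grants only inside its own namespace even when it references a ClusterRole, and a ClusterRoleBinding grants in every namespace. It encodes the pods-reader Role, the cluster-reader ClusterRole and the three bindings that the page tests later with kubectl, and `can_i` answers the same questions. The object model and the `can_i` and `forbidden_message` names are this example's own simplifications, not the Kubernetes API; subjects are plain user names, whereas real subjects also include groups and service accounts.

```python
"""Model of Kubernetes RBAC decisions: Role vs ClusterRole, RoleBinding vs
ClusterRoleBinding. Added example; not part of the original post."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group (pods, services, ...)
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    cluster_scoped: bool = False   # False -> kind: Role, True -> kind: ClusterRole


@dataclass
class Binding:
    name: str
    role: Role
    subjects: List[str]            # user names only (simplification of this example)
    namespace: Optional[str]       # a namespace -> RoleBinding; None -> ClusterRoleBinding

    def __post_init__(self):
        # The API server rejects a ClusterRoleBinding that references a namespaced Role.
        if self.namespace is None and not self.role.cluster_scoped:
            raise ValueError(f"ClusterRoleBinding {self.name} must reference a ClusterRole")


def _matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, group: str, resource: str, verb: str) -> bool:
    return (_matches(rule.api_groups, group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def can_i(bindings: List[Binding], user: str, verb: str, resource: str,
          namespace: str, group: str = "") -> bool:
    """True if any binding grants the request. There are no deny rules: permissions
    are purely additive, and anything not granted is forbidden."""
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding only grants inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding grants in every namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_allows(r, group, resource, verb) for r in b.role.rules):
            return True
    return False


def forbidden_message(user: str, verb: str, resource: str, namespace: str,
                      group: str = "") -> str:
    """Same shape as the API server's Forbidden error quoted on the page."""
    return (f'User "{user}" cannot {verb} resource "{resource}" in API group '
            f'"{group}" in the namespace "{namespace}"')


# Objects from the page: a namespaced Role and a ClusterRole with the same rule.
READ_PODS = Rule(api_groups=[""], resources=["pods"], verbs=["get", "list", "watch"])
PODS_READER = Role("pods-reader", [READ_PODS])
CLUSTER_READER = Role("cluster-reader", [READ_PODS], cluster_scoped=True)


def scenario_role_via_rolebinding() -> List[Binding]:
    return [Binding("jerry-read-pods", PODS_READER, ["jerry"], namespace="default")]


def scenario_clusterrole_via_clusterrolebinding() -> List[Binding]:
    return [Binding("jerry-read-all-pods", CLUSTER_READER, ["jerry"], namespace=None)]


def scenario_clusterrole_via_rolebinding() -> List[Binding]:
    return [Binding("jerry-read-pods", CLUSTER_READER, ["jerry"], namespace="default")]


if __name__ == "__main__":
    scenarios = [("Role + RoleBinding", scenario_role_via_rolebinding()),
                 ("ClusterRole + ClusterRoleBinding", scenario_clusterrole_via_clusterrolebinding()),
                 ("ClusterRole + RoleBinding", scenario_clusterrole_via_rolebinding())]
    requests = [("get", "pods", "default"), ("delete", "pods", "default"),
                ("list", "pods", "kube-system"), ("list", "services", "default")]
    for label, bindings in scenarios:
        for verb, res, ns in requests:
            verdict = ("allowed" if can_i(bindings, "jerry", verb, res, ns)
                       else forbidden_message("jerry", verb, res, ns))
            print(f"[{label}] {verb} {res} -n {ns}: {verdict}")
```

Running the script prints one verdict per request and scenario; the third scenario shows the answer to the question above: the ClusterRole's rules apply, but only in the namespace of the RoleBinding.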
Create a test user
Creating a role: example
help:
[root@master ~]# kubectl create role --help
Create a role with single rule.
Examples:
# Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
# Create a Role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a Role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.extensions
# Create a Role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
- With the --dry-run parameter, the command is not actually executed; it only simulates the command to check that it is valid.
- With -o yaml, the output is formatted as YAML.
The following uses these two parameters to export a YAML file.
[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-reader created (dry run)
[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master rbac]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
[root@master rbac]# ll
total 4
-rw-r--r-- 1 root root 193 Aug 21 16:56 role-demo.yaml
[root@master rbac]# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
Create a role
[root@master rbac]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@master rbac]# kubectl get role
NAME AGE
pods-reader 2s
[root@master rbac]# kubectl describe role pods-reader
Name: pods-reader
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch] # the detailed permission information is shown here
The user jerry was created earlier; now just bind the role that was just created to that user.
RoleBinding: binding user jerry
In the same way:
[root@master rbac]# kubectl create rolebinding jerry-read-pods --role=pods-reader --user=jerry --dry-run -o yaml > rolebinding-demo.yaml
[root@master rbac]# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: jerry-read-pods
roleRef: # which role is referenced
  apiGroup: rbac.authorization.k8s.io
  kind: Role # the referenced role is of kind Role
  name: pods-reader # name of the bound role
subjects: # the bound user accounts
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry # the specific user being bound
Create it:
[root@master rbac]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created
[root@master rbac]# kubectl get rolebinding
NAME AGE
jerry-read-pods 5s
[root@master rbac]# kubectl describe rolebinding/jerry-read-pods
Name: jerry-read-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"jerry-read...
Role:
Kind: Role
Name: pods-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User jerry
Test jerry's permissions
Now switch to user jerry and test the permissions:
[root@master rbac]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 5d3h
[root@master rbac]# kubectl delete pods/pod-sa-demo
Error from server (Forbidden): pods "pod-sa-demo" is forbidden: User "jerry" cannot delete resource "pods" in API group "" in the namespace "default"
[root@master rbac]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"
As the above shows, jerry can only view pods in the default namespace; there are no other rights such as delete, and resources in other namespaces cannot be viewed either.
ClusterRole test
Almost the same as defining a role; see the help:
[root@master ~]# kubectl create clusterrole --help
Create a ClusterRole.
Examples:
# Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
# Create a ClusterRole named "pod-reader" with ResourceName specified
kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a ClusterRole named "foo" with API Group specified
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
# Create a ClusterRole named "foo" with SubResource specified
kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
# Create a ClusterRole name "foo" with NonResourceURL specified
kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
# Create a ClusterRole name "monitoring" with AggregationRule specified
kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
Creating a ClusterRole
[root@master rbac]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > clusterrole-demo.yaml
[root@master rbac]# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master rbac]# kubectl apply -f clusterrole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@master rbac]# kubectl describe clusterrole/cluster-reader
Name: cluster-reader
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"cluster-re...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
Binding test user jerry
jerry was bound to a role earlier; this time that rolebinding needs to be deleted first, and then the clusterrole is bound.
[root@master rbac]# kubectl create clusterrolebinding jerry-read-all-pods --clusterrole=cluster-reader --user=jerry --dry-run -o yaml > clusterrolebinding-demo.yaml
[root@master rbac]# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: jerry-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry
[root@master rbac]# kubectl apply -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/jerry-read-all-pods created
[root@master rbac]# kubectl describe clusterrolebinding/jerry-read-all-pods
Name: jerry-read-all-pods
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name"...
Role:
Kind: ClusterRole
Name: cluster-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User jerry
Test jerry's permissions
Switch to jerry and test access:
[root@master rbac]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 5d4h
[root@master rbac]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5c98db65d4-8mzfz 1/1 Running 0 43d
coredns-5c98db65d4-spjx8 1/1 Running 0 43d
etcd-master.kubernetes 1/1 Running 0 43d
kube-apiserver-master.kubernetes 1/1 Running 0 43d
kube-controller-manager-master.kubernetes 1/1 Running 0 43d
kube-flannel-ds-amd64-4szk7 1/1 Running 0 43d
kube-flannel-ds-amd64-b4ssp 1/1 Running 1 43d
kube-flannel-ds-amd64-nmklz 1/1 Running 0 43d
kube-flannel-ds-amd64-wjczq 1/1 Running 0 43d
kube-proxy-8fqsz 1/1 Running 0 43d
kube-proxy-bkrw4 1/1 Running 0 43d
kube-proxy-n75g8 1/1 Running 1 43d
kube-proxy-rmckk 1/1 Running 0 43d
kube-scheduler-master.kubernetes 1/1 Running 0 43d
kubernetes-dashboard-7d75c474bb-8kzrl 1/1 Running 0 9d
[root@master rbac]# kubectl get service
Error from server (Forbidden): services is forbidden: User "jerry" cannot list resource "services" in API group "" in the namespace "default"
[root@master rbac]# kubectl get service -n kube-system
Error from server (Forbidden): services is forbidden: User "jerry" cannot list resource "services" in API group "" in the namespace "kube-system"
The above tests show:
- Pod resources in the default namespace can be accessed, but service resources cannot.
- Pod resources in the kube-system namespace can be accessed, but service resources in kube-system cannot.
Test: a RoleBinding bound to a ClusterRole
First delete jerry's clusterrolebinding:
[root@master rbac]# kubectl delete -f clusterrolebinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "jerry-read-all-pods" deleted
[root@master rbac]# kubectl config use-context jerry@kubernetes
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "default"
After the clusterrolebinding is deleted, user jerry no longer has the permission.
Now use a rolebinding to bind the clusterrole:
[root@master rbac]# kubectl create rolebinding jerry-read-pods --clusterrole=cluster-reader --user=jerry --dry-run
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created (dry run)
[root@master rbac]# kubectl create rolebinding jerry-read-pods --clusterrole=cluster-reader --user=jerry --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@master rbac]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding # the kind here is RoleBinding
metadata:
  name: jerry-read-pods
  namespace: default # edited in: the namespace that can be accessed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole # but what is bound here is a ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jerry # the bound user
[root@master rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/jerry-read-pods created
Test access
[root@master rbac]# kubectl get pods
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 5d19h
[root@master rbac]# kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"
The test shows that only resources in the default namespace can be accessed; resources in other namespaces cannot.
ClusterRole: the default admin roles
Among the clusterroles there are two default admin roles: admin and cluster-admin.
These are the two administrator roles in a cluster. When a cluster has multiple namespaces, there is no need to create an administrator role by hand for each one; the admin role can be bound directly with a rolebinding, which saves a lot of duplicated work.
Binding test
Bind the admin clusterrole to user jerry.
A clusterrole was already bound earlier; binding again does not affect it. This is equivalent to one user playing multiple roles.
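As an added example (not from the original post), the following Python script audits a constructed list of bindings, shaped like the items of `kubectl get rolebindings,clusterrolebindings -A -o json`, and reports which subjects receive the built-in admin or cluster-admin ClusterRole and at what scope. Binding admin through a RoleBinding, as the page does next, yields namespace-scoped admin; admin or cluster-admin through a ClusterRoleBinding is cluster-wide, which is the grant a reviewer wants surfaced. The binding ops-example-admin, the user ops-example and the function names are this example's own constructions; the defult-ns-admin and jerry-read-pods entries mirror the bindings on the page.

```python
"""Audit who holds the built-in admin ClusterRoles and at what scope.

Added example; not part of the original post. The input is a constructed list
shaped like the "items" of `kubectl get rolebindings,clusterrolebindings -A -o json`.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample data: the page's defult-ns-admin RoleBinding, a made-up
# cluster-wide cluster-admin grant, and a non-admin binding that must be ignored.
SAMPLE_ITEMS = json.loads("""
[
  {"kind": "RoleBinding",
   "metadata": {"name": "defult-ns-admin", "namespace": "default"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "jerry"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "ops-example-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ops-example"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "jerry-read-pods", "namespace": "default"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-reader"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "jerry"}]}
]
""")

ADMIN_ROLES = {"admin", "cluster-admin"}


def admin_grants(items: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (subject, role, scope, binding) for every grant of an admin ClusterRole.

    scope is "cluster-wide" for a ClusterRoleBinding and "namespace:<ns>" for a
    RoleBinding, because a RoleBinding never grants beyond its own namespace,
    even when it references a ClusterRole.
    """
    findings = []
    for item in items:
        ref = item["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in ADMIN_ROLES:
            continue
        if item["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace:" + item["metadata"]["namespace"]
        for subj in item.get("subjects") or []:
            subject = f'{subj["kind"]}:{subj["name"]}'
            findings.append((subject, ref["name"], scope, item["metadata"]["name"]))
    return findings


def cluster_wide_admins(items: List[Dict]) -> List[str]:
    """Subjects whose admin grant is not confined to a single namespace."""
    return sorted({s for s, _, scope, _ in admin_grants(items) if scope == "cluster-wide"})


if __name__ == "__main__":
    for subject, role, scope, binding in admin_grants(SAMPLE_ITEMS):
        print(f"{subject:<20} {role:<14} {scope:<20} via {binding}")
    print("cluster-wide admins:", cluster_wide_admins(SAMPLE_ITEMS))
```

Against a live cluster the same functions can be fed the `items` array from the kubectl command named above; the page's own defult-ns-admin binding is reported as namespace:default, which is exactly why jerry can delete pods in default but still cannot list pods in kube-system.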
[root@master rbac]# kubectl create rolebinding defult-ns-admin --clusterrole=admin --user=jerry
rolebinding.rbac.authorization.k8s.io/defult-ns-admin created
[root@master rbac]# kubectl config use-context jerry@kubernetes # switch to user jerry
Switched to context "jerry@kubernetes".
[root@master rbac]# kubectl get pods # can read
NAME READY STATUS RESTARTS AGE
pod-sa-demo 1/1 Running 0 5d20h
[root@master rbac]# kubectl delete pods pod-sa-demo
pod "pod-sa-demo" deleted # delete succeeded
[root@master rbac]# kubectl get pods
No resources found.
[root@master rbac]# kubectl get pods -n kube-system # but other namespaces still cannot be accessed here
Error from server (Forbidden): pods is forbidden: User "jerry" cannot list resource "pods" in API group "" in the namespace "kube-system"