This event was held on the public micro-channel number [my] little bowl of soup, there are activities to send the book! Here the answer can not participate in the activities involved in delivering books Oh!
Yesterday's exam
Create a Role (granting all operations, but only on pods in the cka namespace) and a RoleBinding (bound to a ServiceAccount for authentication), then use that ServiceAccount's credentials to operate on pods in the cka namespace and to attempt the same on pods in the default namespace.
- The Role and RoleBinding names are cka-1202-role and cka-1202-rb
Note: please attach the commands used to create the Role, RoleBinding and ServiceAccount together with the complete YAML; the answer may be split across multiple comments.
Yesterday's answer
Create a Service Account:
[root@liabio cka]# kubectl create serviceaccount cka-1202-sa -n cka -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2019-12-02T23:37:42Z"
name: cka-1202-sa
namespace: cka
resourceVersion: "15159020"
selfLink: /api/v1/namespaces/cka/serviceaccounts/cka-1202-sa
uid: 6764e90c-cb28-4de1-9109-6e3d56941fcb
Creating Role:
[root@liabio cka]# kubectl create role cka-1202-role -n cka --verb=* --resource=pods -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2019-12-02T23:40:26Z"
name: cka-1202-role
namespace: cka
resourceVersion: "15159247"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/roles/cka-1202-role
uid: fc2c5593-2fd9-46d7-a809-99bcee32249e
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- '*'
Creating RoleBinding:
[root@liabio cka]# kubectl create rolebinding cka-1202-rb -n cka --role=cka-1202-role --serviceaccount=cka:cka-1202-sa -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2019-12-02T23:46:50Z"
name: cka-1202-rb
namespace: cka
resourceVersion: "15159794"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/rolebindings/cka-1202-rb
uid: c00d104e-a531-4781-90f4-2821651492bf
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cka-1202-role
subjects:
- kind: ServiceAccount
name: cka-1202-sa
namespace: cka
Verification: get the secret bound to the cka-1202-sa ServiceAccount and base64-decode its token field:
[root@liabio ~]# kubectl get secret -n cka
NAME TYPE DATA AGE
cka-1202-sa-token-9rgp4 kubernetes.io/service-account-token 3 42m
default-token-r77xn kubernetes.io/service-account-token 3 4d14h
[root@liabio ~]# kubectl get secret -n cka cka-1202-sa-token-9rgp4 -ojson | jq .data.token
"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"
[root@liabio ~]# echo 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 | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJja2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2thLTEyMDItc2EtdG9rZW4tOXJncDQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2thLTEyMDItc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NzY0ZTkwYy1jYjI4LTRkZTEtOTEwOS02ZTNkNTY5NDFmY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y2thOmNrYS0xMjAyLXNhIn0.qWjrTq7DmVSSMS3Hxc4tlWx87T4koRCoVi125sesVEbvAKDi2z0Xo62Z703khmCWlY55NLOaeJKkZYxX9fLLGX2zOUeEw1omJfFFiNn54lc9HQN9Q_5fN4ra-V4VRiNnBATyn7c76hi66K5iHyZ0xlTMrpMA8W7YvNbgSZH9xghWRzzdHIJaauQpScLmJNL6lF4gydoWwGCC-PSEctjJNDm0_3I6hRHDfBswy6wKxTlxOyHtOryG4rE3g5jQfNu_A57S5Yhra0YS4zc4_DoupfP-sV57GAPKRq86lDge8z8qaHh4roI7E3Il-CEOGKRIxNvIfU_wthtk0oyinGGl2w[root@liabio ~]#
Add the decoded token to ~/.kube/config. Note that the snippet below adds a context named coderaction and a user named coderaction. The token is a bearer credential: whoever holds it gets exactly the ServiceAccount's permissions, so handle the kubeconfig that contains it like a password.
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDLQo=
server: https://10.0.0.0:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: coderaction
name: coderaction
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: coderaction
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJja2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2thLTEyMDItc2EtdG9rZW4tOXJncDQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2thLTEyMDItc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NzY0ZTkwYy1jYjI4LTRkZTEtOTEwOS02ZTNkNTY5NDFmY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y2thOmNrYS0xMjAyLXNhIn0.qWjrTq7DmVSSMS3Hxc4tlWx87T4koRCoVi125sesVEbvAKDi2z0Xo62Z703khmCWlY55NLOaeJKkZYxX9fLLGX2zOUeEw1omJfFFiNn54lc9HQN9Q_5fN4ra-V4VRiNnBATyn7c76hi66K5iHyZ0xlTMrpMA8W7YvNbgSZH9xghWRzzdHIJaauQpScLmJNL6lF4gydoWwGCC-PSEctjJNDm0_3I6hRHDfBswy6wKxTlxOyHtOryG4rE3g5jQfNu_A57S5Yhra0YS4zc4_DoupfP-sV57GAPKRq86lDge8z8qaHh4roI7E3Il-CEOGKRIxNvIfU_wthtk0oyinGGl2w
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiB1M1Y2NDTnpPUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CBS0NBUUVBdjNpTkx5eUEwaVdmOU1hUjA3cVFTOEtFWS0tLS0tCg==
After switching to the coderaction context with use-context, getting Pods in the default namespace is rejected with a message that system:serviceaccount:cka:cka-1202-sa does not have permission, while getting Pods in the cka namespace works normally.
[root@liabio cka]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@liabio cka]# kubectl get pod
NAME READY STATUS RESTARTS AGE
cka-1128-01-7b8b8cb79-mll6d 1/1 Running 118 32h
[root@liabio cka]#
[root@liabio cka]#
[root@liabio cka]# kubectl get node
NAME STATUS ROLES AGE VERSION
liabio Ready master 141d v1.15.2
[root@liabio cka]# kubectl config use-context coderaction
Switched to context "coderaction".
[root@liabio cka]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cka:cka-1202-sa" cannot list resource "pods" in API group "" in the namespace "default"
[root@liabio cka]# kubectl get pod -n cka
No resources found.
Yesterday's analysis
Kubernetes secures access to the API in two steps: authentication and authorization. Authentication answers the question of who the user is; authorization answers the question of what the user may do. Sound permission management is what keeps the system safe and reliable.
Essentially all operations on a Kubernetes cluster go through the kube-apiserver component, which exposes an HTTP RESTful API for clients to call. Note that authentication and authorization are performed only on the HTTPS API: if a client connects to kube-apiserver over plain HTTP, it is not authenticated or authorized at all. The author's suggestion is therefore to use HTTP only for communication between internal cluster components and HTTPS for access from outside the cluster, to improve security without adding too much complexity. (Because the plain-HTTP listener skips both checks, anyone who can reach that port effectively has full administrative control of the cluster, so it must never be reachable beyond the local host; the insecure port has been deprecated since Kubernetes 1.10 and was removed in later releases.)
This question mainly examines authorization: role-based access control (RBAC).
RBAC official document:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Official reference for the kubectl create rolebinding / role / serviceaccount commands:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-rolebinding-em-
Organizing cluster access with kubeconfig files:
https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
Official guide for the context-related kubectl config commands:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
RBAC uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing administrators to dynamically configure policies through the Kubernetes API.
Starting with Kubernetes 1.8, RBAC is stable and supported by the rbac.authorization.k8s.io/v1 API.
To enable RBAC, start the apiserver with --authorization-mode=RBAC
The RBAC API declares four top-level kinds:
Role and ClusterRole
In the RBAC API, a Role contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules). A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.
A Role can only be used to grant access to resources within a single namespace.
Because a ClusterRole is cluster-scoped, it can also be used to grant access to:
- cluster-scoped resources (e.g. nodes)
- non-resource endpoints (e.g. "/healthz")
- namespaced resources (such as pods) across all namespaces
RoleBinding and ClusterRoleBinding
A RoleBinding grants the permissions defined in a Role to a user or group. It holds a list of subjects (Users, Groups or ServiceAccounts) and a reference to the role being granted. Permissions can be granted within a namespace with a RoleBinding, or cluster-wide with a ClusterRoleBinding.
A RoleBinding can reference a Role in the same namespace.
roleRef is what actually creates the binding: its kind can be Role or ClusterRole, and its name refers to the specific Role or ClusterRole being granted.
A ClusterRoleBinding grants permissions at the cluster level, across all namespaces.
Creating Role command:
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]
--verb specifies the set of operations permitted on the resources: get, delete, update, create, patch, watch, list; * means all operations.
--resource specifies the set of resource types that may be operated on;
--resource-name restricts the rule to the named resource instances;
such as:
[root@liabio ~]# kubectl create role pod-reader-cka -n cka --verb=get --verb=list --resource=pods --resource-name=readablepod --resource-name=anotherpod -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2019-12-03T03:50:34Z"
name: pod-reader-cka
namespace: cka
resourceVersion: "15179947"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/roles/pod-reader-cka
uid: 16742721-4890-43de-9725-d6c721c6e4cf
rules:
- apiGroups:
- ""
resourceNames:
- readablepod
- anotherpod
resources:
- pods
verbs:
- get
- list
Creating RoleBinding
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run]
--role specifies the Role name used in the RoleBinding's roleRef;
--clusterrole specifies the ClusterRole name used in the RoleBinding's roleRef;
--serviceaccount specifies a ServiceAccount (namespace:name) in the RoleBinding's subjects;
--user specifies a User name in the RoleBinding's subjects;
such as:
[root@liabio ~]# kubectl create rolebinding admin-cka -n cka --clusterrole=admin --user=user1 --user=user2 --group=group1 -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2019-12-03T03:47:55Z"
name: admin-cka
namespace: cka
resourceVersion: "15179732"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/cka/rolebindings/admin-cka
uid: 4d4eacfb-3ba0-4fa1-96c3-c624fbafb12c
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user1
- apiGroup: rbac.authorization.k8s.io
kind: User
name: user2
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group1
Creating ServiceAccount
kubectl create serviceaccount NAME [--dry-run]
Such as:
[root@liabio cka]# kubectl create serviceaccount cka-1202-sa -n cka -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2019-12-02T23:37:42Z"
name: cka-1202-sa
namespace: cka
resourceVersion: "15159020"
selfLink: /api/v1/namespaces/cka/serviceaccounts/cka-1202-sa
uid: 6764e90c-cb28-4de1-9109-6e3d56941fcb
Today's exam
Create two deployments named cka-1203-01 and cka-1203-02;
add the Pod label cka: cka-1203-01 to cka-1203-01;
add the Pod label cka: cka-1203-02 to cka-1203-02; then use a kubectl label-selector command to find both deployments, sorted by creation time.
E.g:
NAME READY UP-TO-DATE AVAILABLE AGE
cka-1203-01 1/1 1 1 8m40s
cka-1203-02 1/1 1 1 8m38
About the Author
Author: a small bowl of soup, a love, a serious guy writing, currently maintaining the original number public: "My little bowl of soup," focus on writing linux, golang, docker, kubernetes and other articles to enhance the knowledge of hard power, you look forward to s concern. Reprinted Note: Be sure to indicate the source (note: from public number: My little bowl of soup, author: small bowl of soup)