Myluzh Blog

K8S笔记-集群安全机制(RBAC权限管理)

发布时间: 2023-9-14 文章作者: myluzh 分类名称: Kubernetes 朗读文章

0x00 概述
一、访问k8s集群的时候,需要经过三个步骤完成具体操作:
第一步 认证
    1.传输安全: 
        对外不暴露8080端口,只能内部访问,对外使用端口6443
    2.认证:
        客户端身份认证常用方式:
            (1)htts证书认证,基于ca证书
            (2)http token认证,通过token识别用户
            (3)http基本认证,用户名+密码认证
第二步 鉴权(授权)
    基于RBAC鉴权(基于角色访问控制):
第三步 准入控制

    就是准入控制器的列表,如果列表有请求内容就通过,没有就拒绝。

二、进行访问的时候,过程中都需要经过apiserver(做统一协调)
    访问过程中需要证书、token、或者用户名+密码
    如果访问pod需要serviceAccount

0x02 RBAC介绍

基于角色的访问控制

点击查看原图 

[root@master ~]# kubectl run nginx --image=nginx -n roledemo
pod/nginx created
-角色
role:特定命名空间访问权限
ClusterRole:所有命名空间访问权限
-角色绑定
roleBinding:角色绑定到主体
ClusterRoleBinding:集群角色绑定到主体
-主体
user:用户
group:用户组
serviceAccount:服务账号


0x03 RBAC实现鉴权

1、首先创建一个roledemo命名空间 

[root@master ~]# kubectl create ns roledemo
namespace/roledemo created

2、在roledemo命名空间里面创建一个pod nginx 

[root@master ~]# kubectl run nginx --image=nginx -n roledemo
pod/nginx created
3、创建角色 rbac-role.yaml 
# 这个角色对pod有 get watch list权限
[root@master ~]# vi rbac-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: roledemo
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@master ~]# kubectl apply -f rbac-role.yaml 
role.rbac.authorization.k8s.io/pod-reader created

# 查看当前命名空间的角色
[root@master ~]# kubectl get role -n roledemo
NAME         CREATED AT
pod-reader   2023-09-14T07:19:01Z
4、用户绑定 
# 将用户mary绑定到名为pod-reader的Role上
[root@master ~]# vim rbac-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: roledemo
subjects:
- kind: User
  name: mary
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the Role name
  apiGroup: rbac.authorization.k8s.io
[root@master ~]# kubectl apply -f rbac-rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/read-pods created

5、使用证书来识别身份 

[root@master ~]# mkdir mary
[root@master ~]# cd mary/
[root@master mary]# vi rbac-user.sh
cat > mary-csr.json <<EOF
{
  "CN": "mary",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes mary-csr.json | cfssljson -bare mary

kubectl config set-cluster kubernetes \
    --certificate-authority=ca.pem \
    --embed-certs=true \
    --server=https://172.16.10.20:6443 \
    --kubeconfig=mary-kubeconfig

kubectl config set-credentials mary \
    --client-key=mary-key.pem \
    --client-certificate=mary.pem \
    --embed-certs=true \
    --kubeconfig=mary-kubeconfig

[root@master mary]# chmod +x rbac-user.sh 
[root@master mary]# cp /opt/kubernetes/ssl/* .

[root@master mary]# ./rbac-user.sh 
2023/09/14 16:30:33 [INFO] generate received request
2023/09/14 16:30:33 [INFO] received CSR
2023/09/14 16:30:33 [INFO] generating key: rsa-2048
2023/09/14 16:30:33 [INFO] encoded CSR
2023/09/14 16:30:33 [INFO] signed certificate with serial number 106693260765716901830504905832891526428234876649
2023/09/14 16:30:33 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "mary" set.

6、测试下,可以发现get pod可以看到,但是get svc不行,证明权限配置是正确的。 

[root@master mary]# kubectl get pod -n roledemo
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          76m
[root@master mary]# kubectl get svc -n roledemo
No resources found in roledemo namespace.


标签: k8s 安全 rbac

« Linux安装Go1.20版本 | K8S笔记-Controller-Job和Cronjob(单次任务与定时任务)»

发表评论