k8s 使用 RBAC 鉴权
https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/
# 创建sa账号
kubectl create sa sa-test-20230408
# 使用sa 账号创建pod资源
[root@master01 sa]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: sa-test-pod-20230408
namespace: default
labels:
app: sa
spec:
serviceAccountName: sa-test-20230408
containers:
- name: sa-nginx
ports:
- containerPort: 80
image: nginx
imagePullPolicy: IfNotPresent
command: ["/bin/sh","-c","sleep 3600"]
# 进去pod容器访问资源,没授权访问
[root@master01 sa]# kubectl exec -it sa-test-pod-20230408 -- /bin/bash
root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/default
返回信息"code": 403
# 授权sa-test-20230408 有cluster-admin 权限后访问
kubectl create clusterrolebinding sa-test-20230408-clusterrolebinding --clusterrole=cluster-admin --serviceaccount=default:sa-test-20230408
root@sa-test-pod-20230408:/var/run/secrets/kubernetes.io/serviceaccount# curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://kubernetes/api/v1/namespaces/default
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "default",
"uid": "f6ba86a9-b5ec-4850-a1d4-2afb7fc61083",
"resourceVersion": "842384",
"creationTimestamp": "2023-02-22T03:17:00Z",
"labels": {
"field.cattle.io/projectId": "p-hph99",
"kubernetes.io/metadata.name": "default"
},
# 查看clusterrolebinding 授权信息
[root@master01 ~]# kubectl get clusterrolebinding| grep 20230408
sa-test-20230408-clusterrolebinding ClusterRole/cluster-admin 2m28s
[root@master01 ~]# kubectl describe clusterrolebinding sa-test-20230408-clusterrolebinding
Name: sa-test-20230408-clusterrolebinding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount sa-test-20230408 default
创建不同用户操作k8s
限制不同的用户操作 k8s 集群
ssl 认证
生成一个证书
(1)生成一个私钥
cd /etc/kubernetes/pki/
(umask 077; openssl genrsa -out k8s-test-20230408.key 2048)
(2)生成一个证书请求
openssl req -new -key k8s-test-20230408.key -out k8s-test-20230408.csr -subj "/CN=k8s-test-20230408"
(3)生成一个证书
openssl x509 -req -in k8s-test-20230408.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out k8s-test-20230408.crt -
days 3650
在 kubeconfig 下新增加一个 k8s-test-20230408 这个用户
[root@xuegod63 ~]# cp /root/.kube/config /root/.kube/config.bak
(1)把 k8s-test-20230408 这个用户添加到 kubernetes 集群中,可以用来认证 apiserver 的连接
kubectl config set-credentials k8s-test-20230408 --client-certificate=./k8s-test-20230408.crt --client-key=./k8s-test-20230408.key
--embed-certs=true
(2)在 kubeconfig 下新增加一个上下文
kubectl config set-context k8s-test-20230408@kubernetes --cluster=kubernetes --user=k8s-test-20230408
(3)切换账号到 k8s-test-20230408,默认没有任何权限
kubectl config use-context k8s-test-20230408@kubernetes
kubectl config use-context kubernetes-admin@kubernetes 这个是集群用户,有任何权限
把 user 这个用户通过 rolebinding 绑定到 clusterrole 上,授予权限,权限只是在 k8s-test-20230408 这个名称
空间有效
kubectl create ns k8s-test-20230408
(1)把 k8s-test-20230408 这个用户通过 rolebinding 绑定到 clusterrole 上
kubectl create rolebinding k8s-test-20230408 -n k8s-test-20230408 --clusterrole=cluster-admin --user=k8s-test-20230408
(2)切换到 k8s-test-20230408 这个用户
kubectl config use-context k8s-test-20230408@kubernetes
(3)测试是否有权限
kubectl get pods -n k8s-test-20230408
有权限操作这个名称空间
kubectl get pods
没有权限操作其他名称空间
添加一个 k8s-test-20230408 的普通用户
useradd k8s-test-20230408
cp -ar /root/.kube/ /home/k8s-test-20230408/
# 查看当前使用账号
[root@master01 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.10.202:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: k8s-test-20230408
name: k8s-test-20230408@kubernetes
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: k8s-test-20230408
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
# 编辑config文件,只留k8s-test-20230408 用户的配置信息
[root@master01 sa]# cat /home/k8stest/.kube/config
chown -R k8s-test-20230408.k8s-test-20230408 /home/k8s-test-20230408/
su - k8s-test-20230408
kubectl get pods -n k8s-test-20230408
[k8stest@master01 ~]$ kubectl apply -f pod2.yaml -n k8s-test-20230408
pod/tomcat-pod-20230408-2 created
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "k8s-test-20230408" cannot list resource "pods" in API group "" in the namespace "default"
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 64s
tomcat-pod-20230408-2 1/1 Running 0 17s
[k8stest@master01 ~]$
[k8stest@master01 ~]$
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 2m23s
tomcat-pod-20230408-2 1/1 Running 0 96s
[k8stest@master01 ~]$ kubectl delete -f pod2.yaml -n k8s-test-20230408
pod "tomcat-pod-20230408-2" deleted
[k8stest@master01 ~]$ kubectl get pod -n k8s-test-20230408
NAME READY STATUS RESTARTS AGE
tomcat-pod-20230408 1/1 Running 0 2m42s
最后不要忘了切换回 kubernetes-admin 用户:
kubectl config use-context kubernetes-admin@kubernetes
标签:kubectl,kubernetes,20230408,RBAC,test,sa,k8s,鉴权 From: https://www.cnblogs.com/liuyoushui/p/17298511.html