k8s安全管理认证

1、SA

Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务而设计的。

• 是为Pod中的进程调用Kubernetes API而设计；

• 仅局限它所在的namespace；

• 每个namespace都会自动创建一个default service account；

• Token controller检测service account的创建，并为它们创建secret；

开启ServiceAccount Admission Controller后，每个Pod在创建后都会自动设置spec.serviceAccount为default（除非指定了其他ServiceAccout）；验证Pod引用的service account已经存在，否则拒绝创建；如果Pod没有指定ImagePullSecrets，则把service account的ImagePullSecrets加到Pod中；每个container启动后都会挂载该service account的token和ca.crt到/var/run/secrets/kubernetes.io/serviceaccount/

创建SA用户

# vim 01_k8s_pod_test.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: superopsmsb-sa
---
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-1
spec:
  containers:
  - image: nginx:1.23.0
    name: my-nginx
  serviceAccountName: superopsmsb-sa

# kubectl apply -f 01_k8s_pod_test.yml 
# kubectl get sa
# kubectl get pods -o wide
# kubectl describe pod my-nginx-1

2、UA

创建UA

# vim test-csr.json 
 {
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:test",             
      "OU": "system"
    }
  ]
}


# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test
      
# cp test*.pem /etc/kubernetes/ssl/

# kubectl config set-cluster kubernetes --certificate-authority=ca.pem  --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig

# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig

# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig

# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig

# kubectl --kubeconfig=test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
      
# kubectl --kubeconfig=kube.config get pods
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   0          4h26m
pod-cm1             1/1     Running   3          4d22h
pod-harbor          1/1     Running   2          26h
pod-mysql-secret1   1/1     Running   5          4d21h
pod-mysql-secret2   1/1     Running   2          4d21h