Kubernetes RBAC in practice: user role-based access control, dashboard access, generating a kubectl config


Kubernetes RBAC in practice

Environment preparation

First install a Kubernetes cluster with kubeadm; the package is here (easy to use, convenient, with good service and fair to everyone).

The goal of this article: a user named devuser should be able to access only the pods in one specific namespace.

Command-line access with kubectl

Install cfssl

This tool makes generating certificates very convenient. The .pem files it emits and the .crt files kubeadm writes are both PEM-encoded, so they can be used interchangeably.

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /bin/cfssl-certinfo

Issue a client certificate

Sign the user certificate with the cluster CA certificate and key. kubeadm has already put the root certificate in /etc/kubernetes/pki:

[root@master1 ~]# ls /etc/kubernetes/pki/
apiserver.crt                 ca-config.json  devuser-csr.json    front-proxy-ca.key      sa.pub
apiserver.key                 ca.crt          devuser-key.pem     front-proxy-client.crt
apiserver-kubelet-client.crt  ca.key          devuser.pem         front-proxy-client.key
apiserver-kubelet-client.key  devuser.csr     front-proxy-ca.crt  sa.key

Note these files: ca.crt, ca.key, ca-config.json, devuser-csr.json (the devuser.* files shown above are the ones produced in the steps below).

Create the ca-config.json file

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

Two things to be aware of in this profile. It sets "server auth" as well as "client auth", so a certificate issued with it could also be presented as a server certificate signed by the cluster CA; a user certificate only needs "client auth". And 87600h is ten years: Kubernetes has no certificate revocation, so the only way to take such a credential back is to rotate the CA, and a shorter expiry is the safer choice for a person's credential.

Create the devuser-csr.json file:
The API server takes the Kubernetes user name from the certificate's CN and the group names from its O fields. This user or group is what the role binding below refers to. Be careful with O: a certificate with O=system:masters is a member of the built-in system:masters group, which is bound to cluster-admin and bypasses any Role you write for the user.

cat > devuser-csr.json <<EOF
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

Generate the user's certificate:

$ cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser

This produces the following files:

devuser.csr  devuser-key.pem  devuser.pem

Verify the certificate

# cfssl-certinfo -cert devuser.pem

The subject in the output should show common_name devuser and organization k8s; those are the user name and group the API server will see.

Generate the kubeconfig file

kubeadm has already generated admin.conf, so we can copy it and reuse its cluster section (server address and CA data) instead of configuring the cluster parameters by hand. Note that admin.conf also embeds the kubernetes-admin user's client certificate and key, which are cluster-admin. The steps below add devuser next to it but do not remove it, so before handing the file out delete that user and its context, for example with kubectl config unset users.kubernetes-admin --kubeconfig=devuser.kubeconfig and kubectl config delete-context kubernetes-admin@kubernetes --kubeconfig=devuser.kubeconfig.

$  cp /etc/kubernetes/admin.conf devuser.kubeconfig

Set the client credential parameters (the certificate and key were written to /etc/kubernetes/pki above):

kubectl config set-credentials devuser \
  --client-certificate=/etc/kubernetes/pki/devuser.pem \
  --client-key=/etc/kubernetes/pki/devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig

Set the context parameters:

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devuser \
  --namespace=kube-system \
  --kubeconfig=devuser.kubeconfig

Set the default context:

kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig

After each of the steps above you can look at how devuser.kubeconfig changes. The three most important things in it:

  • cluster: cluster information, the API server address and the CA certificate used to verify it
  • user: user information, the client certificate and private key. The real identity is read from the certificate (its CN and O); the user name you see in the file is only a label for humans
  • context: a triple of namespace, cluster and user
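The kubeconfig produced by the steps above is just structured data, and the point about admin.conf is easiest to see by building it. The following is an added example, not code from the original post: it assembles the same cluster/user/context triple from scratch, reproduces what copying admin.conf and then adding devuser leaves behind, and strips the file down to the one user it is meant for. The PEM blobs and the API server address are constructed placeholders, not real credentials.

```python
import base64
import json

# Constructed placeholder PEM blobs; in the procedure above these are
# /etc/kubernetes/pki/ca.crt and the devuser.pem / devuser-key.pem cfssl wrote.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n"
DEVUSER_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVA==\n-----END CERTIFICATE-----\n"
DEVUSER_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END RSA PRIVATE KEY-----\n"
SERVER = "https://192.168.0.10:6443"  # assumed API server address


def _embed(pem: bytes) -> str:
    # --embed-certs=true stores the file contents base64-encoded in the *-data fields
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(server, ca_pem, user, cert_pem, key_pem, namespace, cluster="kubernetes"):
    """The result of set-cluster / set-credentials / set-context / use-context,
    built from scratch: exactly one cluster, one user and one context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": _embed(ca_pem)}}],
        "users": [{"name": user,
                   "user": {"client-certificate-data": _embed(cert_pem), "client-key-data": _embed(key_pem)}}],
        "contexts": [{"name": cluster, "context": {"cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": cluster,
    }


def kubeadm_admin_conf_with_devuser():
    """Approximates what the page's procedure yields: admin.conf copied, then
    devuser added.  The kubernetes-admin entry (a cluster-admin cert) is still inside."""
    cfg = build_kubeconfig(SERVER, CA_PEM, "kubernetes-admin", b"ADMIN-CERT", b"ADMIN-KEY", "default")
    cfg["contexts"][0]["name"] = "kubernetes-admin@kubernetes"
    cfg["current-context"] = "kubernetes-admin@kubernetes"
    # kubectl config set-credentials devuser --embed-certs=true ...
    cfg["users"].append({"name": "devuser", "user": {
        "client-certificate-data": _embed(DEVUSER_CERT_PEM), "client-key-data": _embed(DEVUSER_KEY_PEM)}})
    # kubectl config set-context kubernetes --cluster=kubernetes --user=devuser --namespace=kube-system
    cfg["contexts"].append({"name": "kubernetes",
                            "context": {"cluster": "kubernetes", "user": "devuser", "namespace": "kube-system"}})
    cfg["current-context"] = "kubernetes"  # kubectl config use-context kubernetes
    return cfg


def leftover_users(cfg, keep):
    """Names of users other than `keep`: credentials that would leak along with the file."""
    return sorted(u["name"] for u in cfg.get("users", []) if u["name"] != keep)


def strip_to_user(cfg, keep):
    """Remove every other user and every context that points at one of them."""
    contexts = [c for c in cfg.get("contexts", []) if c["context"]["user"] == keep]
    out = dict(cfg, users=[u for u in cfg["users"] if u["name"] == keep], contexts=contexts)
    if out["current-context"] not in {c["name"] for c in contexts}:
        out["current-context"] = contexts[0]["name"] if contexts else ""
    return out


def embedded(cfg, user, field):
    """Decode a *-data field back to PEM, which is what kubectl does at request time."""
    for u in cfg["users"]:
        if u["name"] == user:
            return base64.b64decode(u["user"][field])
    raise KeyError(user)


if __name__ == "__main__":
    cfg = strip_to_user(kubeadm_admin_conf_with_devuser(), "devuser")
    print(json.dumps(cfg, indent=2))  # kubectl accepts a JSON kubeconfig (JSON is valid YAML)
```

Writing the stripped dictionary out with json.dump gives a file kubectl accepts as-is. The check that matters before distributing the file is leftover_users(cfg, "devuser") returning an empty list.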

Create a Role

Create a Role named pod-reader. A Role is namespaced, so this one only ever describes pods in kube-system:

[root@master1 ~]# cat pod-reader.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

kubectl create -f pod-reader.yaml

Bind the user

Create a RoleBinding that binds the pod-reader Role to devuser. The subject name must match the CN of the certificate exactly:

[root@master1 ~]# cat devuser-role-bind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: kube-system
subjects:
- kind: User
  name: devuser   # target user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader  # the role being granted
  apiGroup: rbac.authorization.k8s.io

kubectl create -f devuser-role-bind.yaml

Use the new config file

Back up ~/.kube/config first: it is the admin credential and the command below deletes it. Alternatively keep it in place and pass --kubeconfig=devuser.kubeconfig to each kubectl call.

$ rm .kube/config && cp devuser.kubeconfig .kube/config

Result: devuser no longer has access to other namespaces and cannot read node information either. The same answers can be obtained without switching credentials at all, from the admin config, with kubectl auth can-i list pods -n default --as devuser:

[root@master1 ~]# kubectl get node
Error from server (Forbidden): nodes is forbidden: User "devuser" cannot list nodes at the cluster scope
[root@master1 ~]# kubectl get pod -n kube-system
NAME                                       READY     STATUS    RESTARTS   AGE
calico-kube-controllers-55449f8d88-74x8f   1/1       Running   0          8d
calico-node-clpqr                          2/2       Running   0          8d
kube-apiserver-master1                     1/1       Running   2          8d
kube-controller-manager-master1            1/1       Running   1          8d
kube-dns-545bc4bfd4-p6trj                  3/3       Running   0          8d
kube-proxy-tln54                           1/1       Running   0          8d
kube-scheduler-master1                     1/1       Running   1          8d
[root@master1 ~]# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list pods in the namespace "default": role.rbac.authorization.k8s.io "pod-reader" not found
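The three outcomes above follow from how the RBAC authorizer walks bindings: a RoleBinding grants only inside its own namespace, a cluster-scoped request such as listing nodes can only be satisfied through a ClusterRoleBinding, and the subject is matched on the user name (from CN) or the groups (from O). The model below is an added example, not code from the original post or from Kubernetes itself; it encodes the pod-reader Role and read-pods RoleBinding from this page, the built-in cluster-admin ClusterRole with its system:masters binding, and the dashboard binding from the next section, and answers the same questions kubectl auth can-i would. It deliberately ignores aggregated ClusterRoles, resourceNames and the implicit system:authenticated group.

```python
# Rules keyed by (kind, namespace, name); constructed from the page's manifests
# plus the built-in cluster-admin ClusterRole.
ROLES = {
    ("Role", "kube-system", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}

BINDINGS = [
    # the page's devuser-role-bind.yaml
    {"kind": "RoleBinding", "namespace": "kube-system",
     "roleRef": ("Role", "pod-reader"),
     "subjects": [{"kind": "User", "name": "devuser"}]},
    # the built-in binding that makes the system:masters group all-powerful
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # the page's dashboard-admin.yaml
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
]


def _match(patterns, value):
    return "*" in patterns or value in patterns


def _rule_allows(rule, verb, api_group, resource):
    # nonResourceURLs rules never authorize a resource request
    return ("resources" in rule and _match(rule["apiGroups"], api_group)
            and _match(rule["resources"], resource) and _match(rule["verbs"], verb))


def _subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        # a service-account token authenticates as this synthesized user name
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def can_i(user, groups, verb, resource, namespace=None, api_group=""):
    """True if some binding whose subjects cover (user, groups) references a
    role with a rule permitting verb on resource.  namespace=None means a
    cluster-scoped request (e.g. list nodes), which a RoleBinding never grants."""
    for b in BINDINGS:
        if not any(_subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        kind, name = b["roleRef"]
        if b["kind"] == "RoleBinding":
            if namespace is None or b["namespace"] != namespace:
                continue  # a RoleBinding only applies inside its own namespace
            # a RoleBinding may reference a Role in its namespace or a ClusterRole
            key = (kind, b["namespace"] if kind == "Role" else None, name)
        else:
            key = ("ClusterRole", None, name)  # ClusterRoleBindings only reference ClusterRoles
        if any(_rule_allows(r, verb, api_group, resource) for r in ROLES.get(key, [])):
            return True
    return False


if __name__ == "__main__":
    for args in [("list", "pods", "kube-system"), ("list", "pods", "default"), ("list", "nodes", None)]:
        print("devuser", *args, "->", can_i("devuser", ["k8s"], *args))
```

The groups argument is what the O field of the certificate turns into: devuser's certificate yields ["k8s"], which no binding mentions, so it is harmless; a certificate issued with O=system:masters would make every can_i call return True.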

Dashboard access

How service accounts work

Kubernetes has two kinds of users: User and service account. A User is for people and is not an object in the API, it is whatever identity the client certificate or token carries; a service account is an API object meant for processes, so that a process can be given the permissions it needs.

The dashboard, for example, is a process, so we can create a service account for it and let it use that to access the API server.

Let us look at how admin permissions are given to the dashboard:

╰─➤  cat dashboard-admin.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

(rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; on current clusters use rbac.authorization.k8s.io/v1, which has the same fields.)

This binds the kubernetes-dashboard ServiceAccount to the cluster-admin ClusterRole. That ClusterRole is extremely powerful, it has every permission, and because the binding is a ClusterRoleBinding it applies in every namespace. The consequence is that anyone who can reach the dashboard UI acts as cluster-admin, since the dashboard process itself holds that privilege:

[root@master1 ~]# kubectl describe clusterrole cluster-admin -n kube-system
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
             [*]                []              [*]
  *.*        []                 []              [*]

The service account itself was created along with the dashboard:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

Then the Deployment names that service account, which is how its token ends up mounted into the dashboard pod:

      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard

A safer approach

Instead of making the dashboard's own service account cluster-admin, create a separate admin service account and log in to the dashboard with its token. The dashboard then keeps only its own minimal permissions, and the cluster-admin privilege travels with whoever holds the token rather than with the UI.

[root@master1 ~]# cat admin-token.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

On the cluster used here a token Secret is created automatically for the service account:

[root@master1 ~]# kubectl get secret -n kube-system|grep admin
admin-token-7rdhf                        kubernetes.io/service-account-token   3         14m

[root@master1 ~]# kubectl describe secret admin-token-7rdhf -n kube-system
Name:         admin-token-7rdhf
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=affe82d4-d10b-11e7-ad03-00163e01d684

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi03cmRoZiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFmZmU4MmQ0LWQxMGItMTFlNy1hZDAzLTAwMTYzZTAxZDY4NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.jSfQhFsY7V0ZmfqxM8lM_UUOoUhI86axDSeyVVtldSUY-BeP2Nw4q-ooKGJTBBsrOWvMiQePcQxJTKR1K4EIfnA2FOnVm4IjMa40pr7-oRVY37YnR_1LMalG9vrWmqFiqIsKe9hjkoFDuCaP7UIuv16RsV7hRlL4IToqmJMyJ1xj2qb1oW4P1pdaRr4Pw02XBz9yBpD1fs-lbwheu1UKcEnbHS_0S3zlmAgCrpwDFl2UYOmgUKQVpJhX4wBRRQbwo1Sn4rEFVI1NIa9l_lM7Mf6YEquLHRu3BCZTdu9YfY9pevQz4OfHE0NOvDIqmGRL8Z9kPADAXbljWzcD1m1xCQ

Since Kubernetes 1.24 service accounts no longer get a long-lived token Secret automatically; request a short-lived one instead with kubectl create token admin -n kube-system.

Log in on the dashboard UI with this token. It is a bearer credential for a cluster-admin identity with no expiry: whoever has the string has the cluster, so treat it like the root password and never paste it into tickets, chat or a shared kubeconfig.
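The token above is a JSON Web Token: its header and payload are only base64url-encoded, so anyone holding it can read which service account it represents, while the API server verifies the RS256 signature with sa.pub (the private half, sa.key, is in the /etc/kubernetes/pki listing earlier) before it turns the sub claim into the system:serviceaccount:kube-system:admin subject that the ClusterRoleBinding names. The following added example, not code from the original post, mints a token with the same claim layout, shows the unverified peek versus the verified check, and derives the RBAC subject. It is a model: the signing key is a constructed HMAC secret and the algorithm is HS256, because the standard library has no RSA; the claims are reconstructed from the page's own describe output with the uid left out.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for sa.key / sa.pub.  Real tokens are RS256-signed
# with the RSA key pair; HS256 with a shared secret is used here only so the
# example runs without third-party libraries.
SIGNING_KEY = b"constructed-sa-signing-secret-not-a-real-one"

# Same claim names the describe output above carries, minus the uid.
CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "admin-token-7rdhf",
    "kubernetes.io/serviceaccount/service-account.name": "admin",
    "sub": "system:serviceaccount:kube-system:admin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims, key):
    """Build header.payload.signature the way the token controller does,
    with HS256 standing in for RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_claims(token):
    """What anyone holding the token can read with no key at all: the payload is
    encoded, not encrypted.  Never base an authorization decision on this."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token, key):
    """Recompute the signature and return the claims only if it matches.
    This is the step the API server performs before RBAC ever sees the subject."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def subject_for_rbac(claims):
    """The User name RBAC matches against a ServiceAccount subject:
    system:serviceaccount:<namespace>:<name>."""
    return "system:serviceaccount:%s:%s" % (
        claims["kubernetes.io/serviceaccount/namespace"],
        claims["kubernetes.io/serviceaccount/service-account.name"])


if __name__ == "__main__":
    tok = mint_token(CLAIMS, SIGNING_KEY)
    print("unverified peek:", peek_claims(tok)["sub"])
    print("verified:", subject_for_rbac(verify_token(tok, SIGNING_KEY)))
    print("wrong key accepted?", verify_token(tok, b"guess") is not None)
```

A forged token whose payload claims sub=system:serviceaccount:kube-system:admin decodes just as nicely in peek_claims; only verify_token with the real key tells the two apart, which is why the token itself, not the readable name inside it, is the secret.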
