Overview
Contents
- 1: Kubernetes security framework
- 1.1 Structure
- 1.2 Workflow
- 1.3 The apiserver uses token authentication
- 1.4 ServiceAccount
- 2: Module one, authentication
- 2.1 Certificate authentication in the K8S cluster
- 2.2 HTTP token authentication
- 3: Module two, authorization
- 4: Module three, admission control
- 5: Creating a new user on top of the authorization mechanism
- 5.1 Authorizing with RBAC
- 5.2 Create a new namespace for the test
- 5.3 Create an nginx pod in the gsy namespace
- 5.4 Scale the replicas with scale
- 5.5 Create the Role
- 5.6 Create the RoleBinding
- 3.7 Create a certificate for the user gsy
- 3.8 Copy the cluster's CA certificate and related material into the gsy directory
- 3.9 Inspect gsy's kubeconfig
- 3.10 Manage resources as gsy
- 3.11 Accessing svc resources with gsy-kubeconfig is refused
- 3.12 UI access
- 3.13 Logging in with a token: first give gsy a token
- 3.14 Inspect the generated token
- 3.15 Log in
Key points:
1. The Kubernetes security framework
2. Transport security, authentication, authorization, admission control
3. Authorizing with RBAC
1: Kubernetes security framework
Three layers: authentication, authorization, and role binding.
The first gate is authentication, the second is authorization, and the third is admission control.
1.1 Structure
kubectl, the API and the UI are the ways of accessing and managing K8S. The API is what custom tooling calls; it speaks HTTPS on port 6443.
A request submitted through kubectl calls paths such as /api/v1, /apis and /healthz and then passes through the security framework.
The security framework consists of authentication, which verifies identity with a username and password or with a token; authorization, which binds permissions, i.e. the authorization step that assigns the user to a given namespace; and admission control, which decides at the namespace level which resources may be used and which plugins are invoked.
Before a plugin is used the request is checked against etcd to see whether it is authorized; if it is allowed, the operation is executed and recorded in etcd.
1.2 Workflow
kubectl first requests the API resource and then has to pass three gates: authentication, authorization and admission control. Only a request that passes all three can have K8S create the resource.
The K8S security control framework is enforced in these three stages; each stage supports plugins, which are enabled through the API Server configuration.
An ordinary user who wants to access the cluster API server securely normally needs a certificate, a token, or a username and password;
pod access needs a ServiceAccount.
1.3 The apiserver uses token authentication
--enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv
[root@master1 ~]# ps aux | grep apiserver
root  56055  2.0  6.5 401116 254068 ?  Ssl  May08 261:28 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem
root  62506  0.0  0.0 112712    964 pts/1  S+   20:16   0:00 grep --color=auto apiserver
1.4 ServiceAccount
Provides identity for the processes in a Pod and for external users; it is a system account.
A pod can reach the apiserver through its ServiceAccount.
[root@master1 ~]# kubectl get sa    # sa is short for serviceaccount
NAME      SECRETS   AGE
default   1         17d
Secure access from the web UI requires certificate verification.
External transport security: port 8080 is no longer used; 6443 is used instead.
Internally the apiserver listens on 8080 for the master and the other components to connect to.
[root@master1 ~]# netstat -natp | grep 8080 | grep LISTEN
tcp   0   0 127.0.0.1:8080         0.0.0.0:*   LISTEN   56055/kube-apiserve
The externally exposed port, 6443:
[root@master1 ~]# netstat -natp | grep 6443 | grep LISTEN
tcp   0   0 192.168.247.149:6443   0.0.0.0:*   LISTEN   56055/kube-apiserve
2: Module one, authentication
Three kinds of client authentication:
- HTTPS certificate authentication: digital certificates signed by the CA
- HTTP token authentication: a token identifies the user; widely used in production
- HTTP basic authentication: username and password
2.1 Certificate authentication in the K8S cluster
https://blog.csdn.net/Lfwthotpt/article/details/105892377
The hosts listed in the server certificate are 192.168.247.149 (master1), 192.168.247.148 (master2), 192.168.247.145 (lb1), 192.168.247.146 (lb2), 192.168.247.100 (the VIP), plus the service address, localhost and the in-cluster DNS names of the API server. JSON does not allow comments, so those annotations are kept out of the file itself:
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.247.149",
    "192.168.247.148",
    "192.168.247.145",
    "192.168.247.146",
    "192.168.247.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
2.2 HTTP token authentication
[root@master1 ~]# cat /k8s/cfg/token.csv
a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
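The token file above is the entire state of the static-token authenticator. As an added example that is not part of the original post, the Python below parses a file in that format (the first row is the page's kubelet-bootstrap entry; the second and third rows and every token in them are constructed) and resolves an Authorization header to the identity the API server would see. It also lists entries placed in system:masters, which RBAC cannot constrain because that group is bound to cluster-admin.

```python
import csv
import io

# Constructed sample in the format of kube-apiserver's --token-auth-file:
# token,user name,user uid,"group1,group2,..." (the groups column is optional).
# The first row is the kubelet-bootstrap entry from the page; the other two
# rows are made up for this example.
SAMPLE_TOKEN_CSV = (
    'a031b816095ddada590b24c54a505a9e,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
    'deadbeefcafe0123456789abcdef0000,ci-deployer,10002,"developers,ci"\n'
    '0123456789abcdef0123456789abcdef,break-glass,10003,"system:masters"\n'
)


def load_token_file(text):
    """Parse token.csv into {token: {"user", "uid", "groups"}}.

    The API server reads this file once at start-up; the token is the lookup
    key and the optional fourth column is a single quoted field holding a
    comma-separated group list.
    """
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError("token.csv rows need at least token,user,uid: %r" % (row,))
        token, user, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        if token in table:
            raise ValueError("duplicate token for user %s" % user)
        table[token] = {"user": user, "uid": uid, "groups": groups}
    return table


def authenticate(table, authorization_header):
    """Resolve an 'Authorization: Bearer <token>' header to an identity, or None.

    Static tokens never expire and cannot be revoked without editing the file
    and restarting kube-apiserver, so every line here is a long-lived credential.
    """
    parts = authorization_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return table.get(parts[1].strip())


def privileged_entries(table):
    """Users whose token places them in system:masters; RBAC cannot restrict these."""
    return sorted(info["user"] for info in table.values() if "system:masters" in info["groups"])


if __name__ == "__main__":
    table = load_token_file(SAMPLE_TOKEN_CSV)
    print(authenticate(table, "Bearer a031b816095ddada590b24c54a505a9e"))
    print(authenticate(table, "Bearer not-in-the-file"))
    print("system:masters via static token:", privileged_entries(table))
```

The lookup is by exact token string, so the file must be protected like a password database; anyone who can read /k8s/cfg/token.csv on the master holds every identity in it until the file is changed and the apiserver restarted.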
3: Module two, authorization
RBAC (role-based access control) is what performs the authorization work.
Kubernetes reviews only the following API request attributes:
- user: the user string provided during authentication
- group: the list of group names to which the authenticated user belongs
- extra: a map of arbitrary string keys to string values, provided by the authentication layer
- API: indicates whether the request is for an API resource
- request path: path to miscellaneous non-resource endpoints like /api or /healthz
- API request verb: the API verbs get, list, create, update, patch, watch, proxy, redirect, delete and deletecollection are used for resource requests. To determine the request verb for a resource API endpoint, see "Determine the Request Verb" in the Kubernetes authorization documentation.
- HTTP request verb: the HTTP verbs get, post and delete are used for non-resource requests.
- resource: the ID or name of the resource being accessed (for resource requests only). For resource requests using the get, update, patch and delete verbs you must provide the resource name.
- subresource: the subresource being accessed (for resource requests only)
- namespace: the namespace of the object being accessed (for namespaced resource requests only)
- API group: the API group being accessed (for resource requests only); an empty string designates the core API group
RBAC controls access through roles, so:
- first create the role
- then create the resources it is to be bound to
- bind the role to the target user, or even to an API or request
Binding in API mode is suited to custom tooling.
4: Module three, admission control
Admission control is really a list of admission controller plugins. Every request sent to the API server has to pass the check of each plugin in the list; if any check fails, the request is rejected.
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction
NamespaceLifecycle: namespace reclamation
LimitRanger: quota management
ServiceAccount: injected into each pod for convenient API access
ResourceQuota: advanced, namespace-based quota management
NodeRestriction: nodes joining the K8S cluster run with minimal privileges
--authorization-mode=RBAC,Node
[root@master1 ~]# ps aux | grep apiserver
root   9973  0.0  0.0 112712    964 pts/1  S+   10:45   0:00 grep --color=auto apiserver
root  56055  2.0  6.6 401116 256536 ?  Ssl  May12 262:21 /k8s/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.247.149:2379,https://192.168.247.143:2379,https://192.168.247.144:2379 --bind-address=192.168.247.149 --secure-port=6443 --advertise-address=192.168.247.149 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/k8s/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/k8s/ssl/server.pem --tls-private-key-file=/k8s/ssl/server-key.pem --client-ca-file=/k8s/ssl/ca.pem --service-account-key-file=/k8s/ssl/ca-key.pem --etcd-cafile=/k8s/etcd/ssl/ca.pem --etcd-certfile=/k8s/etcd/ssl/server.pem --etcd-keyfile=/k8s/etcd/ssl/server-key.pem
The officially recommended plugins (for version 1.11 and above):
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
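The plugin list above is an ordered chain in which a single rejection stops the request. As an added example that is not part of the original post or of kube-apiserver's code, the Python below re-implements the core behaviour of two of the listed plugins, NamespaceLifecycle and LimitRanger, over constructed cluster state (the namespaces, the LimitRange values and the pod requests are made up) and runs requests through the chain. Resource quantities are plain integers (millicores and MiB) rather than Kubernetes quantity strings so that the example stays self-contained.

```python
import copy

# Constructed cluster state for the example: namespace phases and one
# LimitRange for the gsy namespace (values in millicores / MiB).
SAMPLE_CLUSTER = {
    "namespaces": {"default": "Active", "kube-system": "Active", "kube-public": "Active",
                   "gsy": "Active", "old-project": "Terminating"},
    "limitranges": {"gsy": {"default": {"cpu_m": 200, "memory_mi": 256},
                            "max": {"cpu_m": 1000, "memory_mi": 1024}}},
}

SYSTEM_NAMESPACES = {"default", "kube-system", "kube-public"}


class Denied(Exception):
    """Raised by a plugin to reject the request; the chain stops immediately."""


def namespace_lifecycle(req, cluster):
    """Refuse creates in missing/terminating namespaces and deletion of system namespaces."""
    if req["kind"] == "Namespace" and req["verb"] == "delete" and req["name"] in SYSTEM_NAMESPACES:
        raise Denied("namespace %s is reserved and may not be deleted" % req["name"])
    ns = req.get("namespace")
    if ns is not None and req["verb"] == "create":
        phase = cluster["namespaces"].get(ns)
        if phase is None:
            raise Denied("namespace %s not found" % ns)
        if phase == "Terminating":
            raise Denied("namespace %s is being terminated" % ns)
    return req


def limit_ranger(req, cluster):
    """Fill in default container limits and reject any limit above the namespace maximum."""
    if req["kind"] != "Pod" or req["verb"] != "create":
        return req
    lr = cluster["limitranges"].get(req["namespace"])
    if lr is None:
        return req
    for container in req["object"]["containers"]:
        limits = container.setdefault("limits", {})
        for resource, default in lr["default"].items():
            limits.setdefault(resource, default)          # mutating step
        for resource, maximum in lr["max"].items():
            if limits.get(resource, 0) > maximum:         # validating step
                raise Denied("container %s: %s=%s exceeds max %s"
                             % (container["name"], resource, limits[resource], maximum))
    return req


ADMISSION_PLUGINS = [namespace_lifecycle, limit_ranger]


def admit(req, cluster, plugins=ADMISSION_PLUGINS):
    """Run the request through every plugin in order; returns the (possibly mutated) request."""
    req = copy.deepcopy(req)
    for plugin in plugins:
        req = plugin(req, cluster)
    return req


def try_admit(req, cluster=SAMPLE_CLUSTER):
    """(True, admitted request) or (False, reason) without raising."""
    try:
        return True, admit(req, cluster)
    except Denied as exc:
        return False, str(exc)


def pod_create(namespace, name, containers):
    """Build a constructed 'create Pod' request as the admission chain would see it."""
    return {"kind": "Pod", "verb": "create", "namespace": namespace, "name": name,
            "object": {"containers": containers}}


if __name__ == "__main__":
    print(try_admit(pod_create("gsy", "web", [{"name": "nginx"}])))
    print(try_admit(pod_create("gsy", "big", [{"name": "nginx", "limits": {"cpu_m": 4000}}])))
    print(try_admit(pod_create("old-project", "late", [{"name": "nginx"}])))
    print(try_admit({"kind": "Namespace", "verb": "delete", "name": "kube-system"}))
```

The ordering matters: NamespaceLifecycle runs first so that a pod aimed at a non-existent namespace is refused before LimitRanger ever looks at it, and the request object a later plugin sees is the one the earlier plugin already mutated, which is why real clusters run mutating plugins before validating ones.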
5: Creating a new user on top of the authorization mechanism
Create a user named gsy whose only permission is to view pods.
5.1 Authorizing with RBAC
RBAC (Role-Based Access Control) allows policy to be configured dynamically through the Kubernetes API.
Dynamic means flexible.
Role bindings are subject-based:
- Roles
  Role: grants access within a specific namespace
  ClusterRole: grants access across all namespaces
- Role bindings
  RoleBinding: binds a role to a subject
  ClusterRoleBinding: binds a cluster role to a subject
- Subjects
  User: a user
  Group: a user group
  ServiceAccount: a service account
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
5.2 Create a new namespace for the test
[root@master1 ~]# kubectl get ns
NAME          STATUS   AGE
default       Active   21d
kube-public   Active   21d
kube-system   Active   21d
[root@master1 ~]# kubectl create ns gsy
namespace/gsy created
[root@master1 ~]# kubectl get ns
NAME          STATUS   AGE
default       Active   21d
gsy           Active   3s
kube-public   Active   21d
kube-system   Active   21d
5.3 Create an nginx pod in the gsy namespace
[root@master1 ~]# kubectl run nginxgsy1 --image=nginx -n gsy
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginxgsy1 created
[root@master1 ~]# kubectl get pods -n gsy
NAME                         READY   STATUS    RESTARTS   AGE
nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          13s
5.4 Scale the replicas with scale
This demonstrates elastic scaling.
[root@master1 ~]# kubectl scale deploy/nginxgsy1 --replicas=3 -n gsy
deployment.extensions/nginxgsy1 scaled
- Check
[root@master1 ~]# kubectl get all -n gsy
NAME                             READY   STATUS    RESTARTS   AGE
pod/nginxgsy1-74b78c5f6d-4q2ds   1/1     Running   0          18s
pod/nginxgsy1-74b78c5f6d-c6zwg   1/1     Running   0          18s
pod/nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          111s

NAME                        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginxgsy1   3         3         3            3           111s

NAME                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/nginxgsy1-74b78c5f6d   3         3         3       111s
5.5 Create the Role
Role: grants access within a specific namespace.
- Specify the role's permissions
[root@master1 ~]# vim rbac-role-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: gsy
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@master1 ~]# kubectl apply -f rbac-role-1.yaml
role.rbac.authorization.k8s.io/pod-reader created
- Check
[root@master1 ~]# kubectl get role -n gsy
NAME         AGE
pod-reader   29s
5.6 Create the RoleBinding
RoleBinding: binds a role to a subject.
Think of it as: create a user named gsy who holds the Role pod-reader in K8S, and pod-reader's permissions are:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- Write the yaml file that creates the RoleBinding
[root@master1 ~]# vim rbac-rolebinding-1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: gsy
subjects:
- kind: User
  name: gsy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
- Apply the yaml file
[root@master1 ~]# kubectl apply -f rbac-rolebinding-1.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
- Check the result
[root@master1 ~]# kubectl get role,rolebinding -n gsy
NAME                                        AGE
role.rbac.authorization.k8s.io/pod-reader   3m15s

NAME                                              AGE
rolebinding.rbac.authorization.k8s.io/read-pods   21s
3.7 Create a certificate for the user gsy
[root@master1 ~]# mkdir gsy
[root@master1 ~]# cd gsy/
[root@master1 gsy]# vim rbac-gsy.sh
# The CN of the client certificate is the username the API server sees; gsy has
# no "O" field, so the certificate carries no group membership.
cat > gsy-csr.json <<EOF
{
  "CN": "gsy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# Sign the client certificate with the cluster CA.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes gsy-csr.json | cfssljson -bare gsy
# Build a kubeconfig for gsy: cluster, credentials, context, then select the context.
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://192.168.247.100:6443 \
  --kubeconfig=gsy-kubeconfig
kubectl config set-credentials gsy \
  --client-key=gsy-key.pem \
  --client-certificate=gsy.pem \
  --embed-certs=true \
  --kubeconfig=gsy-kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=gsy \
  --kubeconfig=gsy-kubeconfig
kubectl config use-context default --kubeconfig=gsy-kubeconfig
3.8 Copy the cluster's CA certificate and related material into the gsy directory
[root@master1 gsy]# cp /root/k8s/k8s-cert/ca* .
[root@master1 gsy]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  rbac-gsy.sh
- Run the certificate script
Note: if the file was written on Windows first and then copied to Linux, convert it with the dos2unix tool: dos2unix <filename>.
Practically every file dragged from Windows to Linux needs a dos2unix pass.
[root@master1 gsy]# ll
total 24
-rw-r--r--. 1 root root  294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root  263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root  826 May 21 12:08 rbac-gsy.sh
[root@master1 gsy]# bash rbac-gsy.sh
2020/05/21 12:11:20 [INFO] generate received request
2020/05/21 12:11:20 [INFO] received CSR
2020/05/21 12:11:20 [INFO] generating key: rsa-2048
2020/05/21 12:11:20 [INFO] encoded CSR
2020/05/21 12:11:20 [INFO] signed certificate with serial number 381291725503683566914286086248484446753078376014
2020/05/21 12:11:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "gsy" set.
Context "default" created.
Switched to context "default".
- Check the result
[root@master1 gsy]# ll
total 48
-rw-r--r--. 1 root root  294 May 21 12:05 ca-config.json
-rw-r--r--. 1 root root 1001 May 21 12:05 ca.csr
-rw-r--r--. 1 root root  263 May 21 12:05 ca-csr.json
-rw-------. 1 root root 1675 May 21 12:05 ca-key.pem
-rw-r--r--. 1 root root 1359 May 21 12:05 ca.pem
-rw-r--r--. 1 root root  948 May 21 12:11 gsy.csr
-rw-r--r--. 1 root root  176 May 21 12:11 gsy-csr.json
-rw-------. 1 root root 1679 May 21 12:11 gsy-key.pem
-rw-------. 1 root root 6181 May 21 12:11 gsy-kubeconfig
-rw-r--r--. 1 root root 1342 May 21 12:11 gsy.pem
-rw-r--r--. 1 root root  826 May 21 12:08 rbac-gsy.sh
3.9 Inspect gsy's kubeconfig
[root@master1 gsy]# cat gsy-kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVYk55WXFBQ2RjTW4rK0lKOVRlUUNpbUFGRU9Jd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEl3TURRek1EQXhOVGt3TUZvWERUSTFNRFF5T1RBeE5Ua3dNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbGFXcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbmw1WU1XeEQ5YWJjbCs3UVNRK0IKMTZxNnVOOFNXK3pWYW5nR1JiS2dmeStQN05PZjhJOFBrRkFjdjFSaFNNWWxWRTVnZGZibmw0VW5nY1E3bE5mUgpIcjM1eVdGZk01SnlzNnN4TXVYZlZ3dFZFZkV5aWNiL2JCNnQwTXd0ZGpQU2hqdUNCaW9sVE5tUXkrM2FpcHZtCnhkaHJ0OVNtcXRWcDNiZjdCR29lb0tmbU1wSWxyNWZRQ2tsOC9RandDK05GK2Y5aDlvOU03UFVCZE5mUkxla0YKaU1IT0k0NnUxUW8wLzNsclFKblBqb3A5TnJBSHlVUTNzNUoybXdiUk1VTEdEWFJiNmNwWUN5L20zZTZHZU1kRwp6U051RDAzN1Q3M01QYVRXeGJPbjQvSXMyZUlpOExZWEF5amt3blRvMUk1NFcwa2hkay9yMWVFVk0yVnlSMVNZCjB3SURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVNmV0RzdvWkVnZWhTcVNqZENhWFpVM2Z1ZzlJd0h3WURWUjBqQkJnd0ZvQVU2ZXRHN29aRQpnZWhTcVNqZENhWFpVM2Z1ZzlJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHQzFWWUtyckNNS3RsYXlnZHUyCitnTGNTMXg0eGJPdlRlOG5tKysvY01QWjhlcVVJdFJEUEhYcEo5NlJ0bmM3c1Q0VXhadndJZnpIL1dSZ2tpUUsKSlVWWGU2UGN1dTZqNFFhZGdEcTN5NDcxOFg3UVBoODFGTjRXcUZpMVlXekszSmZtU3h0VDF5cTRGTUczbE5qZQplYmZXVmJ3NzhqMWxCYlNoVENGNmRVZzgwb29Nd2xicldudmdjTVZpRys4SDlKSzZjK25PWWNWOHlQUkFicitKCnRvdUFYYmNHT01oUHMvRnRhTWhaNmlmdHR3RlpKZ3hMdm1meXRkUzI2YTZQa3MwS05BTnJROUd0ajl0VmRDYkwKUVJ0YWRCcUtMWnRud1RNM3dzUlI3Ym1IQmxmQmFXOTV3dXFjSmM3NlppcDUvblZYNmRmOFZKQS8zYmhRN1BMbQpXbEU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://192.168.247.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: gsy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: gsy
  user:
    client-certificate-data: …
    client-key-data: …
3.10 Manage resources as gsy
With this kubeconfig file specified, you will find that the permissions are partly restricted.
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "gsy" cannot list resource "pods" in API group "" in the namespace "default"
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get pods -n gsy
NAME                         READY   STATUS    RESTARTS   AGE
nginxgsy1-74b78c5f6d-4q2ds   1/1     Running   0          33m
nginxgsy1-74b78c5f6d-c6zwg   1/1     Running   0          33m
nginxgsy1-74b78c5f6d-grq29   1/1     Running   0          34m
3.11 Accessing svc resources with gsy-kubeconfig is refused
[root@master1 gsy]# kubectl --kubeconfig=gsy-kubeconfig get svc -n gsy
Error from server (Forbidden): services is forbidden: User "gsy" cannot list resource "services" in API group "" in the namespace "gsy"
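The two refusals above and the successful listing in 3.10 follow directly from the Role, the RoleBinding and the certificate created earlier. As an added example that is not part of the original post or of Kubernetes' own authorizer, the Python below copies those objects from the page, derives the username and groups the API server takes from a client certificate (the CN and each O of the subject), and evaluates requests against the RBAC objects the way the authorizer does: a RoleBinding only counts inside its own namespace, a Role only grants what its rules list, and everything else is denied. It goes slightly beyond the page by also handling Group subjects and a RoleBinding that references a ClusterRole, which the page does not use; those objects in the test are constructed.

```python
import json

# CSR and RBAC objects copied from the page (JSON/YAML turned into Python dicts).
GSY_CSR_JSON = json.dumps({"CN": "gsy", "hosts": [], "key": {"algo": "rsa", "size": 2048},
                           "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing"}]})

POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "gsy", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "gsy"},
    "subjects": [{"kind": "User", "name": "gsy"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}

# Roles are keyed by (namespace, name); ClusterRoles use "" as the namespace.
ROLES = {("gsy", "pod-reader"): POD_READER_ROLE}
BINDINGS = [READ_PODS_BINDING]


def identity_from_csr(csr_json):
    """The identity kube-apiserver derives from a client cert: CN is the user, each O is a group."""
    csr = json.loads(csr_json)
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    return csr["CN"], groups


def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, attrs):
    """A rule matches when apiGroup, resource and verb are all listed (or wildcarded)."""
    return (_match(rule["apiGroups"], attrs["api_group"])
            and _match(rule["resources"], attrs["resource"])
            and _match(rule["verbs"], attrs["verb"]))


def subject_matches(subject, user, groups):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def authorize(user, groups, attrs, roles=ROLES, bindings=BINDINGS):
    """Allow if a binding in the request's namespace names the subject and its role has a matching rule."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != attrs["namespace"]:
            continue  # a RoleBinding never grants anything outside its own namespace
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        key = (binding["metadata"]["namespace"] if ref["kind"] == "Role" else "", ref["name"])
        role = roles.get(key)
        if role and any(rule_allows(rule, attrs) for rule in role["rules"]):
            return True
    return False  # RBAC is deny-by-default and has no deny rules


def gsy_can(verb, resource, namespace, api_group=""):
    """Decide a request made with the gsy kubeconfig, i.e. with the gsy client certificate."""
    user, groups = identity_from_csr(GSY_CSR_JSON)
    attrs = {"verb": verb, "resource": resource, "namespace": namespace, "api_group": api_group}
    return authorize(user, groups, attrs)


if __name__ == "__main__":
    print("list pods in gsy:", gsy_can("list", "pods", "gsy"))            # True, as in 3.10
    print("list pods in default:", gsy_can("list", "pods", "default"))    # False, as in 3.10
    print("list services in gsy:", gsy_can("list", "services", "gsy"))    # False, as in 3.11
```

The namespace check on the binding is the reason `get pods` without `-n gsy` fails: kubectl defaults to the default namespace, where no binding names gsy, so the request never reaches the rule evaluation.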
3.12 UI access
Log in to the UI as gsy.
- Find the UI's address
[root@master1 gsy]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.0.0.2     <none>        53/UDP,53/TCP   4d2h
kubernetes-dashboard   NodePort    10.0.0.237   <none>        443:30001/TCP   13d
[root@master1 gsy]# kubectl get all -n kube-system -o wide
NAME                                        READY   STATUS    RESTARTS   AGE    IP            NODE              NOMINATED NODE
pod/coredns-56684f94d6-ckxz7                1/1     Running   1          4d2h   172.17.57.3   192.168.247.143   <none>
pod/kubernetes-dashboard-7dffbccd68-l4tcd   1/1     Running   3          13d    172.17.88.2   192.168.247.144   <none>

NAME                           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE    SELECTOR
service/kube-dns               ClusterIP   10.0.0.2     <none>        53/UDP,53/TCP   4d2h   k8s-app=kube-dns
service/kubernetes-dashboard   NodePort    10.0.0.237   <none>        443:30001/TCP   13d    k8s-app=kubernetes-dashboard

NAME                                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE    CONTAINERS             IMAGES                                       SELECTOR
deployment.apps/coredns                1         1         1            1           4d2h   coredns                coredns/coredns:1.2.2                        k8s-app=kube-dns
deployment.apps/kubernetes-dashboard   1         1         1            1           13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard

NAME                                              DESIRED   CURRENT   READY   AGE    CONTAINERS             IMAGES                                       SELECTOR
replicaset.apps/coredns-56684f94d6                1         1         1       4d2h   coredns                coredns/coredns:1.2.2                        k8s-app=kube-dns,pod-template-hash=56684f94d6
replicaset.apps/kubernetes-dashboard-65f974f565   0         0         0       13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard,pod-template-hash=65f974f565
replicaset.apps/kubernetes-dashboard-7dffbccd68   1         1         1       13d    kubernetes-dashboard   siriuszg/kubernetes-dashboard-amd64:v1.8.3   k8s-app=kubernetes-dashboard,pod-template-hash=7dffbccd68
- Open 192.168.247.144:30001
3.13 Logging in with a token: first give gsy a token
First look at the existing tokens.
Tokens are stored as Secret resources.
[root@master1 gsy]# kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
coredns-token-lszn8                kubernetes.io/service-account-token   3      4d2h
dashboard-admin-token-dmlzw        kubernetes.io/service-account-token   3      13d
default-token-w9vck                kubernetes.io/service-account-token   3      21d
kubernetes-dashboard-certs         Opaque                                11     13d
kubernetes-dashboard-key-holder    Opaque                                2      13d
kubernetes-dashboard-token-7dhnw   kubernetes.io/service-account-token   3      13d
[root@master1 gsy]# kubectl describe secret dashboard-admin-token-dmlzw -n kube-system
Name:         dashboard-admin-token-dmlzw
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 34604321-90de-11ea-a668-000c29db840b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.….iK6wXehw9ZlK4Qjln4uiPR5Ww1K14t23rvJ-pmn56ynHw1KXow1Pg1Qi2hUY01ncCBjbyjaJBtcVNez-XFr7VQXO7lCPbnxlXat0euD2Qg8DPy-PQBnyAd2Jgh_y1e_OIgcrMowhyKUhkqaNPxDG4HWUqIFzcnHdaxOtCPZQ3GTV8XfoAe4aLemCdIHsZHoCeWKbwFJgnczvbBnzyZ0w91JdoAYK6xVc-fpVz4Pin5IodQ81TOFS2uwLyTQ8aGyrK-HuOs-mTPqDMBS8fWvsJttRtgI2UUwdsSodxEgRREXWUNg15swcVVF9_fiO7wsoXk7IhXAaAnNCd7gIF419Lw
- Write the yaml file
Create a K8S system account named pod-reader and bind that system account to the role (the permissions).
A serviceaccount can be thought of as a program's user account.
[root@master1 gsy]# vim sa.yaml    # sets up the permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: gsy
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-read-pods
  namespace: gsy
subjects:
- kind: ServiceAccount
  name: pod-reader
roleRef:    # roleRef: the rule set being bound
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
- Apply the file
[root@master1 gsy]# kubectl apply -f sa.yaml
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created
- Check the result
[root@master1 gsy]# kubectl get sa -n gsy
NAME         SECRETS   AGE
default      1         46m
pod-reader   1         18s
3.14 Inspect the generated token
[root@master1 gsy]# kubectl describe secret pod-reader -n gsy
Name:         pod-reader-token-g748p
Namespace:    gsy
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-reader
              kubernetes.io/service-account.uid: 51718e1a-9b1b-11ea-a668-000c29db840b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  3 bytes
token:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJnc3kiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicG9kLXJlYWRlci10b2tlbi1nNzQ4cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwb2QtcmVhZGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE3MThlMWEtOWIxYi0xMWVhLWE2NjgtMDAwYzI5ZGI4NDBiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmdzeTpwb2QtcmVhZGVyIn0.Qpskpt__S1e6Bk2u1CBKw2ZGi737EQhLgNems2c3AcvfEENS8XIVlb-5rixsd9c_Do9IA_hzVf47nFEqWuuGae8-wYNloknq0Qa0tQd6jsPH8W_r8n807YDwO7l0WB_j1_-XVxSxntHr3tZZqErIkgUCylLQESvftXBnVcHWHnVIj5-daKfWi-stM7UeRf2QGND5gntNeSyzXMI427dgDFrUNYr7kKcgVhOzHRI1W8L0gknWAHkDOXkNAn-ABSd_lGuoRlNxpsFkPz_MuSvI1Wk6fYdZZKqWDrBgSIlZ0EGrQ5YUIs22V9CTW3WgzqzDWaZX1sCamJFuyQNdW6pEsg
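The value printed under token: is a JWT, so its claims can be read without the cluster. As an added example that is not part of the original post, the Python below decodes the header and claims of the token shown above (copied from the page) without verifying the signature, which only the API server holding the key behind --service-account-key-file can do, and reports which ServiceAccount, namespace and Secret it belongs to and whether it carries an expiry. Secret-based tokens of this generation carry none, so one that leaks stays valid until the Secret or the ServiceAccount is deleted.

```python
import base64
import json

# The pod-reader token printed by `kubectl describe secret` above, copied from the page.
PAGE_SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9"
    ".eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJnc3kiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicG9kLXJlYWRlci10b2tlbi1nNzQ4cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJwb2QtcmVhZGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTE3MThlMWEtOWIxYi0xMWVhLWE2NjgtMDAwYzI5ZGI4NDBiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmdzeTpwb2QtcmVhZGVyIn0"
    ".Qpskpt__S1e6Bk2u1CBKw2ZGi737EQhLgNems2c3AcvfEENS8XIVlb-5rixsd9c_Do9IA_hzVf47nFEqWuuGae8-wYNloknq0Qa0tQd6jsPH8W_r8n807YDwO7l0WB_j1_-XVxSxntHr3tZZqErIkgUCylLQESvftXBnVcHWHnVIj5-daKfWi-stM7UeRf2QGND5gntNeSyzXMI427dgDFrUNYr7kKcgVhOzHRI1W8L0gknWAHkDOXkNAn-ABSd_lGuoRlNxpsFkPz_MuSvI1Wk6fYdZZKqWDrBgSIlZ0EGrQ5YUIs22V9CTW3WgzqzDWaZX1sCamJFuyQNdW6pEsg"
)


def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sa_token(token):
    """Decode a service account JWT's header and claims WITHOUT verifying the signature.

    Meant for triage (which account does a token found in a log or an image
    belong to?), never as an authentication decision: only the API server can
    check the RS256 signature against its service-account key.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "expires": claims.get("exp"),
        # Secret-based tokens of this generation carry no exp claim, so they
        # stay valid until the Secret or the ServiceAccount is deleted.
        "legacy_non_expiring": "exp" not in claims,
    }


if __name__ == "__main__":
    for key, value in inspect_sa_token(PAGE_SA_TOKEN).items():
        print("%-20s %s" % (key, value))
```

The sub claim, system:serviceaccount:gsy:pod-reader, is the username the authorizer sees, which is why the sa-read-pods RoleBinding with a ServiceAccount subject grants this token the same pod-reader permissions that the User gsy has.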
3.15 Log in
- You will find that the permissions are restricted
- Only the pods in the gsy namespace can be viewed
Title: Theory + practice: K8S security mechanisms, creating a user with the appropriate permissions (compiled by 苹果冬天).