大家好，我是博哥爱运维。在 K8s 上我们如何控制访问权限呢？答案就是 Role-based access control (RBAC)——基于角色（Role）的访问控制。RBAC 是一种根据组织中用户的角色来调节和控制对计算机或网络资源访问的方法。
在早期的 K8s 版本、RBAC 还未出现的时候，整个 K8s 的安全是较为薄弱的；有了 RBAC 后，我们可以对 K8s 集群的访问人员作非常细化的控制：控制他们能访问什么资源，以及是只读还是可以读写。目前 RBAC 是 K8s 默认的安全授权标准，所以我们非常有必要掌握 RBAC 的使用，这样才能更有力地保障 K8s 集群的安全。需要注意两点：RBAC 只负责授权（authorization），请求在此之前还要先通过认证（authentication）；而且 K8s 的 RBAC 只有"允许"规则、没有"拒绝"规则，一个主体的最终权限是绑定给它的所有规则的并集。下面我们将以生产中的实际使用来带大家了解及掌握 RBAC 的生产应用。
RBAC 里面几种资源的关系如下图，下面将用这些资源来演示生产中经典的 RBAC 应用：

                   |--- Role --- RoleBinding                    只在指定 namespace 中生效
ServiceAccount ---|
                   |--- ClusterRole --- ClusterRoleBinding      不受 namespace 限制，在整个 K8s 集群中生效

（补充：ServiceAccount 也可以通过 RoleBinding 绑定一个 ClusterRole，效果是把该 ClusterRole 的权限限制在 RoleBinding 所在的 namespace 内。）

在我看来，RBAC 在 K8s 上的用途主要分为两大类：
第一类是保证在 K8s 上运行的 Pod 服务具有相应的集群权限。例如 GitLab 的 CI/CD，它需要能访问除自身以外的其他 Pod（比如 gitlab-runner 的 Pod）的权限；再比如 gitlab-runner 的 Pod 需要拥有创建新的临时 Pod 的权限，用来构建 CI/CD 自动化流水线。这里大家没用过、不懂也没关系，先简单了解一下即可，在本课程后面基于 K8s 及 GitLab 的生产实战 CI/CD 内容中会给大家作详细实战讲解。
第二类是创建能访问 K8s 相应资源、拥有对应权限的 kube-config 配置，交给使用 K8s 的人员作为连接 K8s 的授权凭证。这类凭证本质上就是一个 ServiceAccount 的 token（下面脚本生成的是长期有效、不会自动过期的 token），发放后要像密码一样妥善保管，不再需要时应及时删除对应的 Secret 以吊销。
第一类的实战这里先暂时以早期的 Helm 2 来作下讲解。Helm 是一个快捷安装 K8s 各类资源的管理工具：通过之前给大家讲解的内容可知，一个较为完整的服务可能会存在 Deployment、Service、ConfigMap、Secret、Ingress 等资源组合使用，大家在用的过程中可能会觉得配置较为麻烦，这时候 Helm 就出现了——它把这些资源都打包封装成它自己能识别的内容，我们在安装一个服务的时候只需要作下简单的配置，一条命令即可完成上述众多资源的配置安装。Tiller 相当于 Helm 2 的服务端，它需要有权限在 K8s 中创建各类资源；在初始安装使用时如果没有配置 RBAC 权限，我们会看到如下报错：
root@node1:~# helm install stable/mysql
Error: no available release name found

这时我们可以来快速解决这个问题：创建一个 sa，并关联 K8s 自带的最高权限 ClusterRole（cluster-admin）。生产中建议不要这样做，权限太高、有安全隐患——这就和 Linux 的 root 管理帐号一样，一般都建议通过 sudo 来精细控制帐号权限。补充一点：Helm 2 的 Tiller 默认不对调用方做认证，集群内能访问到 Tiller 的任何 Pod 都可以借它以 cluster-admin 的身份操作集群，所以这种做法在生产上尤其危险；如果必须用 Helm 2，应给 Tiller 分配一个权限受限的 ServiceAccount，或直接升级到无 Tiller 的 Helm 3。
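# Quick fix for Helm 2 / Tiller: give Tiller its own ServiceAccount in
# kube-system and bind it to the built-in cluster-admin ClusterRole.
#
# WARNING: cluster-admin is unrestricted. In a default Helm 2 install Tiller
# does not authenticate its callers, so this effectively hands cluster-admin
# to every workload that can reach Tiller inside the cluster. Use a scoped
# ClusterRole/Role for Tiller in production, as the article itself advises.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule \
    --clusterrole=cluster-admin \
    --serviceaccount=kube-system:tiller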
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

第二类，我这里就直接以我在生产中实施的完整脚本来做讲解及实战，相信会给大家带来一个全新的学习感受，并能很快掌握它们。
创建对整个集群有只读权限的 kube-config。注意：下面的脚本用的是 ClusterRole + ClusterRoleBinding，作用范围是整个集群而不是某一个 namespace；规则里故意没有 secrets，但 configmaps 和 pods/log 仍然可读，这两处经常会无意间放入凭证，发放这种"只读"凭证前要心里有数。
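#!/bin/bash
# Create a cluster-wide read-only kubeconfig for a human operator.
#
# Usage: ./<script> CLUSTERNAME ENDPOINT
#   CLUSTERNAME  label used in every object and file name created here
#   ENDPOINT     API server host[:port]; an https:// prefix is stripped
#
# What it does:
#   1. creates ServiceAccount all-readonly-<CLUSTERNAME> in kube-system,
#      a token Secret for it, and a ClusterRole/ClusterRoleBinding granting
#      get/list/watch on the listed resources (secrets deliberately absent);
#   2. waits for the token controller to fill the Secret, then writes
#      kube_config/<CLUSTERNAME>-all-readonly.conf next to this script.
#
# Security notes:
#   * The token is a legacy, non-expiring ServiceAccount token
#     (kubernetes.io/service-account-token Secret). Revoke it by deleting the
#     Secret. On >=1.24 prefer `kubectl create token --duration=...` when the
#     workflow can live with short-lived credentials.
#   * "read-only" still exposes configmaps and pods/log, which often carry
#     credentials; keep secrets out of both or trim the rule set.
#   * The written kubeconfig *is* the credential: it is created with mode 600
#     (umask 077) and must be handed to its owner over a secure channel.
set -euo pipefail

export KUBECONFIG=/root/.kube/config
BASEDIR=$(dirname "$0")
folder="$BASEDIR/kube_config"

echo -e "All namespaces is here: \n$(kubectl get ns | awk 'NR!=1{print $1}')"
echo "endpoint server if local network you can use $(kubectl cluster-info | awk '/Kubernetes/{print $NF}')"

clustername=${1:-}
# accept "https://host:port" as well as "host:port"
endpoint=$(echo "${2:-}" | sed -e 's,https\?://,,g')
if [[ -z "$endpoint" || -z "$clustername" ]]; then
    echo "Use $(basename "$0") CLUSTERNAME ENDPOINT" >&2
    exit 1
fi

# The token Secret is created explicitly because, since Kubernetes 1.24,
# ServiceAccount token Secrets are no longer generated automatically:
# https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
kubectl apply -f - <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: all-readonly-${clustername}
  namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: all-readonly-secret-sa-${clustername}-user
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: all-readonly-${clustername}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: all-readonly-${clustername}
rules:
  # core group - no "secrets" on purpose; configmaps and pods/log are still
  # readable, so anything sensitive stored there is visible to the holder
  - apiGroups: [""]
    resources:
      - configmaps
      - endpoints
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - nodes
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - controllerrevisions
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["get", "list", "watch"]
  # "extensions" is gone from modern API servers; kept for old clusters,
  # rules for resources that do not exist are simply never matched
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs: ["get", "list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["get", "list", "watch"]
  # ingresses added here: on >=1.22 they only exist under networking.k8s.io,
  # the extensions entry above no longer grants anything for them
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
      - networkpolicies
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: all-readonly-${clustername}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: all-readonly-${clustername}
subjects:
  - kind: ServiceAccount
    name: all-readonly-${clustername}
    namespace: kube-system
EOF

# everything written from here on is owner-only (directory and kubeconfig)
umask 077
mkdir -p "$folder"

# pre-1.24 the auto-created secret could be found via .secrets[0].name on the
# ServiceAccount; the name is now fixed by the manifest above
tokenName="all-readonly-secret-sa-${clustername}-user"

# The token controller fills .data.token asynchronously after the Secret is
# created, so reading it straight after `kubectl apply` races and may yield
# an empty token. Poll for a bounded time instead.
token=""
for ((i = 0; i < 30; i++)); do
    token=$(kubectl get secret "$tokenName" -n kube-system -o jsonpath='{.data.token}' 2>/dev/null | base64 --decode || true)
    [[ -n "$token" ]] && break
    sleep 1
done
if [[ -z "$token" ]]; then
    echo "token for secret $tokenName was not populated; is the token controller running?" >&2
    exit 1
fi
certificate=$(kubectl get secret "$tokenName" -n kube-system -o jsonpath="{.data['ca\.crt']}")
if [[ -z "$certificate" ]]; then
    echo "ca.crt missing from secret $tokenName" >&2
    exit 1
fi

# Authentication is by bearer token only. The original script also emitted
# "client-key-data: <ca.crt>", which is not a client key at all (it is the
# CA certificate) and is never used; it has been dropped.
conf="$folder/${clustername}-all-readonly.conf"
cat > "$conf" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - cluster:
      certificate-authority-data: ${certificate}
      server: https://${endpoint}
    name: all-readonly-${clustername}
users:
  - name: all-readonly-${clustername}
    user:
      token: ${token}
contexts:
  - context:
      cluster: all-readonly-${clustername}
      user: all-readonly-${clustername}
    name: ${clustername}
current-context: ${clustername}
EOF
chmod 600 "$conf"
echo "read-only kubeconfig written to $conf (mode 600) - deliver it over a secure channel"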
创建对指定 namespace 有所有权限的 kube-config（在已有的 namespace 中创建）。注意权限范围：该 Role 对核心组资源给的是 *，包括该 namespace 内的 secrets、serviceaccounts（及 serviceaccounts/token）和 pods/exec，所以拿到此凭证的人实际上能读取该 namespace 内的所有 Secret，并可以用该 namespace 内任意 ServiceAccount 的身份运行 Pod；不过规则里没有 rbac.authorization.k8s.io，持有者不能给自己或别人再授权，也不能越出这个 namespace。
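#!/bin/bash
# Create a kubeconfig with full control over ONE existing namespace.
#
# Usage: ./<script> NAMESPACE ENDPOINT
#   NAMESPACE  an existing namespace; objects and the kubeconfig are named
#              after it
#   ENDPOINT   API server host[:port]; an https:// prefix is stripped
#
# What it does:
#   1. creates ServiceAccount <NAMESPACE>-user, a token Secret for it, and a
#      Role/RoleBinding in that namespace granting every verb on every
#      resource of the core, extensions, apps, metrics.k8s.io and
#      networking.k8s.io groups plus batch jobs/cronjobs;
#   2. waits for the token controller to fill the Secret, then writes
#      kube_config/<NAMESPACE>.kube.conf next to this script.
#
# Security notes:
#   * "*" on the core group includes secrets, serviceaccounts,
#     serviceaccounts/token, pods/exec and pods/portforward: the holder can
#     read every Secret in the namespace and run Pods as any ServiceAccount
#     that lives there. rbac.authorization.k8s.io is NOT granted, so the
#     holder cannot widen its own rights, and nothing reaches outside the
#     namespace.
#   * The token is a legacy, non-expiring ServiceAccount token. Revoke it by
#     deleting the Secret. On >=1.24 prefer `kubectl create token` where
#     short-lived credentials are acceptable.
#   * The written kubeconfig *is* the credential: mode 600, deliver securely.
set -euo pipefail

export KUBECONFIG=/root/.kube/config
BASEDIR=$(dirname "$0")
folder="$BASEDIR/kube_config"

echo -e "All namespaces is here: \n$(kubectl get ns | awk 'NR!=1{print $1}')"
echo "endpoint server if local network you can use $(kubectl cluster-info | awk '/Kubernetes/{print $NF}')"

namespace=${1:-}
# accept "https://host:port" as well as "host:port"
endpoint=$(echo "${2:-}" | sed -e 's,https\?://,,g')
if [[ -z "$endpoint" || -z "$namespace" ]]; then
    echo "Use $(basename "$0") NAMESPACE ENDPOINT" >&2
    exit 1
fi
# the script targets an existing namespace; fail early with a clear message
# instead of letting the first object creation below error out
if ! kubectl get namespace "$namespace" >/dev/null 2>&1; then
    echo "namespace '$namespace' does not exist; create it first" >&2
    exit 1
fi

# The token Secret is created explicitly because, since Kubernetes 1.24,
# ServiceAccount token Secrets are no longer generated automatically:
# https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
kubectl apply -f - <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${namespace}-user
  namespace: ${namespace}
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-sa-${namespace}-user
  namespace: ${namespace}
  annotations:
    kubernetes.io/service-account.name: ${namespace}-user
type: kubernetes.io/service-account-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${namespace}-user-full-access
  namespace: ${namespace}
rules:
  # every verb on every resource of these groups, secrets and pods/exec
  # included; scoped to this namespace by virtue of being a Role
  - apiGroups: ["", "extensions", "apps", "metrics.k8s.io", "networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # name kept for compatibility with existing clusters; note it binds
  # full access, not a view role
  name: ${namespace}-user-view
  namespace: ${namespace}
subjects:
  - kind: ServiceAccount
    name: ${namespace}-user
    namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${namespace}-user-full-access
EOF

# everything written from here on is owner-only (directory and kubeconfig)
umask 077
mkdir -p "$folder"

# pre-1.24 the auto-created secret could be found via .secrets[0].name on the
# ServiceAccount; the name is now fixed by the manifest above
tokenName="secret-sa-${namespace}-user"

# The token controller fills .data.token asynchronously after the Secret is
# created, so reading it straight after `kubectl apply` races and may yield
# an empty token. Poll for a bounded time instead.
token=""
for ((i = 0; i < 30; i++)); do
    token=$(kubectl get secret "$tokenName" -n "$namespace" -o jsonpath='{.data.token}' 2>/dev/null | base64 --decode || true)
    [[ -n "$token" ]] && break
    sleep 1
done
if [[ -z "$token" ]]; then
    echo "token for secret $tokenName was not populated; is the token controller running?" >&2
    exit 1
fi
certificate=$(kubectl get secret "$tokenName" -n "$namespace" -o jsonpath="{.data['ca\.crt']}")
if [[ -z "$certificate" ]]; then
    echo "ca.crt missing from secret $tokenName" >&2
    exit 1
fi

# Authentication is by bearer token only. The original script also emitted
# "client-key-data: <ca.crt>", which is not a client key (it is the CA
# certificate) and is never used; it has been dropped.
conf="$folder/${namespace}.kube.conf"
cat > "$conf" <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - cluster:
      certificate-authority-data: ${certificate}
      server: https://${endpoint}
    name: ${namespace}-cluster
users:
  - name: ${namespace}-user
    user:
      token: ${token}
contexts:
  - context:
      cluster: ${namespace}-cluster
      namespace: ${namespace}
      user: ${namespace}-user
    name: ${namespace}
current-context: ${namespace}
EOF
chmod 600 "$conf"
echo "kubeconfig for namespace '$namespace' written to $conf (mode 600) - deliver it over a secure channel"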
在已有 sa 上附加其他命名空间的权限。RBAC 的权限是叠加的，所以只需在目标 namespace 里再创建一个 Role 和 RoleBinding，RoleBinding 的 subject 指向原 namespace 里的那个 ServiceAccount 即可；已经发出去的 kube-config 不用重新生成，新权限对其立即生效。
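# The ServiceAccount test-a-user (created in namespace test-a by the script
# above) by default controls only test-a. This Role + RoleBinding, applied in
# namespace test-b, lets the same ServiceAccount control test-b as well.
# The RoleBinding lives in test-b while its subject names the ServiceAccount's
# own namespace (test-a); the kubeconfig already issued for test-a-user does
# not need to be regenerated, RBAC is evaluated on every request.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-b-user-full-access
  namespace: test-b
rules:
  # every verb on every resource of these groups inside test-b, secrets,
  # serviceaccounts and pods/exec included; no rbac.authorization.k8s.io,
  # so the holder cannot grant further rights
  - apiGroups: ["", "extensions", "apps", "metrics.k8s.io", "networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-b-user-full-access-both-test-a-user
  namespace: test-b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-b-user-full-access
subjects:
  - kind: ServiceAccount
    name: test-a-user
    namespace: test-a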