Assigning permissions for a single namespace via a user account

1. Case description

Create a user that has permission to operate only on the pods and deployments resources in the know-system namespace, implemented by binding a ClusterRole with a RoleBinding.

General approach:

1. Generate the user's private key file

2. Generate a certificate signing request for the API server

3. Sign the user's certificate request with the CA certificate of the Kubernetes API server

4. Configure kubectl: set the cluster, create the user credentials, configure the context

5. Create the ClusterRole and RoleBinding resources

2. Create the user account

1. Create the private key file
[root@k8s-master ~]# cd /etc/kubernetes/pki/
[root@k8s-master /etc/kubernetes/pki]# (umask 077;openssl genrsa -out knowman.key 2048)
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
................+++
e is 65537 (0x10001)

2. Sign the certificate request with the API server's CA

2-1. Generate the certificate signing request; the requested user name (CN) is knowman and the group (O) is knowgroup
[root@k8s-master /etc/kubernetes/pki]# openssl req -new -key knowman.key -out knowman.csr -subj "/CN=knowman/O=knowgroup"
[root@k8s-master /etc/kubernetes/pki]# ll knowman.*
-rw-r--r-- 1 root root  915 4月  20 13:27 knowman.csr
-rw------- 1 root root 1679 4月  20 13:25 knowman.key

2-2. Issue the certificate (sign the user certificate with the apiserver's CA certificate)
[root@k8s-master /etc/kubernetes/pki]# openssl x509 -req -in knowman.csr -CA ca.crt  -CAkey ca.key  -CAcreateserial -out knowman.crt -days 3650
Signature ok
subject=/CN=knowman/O=knowgroup
Getting CA Private Key

3. Configure the cluster, user and context
# configure the cluster
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.81.210:6443
Cluster "kubernetes" set.

# configure the user credentials
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-credentials knowman --embed-certs=true --client-certificate=/etc/kubernetes/pki/knowman.crt --client-key=/etc/kubernetes/pki/knowman.key 
User "knowman" set.

# configure the context
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-context knowman@kubernetes --cluster=kubernetes --user=knowman
Context "knowman@kubernetes" created.

4. View the configured cluster information
[root@k8s-master /etc/kubernetes/pki]# kubectl config view

[screenshot: output of `kubectl config view`]

5. Switch to the knowman user
[root@k8s-master /etc/kubernetes/pki]# kubectl config use-context knowman@kubernetes
Switched to context "knowman@kubernetes".

6. Try to view the resources in the know-system namespace
[root@k8s-master /etc/kubernetes/pki]# kubectl get pod -n know-system
Error from server (Forbidden): pods is forbidden: User "knowman" cannot list resource "pods" in API group "" in the namespace "know-system"
# as shown, the user has no permission to access them yet

7. Switch to the admin user to perform the authorization
[root@k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes 
Switched to context "kubernetes-admin@kubernetes"

3. Create a ClusterRole resource to set the permissions

Create a ClusterRole that grants permissions on the resources. Because a ClusterRole is a cluster-level role, the same one can be reused many times (bound into several namespaces with separate RoleBindings).

1. Write the ClusterRole resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# vim knowman-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema and also works on 1.19
kind: ClusterRole
metadata:
  name: knowman-clusterrole
rules:                                    # define the role's rules
- apiGroups: ["", "apps"]                 # which API groups are authorized: "" is the core group, apps is the group the Deployment controller belongs to
  resources: ["pods", "deployments"]      # which resources are authorized
  verbs:                                  # the list of allowed actions
  - get
  - list
  - watch

2. Create the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl create -f knowman-clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/knowman-clusterrole created

3. View the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get clusterrole knowman-clusterrole
NAME                  CREATED AT
knowman-clusterrole   2021-04-20T06:26:20Z

4. View the resource details
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl describe clusterrole knowman-clusterrole

[screenshot: output of `kubectl describe clusterrole knowman-clusterrole`]

4. Create a RoleBinding resource to bind the user to the role

Bind the user to the ClusterRole with a RoleBinding. Because the RoleBinding lives in the know-system namespace, the ClusterRole's permissions take effect only in that namespace.

1. Write the YAML
[root@k8s-master ~/k8s_1.19_yaml/rbac]# vim knowman-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema and also works on 1.19
kind: RoleBinding
metadata:
  name: knowman-rolebinding
  namespace: know-system                  # the binding's namespace is what limits the ClusterRole's permissions to know-system
subjects:                                 # the subjects being bound
- kind: User                              # subject type is a user (matched against the CN of the client certificate)
  name: knowman                           # user name
  namespace: know-system                  # only meaningful for ServiceAccount subjects; ignored for a User, the scope comes from metadata.namespace above
  apiGroup: rbac.authorization.k8s.io
roleRef:                                  # the role being bound
  kind: ClusterRole                       # type is ClusterRole
  name: knowman-clusterrole               # role name
  apiGroup: rbac.authorization.k8s.io

2. Create the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl create -f knowman-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/knowman-rolebinding created

3. View the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get rolebinding knowman-rolebinding -n know-system
NAME                  ROLE                              AGE
knowman-rolebinding   ClusterRole/knowman-clusterrole   17s

4. View the resource details
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl describe rolebinding knowman-rolebinding -n know-system

[screenshot: output of `kubectl describe rolebinding knowman-rolebinding -n know-system`]

5. Switch to the knowman user and check the permissions

1. Switch user
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl config use-context knowman@kubernetes 
Switched to context "knowman@kubernetes".

2. View the pod/deployment resources that the user can operate on
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get pod,deployment -n know-system
NAME                                READY   STATUS    RESTARTS   AGE
pod/deploy-nginx-5cfd6fd7bd-79z4t   1/1     Running   1          6d3h
pod/deploy-nginx-5cfd6fd7bd-b67wf   1/1     Running   1          6d3h
pod/deploy-nginx-5cfd6fd7bd-qpl2w   1/1     Running   1          6d3h

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/deploy-nginx   3/3     3            3           6d5h

3. Delete a pod to check whether the user has that permission
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl delete pod deploy-nginx-5cfd6fd7bd-79z4t -n know-system
Error from server (Forbidden): pods "deploy-nginx-5cfd6fd7bd-79z4t" is forbidden: User "knowman" cannot delete resource "pods" in API group "" in the namespace "know-system"
# no permission to delete

Apart from the deployment and pod resources (and only get/list/watch on those, inside know-system), the user has no permission to operate on any other resources.
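The authorization decisions shown above (list allowed, delete forbidden, nothing outside know-system) can be reproduced offline with a small model of how the API server evaluates RBAC. This is an added example, not code from the original post: it embeds the page's two manifests as Python dicts and models only what the page uses (User subjects and a RoleBinding to a ClusterRole), so the `can_i` helper and its layout are assumptions.

```python
# Added example (not from the original post): a small model of how the API
# server evaluates the ClusterRole + RoleBinding created on this page.
# The manifests are embedded as Python dicts mirroring the page's YAML.
CLUSTER_ROLES = {
    "knowman-clusterrole": [
        {"apiGroups": ["", "apps"],
         "resources": ["pods", "deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}
# The RoleBinding in know-system referencing the ClusterRole above; the page
# creates no ClusterRoleBinding, so that list stays empty.
ROLE_BINDINGS = [
    {"namespace": "know-system",
     "subjects": [{"kind": "User", "name": "knowman"}],
     "roleRef": {"kind": "ClusterRole", "name": "knowman-clusterrole"}},
]
CLUSTER_ROLE_BINDINGS = []


def _rule_allows(rule, api_group, resource, verb):
    """A rule allows a request only if group, resource and verb all match ('*' is a wildcard)."""
    return all(want in have or "*" in have for want, have in (
        (api_group, rule["apiGroups"]),
        (resource, rule["resources"]),
        (verb, rule["verbs"])))


def _subject_matches(subjects, user, groups):
    """User subjects match the certificate CN, Group subjects match the O field(s)."""
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in subjects)


def can_i(user, groups, verb, resource, api_group="", namespace=None):
    """RBAC is allow-only: return True if any applicable binding grants the request."""
    applicable = list(CLUSTER_ROLE_BINDINGS)
    # A RoleBinding only applies to requests inside its own namespace, even when
    # it references a ClusterRole: that is what confines knowman to know-system.
    applicable += [b for b in ROLE_BINDINGS if b["namespace"] == namespace]
    for binding in applicable:
        if not _subject_matches(binding["subjects"], user, groups):
            continue
        # Only roleRef.kind == ClusterRole is modelled, as on this page.
        rules = CLUSTER_ROLES.get(binding["roleRef"]["name"], [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

On the live cluster the same questions are answered without switching contexts by `kubectl auth can-i list pods -n know-system --as=knowman --as-group=knowgroup`, which is the quickest way to audit what a binding actually grants.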
