Granting permissions on a single Namespace through a user account
1. Case description
Create a user that only has permission to operate on the pods and deployments resources in the know-system namespace, implemented by using a RoleBinding to bind a ClusterRole.
General approach:
1. Generate the user's private key file
2. Generate a certificate signing request for the user
3. Sign the user's certificate request with the CA certificate of the k8s API server
4. Configure k8s: set the cluster, create the user, configure the context
5. Create the ClusterRole and RoleBinding resources
2. Creating the user account
1. Create the key file
[root@k8s-master ~]# cd /etc/kubernetes/pki/
[root@k8s-master /etc/kubernetes/pki]# (umask 077;openssl genrsa -out knowman.key 2048)
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
................+++
e is 65537 (0x10001)
2. Sign the certificate request with the apiserver's certificate
2-1. Create the certificate signing request; the requested user name is knowman and the group is knowgroup
[root@k8s-master /etc/kubernetes/pki]# openssl req -new -key knowman.key -out knowman.csr -subj "/CN=knowman/O=knowgroup"
[root@k8s-master /etc/kubernetes/pki]# ll knowman.*
-rw-r--r-- 1 root root 915 4月 20 13:27 knowman.csr
-rw------- 1 root root 1679 4月 20 13:25 knowman.key
2-2. Issue the certificate (sign the user certificate with the apiserver's CA certificate)
[root@k8s-master /etc/kubernetes/pki]# openssl x509 -req -in knowman.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out knowman.crt -days 3650
Signature ok
subject=/CN=knowman/O=knowgroup
Getting CA Private Key
3. Configure the cluster, user and context information
# configure the cluster
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.81.210:6443
Cluster "kubernetes" set.
# configure the user credentials
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-credentials knowman --embed-certs=true --client-certificate=/etc/kubernetes/pki/knowman.crt --client-key=/etc/kubernetes/pki/knowman.key
User "knowman" set.
# configure the context
[root@k8s-master /etc/kubernetes/pki]# kubectl config set-context knowman@kubernetes --cluster=kubernetes --user=knowman
Context "knowman@kubernetes" created.
4. View the configured cluster information
[root@k8s-master /etc/kubernetes/pki]# kubectl config view
5. Switch to the knowman user
[root@k8s-master /etc/kubernetes/pki]# kubectl config use-context knowman@kubernetes
Switched to context "knowman@kubernetes".
6. Try to view the resources in the know-system namespace
[root@k8s-master /etc/kubernetes/pki]# kubectl get pod -n know-system
Error from server (Forbidden): pods is forbidden: User "knowman" cannot list resource "pods" in API group "" in the namespace "know-system"
# as shown, the user has no permission to access them yet
7. Switch back to the admin user to grant permissions
[root@k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes"
3. Creating the ClusterRole resource to set permissions
Create a ClusterRole that grants permissions on the resources. Because a ClusterRole is a cluster-scoped role, it can be reused many times.
1. Write the ClusterRole resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# vim knowman-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: knowman-clusterrole
rules:                                # define the role's rules
- apiGroups: ["", "apps"]             # which API groups are authorized: "" is the core group, apps is the group the deployment controller belongs to
  resources: ["pods", "deployments"]  # which resources are authorized
  verbs:                              # the list of permitted actions
  - get
  - list
  - watch
2. Create the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl create -f knowman-clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/knowman-clusterrole created
3. View the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get clusterrole knowman-clusterrole
NAME CREATED AT
knowman-clusterrole 2021-04-20T06:26:20Z
4. View the resource's details
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl describe clusterrole knowman-clusterrole
4. Creating the RoleBinding resource to bind the user to the role
Bind the user to the cluster role with a RoleBinding
1. Write the yaml
[root@k8s-master ~/k8s_1.19_yaml/rbac]# vim knowman-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: knowman-rolebinding
  namespace: know-system              # the binding lives in know-system, so the role's rules only apply there
subjects:                             # the subjects (users) being bound
- kind: User                          # the subject type is a user
  name: knowman                       # user name
  namespace: know-system              # has no effect for a User subject; only ServiceAccount subjects are namespaced
  apiGroup: rbac.authorization.k8s.io
roleRef:                              # the role being bound
  kind: ClusterRole                   # the role type is ClusterRole
  name: knowman-clusterrole           # role name
  apiGroup: rbac.authorization.k8s.io
2. Create the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl create -f knowman-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/knowman-rolebinding created
3. View the resource
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get rolebinding knowman-rolebinding -n know-system
NAME ROLE AGE
knowman-rolebinding ClusterRole/knowman-clusterrole 17s
4. View the resource's details
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl describe rolebinding knowman-rolebinding -n know-system
5. Switching to the knowman user to check the permissions
1. Switch users
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl config use-context knowman@kubernetes
Switched to context "knowman@kubernetes".
2. View the pod/deployment resources the user is allowed to operate on
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl get pod,deployment -n know-system
NAME READY STATUS RESTARTS AGE
pod/deploy-nginx-5cfd6fd7bd-79z4t 1/1 Running 1 6d3h
pod/deploy-nginx-5cfd6fd7bd-b67wf 1/1 Running 1 6d3h
pod/deploy-nginx-5cfd6fd7bd-qpl2w 1/1 Running 1 6d3h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/deploy-nginx 3/3 3 3 6d5h
3. Try to delete a pod to check whether there is permission
[root@k8s-master ~/k8s_1.19_yaml/rbac]# kubectl delete pod deploy-nginx-5cfd6fd7bd-79z4t -n know-system
Error from server (Forbidden): pods "deploy-nginx-5cfd6fd7bd-79z4t" is forbidden: User "knowman" cannot delete resource "pods" in API group "" in the namespace "know-system"
# no permission to delete
Apart from the deployment and pod resources, the user has no permission to operate on any other resources.
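To make the authorization decisions observed above concrete, here is an added example (not code from the post or from Kubernetes itself): a miniature model of the RBAC evaluation, with the ClusterRole rules and the RoleBinding transcribed from the YAML above. It shows why the same ClusterRole, referenced from a RoleBinding, only grants access inside know-system, and why delete and other resources are refused.

```python
# Added illustration, not code from the post or from Kubernetes: a miniature
# model of the RBAC decision, with rules and binding transcribed from the YAML.

# ClusterRole knowman-clusterrole; a rule is apiGroups x resources x verbs
CLUSTER_ROLES = {
    "knowman-clusterrole": [
        {"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBinding knowman-rolebinding in know-system, referencing the ClusterRole.
# namespace=None would model a ClusterRoleBinding (applies in every namespace).
BINDINGS = [
    {"namespace": "know-system",
     "subjects": [{"kind": "User", "name": "knowman"}],
     "roleRef": "knowman-clusterrole"},
]

def _rule_matches(rule, group, resource, verb):
    """Every dimension of the rule must match; '*' is a wildcard."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def _subject_matches(subject, user, groups):
    # The CSR's O=knowgroup arrives as a group, so Group subjects would also apply.
    if subject["kind"] == "User":
        return subject["name"] == user
    return subject["kind"] == "Group" and subject["name"] in groups

def can_i(user, verb, resource, namespace, group="", groups=()):
    """Answer like `kubectl auth can-i`; group "" is the core API group."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ns = binding["namespace"]
        if ns is not None and ns != namespace:
            continue  # a RoleBinding has no effect outside its own namespace
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(_rule_matches(r, group, resource, verb) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access

if __name__ == "__main__":
    for verb, res, ns in [("list", "pods", "know-system"),
                          ("delete", "pods", "know-system"), ("list", "pods", "default")]:
        print(f"knowman {verb} {res} in {ns}:", can_i("knowman", verb, res, ns))
```

Against a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n know-system --as knowman`.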