RBAC聚合

原创

Super孙文波 2021-01-17 01:21:41 博主文章分类：kubernetes ©著作权

文章标签 kubernetes rbac聚合 rbac权限管理 文章分类 运维

©著作权归作者所有：来自51CTO博客作者Super孙文波的原创作品，请联系作者获取转载授权，否则将追究法律责任

一个例子我们想要达到的目的：限制该用户只能查看集群的资源，并且能够查看监控图（monitoring）

role文件

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
  namespace: monitoring
rules:
- apiGroups:
  - ""
  resources:
  - pods/proxy
  - services/proxy
  verbs:
  - get
  - list
  - watch

roleBinding文件

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper

clusterRoleBinding文件

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: aideveloper-view-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper
	```

接下来需要看怎么把monitoring这个只读角色聚合到view中?

如果我们要实现让一个用户既能查看集群所有资源，又能查看集群的监控信息，那么就需要给某个user做两次roleBinding。那么问题来了：如果我们需要的权限比较复杂，比如有几十种，那么要写几十个roleBinding吗？肯定不会那么蠢。从k8s1.9开始，就有一个rbac的聚合机制——aggregate。  
  

聚合的方法是通过matchLabels（即rbac.example.com/aggregate-to-monitoring: "true"），来匹配所有metadata符合该label的ClusterRole。aggregationRule不需要配置 rules 段，它是由controller收集所有匹配的ClusterRole的rules后填充的。
  
比如：

kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: roleTest001 aggregationRule: clusterRoleSelectors:

matchLabels: rbac.authorization.k8s.io/aggregate-to-roletest001: "true" rules: [] # Rules are automatically filled in by the controller manager.

创建新的符合matchLabel的clusterRole，controller会将新的rules添加到aggregationRule。如下会将roleTest002的rules添加到上面的ClusterRoleroleTest001，因此这里的rule是不需要填写的。

kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: roleTest002 labels: rbac.authorization.k8s.io/aggregate-to-roletest001: "true"

These rules will be added to the "monitoring" role.

rules:

apiGroups: [""] Resources: ["services", "endpoints", "pods"] verbs: ["get", "list", "watch"]

那么我们现在就可以改良上一篇做的RBAC了——我们只需要把monitoring的权限内容聚合到view中，然后只需要给aideveloper这个user分配view这个role即可。就算后面有100个错综复杂的权限，我们也只需要加标签即可，无需再过多的写roleBinding。
  
首先，我们查看一下view这个role的属性：

kubectl edit clusterrole view aggregationRule: clusterRoleSelectors:

matchLabels: rbac.authorization.k8s.io/aggregate-to-view: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: "2021-01-06T10:11:00Z" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" managedFields:
apiVersion: rbac.authorization.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:aggregationRule: .: {} f:clusterRoleSelectors: {} f:metadata: f:annotations: .: {} f:rbac.authorization.kubernetes.io/autoupdate: {} f:labels: .: {} f:kubernetes.io/bootstrapping: {} f:rbac.authorization.k8s.io/aggregate-to-edit: {} manager: kube-apiserver operation: Update time: "2021-01-06T10:11:00Z"
apiVersion: rbac.authorization.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:rules: {} manager: kube-controller-manager operation: Update time: "2021-01-07T05:56:44Z" name: view


我们惊喜的发现，这个view天生可聚合——包含aggregationRule。这里我们看到 rbac.authorization.k8s.io/aggregate-to-view: "true" 这个aggregationRule，因此我们把之前做好的monitoring的role里面，加上 rbac.authorization.k8s.io/aggregate-to-view: "true" 标签即可。

apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: aideveloper-role namespace: monitoring labels: rbac.authorization.k8s.io/aggregate-to-view: "true" rules: