一、概述
Kubernetes集群的所有操作基本上都是通过kube-apiserver这个组件进行的,它提供HTTP RESTful形式的API供集群内外客户端调用。这就引发了安全问题:假如别人知道你的API地址,那么你的服务器就很容易遭到恶意破坏。所以k8s 认证授权过程不支持HTTP连接到kube-apiserver。
使用kubectl cluster-info 可以看到API server的Endpoint地址,如下:

[root@k8s-master-dev ~]# kubectl cluster-info
Kubernetes master is running at https://192.168.20.79:6443
KubeDNS is running at https://192.168.20.79:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@k8s-master-dev ~]# 

对APIServer的访问要经过的三个步骤,前面两个是认证和授权,第三个是 Admission Control,它也能在一定程度上提高安全性,不过更多是资源管理方面的作用。

client --> | authentication(认证 验证用户名与密码是否正确)
          | authorization (授权 控制当前用户的权限)
          | admissionControl (资源依赖、关联及环境检查)      --> Resources

k8s模块化程度非常高,认证、授权、准入控制都是由用户指定某种插件实现相应功能。

Authentication
kubernetes提供了多种认证方式,比如客户端证书、静态token、静态密码文件、ServiceAccountTokens等等,都是以插件(plugin)的形式由用户指定。可以同时指定使用一种或多种认证方式。client 经过任何一种plugin的成功认证 即表示认证成功,无需再经过其它额外认证。
常见如下两种:
1) token(例预共享密钥,是通过http首部Restful方式传递密钥)
2) SSL/TLS(authentication、双向身份验证、https通信)

Authorization
k8s 1.6之后支持 RBAC、node、ABAC、webhook等plugins。 RBAC(Role-Based Access)只有许可授权(默认拒绝所有),kubeadm安装的k8s默认都是使用RBAC的授权。 RBAC让集群管理员可以针对特定使用者或服务账号的角色,进行更精确的资源访问控制。在RBAC中,权限与角色相关联,用户通过成为适当角色的成员而得到这些角色的权限。这就极大地简化了权限的管理。在一个组织中,角色是为了完成各种工作而创造,用户则依据它的责任和资格来被指派相应的角色,用户可以很容易地从一个角色被指派到另一个角色。

AdmissionControl
准入控制:本质上为一段准入代码,在对kubernetes api的请求过程中,顺序为:先经过认证 & 授权,然后执行准入操作,最后对目标对象进行操作。这个准入代码在api-server中,而且必须被编译到二进制文件中才能被执行。在对集群进行请求时,每个准入控制代码都按照一定顺序执行。如果有一个准入控制拒绝了此次请求,那么整个请求的结果将会立即返回,并提示用户相应的error信息。
常用组件(控制代码)如下:

  • AlwaysAdmit:允许所有请求
  • AlwaysDeny:禁止所有请求,多用于测试环境
  • ServiceAccount:它将serviceAccounts实现了自动化,它会辅助serviceAccount做一些事情,比如如果pod没有serviceAccount属性,它会自动添加一个default,并确保pod的serviceAccount始终存在
  • LimitRanger:他会观察所有的请求,确保没有违反已经定义好的约束条件,这些条件定义在namespace中LimitRange对象中。如果在kubernetes中使用LimitRange对象,则必须使用这个插件。
  • NamespaceExists:它会观察所有的请求,如果请求尝试创建一个不存在的namespace,则这个请求被拒绝

二、访问API server的方式
k8s API server 提供了丰富的Restful接口 提用户访问 。
REST request path: http://apiServerName:port/apis/apps/version_name/namespaces/default/deployments/myapp-deploy/(add/delete/edit/get)
API request verb : get/list/create/update/patch/watch/proxy/redirect/delete/deletecollection/

使用kubectl 命令时默认调用${HOME}/.kube/目录中的认证信息,但其它访问方式则不能调用这些认证信息(例curl),如果希望通过curl方式访问API server,可以使用代理功能。
在本地启用代理:

[root@k8s-master-dev ~]# ls .kube/
cache  config  http-cache
[root@k8s-master-dev ~]# kubectl proxy --port=8080
Starting to serve on 127.0.0.1:8080

然后在另一个终端使用curl 的方式访问,如下所示:

[root@k8s-master-dev ~]# curl http://localhost:8080/api/v1/namespaces
{
  "kind": "NamespaceList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces",
    "resourceVersion": "768383"
  }
    ...

[root@k8s-master-dev ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments
{
  "kind": "DeploymentList",
  "apiVersion": "apps/v1",
  "metadata": {
    "selfLink": "/apis/apps/v1/namespaces/kube-system/deployments",
    "resourceVersion": "768654"
  },
    ...

三、Authentication
哪些client需要与API server 交互?cluster 外部的client (kubectl)和cluster内部的 client(Pod)都需要与API server交互。

[root@k8s-master-dev ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)     AGE
kubernetes   ClusterIP   10.96.0.1            443/TCP     5d
mongo        ClusterIP   None                 27017/TCP   1d
[root@k8s-master-dev ~]# kubectl describe svc kubernetes
Name:              kubernetes
Namespace:         default
Labels:            component=apiserver
                   provider=kubernetes
Annotations:       
Selector:          
Type:              ClusterIP
IP:                10.96.0.1
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         192.168.20.79:6443
Session Affinity:  None
Events:            
[root@k8s-master-dev ~]#

以上显示 cluster内部的各pods 、及其它组件访问API server时使用 10.96.0.1; 而 kubectl 命令及外部访问API server时使用 172.16.20.79:6443 。

访问API server 时的认证用户也分为两类:
1) serviceAccountName (cluster内部pod客户端)
2) UserAccount (cluster外部访问)

1、serviceAccountName
ServiceAccount(服务帐户)是由Kubernetes API管理的用户。它们绑定到特定的命名空间,并由API服务器自动创建或通过API调用手动创建。服务帐户与存储为Secrets的一组证书相关联,这些凭据被挂载到pod中,以便集群进程与Kubernetes API通信。(登录dashboard时我们使用的就是ServiceAccount)
当kubernetes集群搭建好后,系统中就存在多个ServiceAccount,它们隶属于不同的名称空间,不同名称空间之间的ServiceAccount名称可以相同。通过下面的命令查看当前系统的ServiceAccount

[root@k8s-master-dev ~]# kubectl get sa
NAME      SECRETS   AGE
default   1         5d
[root@k8s-master-dev ~]#

使用kubectl get sa --all-namespaces 查看所有名称空间的sa 。
手工创建ServiceAccount,语法如下:
kubectl create serviceaccount my-service-account
例:

[root@k8s-master-dev ~]# kubectl create sa admin
serviceaccount/admin created
[root@k8s-master-dev ~]#  kubectl get sa
NAME      SECRETS   AGE
admin     1         23h
default   1         5d

ServiceAccount创建的同时会自动创建secrets,名称以account的名称为前缀。例:

[root@k8s-master-dev ~]# kubectl get secrets
NAME                  TYPE                                  DATA      AGE
admin-token-q99pz     kubernetes.io/service-account-token   3         23h
default-token-m66jg   kubernetes.io/service-account-token   3         5d
[root@k8s-master-dev ~]#

ServiceAccount中主要用于保存token,而token又属于 secrets 资源,如下:

[root@k8s-master-dev ~]# kubectl describe sa admin
Name:                admin
Namespace:           default
Labels:              
Annotations:         
Image pull secrets:  
Mountable secrets:   admin-token-q99pz
Tokens:              admin-token-q99pz
Events:              
[root@k8s-master-dev ~]#

可以使用 kubectl describe secrets admin-token-q99pz 命令查看该token的信息。例:

[root@k8s-master-dev ~]# kubectl describe secrets/admin-token-q99pz
Name:         admin-token-q99pz
Namespace:    default
Labels:       
Annotations:  kubernetes.io/service-account.name=admin
              kubernetes.io/service-account.uid=3f0f0199-4539-11e9-ac19-000c295011ce

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJ..............
[root@k8s-master-dev ~]#

每一个Pod创建的时候,都会被分配到指定的ServiceAccount下面,通常是default,也可以在编写Pod的manifest文件的时候指定。例:

[root@k8s-master-dev ~]# vim pod-sa-demo.yaml
[root@k8s-master-dev ~]# cat pod-sa-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sa-demo
  namespace: default
  labels:
    app: myapp
    tier: frontend
  annotations:
    inspiry.com/author: "cluster admin"
spec:
  containers:
  - name: myapp
    image: ikubernetes/myapp:v1
    ports:
    - name: http
      containerPort: 80
  serviceAccountName: admin
[root@k8s-master-dev ~]#  kubectl apply -f pod-sa-demo.yaml
pod/pod-sa-demo created
[root@k8s-master-dev ~]# 

在Pod创建时,相关的认证文件会被以volume的形式挂载进Pod,目的是方便在Pod里访问API SERVER(例如kubernetes的dashboard)。例:

[root@k8s-master-dev ~]# kubectl describe pods pod-sa-demo
Name:               pod-sa-demo
Namespace:          default
Priority:           0
PriorityClassName:  
Node:               k8s-node1-dev/192.168.20.78
Start Time:         Wed, 13 Mar 2019 10:41:59 +0800
Labels:             app=myapp
                    tier=frontend
Annotations:        inspiry.com/author=cluster admin
                    kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"inspiry.com/author":"cluster admin"},"labels":{"app":"myapp","tier":"frontend"},"name":"pod..."
Status:             Running
IP:                 10.244.1.107
Containers:
  myapp:
    Container ID:   docker://729b24ee03040b09a0d93a977e65e206bd434b6c35003f0fea953b661c635af2
    Image:          ikubernetes/myapp:v1
    Image ID:       docker-pullable://ikubernetes/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Wed, 13 Mar 2019 10:42:00 +0800
    Ready:          True
    Restart Count:  0
    Environment:    
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from admin-token-q99pz (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  admin-token-q99pz:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  admin-token-q99pz
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          
[root@k8s-master-dev ~]#

2、UserAccount
是用于 k8s集群 外部或独立服务 管理访问集群使用的,由管理员分配私钥。平时常用的kubectl命令就是UserAccount执行的。
kubeconfig 称为认证配置,就是为集群外部client访问k8s集群所作的认证配置。
外部用户访问k8s集群(例使用kubectl命令)时,需要配置用户访问k8s集群所用到的账户、证书、私钥、集群名、API server地址等,这些信息被存放在kubeconfig 中。
可以使用kubectl config 命令对 访问k8s集群的认证配置文件 进行各种操作。具体可参考:kubectl config --help 。
使用kubectl config view 可查看认证配置,如下所示:

[root@k8s-master-dev ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev ~]#

说明:
apiVersion: v1
clusters: [] #配置要访问的kubernetes集群名称列表。
contexts: [] #配置访问kubernetes集群的具体上下文列表。定义哪个集群被哪个用户访问
current-context: "" #配置当前使用的上下文环境
kind: Config
preferences: {}
users: [] #配置访问的用户信息列表,用户名以及证书信息 (其中REDACTED表示私密数据)

创建UserAccount所需要的访问密钥及证书,利用当前k8s的CA证书进行签名

[root@k8s-master-dev ~]# cd /etc/kubernetes/pki/
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
[root@k8s-master-dev pki]# (umask 077; openssl genrsa -out meteor.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.............+++
e is 65537 (0x10001)
[root@k8s-master-dev pki]# openssl req -new -key meteor.key -out meteor.csr -subj "/CN=meteor"
[root@k8s-master-dev pki]# openssl x509 -req -in meteor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out meteor.crt -days 365
Signature ok
subject=/CN=meteor
Getting CA Private Key
[root@k8s-master-dev pki]# openssl x509 -in meteor.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b2:d2:50:2a:92:52:e0:63
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 13 07:35:17 2019 GMT
            Not After : Mar 12 07:35:17 2020 GMT
        Subject: CN=meteor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:69:52:bd:c8:f2:43:39:3c:5e:b3:49:f7:5a:
                    29:17:1d:80:f9:b8:b1:f5:dc:1a:72:d9:96:7b:96:
                    77:bd:cc:73:ac:88:dd:be:8f:32:d5:7f:37:f7:57:
                    d8:c1:ae:bd:04:1a:5f:9f:64:8a:34:49:9b:06:96:
                    91:16:2e:1e:af:b7:9a:e0:c8:ca:1f:73:12:54:0d:
                    ff:95:c1:c0:b0:8c:e5:0c:fe:c1:20:9d:32:fb:2b:
                    09:59:7e:9b:39:17:9c:83:4f:a5:34:4a:4c:4f:e4:
                    22:ef:ee:ba:ee:80:21:49:ca:62:6c:3b:46:45:a5:
                    98:bd:37:4b:3b:b0:eb:4b:63:1a:f2:9d:1a:f9:19:
                    9d:22:43:70:83:1b:c9:a8:70:de:45:e1:9c:89:e3:
                    db:a9:41:47:83:cc:38:1e:f3:16:17:4d:91:b1:44:
                    b3:8a:ee:5f:77:aa:db:9c:de:50:c7:c2:be:9e:9d:
                    a9:ff:a6:a7:e1:0a:8d:b3:48:c5:34:e2:c3:2d:ac:
                    8c:e0:ed:fa:2c:03:7e:05:ce:df:ba:66:24:bc:4c:
                    8b:36:a1:1a:90:7b:11:3d:54:ba:22:c9:58:ce:de:
                    8a:07:3c:ca:50:df:4e:6b:e3:3b:62:77:88:99:c2:
                    a8:b5:48:f2:cd:93:20:3b:7e:46:e4:ba:ef:8d:86:
                    ac:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1c:02:98:15:57:e1:60:c7:90:7f:6d:c0:d4:2c:f5:5e:33:9e:
         c1:23:48:91:9f:8d:d1:20:4c:17:8d:c6:b5:fe:09:e7:92:5f:
         7f:5a:5a:c0:13:d7:03:4e:a9:03:be:a2:09:56:90:06:ef:47:
         94:29:13:81:61:f0:c7:9b:de:c6:89:7d:c6:43:8a:9b:89:d6:
         10:b5:cb:1e:46:16:3f:89:8f:70:4a:28:33:05:84:61:d3:ed:
         88:fd:ab:63:d4:33:c8:1b:b5:bf:36:b1:84:a4:a0:24:20:ec:
         cd:35:d1:82:57:fa:09:ff:48:07:a2:04:c3:90:2b:ba:c0:f9:
         4b:ea:2e:55:45:79:f3:d9:7c:8c:e5:08:f8:0a:b2:51:3e:11:
         16:6d:e1:ec:8c:03:f0:b6:c4:a1:77:80:22:aa:48:b1:40:e5:
         61:3d:3c:9f:cf:d3:d0:3e:e3:73:46:84:96:0d:f8:3a:4e:6f:
         cf:cd:97:ea:d6:25:98:af:3e:b7:15:f1:17:30:56:be:32:a5:
         45:bb:8d:53:bb:4c:00:ef:b2:94:5f:da:da:72:f7:da:81:09:
         3e:47:15:a0:d8:ff:79:af:9c:42:8d:da:e4:44:6f:a9:38:e0:
         b4:8d:58:fb:15:7a:39:cb:87:b7:db:fe:4a:af:8e:b7:7c:fc:
         ab:77:eb:c0
[root@k8s-master-dev pki]# ls
apiserver.crt              apiserver-kubelet-client.crt  ca.srl              front-proxy-client.crt  meteor.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  etcd                front-proxy-client.key  sa.key
apiserver-etcd-client.key  ca.crt                        front-proxy-ca.crt  meteor.crt              sa.pub
apiserver.key              ca.key                        front-proxy-ca.key  meteor.csr
[root@k8s-master-dev pki]#

创建一个访问凭证(UserAccount),并指定相应的证书及私钥
如果指定了一个已存在的名字,将合并新字段并覆盖旧字段

[root@k8s-master-dev pki]# kubectl config set-credentials meteor --client-certificate=meteor.crt --client-key=meteor.key --embed-certs=true
User "meteor" set.

修改kubeconfig(认证配置),创建一个新的Context及指定访问凭据(UserAccount)

[root@k8s-master-dev pki]# kubectl config set-context meteor@kubernetes --cluster=kubernetes --user=meteor
Context "meteor@kubernetes" created.
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:                    #上下文创建成功
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:                            #meteor用户凭据(证书)成功
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#

切换并测试新的上下文配置

[root@k8s-master-dev pki]# kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[root@k8s-master-dev pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: meteor
  name: meteor@kubernetes
current-context: meteor@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: meteor
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master-dev pki]#

[root@k8s-master-dev pki]# kubectl get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "default"
[root@k8s-master-dev pki]# 

当然也可以在当前新定义一个集群的认证配置(kubeconfig),例:
需要指定ca的证书、API service地址、隐藏证书选项、配置文件的路径(不指定默认在当前家目录),如下所示:

[root@k8s-master-dev pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.20.79:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@k8s-master-dev pki]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.20.79:6443
  name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master-dev pki]# cd

四、Authorization
当认证通过,下一步要做的就是授权,授权决定一个用户可以干什么。Kubernetes可以配置多种授权方式,其中目前使用的是RBAC(Role Based Access Control)。RBAC涉及几个重要概念,它们是: Role/ RoleBinding / ClusterRole / ClusterRoleBinding
首先必须清楚一点:授权离不开认证,授权是基于ServiceAccount/UserAccount的。Role可以理解为权限(例如get,list,update,delete,add),它决定了ServiceAccount可以干什么,RoleBinding用于把Role绑定到指定的ServiceAccount。
下图是Role的绑定
Kebernetes 学习总结(9)认证-授权-RBAC_第1张图片
ClusterRole和ClusterRoleBinding的作用一样,不同的是,它们的作用域是整个集群,而Role和RoleBinding的作用域是namespace。
Kebernetes 学习总结(9)认证-授权-RBAC_第2张图片

创建角色role

[root@k8s-master-dev ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > manifests/role-demo.yaml
[root@k8s-master-dev ~]# vim manifests/role-demo.yaml
[root@k8s-master-dev ~]# cat manifests/role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/role-demo.yaml
role.rbac.authorization.k8s.io/pods-reader created
[root@k8s-master-dev ~]#

[root@k8s-master-dev ~]# kubectl get roles
NAME          AGE
pods-reader   14m
[root@k8s-master-dev ~]# kubectl describe roles/pods-reader
Name:         pods-reader
Labels:       
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pods-reader","namespace":"default"},"rules":[{"apiGroup..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#

创建角色绑定rolebinding,并绑定用户到角色

[root@k8s-master-dev ~]# kubectl create rolebinding meteor-read-pods --role=pods-reader --user=meteor --dry-run -o yaml > manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/rolebinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   13s
[root@k8s-master-dev ~]# kubectl describe rolebinding/meteor-read-pods
Name:         meteor-read-pods
Labels:       
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"meteor-read-pods","namespace":"default"},"roleRe..."
Role:
  Kind:  Role
  Name:  pods-reader
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  meteor
[root@k8s-master-dev ~]#

创建新用户,测试新的配置

[root@k8s-master-dev ~]# useradd k8suser01
[root@k8s-master-dev ~]# cp -rp .kube ~k8suser01/
[root@k8s-master-dev ~]# chown -R k8suser01.k8suser01 ~k8suser01/.kube
[root@k8s-master-dev ~]# su - k8suser01
[k8suser01@k8s-master-dev ~]$ kubectl config use-context meteor@kubernetes
Switched to context "meteor@kubernetes".
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          6h
mongo-1       2/2       Running   0          6h
mongo-2       2/2       Running   0          6h
pod-sa-demo   1/1       Running   0          5h
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout

由于Role和RoleBinding的作用域namespace 为default,所以meteor@kubernetes上下文无法访问kube-system 名称空间中的资源。如果希望该上下文可以访问kube-system名称空间内的资源 ,需要使用ClusterRole和ClusterRoleBinding。如下所示:

[root@k8s-master-dev ~]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   4m
[root@k8s-master-dev ~]# kubectl delete rolebinding meteor-read-pods
rolebinding.rbac.authorization.k8s.io "meteor-read-pods" deleted
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run > manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRole-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRole-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-reader created
[root@k8s-master-dev ~]# kubectl get clusterrole
NAME                                                                   AGE
admin                                                                  5d
cluster-admin                                                          5d
cluster-reader                                                         8s
edit                                                                   5d
flannel                                                                5d
......
[root@k8s-master-dev ~]# kubectl describe clusterrole cluster-reader
Name:         cluster-reader
Labels:       
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"cluster-reader","namespace":""},"rules":[{"apiGr..."
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl create clusterrolebinding meteor-read-all-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml >> manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# vim manifests/clusterRoleBinding-demo.yaml
[root@k8s-master-dev ~]# cat manifests/clusterRoleBinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: meteor-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev ~]# kubectl apply -f manifests/clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io/meteor-read-all-pods created
[root@k8s-master-dev ~]# kubectl get clusterrolebinding meteor-read-all-pods
NAME                   AGE
meteor-read-all-pods   16s
[root@k8s-master-dev ~]#

再次测试meteor@kubernetes 上下文 ,如下所示:

[root@k8s-master-dev ~]# su - k8suser01
上一次登录:三 3月 13 16:09:07 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          1d
mongo-1       2/2       Running   0          1d
mongo-2       2/2       Running   0          1d
pod-sa-demo   1/1       Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
NAME                                     READY     STATUS    RESTARTS   AGE
coredns-78fcdf6894-9t2x5                 1/1       Running   0          5d
coredns-78fcdf6894-tvbtd                 1/1       Running   0          5d
etcd-k8s-master-dev                      1/1       Running   0          5d
kube-apiserver-k8s-master-dev            1/1       Running   0          5d
kube-controller-manager-k8s-master-dev   1/1       Running   1          5d
kube-flannel-ds-amd64-9tmns              1/1       Running   0          5d
kube-flannel-ds-amd64-cn8v5              1/1       Running   0          5d
kube-flannel-ds-amd64-gwf76              1/1       Running   0          5d
kube-flannel-ds-amd64-v4g6w              1/1       Running   0          5d
kube-proxy-4ks89                         1/1       Running   0          5d
kube-proxy-b47qm                         1/1       Running   0          5d
kube-proxy-dz778                         1/1       Running   0          5d
kube-proxy-mg5rr                         1/1       Running   0          5d
kube-scheduler-k8s-master-dev            1/1       Running   1          5d
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev ~]#

RoleBinding也可以引用ClusterRole,对属于同一命名空间内ClusterRole定义的资源主体进行授权。但ClusterRoleBinding中的角色只能是ClusterRole。如下meter用户仅能对它所在的名称空间进行操作。

[root@k8s-master-dev rbac]# kubectl delete -f clusterRoleBinding-demo.yaml
clusterrolebinding.rbac.authorization.k8s.io "meteor-read-all-pods" deleted
[root@k8s-master-dev rbac]# kubectl create rolebinding meteor-read-pods --clusterrole=cluster-reader --user=meteor --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# vim rolebinding-clusterrole-demo.yaml
[root@k8s-master-dev rbac]# cat rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: meteor-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: meteor
[root@k8s-master-dev rbac]# kubectl apply -f rolebinding-clusterrole-demo.yaml
rolebinding.rbac.authorization.k8s.io/meteor-read-pods created
[root@k8s-master-dev rbac]# kubectl get rolebinding
NAME               AGE
meteor-read-pods   10s
[root@k8s-master-dev rbac]#
[root@k8s-master-dev rbac]# su - k8suser01
上一次登录:四 3月 14 15:33:42 CST 2019pts/0 上
[k8suser01@k8s-master-dev ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
mongo-0       2/2       Running   0          1d
mongo-1       2/2       Running   0          1d
mongo-2       2/2       Running   0          1d
pod-sa-demo   1/1       Running   0          1d
[k8suser01@k8s-master-dev ~]$ kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "meteor" cannot list pods in the namespace "kube-system"
[k8suser01@k8s-master-dev ~]$ logout
[root@k8s-master-dev rbac]#

k8s集群内置了一些clusterRole ,可以利用上述方法为某个名称空间指定特定管理员。操作如下:

kubectl create rolebinding default-ns-admin --clusterrole=admin --user=meteor