1.
开始前,想个问题?
在部署kubectl,kube-scheduler,kube-controller-manager,kubelet,都创建了user或者sa(service account).
创建的user和sa都具有rbac分配的权限操作api.
这个权限是怎么生成分配的呢?
2.
新建一个user记录整个过程
向ca申请证书,私钥,csr(自动生成&&证书签名请求&&用于交叉签名或者重新签名)
需要证书签名请求文件,文件参考见下:
cat am1-csr.json
{
"CN": "am1",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GD",
"L": "SZ",
"O": "system:masters",
"OU": "k8s"
}
]
} 参数详细说明:
CN ##Common Name,通用名称.
##k8s集群里的特殊用法:kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法,网站一般使用域名或者ip;
hosts ##如果 hosts 字段不为空则需要指定授权使用该证书的 IP 或域名列表,现在创建的是执行kubectl命令的用户,该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;
C ##Country 国家
ST ##State 州,省
L ##Locality 地区,城市
O ##Organization Name 组织名称,公司名称,
##k8s里的特殊用法:用这个参数指定使用证书的用户Group,比如这里"system:masters",通过证书认证后,用户在rbac群组为system:masters,从而拥有这个群组的所有权限.
##k8s集群kube-apiserver预定义了部分rbac的rolebindings.这个后面检索
OU ##Organization Unit Name 组织单位名称,公司部门
##k8s里的特殊用法:kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group),可以随意自定义.执行命令,向ca申请证书,见下:
[root@k8s-master1 am]# cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes am1-csr.json | cfssljson -bare am1
2019/03/05 14:03:45 [INFO] generate received request
2019/03/05 14:03:45 [INFO] received CSR
2019/03/05 14:03:45 [INFO] generating key: rsa-2048
2019/03/05 14:03:47 [INFO] encoded CSR
2019/03/05 14:03:47 [INFO] signed certificate with serial number 298701151984123590557480669424567076050696231266
2019/03/05 14:03:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master1 am]# ls
am1.csr am1-csr.json am1-key.pem am1.pem
[root@k8s-master1 am]#执行kubectl config命令,具体解释,参考kubectl config命令篇
[root@k8s-master1 am]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.32.127:8443 --kubeconfig=am1config
Cluster "kubernetes" set.
[root@k8s-master1 am]# kubectl config set-credentials am1 --client-certificate=/root/k8s/key/am/am1.pem --client-key=/root/k8s/key/am/am1-key.pem --embed-certs=true --kubeconfig=am1config
User "am1" set.
[root@k8s-master1 am]# kubectl config set-context kubernetes --cluster=kubernetes --user=am1 --kubeconfig=am1config
Context "kubernetes" created.
[root@k8s-master1 am]# kubectl config use-context kubernetes --kubeconfig=am1config
Switched to context "kubernetes".
[root@k8s-master1 am]# ls
am1config am1.csr am1-csr.json am1-key.pem am1.pem
[root@k8s-master1 am]#把am1config文件复制到~/.kube/目录下(注意:k8s改变用户默认就是改变~/.kube/config文件)
[root@k8s-master1 am]# cp am1config ~/.kube
[root@k8s-master1 .kube]# ls
am1config cache config http-cache
[root@k8s-master1 .kube]#把am1config替换成config,
root@k8s-master1 .kube]# mv config config.bk
[root@k8s-master1 .kube]# ls
am1config cache config.bk http-cache
[root@k8s-master1 .kube]# mv am1config config
[root@k8s-master1 .kube]# ls
cache config config.bk http-cache
[root@k8s-master1 .kube]#到这里,已经创建好用户am1,并且已经使用成功.
3.
检索k8s现在使用的用户
[root@k8s-master1 am]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: am1
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: am1
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master1 am]#检索am1使用k8s的权限
[root@k8s-master1 am]# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/dnsutils-ds-4lslb 1/1 Running 17 4d
pod/dnsutils-ds-4svcr 1/1 Running 16 4d
pod/dnsutils-ds-7wqxf 1/1 Running 16 4d
pod/dnsutils-ds-f6qkj 1/1 Running 16 4d
pod/httpd-app-bbcbfb6cd-65phh 1/1 Running 7 5d
pod/httpd-app-bbcbfb6cd-6blv4 1/1 Running 4 5d
pod/httpd-app-bbcbfb6cd-pk9tk 1/1 Running 3 5d
pod/httpd-app-bbcbfb6cd-rl4w8 1/1 Running 4 5d
pod/httpd-app-bbcbfb6cd-rnhk8 1/1 Running 4 5d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dnsutils-ds NodePort 10.254.173.49 80:8977/TCP 4d
service/httpd-svc NodePort 10.254.120.185 80:8416/TCP 5d
service/kubernetes ClusterIP 10.254.0.1 443/TCP 5d
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/dnsutils-ds 4 4 4 4 4 4d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/httpd-app 5 5 5 5 5d
NAME DESIRED CURRENT READY AGE
replicaset.apps/httpd-app-bbcbfb6cd 5 5 5 5d [root@k8s-master1 am]# kubectl get all -n kube-system
NAME READY STATUS RESTARTS AGE
pod/coredns-779ffd89bd-cwjt9 1/1 Running 3 4d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kube-dns ClusterIP 10.254.0.2 53/UDP,53/TCP 4d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/coredns 1 1 1 1 4d
NAME DESIRED CURRENT READY AGE
replicaset.apps/coredns-779ffd89bd 1 1 1 4d
[root@k8s-master1 am]# 可以看到am1这个用户,实现了我们预设的权限要求,拥有了system:masters群组的所有权限.
4.
检索system:masters这个群组的权限
检索预设rbac的clusterrolebindings
[root@k8s-master1 am]# kubectl get clusterrolebindings
NAME AGE
auto-approve-csrs-for-group 5d
cluster-admin 5d
kube-apiserver 5d
kubelet-bootstrap 5d
node-client-cert-renewal 5d
node-server-cert-renewal 5d
system:aws-cloud-provider 5d
system:basic-user 5d
system:controller:attachdetach-controller 5d
system:controller:certificate-controller 5d
system:controller:clusterrole-aggregation-controller 5d
system:controller:cronjob-controller 5d
system:controller:daemon-set-controller 5d
system:controller:deployment-controller 5d
system:controller:disruption-controller 5d
system:controller:endpoint-controller 5d
system:controller:expand-controller 5d
system:controller:generic-garbage-collector 5d
system:controller:horizontal-pod-autoscaler 5d
system:controller:job-controller 5d
system:controller:namespace-controller 5d
system:controller:node-controller 5d
system:controller:persistent-volume-binder 5d
system:controller:pod-garbage-collector 5d
system:controller:pv-protection-controller 5d
system:controller:pvc-protection-controller 5d
system:controller:replicaset-controller 5d
system:controller:replication-controller 5d
system:controller:resourcequota-controller 5d
system:controller:route-controller 5d
system:controller:service-account-controller 5d
system:controller:service-controller 5d
system:controller:statefulset-controller 5d
system:controller:ttl-controller 5d
system:coredns 5d
system:discovery 5d
system:kube-controller-manager 5d
system:kube-dns 5d
system:kube-scheduler 5d
system:node 5d
system:node-proxier 5d
system:volume-scheduler 5d在哪个里面呢?
[root@k8s-master1 am]# kubectl describe clusterrolebindings |grep -B 10 "system:masters"
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters 检索下cluster-admin的权限
[root@k8s-master1 am]# kubectl describe clusterroles cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]5.
疑问:user am1加入到了system:masters群组,可以不可以检索system:masters群组绑定了哪些用户呢?
暂时没有找到方法.