25. k8s RBAC

Security mechanisms:
	1. The Kubernetes security framework
	2. Transport security, authentication, authorization, admission control
	3. Authorization with RBAC

Access to resources in a K8S cluster must pass three gates: authentication, authorization and admission control.
An ordinary user who wants secure access to the cluster API Server usually needs a certificate, a Token, or a username + password; a Pod accessing the API Server needs a ServiceAccount.
The K8S security control framework is enforced in the following three stages. Each stage supports plugins, which are enabled through the API Server configuration.
		1. Authentication
		2. Authorization
		3. Admission Control

Stage 1: transport security and authentication
Stage 2: authorization
Stage 3: admission control
Stage 4: authorization with RBAC


Authorization with RBAC:
	Roles
		Role: grants access within a specific namespace
		ClusterRole: grants access across all namespaces
	Role bindings
		RoleBinding: binds a role to a subject
		ClusterRoleBinding: binds a cluster role to a subject
	Subjects
		User: a user
		Group: a user group
		ServiceAccount: a service account

1. First create the role:
2. Bind the role:
3. Which authentication method identifies this user?


[root@centos7 demo2]# kubectl create ns ctnrs
namespace/ctnrs created
[root@centos7 demo2]# kubectl run nginx --image=nginx -n ctnrs
[root@centos7 demo2]# kubectl get pods -n ctnrs
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6db489d4b7-7qpq7   1/1     Running   0          39s
[root@centos7 demo2]# 
[root@centos7 demo2]# cat rbac-role.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: ctnrs
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@centos7 demo2]# 
[root@centos7 demo2]# kubectl apply -f rbac-role.yaml 
role.rbac.authorization.k8s.io/pod-reader created
[root@centos7 demo2]# 
[root@centos7 demo2]# kubectl get role -n ctnrs
NAME         AGE
pod-reader   26s
[root@centos7 demo2]# 
[root@centos7 demo2]# 
[root@centos7 demo2]# cat rbac-rolebinding.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: ctnrs
subjects:
- kind: User
  name: aliang # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@centos7 demo2]# 
[root@centos7 demo2]# kubectl apply -f rbac-rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/read-pods created
[root@centos7 demo2]# 
[root@centos7 demo2]# kubectl get role -n ctnrs
NAME         AGE
pod-reader   3m4s
[root@centos7 demo2]# kubectl get rolebinding -n ctnrs
NAME        AGE
read-pods   3m25s
[root@centos7 demo2]# 
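The decision the API server makes with these two objects, written out as an added Python example (not code from the original notes): the pod-reader Role and read-pods RoleBinding above are encoded as dicts with the same fields as the YAML, and a small authorizer answers whether a given user, verb, resource and namespace are allowed. The service-account request at the end is constructed to show that a ServiceAccount merely named pod-reader shares the Role's name but has no binding, so RBAC denies it.

```python
"""Toy re-implementation of the Kubernetes RBAC authorization decision.

Added example, not part of the original notes. It models how the RBAC
authorizer answers "may subject S perform verb V on resource R in
namespace N?" using the pod-reader Role and read-pods RoleBinding
from the notes, encoded as Python dicts with the same fields as the YAML.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed copies of the manifests shown in the notes.
ROLES = {
    ("ctnrs", "pod-reader"): {
        "rules": [
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
        ]
    }
}
CLUSTER_ROLES: Dict[str, dict] = {}  # none are defined in the notes

ROLE_BINDINGS = [
    {
        "namespace": "ctnrs",
        "subjects": [{"kind": "User", "name": "aliang", "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
    }
]
CLUSTER_ROLE_BINDINGS: List[dict] = []


@dataclass
class Request:
    user: str
    groups: List[str] = field(default_factory=list)
    verb: str = "get"
    resource: str = "pods"
    api_group: str = ""          # "" is the core API group
    namespace: str = ""


def subject_matches(subject: dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def rule_allows(rule: dict, req: Request) -> bool:
    def hit(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), req.api_group)
            and hit(rule.get("resources", []), req.resource)
            and hit(rule.get("verbs", []), req.verb))


def rules_for(role_ref: dict, binding_namespace) -> List[dict]:
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], {}).get("rules", [])
    # A roleRef of kind Role must name a Role in the binding's own namespace.
    return ROLES.get((binding_namespace, role_ref["name"]), {}).get("rules", [])


def authorize(req: Request) -> bool:
    """True if some binding whose subject matches grants a rule allowing the request."""
    # RoleBindings only apply to requests in their own namespace;
    # ClusterRoleBindings apply everywhere.
    candidates = [b for b in ROLE_BINDINGS if b["namespace"] == req.namespace] + CLUSTER_ROLE_BINDINGS
    for binding in candidates:
        if not any(subject_matches(s, req) for s in binding["subjects"]):
            continue
        for rule in rules_for(binding["roleRef"], binding.get("namespace")):
            if rule_allows(rule, req):
                return True
    return False  # RBAC is deny-by-default: no matching rule means denied


if __name__ == "__main__":
    for r in [Request("aliang", verb="list", namespace="ctnrs"),
              Request("aliang", verb="delete", namespace="ctnrs"),
              Request("aliang", verb="list", namespace="default"),
              Request("system:serviceaccount:ctnrs:pod-reader", verb="get", namespace="ctnrs")]:
        verdict = "allowed" if authorize(r) else "denied"
        print(f"{r.user} {r.verb} {r.resource} in {r.namespace}: {verdict}")
```

Running it shows aliang may list pods in ctnrs but may not delete them, has nothing in default, and that the unbound service account is denied; the same questions are answered on a live cluster with `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`.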

Authentication
Three kinds of client authentication: 
	HTTPS certificate authentication: a digital certificate signed by the CA
	HTTP Token authentication: the user is identified by a Token
	HTTP Basic authentication: username + password

The following uses HTTPS certificate authentication:

[root@centos7 demo3]# 
[root@centos7 demo3]# ll
total 24
-rw-r--r-- 1 root root  294 Dec  9  2018 ca-config.json
-rw-r--r-- 1 root root 1001 Dec  9  2018 ca.csr
-rw-r--r-- 1 root root  263 Dec  9  2018 ca-csr.json
-rw-r--r-- 1 root root 1675 Dec  9  2018 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec  9  2018 ca.pem
-rw-r--r-- 1 root root  860 Jul  9 21:49 rabc-user.sh
[root@centos7 demo3]# cat rabc-user.sh 
cat > aliang-csr.json <
Annotations:  kubernetes.io/service-account.name: pod-reader
              kubernetes.io/service-account.uid: 57f087a2-6f3e-44e3-9615-f46c7f1121e3

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  5 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkUwa0p0aC1TMDBoTU1OZ3Y2SWRWaVd5NGRYLTdSTlY3TUVHUXJsRV9NY2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjdG5ycyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwb2QtcmVhZGVyLXRva2VuLXJjZ3ZkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InBvZC1yZWFkZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1N2YwODdhMi02ZjNlLTQ0ZTMtOTYxNS1mNDZjN2YxMTIxZTMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y3RucnM6cG9kLXJlYWRlciJ9.ltqpH-WktEiitFrVkui7WkQx4f_B3cJEMpUQ3Q3du-nLej8rrk-FTMZUXpiXr0lDgJmKo6sf0aL0Vs3q8kX7TfuuWomToc2B4A5sUh5w-eGEQReghD01Z1wRANh3c3IhcCuRnMvvQIxHDzY83LGYwtdCVtMrxINYnuRCYqeDFJz9q0Q53hjBMx2m-rFprFkG3otTI4GeHNv14EQF8chJ8GD6NC1KA1mvZrU5ATFnh8_cgDB66EalbVKFYxEyGm5syg32LTaPT3aWZd4DO4Z0SWlWt_a8tfMHY2K1iDUrLNPTHjhX3NX8NuZQevZRP8Qcg1fpuIjSyjBP_yT_4sElbw
[root@centos7 demo3]# 
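What the RBAC subject is actually matched against is the identity the authentication stage produces. As an added Python example (not from the original notes, constructed inputs only), this shows the two mappings behind the certificate and service-account methods: for an X.509 client certificate the subject's CN becomes the user name and each O value a group, and for a service-account token the `sub` claim `system:serviceaccount:<namespace>:<name>` becomes the user name, with the `system:serviceaccounts` groups added by the server. The demo token is built unsigned with the same claim layout as the token in the `describe secret` output above; a real API server verifies the certificate chain and the token signature before trusting either.

```python
"""How the API server derives the identity that RBAC subjects are matched against.

Added example, not from the original notes. Inputs are constructed; no
signature or certificate chain is verified here, which the real API
server always does first.
"""
import base64
import json
from typing import Dict, List, Tuple


def identity_from_cert_subject(subject: str) -> Tuple[str, List[str]]:
    """Map an X.509 subject DN such as 'CN=aliang,O=dev,O=ops' to (user, groups)."""
    user, groups = "", []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            user = value          # CN is the user name
        elif key.upper() == "O":
            groups.append(value)  # each O is a group
    return user, groups


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_from_sa_token(token: str) -> Tuple[str, List[str]]:
    """Extract (user, groups) from a service-account JWT's payload claims."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    sub = claims["sub"]
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError("not a service account token")
    namespace = sub.split(":")[2]
    groups = ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"]
    return sub, groups


def make_unsigned_sa_token(namespace: str, name: str) -> str:
    """Constructed, unsigned token with the legacy service-account claim layout (demo only)."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    return f"{enc(header)}.{enc(payload)}."  # empty signature segment


if __name__ == "__main__":
    print(identity_from_cert_subject("CN=aliang,O=dev,O=ops"))
    print(identity_from_sa_token(make_unsigned_sa_token("ctnrs", "pod-reader")))
```

This is why the RoleBinding above names `aliang` as a User: with certificate authentication the user name is whatever CN the CA signed, so the CSR's CN must match the binding exactly (names are case sensitive), and a Group subject would match an O value instead.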
