Creating a read-only user in Kubernetes

Method One

Kubernetes ships with a built-in ClusterRole named view, which is a role carrying only read permissions. Inspect it with kubectl describe clusterrole view; the output looks like this:

[centos@aaa test]$ sudo kubectl describe clusterrole view
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                Non-Resource URLs  Resource Names  Verbs
  ---------                                -----------------  --------------  -----
  bindings                                 []                 []              [get list watch]
  configmaps                               []                 []              [get list watch]
  endpoints                                []                 []              [get list watch]
  events                                   []                 []              [get list watch]
  limitranges                              []                 []              [get list watch]
  namespaces/status                        []                 []              [get list watch]
  namespaces                               []                 []              [get list watch]
  persistentvolumeclaims                   []                 []              [get list watch]
  pods/log                                 []                 []              [get list watch]
  pods/status                              []                 []              [get list watch]
  pods                                     []                 []              [get list watch]
  replicationcontrollers/scale             []                 []              [get list watch]
  replicationcontrollers/status            []                 []              [get list watch]
  replicationcontrollers                   []                 []              [get list watch]
  resourcequotas/status                    []                 []              [get list watch]
  resourcequotas                           []                 []              [get list watch]
  serviceaccounts                          []                 []              [get list watch]
  services                                 []                 []              [get list watch]
  controllerrevisions.apps                 []                 []              [get list watch]
  daemonsets.apps                          []                 []              [get list watch]
  deployments.apps/scale                   []                 []              [get list watch]
  deployments.apps                         []                 []              [get list watch]
  replicasets.apps/scale                   []                 []              [get list watch]
  replicasets.apps                         []                 []              [get list watch]
  statefulsets.apps/scale                  []                 []              [get list watch]
  statefulsets.apps                        []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling     []                 []              [get list watch]
  cronjobs.batch                           []                 []              [get list watch]
  jobs.batch                               []                 []              [get list watch]
  daemonsets.extensions                    []                 []              [get list watch]
  deployments.extensions/scale             []                 []              [get list watch]
  deployments.extensions                   []                 []              [get list watch]
  ingresses.extensions                     []                 []              [get list watch]
  networkpolicies.extensions               []                 []              [get list watch]
  replicasets.extensions/scale             []                 []              [get list watch]
  replicasets.extensions                   []                 []              [get list watch]
  replicationcontrollers.extensions/scale  []                 []              [get list watch]
  nodes.metrics.k8s.io                     []                 []              [get list watch]
  pods.metrics.k8s.io                      []                 []              [get list watch]
  ingresses.networking.k8s.io              []                 []              [get list watch]
  networkpolicies.networking.k8s.io        []                 []              [get list watch]
  poddisruptionbudgets.policy              []                 []              [get list watch]

You can create a new user and bind it to the built-in view role.

Create the service account: kubectl create sa readonly -n kube-system (readonly is just the sample account name used here).

Bind it: kubectl create clusterrolebinding readonly --clusterrole=view --serviceaccount=kube-system:readonly

Then look up its token, log in with it and verify the permissions.

Method Two

Create the read-only user with a client certificate instead. First download the certificate tooling:

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

Copy the CA files:

cd /etc/kubernetes/pki && sudo mkdir test
sudo cp ca.crt test
sudo cp ca.key test

Go into the test directory and create the following two files with the contents shown:
readonly.json

{
  "CN": "readonly",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "HangZhou",
      "O": "develop:readonly",
      "OU": "develop"
    }
  ]
}

ca-config-readonly.json

{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "87600h"
            }
        }
    }
}

Generate the read-only user's certificate (this produces readonly.pem and readonly-key.pem):

sudo cfssl gencert --ca ca.crt --ca-key ca.key --config ca-config-readonly.json --profile=kubernetes readonly.json | cfssljson --bare readonly

Copy admin.conf as the starting point for the new kubeconfig:

cp  /etc/kubernetes/admin.conf  pki/test/readonly.kubeconfig

Create the setup script kubeconfig.sh and run it. Because the file was copied from admin.conf, it still contains the kubernetes-admin user entry that kubeadm writes there, with the admin credentials embedded; delete that entry (kubectl config unset users.kubernetes-admin --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig) before handing the kubeconfig to anyone.

#!/bin/bash
# Use one absolute path throughout so every command edits the same file
# regardless of the directory the script is run from.
KUBECONFIG_FILE=/etc/kubernetes/pki/test/readonly.kubeconfig

# Add the certificate user; the cluster entry (with the CA) already exists
# in the copied admin.conf, so no --certificate-authority is needed here.
kubectl config set-credentials develop-readonly \
    --embed-certs=true \
    --client-key=/etc/kubernetes/pki/test/readonly-key.pem \
    --client-certificate=/etc/kubernetes/pki/test/readonly.pem \
    --kubeconfig=$KUBECONFIG_FILE

kubectl config set-context default-system --cluster=kubernetes \
    --user=develop-readonly \
    --kubeconfig=$KUBECONFIG_FILE

kubectl config use-context default-system --kubeconfig=$KUBECONFIG_FILE

Create the ClusterRole and bind it to the develop:readonly group (the O field of the certificate, which is the subject named in the binding below). The file is as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: develop:readonly
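A check worth running before applying the binding: the cluster-readonly ClusterRole above grants more than the built-in view role shown in Method One, even though every verb is get/list/watch. The Python linter below is an added example, not from the original post; it transcribes both rule sets from this page as literals (no cluster access or YAML parsing is assumed) and lists the entries that view does not grant.

```python
"""Compare the cluster-readonly ClusterRole above with the built-in `view` role. Added
example, not from the original post: both rule sets are transcribed from this page."""

# `view` entries keyed the way `kubectl describe` prints them: "<resource>" for the
# core group, "<resource>.<group>" otherwise, plus "/<subresource>" where present.
VIEW_RESOURCES = {
    "bindings", "configmaps", "endpoints", "events", "limitranges", "namespaces",
    "namespaces/status", "persistentvolumeclaims", "pods", "pods/log", "pods/status",
    "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
    "replicationcontrollers/status", "resourcequotas", "resourcequotas/status",
    "services", "controllerrevisions.apps", "daemonsets.apps", "deployments.apps",
    "deployments.apps/scale", "replicasets.apps", "replicasets.apps/scale",
    "statefulsets.apps", "statefulsets.apps/scale", "cronjobs.batch", "jobs.batch",
    "horizontalpodautoscalers.autoscaling", "daemonsets.extensions",
    "deployments.extensions", "deployments.extensions/scale", "ingresses.extensions",
    "networkpolicies.extensions", "replicasets.extensions", "replicasets.extensions/scale",
    "replicationcontrollers.extensions/scale", "nodes.metrics.k8s.io",
    "pods.metrics.k8s.io", "ingresses.networking.k8s.io",
    "networkpolicies.networking.k8s.io", "poddisruptionbudgets.policy",
}

RO = ["get", "list", "watch"]
CLUSTER_READONLY_RULES = [  # (apiGroup, resources, verbs), one tuple per rule above
    ("", ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], RO),
    ("", ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers",
          "replicationcontrollers/scale", "secrets", "serviceaccounts", "services",
          "services/proxy"], RO),
    ("", ["bindings", "events", "limitranges", "namespaces/status", "pods/log",
          "pods/status", "replicationcontrollers/status", "resourcequotas",
          "resourcequotas/status"], RO),
    ("", ["namespaces"], RO),
    ("apps", ["deployments", "deployments/rollback", "deployments/scale", "statefulsets"], RO),
    ("autoscaling", ["horizontalpodautoscalers"], RO),
    ("batch", ["cronjobs", "jobs", "scheduledjobs"], RO),
    ("extensions", ["daemonsets", "deployments", "ingresses", "replicasets"], RO),
]

def describe_key(group, resource):
    """'deployments/scale' in group 'apps' -> 'deployments.apps/scale'."""
    name, _, sub = resource.partition("/")
    return name + ("." + group if group else "") + ("/" + sub if sub else "")

def lint_readonly_role(rules, view=VIEW_RESOURCES):
    """Return (non_read_verbs, beyond_view): verbs other than get/list/watch, and entries
    `view` lacks (secrets expose credentials; exec/attach/portforward/proxy reach pods)."""
    non_read, beyond = [], []
    for group, resources, verbs in rules:
        non_read += [(group, v) for v in sorted(set(verbs) - {"get", "list", "watch"})]
        beyond += [k for k in (describe_key(group, r) for r in resources) if k not in view]
    return non_read, sorted(beyond)
```

For the manifest above the linter reports no extra verbs but eight entries beyond view (secrets, the pods exec/attach/portforward/proxy subresources, services/proxy, deployments/rollback and scheduledjobs); if a genuinely read-only account is the goal, bind the group to view as in Method One or drop those entries.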

Verify:

kubectl --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig get nodes   # no permission to view nodes

Error from server (Forbidden): nodes is forbidden: User "readonly" cannot list resource "nodes" in API group "" at the cluster scope

kubectl --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig get pod  # pods can be viewed

Try launching something new with it (it turns out there is no permission to create):

[centos@aaa test]$ kubectl --kubeconfig=readonly.kubeconfig create -f readonly-rbac.yml 
Error from server (Forbidden): error when creating "readonly-rbac.yml": clusterroles.rbac.authorization.k8s.io is forbidden: User "readonly" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): error when creating "readonly-rbac.yml": clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "readonly" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
