RBAC 访问控制 Users Accounts
前言:
前面已经对ServiceAccount、Users Account认证进行了介绍与创建,但最后的测试发现是Users Account并没有访问权限,本节介绍RBAC授权 对ServiceAccount、Users Account认证进行授权
RBAC是什么?
RBAC 是基于角色的访问控制(Role-Based Access Control )在 RBAC 中,权限与角色相关联,用户通过成为适当角色的成员而得到这些角色的权限。这就极大地简化了权限的管理。这样管理都是层级相互依赖的,权限赋予给角色,而把角色又赋予用户,这样的权限设计很清楚,管理起来很方便。
角色
Role:角色,名称空间级别;授权特定命名空间的访问权限
ClusterRole:集群角色,全局级别;授权所有命名空间的访问权限
角色绑定
RoleBinding:将角色绑定到主体(即subject),意味着,用户仅得到了特定名称空间下的Role的权限,作用范围也限于该名称空间;
ClusterRoleBinding:将集群角色绑定到主体,让用户扮演指定的集群角色;意味着,用户得到了是集群级别的权限,作用范围也是集群级别;
主体(subject)
User:用户
Group:用户组
ServiceAccount:服务账号
绑定对应关系
主体(Subject) --> RoleBinding --> Role #主体获得名称空间下的Role的权限
主体(Subject) --> ClusterRoleBinding --> clusterRoles #主体获得集群级别clusterRoles的权限
主体(Subject) --> Rolebindig -->ClusterRole #权限降级 主体获得名称空间下的clusterRoles的权限
- rules中的参数说明:
1、apiGroups:支持的API组列表,例如:"apiVersion: batch/v1"等
2、resources:支持的资源对象列表,例如pods、deplayments、jobs等
3、resourceNames: 指定resource的名称
3、verbs:对资源对象的操作方法列表。
- RBAC使用rbac.authorization.k8s.io API Group 来实现授权决策,允许管理员通过 Kubernetes API 动态配置策略,要启用RBAC,需要在 apiserver 中添加参数--authorization-mode=RBAC,如果使用的kubeadm安装的集群,都默认开启了RBAC,可以通过查看 Master 节点上 apiserver 的静态Pod定义文件:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
...
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=192.168.4.170
- --allow-privileged=true
- --authorization-mode=Node,RBAC #默认支持BRAC 基于角色的访问控制
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...
- 查看 kube-system名称空间下的role角色详情
[root@k8s-master ~]# kubectl get role -n kube-system
NAME CREATED AT
extension-apiserver-authentication-reader 2021-06-28T17:43:31Z
kube-proxy 2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19 2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config 2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager 2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler 2021-06-28T17:43:31Z
system:controller:bootstrap-signer 2021-06-28T17:43:31Z
system:controller:cloud-provider 2021-06-28T17:43:31Z
system:controller:token-cleaner 2021-06-28T17:43:31Z
[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-06-28T17:43:33Z"
managedFields:
- apiVersion: rbac.authorization.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:rules: {}
manager: kubeadm
operation: Update
time: "2021-06-28T17:43:33Z"
name: kube-proxy
namespace: kube-system
resourceVersion: "195"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules: #角色规则详细信息
- apiGroups:
- ""
resourceNames:
- kube-proxy
resources:
- configmaps
verbs: #能执行的操作
- get
- role角色绑定
- RoleBinding 角色绑定
[root@k8s-master ~]# kubectl explain rolebinding
KIND: RoleBinding
VERSION: rbac.authorization.k8s.io/v1
...
roleRef 示例1: 创建role角色绑定 作用域为名称空间
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml
kind : Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pods-reader
rules:
- apiGroups: [""] #空表示默认群组
resources: ["pods","services","pods/log"] #对象资源
verbs: ["get","list","watch"] #权限
[root@k8s-master authfiles]# cat tom-pods-reader.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tom-pods-reader
namespace: default
subjects:
- kind: User
name: tom #绑定的用户名
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pods-reader #绑定之前的角色
apiGroup: rbac.authorization.k8s.io
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml
[root@k8s-master authfiles]# kubectl get role
NAME CREATED AT
pods-reader 2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME ROLE AGE
tom-pods-reader Role/pods-reader 15m
- 使用tom用户验证权限 pod、svc
[root@k8s-master authfiles]# kubectl config get-contexts --kubeconfig=/tmp/mykubeconfig #查看当前用户
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* tom@kubernetes kubernetes tom
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
centos-deployment-66d8cd5f8b-bnnw6 1/1 Running 0 7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp ClusterIP 10.97.26.1 80/TCP 10d
demoapp-svc ClusterIP 10.99.170.77 80/TCP 10d
demodb ClusterIP None 9907/TCP 5d22h
kubernetes ClusterIP 10.96.0.1 443/TCP 10d
- 验证deployment、nodes权限 没有授权访问失败
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
内建管理员admin
名称空间管理员admin
clusterrole admin 名称空间级别资源 拥有所有名称空间下的资源 所有操作权限
集群管理员 cluster-admin
clusterrole cluster-admin 集群级别资源 拥有集群所有空的资源 所有操作权限
之前绑定的rolebinding只对默认名称空间有一定的权限
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
- clusterrole admin 对所有名称空间下的资源权限
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME CREATED AT
admin 2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
- 删除绑定,重新绑定到clusterrole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME ROLE AGE
tom-pods-reader Role/pods-reader 35m
[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted
[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
示例2: 绑定admin 并验证权限,作用域为名称空间
[root@k8s-master authfiles]# kubectl create --help
...
Available Commands:
clusterrole Create a ClusterRole.
clusterrolebinding Create a ClusterRoleBinding for a particular ClusterRole
configmap Create a configmap from a local file, directory or literal value
cronjob Create a cronjob with the specified name.
deployment Create a deployment with the specified name.
job Create a job with the specified name.
namespace Create a namespace with the specified name
poddisruptionbudget Create a pod disruption budget with the specified name.
priorityclass Create a priorityclass with the specified name.
quota Create a quota with the specified name.
role Create a role with single rule.
rolebinding Create a RoleBinding for a particular Role or ClusterRole
secret Create a secret using specified subcommand
service Create a service using specified subcommand.
serviceaccount Create a service account with the specified name
- 可以分别对--user、--group、--serviceaccount进行授权
[root@k8s-master authfiles]# kubectl create clusterrolebinding --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
- 绑定并进行权限验证
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
csi-attacher-54c7586574-bh88g 1/1 Running 5 7d
csi-attacher-54c7586574-fvv4p 1/1 Running 7 19d
csi-attacher-54c7586574-zkzrg 1/1 Running 10 19d
csi-provisioner-5ff5bd6b88-9tqnh 1/1 Running 5 7d
csi-provisioner-5ff5bd6b88-bs687 1/1 Running 8 19d
csi-provisioner-5ff5bd6b88-qkzt4 1/1 Running 12 19d
csi-resizer-7699cdfc4-4w49w 1/1 Running 8 19d
......
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
coredns-f9fd979d6-l9zck 1/1 Running 16 56d
coredns-f9fd979d6-s8fp5 1/1 Running 15 56d
etcd-k8s-master 1/1 Running 12 56d
kube-apiserver-k8s-master 1/1 Running 16 56d
kube-controller-manager-k8s-master 1/1 Running 39 56d
kube-flannel-ds-6sppx 1/1 Running 1 6d22h
kube-flannel-ds-j5g9s 1/1 Running 3 6d22h
kube-flannel-ds-nfz77 1/1 Running 1 6d22h
kube-flannel-ds-sqhq2 1/1 Running 1 6d22h
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
NAME READY UP-TO-DATE AVAILABLE AGE
centos-deployment 1/1 1 1 6d22h
- node是集群级别资源 无权限
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
示例3: 绑定cluster-admin 并验证权限 作用域为集群级别资源
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pv-nfs-demo002 10Gi RWX Retain Available 21d
pv-nfs-demo003 1Gi RWO Retain Available 21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1 1Gi RWX Retain Bound default/data-demodb-1 longhorn 5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1 1Gi RWX Retain Bound default/data-demodb-0 longhorn 5d23h
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready 56d v1.19.9
k8s-node2 Ready 56d v1.19.9
k8s-node3 Ready 20d v1.19.9
- 需要注意的是 cluster-admin 是通过system:masters组方式进行授权,如果我们在创建用户证书时,/CN=XX/O=system:masters;那么这个用户就拥有超级管理员的权限
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters #通过组授权所有system:masters都拥有超级管理员权限
示例4: rolebinding 绑定admin 并验证权限 权限降级
前面有提到
User --> Rolebindig -->ClusterRole:权限降级,
ClusterRole,用户得到的权限仅是ClusterRole的权限在Rolebinding所属的名称空间上的一个子集;删除之前绑定
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
- 创建角色绑定集群角色 权限降级 只对指定名称空间有权限
[root@k8s-master authfiles]# kubectl create rolebinding tom-admin --user=tom -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
- 测试权限 作用域尽为longhorn-system名称空间
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME READY STATUS RESTARTS AGE
csi-attacher-54c7586574-bh88g 1/1 Running 5 7d
csi-attacher-54c7586574-fvv4p 1/1 Running 7 19d
csi-attacher-54c7586574-zkzrg 1/1 Running 10 19d
csi-provisioner-5ff5bd6b88-9tqnh 1/1 Running 5 7d
csi-provisioner-5ff5bd6b88-bs687 1/1 Running 8 19d
csi-provisioner-5ff5bd6b88-qkzt4 1/1 Running 12 19d
csi-resizer-7699cdfc4-4w49w 1/1 Running 8 19d
csi-resizer-7699cdfc4-f5jph 1/1 Running 6 7d
csi-resizer-7699cdfc4-l2j49 1/1 Running 9 19d
...