k8s权限配置(ServiceAccount、Role、ClusterRole)

一、在RBAC中的几个概念:

1、什么是RBAC

RBAC全称Role-Based Access Control,是Kubernetes集群基于角色的访问控制,实现授权决策,允许通过Kubernetes API动态配置策略。

2、什么是Role

Role是一组权限的集合,例如Role可以包含列出Pod权限及列出Deployment权限,Role用于给某个NameSpace中的资源进行鉴权。

3、什么是ClusterRole

ClusterRole是一组权限的集合,但与Role不同的是,ClusterRole可以在包括所有NameSpace和集群级别的资源或非资源类型进行鉴权。

4、什么是Subject

Subject:有三种Subjects,分别是Service Account、User Account、Groups,参照官方文档主要区别是User Account针对人,Service Accounts针对运行在Pods中运行的进程。

5、什么是RoleBinding与ClusterRoleBinding

RoleBinding与ClusterRoleBindin:将Subject绑定到Role或ClusterRole。其区别在于:RoleBinding将使规则在命名空间内生效,而ClusterRoleBinding将使规则在所有命名空间中生效。

二、创建一个sa,并绑定Role和ClusterRole:

1、创建ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: minio
  name: service-minio
[root@app01 k8s-user]# vim service-account.yaml
[root@app01 k8s-user]# kubectl apply -f service-account.yaml
serviceaccount/service-minio created

[root@app01 k8s-user]#  kubectl get sa -n minio -owide
NAME            SECRETS   AGE
default         1         17m
service-minio   1         14m

[root@app01 k8s-user]#  kubectl get serviceaccount -n minio -owide
NAME            SECRETS   AGE
default         1         18m
service-minio   1         14m
[root@app01 k8s-user]#
2、查找ServiceAccount的token用以登录
[root@app01 k8s-user]# kubectl describe sa service-minio -n minio
Name:                service-minio
Namespace:           minio
Labels:              
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"service-minio","namespace":"minio"}}
Image pull secrets:  
Mountable secrets:   service-minio-token-wzfsj
Tokens:              service-minio-token-wzfsj
Events:              
[root@app01 k8s-user]# kubectl describe secret service-minio-token-wzfsj -n minio
Name:         service-minio-token-wzfsj
Namespace:    minio
Labels:       
Annotations:  kubernetes.io/service-account.name: service-minio
              kubernetes.io/service-account.uid: df5c9f0d-1211-11ec-b7b2-00505697af9d

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  5 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaW5pbyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJzZXJ2aWNlLW1pbmlvLXRva2VuLXd6ZnNqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InNlcnZpY2UtbWluaW8iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkZjVjOWYwZC0xMjExLTExZWMtYjdiMi0wMDUwNTY5N2FmOWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW86c2VydmljZS1taW5pbyJ9.W06Umb1XXD3xSsWY2GMzct9NXvFrEYDHV1WsqHotho2cW3azOUyPRHX2nrLTg2WmwKrw6oV0dbD3W1cNFSZ7yQebLhLnvfGRZn2WLO6Arkue7VUJ5Iy1N7ev3l7wQpZj8gWTIi-Ju1DeQYoudOHodjSnqz6g5i18hYs_xnd6UuwTioqeaFyRtP2lST_JyuFM3gXuFq5_PRYjvHZuKleoMqmwdq96nmX5GRuGwR6EOnB2uGUxOC0eKwC58PJ0vy_aavAqiPp7d_X0sbgZtPcbq1qfpWz9-_xmHj50NhZN8E4Qp25EpLQIZfED8HpveeqaHo96fn2BD29Dpv46-4FRBg
[root@app01 k8s-user]#

kuboard就可以登录了
k8s权限配置(ServiceAccount、Role、ClusterRole)_第1张图片
也可以用管理员查找token:
k8s权限配置(ServiceAccount、Role、ClusterRole)_第2张图片

3、创建role
[root@app01 k8s-user]# vim role-minio-service-minio.yaml

[root@app01 k8s-user]# kubectl apply -f role-minio-service-minio.yaml
role.rbac.authorization.k8s.io/role-minio-service-minio created

[root@app01 k8s-user]# kubectl get role -n minio
NAME                       AGE
role-minio-service-minio   15s
[root@app01 k8s-user]# 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # 限定可访问的命名空间为 minio
  namespace: minio
  # 角色名称
  name: role-minio-service-minio

# 控制 dashboard 中 命名空间模块 中的面板是否有权限查看
rules:
- apiGroups: [""] # 空字符串""表明使用core API group
  #resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]
  resources: ["namespaces","pods","pods/log","pods/exec", "pods/attach", "pods/status","services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

- apiGroups: [ "apps"]
  resources: ["deployments", "daemonsets", "statefulsets","replicasets"]
  verbs: ["get", "list", "watch"]

提示:role资源没有spec字段,它的群组是rbac.authorization.k8s.io/v1,对应类型为Role;metadata字段中的name用于指定对应role的名称;namespace用户指定对应的名称空间;roles字段用来描述对资源和权限,该字段为一个列表对象,一个对象必须有apiGroup,resources和verbs字段;其中apiGroup字段用来描述对应资源所属群组,默认不写任何群组表示核心群组v1;如果是匹配所有群组可以写成“*”;该字段是一个列表类型数据,所以必须用中括号将其括起来,即便没有值;resources字段用来描述对应的资源,这里的资源如果可以使用复数形式的必须使用复数形式;所谓复数是指对应资源名称单词的复数形式;该字段也是一个列表,可以使用中括号,也可以直接使用-开头写对应的值;verbs字段用来描述对应的权限,该字段也是一个列表,可以使用中括号或者“-”开头从下一行直接写值的方式

4、创建ServiceAccount和Role的绑定
[root@app01 k8s-user]# vim role-bind-minio-service-minio.yaml

[root@app01 k8s-user]# kubectl apply -f role-bind-minio-service-minio.yaml
rolebinding.rbac.authorization.k8s.io/role-bind-minio-service-monio created

[root@app01 k8s-user]# kubectl get rolebinding -n minio -owide
NAME                            AGE   ROLE                            USERS   GROUPS   SERVICEACCOUNTS
role-bind-minio-service-monio   29s   Role/role-minio-service-minio                    minio/service-minio
[root@app01 k8s-user]#
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: minio
  name: role-bind-minio-service-monio

subjects:
- kind: ServiceAccount
  namespace: minio
  # 用户名称
  name: service-minio

roleRef:
  kind: Role
  # 角色名称
  name: role-minio-service-minio
  apiGroup: rbac.authorization.k8s.io
5、创建ClusterRole
[root@app01 k8s-user]# vim cluster-role-paas-basic-service-minio.yaml

[root@app01 k8s-user]# kubectl apply -f cluster-role-paas-basic-service-minio.yaml
clusterrole.rbac.authorization.k8s.io/cluster-role-kube-system-service-minio created

[root@app01 k8s-user]# kubectl get clusterrole|grep cluster-role
cluster-role-paas-basic-service-minio                                  12m
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # 鉴于ClusterRole是集群范围对象,所以这里不需要定义"namespace"字段
  # 角色名称
  name: cluster-role-paas-basic-service-minio
# 控制 dashboard 中 命名空间模块 中的面板是否有权限查看
rules:
- apiGroups: ["rbac.authorization.k8s.io",""] # 空字符串""表明使用core API group
  #resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]
  resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status","services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [ "apps"]
  resources: ["namespaces","deployments", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
6、创建ServiceAccount和ClusterRole的绑定
[root@app01 k8s-user]# vim cluster-role-bind-paas-basic-service-minio.yaml

[root@app01 k8s-user]# kubectl apply -f cluster-role-bind-paas-basic-service-minio.yaml
rolebinding.rbac.authorization.k8s.io/cluster-role-bind-paas-basic-service-monio created
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-bind-paas-basic-service-monio

subjects:
- kind: ServiceAccount
  namespace: minio
  # 用户名称
  name: service-minio

roleRef:
  kind: ClusterRole
  # 角色名称
  name: cluster-role-paas-basic-service-minio
  apiGroup: rbac.authorization.k8s.io
7、ClusterRole和Role的参数值说明

1、apiGroups可配置参数
“”,“apps”, “autoscaling”, “batch”

2、resources可配置参数
“services”, “endpoints”,“pods”,“secrets”,“configmaps”,“crontabs”,“deployments”,“jobs”,“nodes”,“rolebindings”,“clusterroles”,“daemonsets”,“replicasets”,“statefulsets”,“horizontalpodautoscalers”,“replicationcontrollers”,“cronjobs”

3、verbs可配置参数
“get”,“list”,“watch”, “create”,“update”, “patch”, “delete”,“exec”

4、apiGroups和resources对应关系

- apiGroups: [""]                                       # 空字符串""表明使用core API group
  resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]

- apiGroups: [ "apps"]
  resources: ["deployments", "daemonsets", "statefulsets","replicasets"]
[root@app01 k8s-user]# kubectl api-resources
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
bindings                                                                      true         Binding
componentstatuses                 cs                                          false        ComponentStatus
configmaps                        cm                                          true         ConfigMap
endpoints                         ep                                          true         Endpoints
events                            ev                                          true         Event
limitranges                       limits                                      true         LimitRange
namespaces                        ns                                          false        Namespace
nodes                             no                                          false        Node
persistentvolumeclaims            pvc                                         true         PersistentVolumeClaim
persistentvolumes                 pv                                          false        PersistentVolume
pods                              po                                          true         Pod
podtemplates                                                                  true         PodTemplate
replicationcontrollers            rc                                          true         ReplicationController
resourcequotas                    quota                                       true         ResourceQuota
secrets                                                                       true         Secret
serviceaccounts                   sa                                          true         ServiceAccount
services                          svc                                         true         Service
mutatingwebhookconfigurations                  admissionregistration.k8s.io   false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io   false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io           false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io         false        APIService
controllerrevisions                            apps                           true         ControllerRevision
daemonsets                        ds           apps                           true         DaemonSet
deployments                       deploy       apps                           true         Deployment
replicasets                       rs           apps                           true         ReplicaSet
statefulsets                      sts          apps                           true         StatefulSet
tokenreviews                                   authentication.k8s.io          false        TokenReview
localsubjectaccessreviews                      authorization.k8s.io           true         LocalSubjectAccessReview
selfsubjectaccessreviews                       authorization.k8s.io           false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io           false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io           false        SubjectAccessReview
horizontalpodautoscalers          hpa          autoscaling                    true         HorizontalPodAutoscaler
cronjobs                          cj           batch                          true         CronJob
jobs                                           batch                          true         Job
certificatesigningrequests        csr          certificates.k8s.io            false        CertificateSigningRequest
leases                                         coordination.k8s.io            true         Lease
events                            ev           events.k8s.io                  true         Event
daemonsets                        ds           extensions                     true         DaemonSet
deployments                       deploy       extensions                     true         Deployment
ingresses                         ing          extensions                     true         Ingress
networkpolicies                   netpol       extensions                     true         NetworkPolicy
podsecuritypolicies               psp          extensions                     false        PodSecurityPolicy
replicasets                       rs           extensions                     true         ReplicaSet
kuboardlicenses                   klcs         kuboard.cn                     false        KuboardLicense
networkpolicies                   netpol       networking.k8s.io              true         NetworkPolicy
poddisruptionbudgets              pdb          policy                         true         PodDisruptionBudget
podsecuritypolicies               psp          policy                         false        PodSecurityPolicy
clusterrolebindings                            rbac.authorization.k8s.io      false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io      false        ClusterRole
rolebindings                                   rbac.authorization.k8s.io      true         RoleBinding
roles                                          rbac.authorization.k8s.io      true         Role
priorityclasses                   pc           scheduling.k8s.io              false        PriorityClass
storageclasses                    sc           storage.k8s.io                 false        StorageClass
volumeattachments                              storage.k8s.io                 false        VolumeAttachment

你可能感兴趣的:(kubernetes,kubernetes)