RBAC全称Role-Based Access Control,是Kubernetes集群基于角色的访问控制,实现授权决策,允许通过Kubernetes API动态配置策略。
Role是一组权限的集合,例如Role可以包含列出Pod权限及列出Deployment权限,Role用于给某个NameSpace中的资源进行鉴权。
ClusterRole是一组权限的集合,但与Role不同的是,ClusterRole可以在包括所有NameSpace和集群级别的资源或非资源类型进行鉴权。
Subject:有三种Subjects,分别是Service Account、User Account、Groups,参照官方文档主要区别是User Account针对人,Service Accounts针对运行在Pods中运行的进程。
RoleBinding与ClusterRoleBindin:将Subject绑定到Role或ClusterRole。其区别在于:RoleBinding将使规则在命名空间内生效,而ClusterRoleBinding将使规则在所有命名空间中生效。
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: minio
name: service-minio
[root@app01 k8s-user]# vim service-account.yaml
[root@app01 k8s-user]# kubectl apply -f service-account.yaml
serviceaccount/service-minio created
[root@app01 k8s-user]# kubectl get sa -n minio -owide
NAME SECRETS AGE
default 1 17m
service-minio 1 14m
[root@app01 k8s-user]# kubectl get serviceaccount -n minio -owide
NAME SECRETS AGE
default 1 18m
service-minio 1 14m
[root@app01 k8s-user]#
[root@app01 k8s-user]# kubectl describe sa service-minio -n minio
Name: service-minio
Namespace: minio
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"service-minio","namespace":"minio"}}
Image pull secrets:
Mountable secrets: service-minio-token-wzfsj
Tokens: service-minio-token-wzfsj
Events:
[root@app01 k8s-user]# kubectl describe secret service-minio-token-wzfsj -n minio
Name: service-minio-token-wzfsj
Namespace: minio
Labels:
Annotations: kubernetes.io/service-account.name: service-minio
kubernetes.io/service-account.uid: df5c9f0d-1211-11ec-b7b2-00505697af9d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 5 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaW5pbyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJzZXJ2aWNlLW1pbmlvLXRva2VuLXd6ZnNqIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InNlcnZpY2UtbWluaW8iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkZjVjOWYwZC0xMjExLTExZWMtYjdiMi0wMDUwNTY5N2FmOWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW86c2VydmljZS1taW5pbyJ9.W06Umb1XXD3xSsWY2GMzct9NXvFrEYDHV1WsqHotho2cW3azOUyPRHX2nrLTg2WmwKrw6oV0dbD3W1cNFSZ7yQebLhLnvfGRZn2WLO6Arkue7VUJ5Iy1N7ev3l7wQpZj8gWTIi-Ju1DeQYoudOHodjSnqz6g5i18hYs_xnd6UuwTioqeaFyRtP2lST_JyuFM3gXuFq5_PRYjvHZuKleoMqmwdq96nmX5GRuGwR6EOnB2uGUxOC0eKwC58PJ0vy_aavAqiPp7d_X0sbgZtPcbq1qfpWz9-_xmHj50NhZN8E4Qp25EpLQIZfED8HpveeqaHo96fn2BD29Dpv46-4FRBg
[root@app01 k8s-user]#
[root@app01 k8s-user]# vim role-minio-service-minio.yaml
[root@app01 k8s-user]# kubectl apply -f role-minio-service-minio.yaml
role.rbac.authorization.k8s.io/role-minio-service-minio created
[root@app01 k8s-user]# kubectl get role -n minio
NAME AGE
role-minio-service-minio 15s
[root@app01 k8s-user]#
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 限定可访问的命名空间为 minio
namespace: minio
# 角色名称
name: role-minio-service-minio
# 控制 dashboard 中 命名空间模块 中的面板是否有权限查看
rules:
- apiGroups: [""] # 空字符串""表明使用core API group
#resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]
resources: ["namespaces","pods","pods/log","pods/exec", "pods/attach", "pods/status","services"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [ "apps"]
resources: ["deployments", "daemonsets", "statefulsets","replicasets"]
verbs: ["get", "list", "watch"]
提示:role资源没有spec字段,它的群组是rbac.authorization.k8s.io/v1,对应类型为Role;metadata字段中的name用于指定对应role的名称;namespace用户指定对应的名称空间;roles字段用来描述对资源和权限,该字段为一个列表对象,一个对象必须有apiGroup,resources和verbs字段;其中apiGroup字段用来描述对应资源所属群组,默认不写任何群组表示核心群组v1;如果是匹配所有群组可以写成“*”;该字段是一个列表类型数据,所以必须用中括号将其括起来,即便没有值;resources字段用来描述对应的资源,这里的资源如果可以使用复数形式的必须使用复数形式;所谓复数是指对应资源名称单词的复数形式;该字段也是一个列表,可以使用中括号,也可以直接使用-开头写对应的值;verbs字段用来描述对应的权限,该字段也是一个列表,可以使用中括号或者“-”开头从下一行直接写值的方式
[root@app01 k8s-user]# vim role-bind-minio-service-minio.yaml
[root@app01 k8s-user]# kubectl apply -f role-bind-minio-service-minio.yaml
rolebinding.rbac.authorization.k8s.io/role-bind-minio-service-monio created
[root@app01 k8s-user]# kubectl get rolebinding -n minio -owide
NAME AGE ROLE USERS GROUPS SERVICEACCOUNTS
role-bind-minio-service-monio 29s Role/role-minio-service-minio minio/service-minio
[root@app01 k8s-user]#
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: minio
name: role-bind-minio-service-monio
subjects:
- kind: ServiceAccount
namespace: minio
# 用户名称
name: service-minio
roleRef:
kind: Role
# 角色名称
name: role-minio-service-minio
apiGroup: rbac.authorization.k8s.io
[root@app01 k8s-user]# vim cluster-role-paas-basic-service-minio.yaml
[root@app01 k8s-user]# kubectl apply -f cluster-role-paas-basic-service-minio.yaml
clusterrole.rbac.authorization.k8s.io/cluster-role-kube-system-service-minio created
[root@app01 k8s-user]# kubectl get clusterrole|grep cluster-role
cluster-role-paas-basic-service-minio 12m
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 鉴于ClusterRole是集群范围对象,所以这里不需要定义"namespace"字段
# 角色名称
name: cluster-role-paas-basic-service-minio
# 控制 dashboard 中 命名空间模块 中的面板是否有权限查看
rules:
- apiGroups: ["rbac.authorization.k8s.io",""] # 空字符串""表明使用core API group
#resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]
resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status","services"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: [ "apps"]
resources: ["namespaces","deployments", "daemonsets", "statefulsets"]
verbs: ["get", "list", "watch"]
[root@app01 k8s-user]# vim cluster-role-bind-paas-basic-service-minio.yaml
[root@app01 k8s-user]# kubectl apply -f cluster-role-bind-paas-basic-service-minio.yaml
rolebinding.rbac.authorization.k8s.io/cluster-role-bind-paas-basic-service-monio created
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-role-bind-paas-basic-service-monio
subjects:
- kind: ServiceAccount
namespace: minio
# 用户名称
name: service-minio
roleRef:
kind: ClusterRole
# 角色名称
name: cluster-role-paas-basic-service-minio
apiGroup: rbac.authorization.k8s.io
1、apiGroups可配置参数
“”,“apps”, “autoscaling”, “batch”
2、resources可配置参数
“services”, “endpoints”,“pods”,“secrets”,“configmaps”,“crontabs”,“deployments”,“jobs”,“nodes”,“rolebindings”,“clusterroles”,“daemonsets”,“replicasets”,“statefulsets”,“horizontalpodautoscalers”,“replicationcontrollers”,“cronjobs”
3、verbs可配置参数
“get”,“list”,“watch”, “create”,“update”, “patch”, “delete”,“exec”
4、apiGroups和resources对应关系
- apiGroups: [""] # 空字符串""表明使用core API group
resources: ["pods","pods/log","pods/exec", "pods/attach", "pods/status", "events", "replicationcontrollers", "services", "configmaps", "persistentvolumeclaims"]
- apiGroups: [ "apps"]
resources: ["deployments", "daemonsets", "statefulsets","replicasets"]
[root@app01 k8s-user]# kubectl api-resources
NAME SHORTNAMES APIGROUP NAMESPACED KIND
bindings true Binding
componentstatuses cs false ComponentStatus
configmaps cm true ConfigMap
endpoints ep true Endpoints
events ev true Event
limitranges limits true LimitRange
namespaces ns false Namespace
nodes no false Node
persistentvolumeclaims pvc true PersistentVolumeClaim
persistentvolumes pv false PersistentVolume
pods po true Pod
podtemplates true PodTemplate
replicationcontrollers rc true ReplicationController
resourcequotas quota true ResourceQuota
secrets true Secret
serviceaccounts sa true ServiceAccount
services svc true Service
mutatingwebhookconfigurations admissionregistration.k8s.io false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io false CustomResourceDefinition
apiservices apiregistration.k8s.io false APIService
controllerrevisions apps true ControllerRevision
daemonsets ds apps true DaemonSet
deployments deploy apps true Deployment
replicasets rs apps true ReplicaSet
statefulsets sts apps true StatefulSet
tokenreviews authentication.k8s.io false TokenReview
localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview
selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io false SubjectAccessReview
horizontalpodautoscalers hpa autoscaling true HorizontalPodAutoscaler
cronjobs cj batch true CronJob
jobs batch true Job
certificatesigningrequests csr certificates.k8s.io false CertificateSigningRequest
leases coordination.k8s.io true Lease
events ev events.k8s.io true Event
daemonsets ds extensions true DaemonSet
deployments deploy extensions true Deployment
ingresses ing extensions true Ingress
networkpolicies netpol extensions true NetworkPolicy
podsecuritypolicies psp extensions false PodSecurityPolicy
replicasets rs extensions true ReplicaSet
kuboardlicenses klcs kuboard.cn false KuboardLicense
networkpolicies netpol networking.k8s.io true NetworkPolicy
poddisruptionbudgets pdb policy true PodDisruptionBudget
podsecuritypolicies psp policy false PodSecurityPolicy
clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io false ClusterRole
rolebindings rbac.authorization.k8s.io true RoleBinding
roles rbac.authorization.k8s.io true Role
priorityclasses pc scheduling.k8s.io false PriorityClass
storageclasses sc storage.k8s.io false StorageClass
volumeattachments storage.k8s.io false VolumeAttachment