【K8s】²安全认证---授权管理
授权:授权发生在认证成功后,通过认证就可以知道请求用户是谁, 然后Kubernetes会根据事先定义的授权策略来决定用户是否有权限访问。
>我们首先先查看以下指定命名空间下的pod,svc
目录
创建一个只能管理ddd空间下Pod资源的账号
1.创建账号
2.切换账户
3.创建role.yaml文件为devman授权
4.切换账户再次验证
5.扩展
创建一个只能管理ddd空间下Pod资源的账号
1.创建账号
# 1.创建证书
[root@k8s-master ~]# cd /etc/kubernetes/pki/
[root@k8s-master pki]# (umask 077;openssl genrsa -out devman.key 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
.................+++
e is 65537 (0x10001)
# 2.1签名申请,申请用户是:devman;申请组:devgroup
[root@k8s-master pki]# openssl req -new -key devman.key -out devman.csr -subj "/CN=devman/O=devgroup"
# 2.2签署证书
[root@k8s-master pki]# openssl x509 -req -in devman.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out devman.crt -days 3650
Signature ok
subject=/CN=devman/O=devgroup
Getting CA Private Key
# 3.设置集群、用户、上下文信息(自己主机ip)
# 设置集群
[root@k8s-master pki]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.171.160:6443
Cluster "kubernetes" set.
# 设置用户
[root@k8s-master pki]# kubectl config set-credentials devman --embed-certs=true --client-certificate=/etc/kubernetes/pki/devman.crt --client-key=/etc/kubernetes/pki/devman.key
User "devman" set.
# 设置上下文
[root@k8s-master pki]# kubectl config set-context devman@kubernetes --cluster=kubernetes --user=devman
Context "devman@kubernetes" created.
2.切换账户
切换到devman账户
# 切换到devman账户
[root@k8s-master pki]# kubectl config use-context devman@kubernetes
Switched to context "devman@kubernetes".查看dev下的pod,发现没有权限
切换到admin账户
[root@k8s-master pki]# kubectl config use-context kubernetes-admin@kubernetes
# 再次查看pod发现可以看到东西
kubectl get pod -n dev
3.创建role.yaml文件为devman授权
RBAC基于角色的访问控制,作用:给哪些对象授予了哪些权限
# Role只能对命名空间内的资源进行授权,需要指定nameapce
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: dev
name: dev-role
rules:
- apiGroups: [""] # 支持的API组列表,"" 空字符串,表示核心API群
resources: ["pods"] # 支持的资源对象列表
verbs: ["get"] # 允许的对资源对象的操作方法列表
---
# RoleBinding可以将同一namespace中的subject绑定到某个Role下,则此subject即具有该Role定义的权限
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: authorization-role-binding
namespace: dev
subjects:
- kind: User
name: devman
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: dev-role
apiGroup: rbac.authorization.k8s.io[root@k8s-master pki]# kubectl create -f role.yaml
role.rbac.authorization.k8s.io/dev-role created
rolebinding.rbac.authorization.k8s.io/authorization-role-binding created
[root@k8s-master pki]# kubectl config use-context devman@kubernetes
Switched to context "devman@kubernetes".
4.切换账户再次验证
# 切换到devman账户
[root@k8s-master pki]# kubectl config use-context devman@kubernetes
Switched to context "devman@kubernetes".
# 再次查看pod
[root@k8s-master pki]# kubectl get pod -n dev
5.扩展
-
apiGroups: 支持的API组列表
"","apps", "autoscaling", "batch"-
resources:支持的资源对象列表
"services", "endpoints", "pods","secrets","configmaps","crontabs","deployments","jobs",
"nodes","rolebindings","clusterroles","daemonsets","replicasets","statefulsets",
"horizontalpodautoscalers","replicationcontrollers","cronjobs"-
verbs:对资源对象的操作方法列表
"get", "list", "watch", "create", "update", "patch", "delete", "exec"