k8s中的认证授权
目次一、kubernetes API 访问控制
1.1 UserAccount与ServiceAccount
1.1.1 ServiceAccount
1.1.2 ServiceAccount示例
二、认证(在k8s中创建认证用户)
2.1 创建UserAccount
2.2 RBAC(Role Based Access Control)
2.2.1 基于脚色访问控制授权:
2.2.2 role授权实行
2.2.3 clusterrole授权实行
2.2.4 服务账户的自动化
一、kubernetes API 访问控制
Authentication(认证)
[*] 认证方式现共有8种,可以启用一种或多种认证方式,只要有一种认证方式通过,就不再进行别的方式的认证。通常启用X509 Client Certs和Service Accout Tokens两种认证方式。
[*] Kubernetes集群有两类用户:由Kubernetes管理的Service Accounts (服务账户)和(Users Accounts) 普通账户。k8s中账号的概念不是我们理解的账号,它并不真的存在,它只是形式上存在。
Authorization(授权)
[*] 必须经过认证阶段,才到授权请求,根据全部授权策略匹配请求资源属性,决定允许或拒绝请求。授权方式现共有6种,AlwaysDeny、AlwaysAllow、ABAC、RBAC、Webhook、Node。默认集群逼迫开启RBAC。
Admission Control(准入控制)
[*] 用于拦截请求的一种方式,运行在认证、授权之后,是权限认证链上的最后一环,对请求API资源对象进行修改和校验。
1.1 UserAccount与ServiceAccount
[*] 用户账户是针对人而言的。 服务账户是针对运行在 pod 中的历程而言的。
[*] 用户账户是全局性的。 其名称在集群各 namespace 中都是全局唯一的,未来的用户资源不会做 namespace 隔离, 服务账户是 namespace 隔离的。
[*] 集群的用户账户可能会从企业数据库进行同步,其创建需要特殊权限,并且涉及到复杂的业务流程。 服务账户创建的目的是为了更轻量,允许集群用户为了具体的任务创建服务账户 ( 即权限最小化原则 )。
1.1.1 ServiceAccount
[*] 服务账户控制器(Service account controller)
[*] 服务账户管理器管理各命名空间下的服务账户
[*] 每个活跃的命名空间下存在一个名为 “default” 的服务账户
[*] 服务账户准入控制器(Service account admission controller)
[*] 相似pod中 ServiceAccount默认设为 default。
[*] 保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
[*] 假如pod不包含ImagePullSecrets设置那么ServiceAccount中的ImagePullSecrets 被添加到pod中
[*] 将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中
[*] 将一个包含用于 API 访问的 token 的 volume 添加到 pod 中
1.1.2 ServiceAccount示例
创建名字为admin的ServiceAccount
# kubectl create sa xiaoding
serviceaccount/xiaoding created
# kubectl describe sa xiaoding
Name: xiaoding
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets:<none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
# 创建secrets
# kubectl create secret docker-registry docker-login --docker-username admin --docker-password 123456 --docker-server reg.timingding.org --docker-email ding@timingding.org
secret/docker-login created
#
# kubectl get secrets
NAME TYPE DATA AGE
auth-web Opaque 1 18h
docker-login kubernetes.io/dockerconfigjson 1 81s
my-docker-auth kubernetes.io/dockerconfigjson 1 16h
userlist Opaque 4 16h
web-tls-secret kubernetes.io/tls 2 18h
# kubectl describe secrets docker-login
Name: docker-login
Namespace: default
Labels: <none>
Annotations:<none>
Type:kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson:129 bytes
# 将secrets注入到sa中
也可以直接指定到默认的default认证服务中
# kubectl edit sa xiaoding
apiVersion: v1
imagePullSecrets:
- name: docker-login #添加这个,让它读取我们创建的secrets的资源
kind: ServiceAccount
metadata:
creationTimestamp: "2024-09-10T08:07:01Z"
name: xiaoding
namespace: default
resourceVersion: "123878"
uid: ba37d6ca-ecd7-4526-b957-b439c5e139c1
# kubectl describe sa xiaoding
Name: xiaoding
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets:docker-login #注入资源了
Mountable secrets: <none>
Tokens: <none>
Events: <none>
# 测试,拉取私有仓库中私有的镜像
没有注sa认证的default:
# kubectl run testpod --image reg.timingding.org/ding/nginx
pod/testpod created
镜像拉取不到:
# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 0/1 ImagePullBackOff 0 8s
给default注入sa:
# kubectl edit sa default
apiVersion: v1
imagePullSecrets: #添加创建的sa认证
- name: docker-login
kind: ServiceAccount
metadata:
creationTimestamp: "2024-09-09T02:34:53Z"
name: default
namespace: default
resourceVersion: "125663"
uid: 4806e111-b158-4e0b-8b6f-efdc8b0f939c
再次去拉取镜像使用:
# kubectl run testpod --image reg.timingding.org/ding/nginx
pod/testpod created
此时就可以拉取,并使用了:
# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 4s
取消认证之后又会拉取不到
也可以在yaml文件中设定:
# vim example1.yml
apiVersion: v1
kind: Pod
metadata:
name: testpod
spec:
serviceAccountName: xiaoding
containers:
- image: reg.timingding.org/ding/nginx:latest
name: testpod
# kubectl apply -f example1.yml
pod/testpod created
# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 2s
这样也是可以的 二、认证(在k8s中创建认证用户)
2.1 创建UserAccount
查看有本身k8s中的用户:
# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.25.254.100:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
#
k8s中的认证文件位置:
# cd /etc/kubernetes/pki/
# ls
apiserver.crt etcd
apiserver-etcd-client.crt front-proxy-ca.crt
apiserver-etcd-client.key front-proxy-ca.key
apiserver.key front-proxy-client.crt
apiserver-kubelet-client.crtfront-proxy-client.key
apiserver-kubelet-client.keysa.key
ca.crt sa.pub
ca.key
#
建立认证key:
# openssl genrsa -out timingding.key 2048
#
建立证书:
# openssl req-new -key timingding.key -out timingding.csr -subj "/CN=timingding"
# openssl x509 -req-in timingding.csr -CA ca.crt -CAkey ca.key -CAcreateserial-out timingding.crt -days 365
Certificate request self-signature ok
subject=CN = timingding
#
查看证书:
# openssl x509 -in timingding.crt -text -noout
#建立k8s中的用户
# kubectl config set-credentials timingding --client-certificate /etc/kubernetes/pki/timingding.crt --client-key /etc/kubernetes/pki/timingding.key --embed-certs=true #相当于把证书写到了 /etc/kubernetes/admin.conf里面
User "timingding" set.
#
# cat /etc/kubernetes/admin.conf
现在就能看到你新创建的用户:
# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.25.254.100:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
- name: timingding
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
#
映射用户名,为用户名创建集群的安全上下文
# kubectl config set-context timingding@kubernetes --cluster kubernetes --user timingding
Context "timingding@kubernetes" created.
#
切换用户,用户在集群中只有用户身份没有授权:
# kubectl config use-context timingding@kubernetes
Switched to context "timingding@kubernetes".
#
现在看不到资源,因为还没用通过授权:
# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "timingding" cannot list resource "pods" in API group "" in the namespace "default"
# 2.2 RBAC(Role Based Access Control)
2.2.1 基于脚色访问控制授权:
[*] 允许管理员通过Kubernetes API动态配置授权策略。RBAC就是用户通过脚色与权限进行关联。
[*] RBAC只有授权,没有拒绝授权,所以只需要界说允许该用户做什么即可
[*] RBAC的三个根本概念
[*] Subject:被作用者,它表示k8s中的三类主体, user, group, serviceAccount
[*] Role:脚色,它其实是一组规则,界说了一组对 Kubernetes API 对象的操作权限。
[*] RoleBinding:界说了“被作用者”和“脚色”的绑定关系
[*] RBAC包罗四种类型:Role、ClusterRole、RoleBinding、ClusterRoleBinding
[*] Role 和 ClusterRole
[*] Role是一系列的权限的集合,Role只能授予单个namespace 中资源的访问权限。
[*] ClusterRole 跟 Role 类似,但是可以在集群中全局使用。
[*] Kubernetes 还提供了四个预先界说好的 ClusterRole 来供用户直接使用
[*] cluster-amdin、admin、edit、view
2.2.2 role授权实行
# kubectl create role myrole --dry-run=client --verb=get --resource pods -o yaml > myrole.yml
#
#
# vim myrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: myrole
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- create
- update
- path
- delete
# kubectl apply -f myrole.yml
role.rbac.authorization.k8s.io/myrole created
# kubectl describe role myrole
Name: myrole
Labels: <none>
Annotations:<none>
PolicyRule:
ResourcesNon-Resource URLsResource NamesVerbs
---------------------------------------------
pods [] []
建立角色绑定:
# kubectl create rolebinding timingding --role myrole --namespace default --user xiaoding --dry-run=client -o yaml > rolebinding-myrole.yml
#
# vim rolebinding-myrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: timingding
namespace: default #角色绑定必须要指定namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: myrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: timingding
# kubectl apply -f rolebinding-myrole.yml
rolebinding.rbac.authorization.k8s.io/xiaoding created
# kubectl get rolebindings.rbac.authorization.k8s.io xiaoding
NAME ROLE AGE
xiaoding Role/myrole 14s
#
切换用户测试授权:
# kubectl config use-context timingding@kubernetes
Switched to context "timingding@kubernetes".
# kubectl get pods
No resources found in default namespace.
#
只授权了pod:
# kubectl run testpod --image myapp:v1
pod/testpod created
# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 6s
# 2.2.3 clusterrole授权实行
# kubectl create clusterrole myclusterrole --resource=deployment --verb get --dry-run=client -o yaml > myclusterrole.yml
#
#
#
# vim myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: myclusterrole
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- create
- update
- path
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- create
- update
- path
- delete
# kubectl apply -f myclusterrole.yml
clusterrole.rbac.authorization.k8s.io/myclusterrole created
# kubectl describe clusterrole myclusterrole
Name: myclusterrole
Labels: <none>
Annotations:<none>
PolicyRule:
Resources Non-Resource URLsResource NamesVerbs
--------- ------------------------------------
pods [] []
deployments.apps[] []
#
建立集群绑定角色:
# kubectl create clusterrolebindingclusterrolebind-myclusterrole --clusterrole myclusterrole--user timingding --dry-run=client -o yaml > clusterrolebind-myclusterrole.yml
# vim clusterrolebind-myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: clusterrolebind-myclusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: timingding
# kubectl describe clusterrolebindings.rbac.authorization.k8s.io clusterrolebind-myclusterrole
Name: clusterrolebind-myclusterrole
Labels: <none>
Annotations:<none>
Role:
Kind:ClusterRole
Name:myclusterrole
Subjects:
KindName Namespace
-------- ---------
Usertimingding
#
测试:
# kubectl config use-context timingding@kubernetes
Switched to context "timingding@kubernetes".
# kubectl get pods-A
# kubectl get deployments.apps -A
# kubectl get svc -A
Error from server (Forbidden): services is forbidden: User "timingding" cannot list resource "services" in API group "" at the cluster scope
#
切换为原来用户:
# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
# 资源回收:
资源回收:
# ls
clusterrolebind-myclusterrole.ymlmyclusterrole.ymlrolebinding-myrole.yml
# kubectl delete -f clusterrolebind-myclusterrole.yml
clusterrolebinding.rbac.authorization.k8s.io "clusterrolebind-myclusterrole" deleted
# kubectl delete -f myclusterrole.yml
clusterrole.rbac.authorization.k8s.io "myclusterrole" deleted
# kubectl delete -f rolebinding-myrole.yml
rolebinding.rbac.authorization.k8s.io "timingding" deleted
# cd
# kubectl delete -f myrole.yml
role.rbac.authorization.k8s.io "myrole" deleted
2.2.4 服务账户的自动化
服务账户准入控制器(Service account admission controller)
[*] 假如该 pod 没有 ServiceAccount 设置,将其 ServiceAccount 设为 default。
[*] 保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
[*] 假如 pod 不包含 ImagePullSecrets 设置,那么 将 ServiceAccount 中的 ImagePullSecrets 信息添加到 pod 中。
[*] 将一个包含用于 API 访问的 token 的 volume 添加到 pod 中。
[*] 将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中。
服务账户控制器(Service account controller)
服务账户管理器管理各命名空间下的服务账户,并且保证每个活跃的命名空间下存在一个名为 “default” 的服务账户
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]