Kubernetes RBAC - youngperson/study-100 GitHub Wiki
Install cfssl
cfssl makes issuing certificates straightforward. The .crt files kubeadm writes and the .pem files cfssl produces are both PEM-encoded, so they can be used interchangeably (ca.crt can be passed to cfssl as-is).
mac: brew install cfssl
linux: look up the package for your distribution
Issue the client certificate
Because I have the admin /Users/phper/.kube config on my machine, I do the following steps locally.
brew install kubectl
Copy these files from one of the k8s cluster's master nodes to the local machine (into /opt/ssl/); they are needed to sign the certificate
# ssh into a master node
ls /etc/kubernetes
ls /etc/kubernetes/pki
admin.conf (in /etc/kubernetes), ca.key and ca.crt (in /etc/kubernetes/pki), plus ca-config.json (a cfssl signing config; kubeadm does not create it, write it yourself as below)
Note that ca.key is the cluster CA's private key: whoever holds it can mint a certificate for any user or group, including system:masters, which is trusted as cluster-admin outside RBAC. Keep the copy off shared machines and delete it when done, or do the signing on the master instead.
vi ca-config.json
87600h is ten years. The API server checks neither CRLs nor OCSP, so once issued a client certificate stays valid until it expires or the CA is rotated; pick a much shorter expiry for user certificates. "server auth" is not needed for a client-only profile and can be dropped.
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Create devuser-csr.json for devuser's certificate. Kubernetes takes the user name from CN and the group(s) from O, so with the values below devuser becomes a member of the group "k8s". Never put system:masters in O: that group is granted cluster-admin before RBAC is consulted.
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Generate the devuser certificate (run in /opt/ssl, where ca.crt and ca.key were copied); afterwards you have devuser.csr, devuser-key.pem and devuser.pem
$ cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
Generate the kubeconfig
kubeadm already generated admin.conf, so it is reused here as the base and the cluster parameters (server URL, CA) need not be configured by hand. The catch: admin.conf also embeds the kubernetes-admin client certificate and key, and the copy keeps both the kubernetes-admin user entry and the kubernetes-admin@kubernetes context. Before the file is handed to anyone, remove them (kubectl config unset users.kubernetes-admin and kubectl config delete-context kubernetes-admin@kubernetes, both with --kubeconfig pointing at the copy), or build the file from scratch with kubectl config set-cluster instead of copying admin.conf.
cp /opt/ssl/admin.conf /opt/ssl/devuser.kubeconfig
Set the client credentials (--embed-certs=true inlines the certificate and key so the kubeconfig is a single self-contained file)
kubectl config set-credentials devuser --client-certificate=/opt/ssl/devuser.pem --client-key=/opt/ssl/devuser-key.pem --embed-certs=true --kubeconfig=/opt/ssl/devuser.kubeconfig
Set a context, pinning the namespace to one of the cluster's namespaces. Here it is default
kubectl config set-context kubernetes --cluster=kubernetes --user=devuser --namespace=default --kubeconfig=/opt/ssl/devuser.kubeconfig
Make it the default context
kubectl config use-context kubernetes --kubeconfig=/opt/ssl/devuser.kubeconfig
Create the role
Role and RoleBinding are namespaced: they live in one namespace and grant access only there. ClusterRole and ClusterRoleBinding are cluster-wide. Here a Role called pod-reader is created; the built-in admin ClusterRole can serve as a reference for the resource names.
# export the admin ClusterRole (as a reference while writing pod-reader.yaml)
kubectl get clusterrole admin -o yaml > readonly.yaml
Despite its name, the Role below is not read-only: create on pods lets the user launch pods, create on pods/exec and pods/attach is a shell in any container in the namespace, and get/list on secrets reads every Secret there. Trim the rules to what the developers actually need. The scheduledjobs resource and the extensions group are leftovers copied from an older admin role; RBAC does not validate resource names, so they are harmless but grant nothing on current clusters. There is no metadata.namespace, so the Role is created in the namespace of the current context (default).
cat /opt/ssl/pod-reader.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch
kubectl create -f /opt/ssl/pod-reader.yaml
Bind the user
Bind the pod-reader Role to devuser. A RoleBinding is namespaced as well; with no metadata.namespace it is created in default, so despite the name pod-reader-global this binding is valid only in the default namespace.
cat /opt/ssl/devuser-role-bind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader-global
subjects:
- kind: User
  name: devuser # the user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader # the role
  apiGroup: rbac.authorization.k8s.io
kubectl create -f /opt/ssl/devuser-role-bind.yaml
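The Role and RoleBinding above are both namespaced, so granting the same access in prod and test means creating the pair in each namespace. The usual way to avoid copy-pasting the rules is to define them once as a ClusterRole and bind it per namespace with a RoleBinding: a RoleBinding that references a ClusterRole grants those rules only inside the RoleBinding's own namespace, unlike a ClusterRoleBinding. The script below is an added example, not code from this wiki or from Kubernetes. Its rule set is deliberately narrower than the Role above (logs and exec, but no pod creation and no secrets); the user name, the namespaces, and an admin kubeconfig with kubectl for the apply/verify step are assumptions.

```shell
#!/bin/sh
# Added example: one ClusterRole, bound per namespace with RoleBindings.
# A RoleBinding whose roleRef is a ClusterRole grants the rules only in the
# RoleBinding's namespace; it is not a ClusterRoleBinding.

# clusterrole_manifest: read pods and their logs, open exec/attach/port-forward.
# Deliberately no secrets and no pod create/delete (compare the page's Role).
clusterrole_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/exec", "pods/attach", "pods/portforward"]
  verbs: ["create"]
EOF
}

# rolebinding_manifest USER NAMESPACE: bind the ClusterRole to USER in NAMESPACE only.
rolebinding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-$1
  namespace: $2
subjects:
- kind: User
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# rbac_bundle USER NAMESPACE...: one multi-document manifest for "kubectl apply -f -"
rbac_bundle() {
  user=$1; shift
  clusterrole_manifest
  for ns in "$@"; do
    echo '---'
    rolebinding_manifest "$user" "$ns"
  done
}

# apply_and_verify USER NAMESPACE...: needs kubectl and an admin kubeconfig (assumed).
# "kubectl auth can-i --as" impersonates the user, so the grants can be checked
# before the developer's kubeconfig is even handed out. can-i exits 1 on "no",
# hence the "|| :" so a set -e shell keeps going.
apply_and_verify() {
  user=$1; shift
  rbac_bundle "$user" "$@" | kubectl apply -f -
  for ns in "$@"; do
    echo "== $ns"
    kubectl auth can-i get pods --subresource=log --as "$user" -n "$ns" || :  # expect yes
    kubectl auth can-i create pods --subresource=exec --as "$user" -n "$ns" || :  # expect yes
    kubectl auth can-i get secrets --as "$user" -n "$ns" || :  # expect no
    kubectl auth can-i create pods --as "$user" -n "$ns" || :  # expect no
  done
  kubectl auth can-i get pods --as "$user" -n kube-system || :  # expect no: not bound there
}

# Example run (not executed when the file is only sourced):
#   apply_and_verify devuser default prod test
```

Because the ClusterRole is cluster-scoped, adding a namespace later is a single new RoleBinding; the rules themselves are edited in one place. Swapping the subject for kind: Group with the group carried in the certificate's O field binds every developer holding such a certificate at once.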
Edit the devuser.kubeconfig file
The context above is pinned to default. To let the user switch to the cluster's other namespaces, add a context per namespace: copy the block and change name and namespace. A context only selects a namespace on the client side and grants nothing by itself. The Role and RoleBinding above exist only in default, so kubectl in the prod or test contexts gets Forbidden until a Role and RoleBinding (or a RoleBinding to a ClusterRole) are created in those namespaces as well. The kubernetes-admin@kubernetes context inherited from admin.conf is still present here; delete it together with the kubernetes-admin user entry before the file is distributed.
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: devuser
  name: kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    namespace: prod
    user: devuser
  name: kubernetes-prod
- context:
    cluster: kubernetes
    namespace: test
    user: devuser
  name: kubernetes-test
Inspect the config file
kubectl --kubeconfig devuser.kubeconfig config get-contexts
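Putting the certificate and kubeconfig steps together: the script below is an added example (not from this wiki, cfssl or kubectl) that mints a developer kubeconfig without copying admin.conf, so no kubernetes-admin credential ever enters the file, and writes one context per namespace in one go instead of hand-editing the contexts list as above. It also lists the identities a kubeconfig carries, which is the check to run on any file before handing it over. Assumptions: cfssl, cfssljson and the CA files in /opt/ssl are needed only for issue_client_cert; the API server URL https://10.0.0.1:6443, the group name dev and the 720h expiry are illustrative; the sample admin.conf at the end is constructed with placeholder data, not real keys.

```shell
#!/bin/sh
# Added example (not from the wiki): mint a developer kubeconfig from scratch.
# admin.conf embeds the kubernetes-admin client cert and key; a copy of it keeps
# that identity even after a devuser entry is added.

# issue_client_cert SSL_DIR USER GROUP HOURS   (needs cfssl/cfssljson and ca.crt, ca.key)
# Kubernetes reads CN as the user name and O as the group; never put system:masters
# in O, that group bypasses RBAC. The API server checks no CRL/OCSP, so a leaked cert
# is valid until expiry: prefer e.g. 720h (30 days) over the page's 87600h.
issue_client_cert() {
  dir=$1 user=$2 group=$3 hours=$4
  cat > "$dir/ca-config.json" <<EOF
{ "signing": { "default": { "expiry": "${hours}h" },
  "profiles": { "client": { "usages": [ "signing", "key encipherment", "client auth" ],
                            "expiry": "${hours}h" } } } }
EOF
  cat > "$dir/$user-csr.json" <<EOF
{ "CN": "$user", "hosts": [], "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "O": "$group" } ] }
EOF
  cfssl gencert -ca="$dir/ca.crt" -ca-key="$dir/ca.key" -config="$dir/ca-config.json" \
    -profile=client "$dir/$user-csr.json" | cfssljson -bare "$dir/$user"
}

# b64 FILE: base64 on one line (GNU base64 wraps at 76 columns, BSD does not).
b64() { base64 < "$1" | tr -d '\n'; }

# write_kubeconfig SERVER CA_FILE CERT_FILE KEY_FILE USER NAMESPACE...
# Emits a kubeconfig holding only the CA, this user's cert/key and one context per
# namespace, so there is nothing to strip before handing it over.
write_kubeconfig() {
  [ $# -ge 6 ] || { echo "usage: write_kubeconfig SERVER CA CERT KEY USER NS..." >&2; return 1; }
  server=$1 ca=$2 cert=$3 key=$4 user=$5
  shift 5
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$cert")
    client-key-data: $(b64 "$key")
contexts:
EOF
  for ns in "$@"; do
    cat <<EOF
- name: $user@$ns
  context:
    cluster: kubernetes
    user: $user
    namespace: $ns
EOF
  done
  echo "current-context: $user@$1"
}

# kubeconfig_users FILE: the identities a kubeconfig carries. Anything other than
# the developer's own name in a file you are about to hand out is a leak.
kubeconfig_users() {
  awk '/^users:/ { in_users = 1; next }
       /^[A-Za-z]/ { in_users = 0 }
       in_users && /^- name:/ { print $3 }' "$1"
}

# Constructed stand-in for a copied admin.conf after "kubectl config set-credentials
# devuser": the shape is kubeadm's, the data values are placeholders.
sample_copied_admin_conf() {
  cat <<'EOF'
apiVersion: v1
kind: Config
contexts:
- name: kubernetes-admin@kubernetes
  context: {cluster: kubernetes, user: kubernetes-admin}
users:
- name: kubernetes-admin
  user: {client-certificate-data: QURNSU4=, client-key-data: QURNSU4=}
- name: devuser
  user: {client-certificate-data: REVW, client-key-data: REVW}
EOF
}

# Typical run (needs cfssl and the CA key; not executed when the file is only sourced):
#   issue_client_cert /opt/ssl devuser dev 720
#   write_kubeconfig https://10.0.0.1:6443 /opt/ssl/ca.crt /opt/ssl/devuser.pem \
#       /opt/ssl/devuser-key.pem devuser default prod test > /opt/ssl/devuser.kubeconfig
#   kubeconfig_users /opt/ssl/devuser.kubeconfig   # prints only: devuser
```

Run kubeconfig_users against the copied admin.conf from the page and it prints kubernetes-admin as well as devuser, which is exactly the credential the developer must not receive. Because the certificate's O becomes a Kubernetes group, the RoleBindings can target kind: Group dev instead of one User per developer.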
Test
Both commands must use the devuser kubeconfig; without --kubeconfig the second one would run with the admin config from ~/.kube and prove nothing about the new role. The exec in test only succeeds once a Role and RoleBinding exist in that namespace. kubectl auth can-i --list with the devuser kubeconfig shows the complete set of permitted actions per namespace.
kubectl --kubeconfig devuser.kubeconfig --namespace=default logs -f sim-xxx-66ff6ff44d-8j2ls
kubectl --kubeconfig devuser.kubeconfig --namespace=test exec test-xxx-84c585b7c7-k8fsb -it -- /bin/bash
.....