Kubernetes RBAC
ServiceAccount
User – the username and uid
Group – the groups the user belongs to
"extra" – additional information attached to the user
API – whether the request is for an API resource object
Request path – the path of the requested resource (the Kubernetes API is RESTful)
http://Node_IPaddr:6443/apis/apps/v1/namespaces/namespaces_name/resource_name/
curl http://localhost:8080/api/v1/namespaces
Resources within a specified namespace:
curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/
HTTP request verb – the HTTP verbs get, post, put, and delete, used for non-resource requests
API request verb – the HTTP verb mapped to an API resource operation: get, list, create, update, patch, watch, proxy, redirect, delete, and deletecollection, used for resource requests
Resource – the ID or name of the resource being accessed (only for resource requests); for get, update, patch, and delete requests on a resource, the resource name must be provided
Subresource – the subresource being accessed (only for resource requests)
Namespace – the namespace of the object being accessed (only for namespaced resource requests)
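As an added example (it is not part of the original notes), the following Python maps an HTTP verb and request URL to the attributes listed above, modelled on how the API server derives its request info: the API group and version come from the /api or /apis prefix, the namespace, resource, name and subresource from the remaining path segments, and the API verb from the HTTP verb (get becomes list or watch when no object name is present, delete becomes deletecollection). Paths outside /api and /apis are treated as non-resource requests and keep the lowercase HTTP verb. The URLs used are the two from the notes plus constructed ones against the 192.168.57.13 API server address used later.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# HTTP method -> API request verb, before the list/watch/deletecollection refinement.
HTTP_TO_API_VERB = {"POST": "create", "GET": "get", "HEAD": "get",
                    "PUT": "update", "PATCH": "patch", "DELETE": "delete"}


@dataclass
class RequestAttributes:
    http_verb: str
    verb: str                      # API verb for resource requests, lowercase HTTP verb otherwise
    resource_request: bool
    api_group: str = ""            # "" is the core group (/api/v1)
    version: str = ""
    namespace: Optional[str] = None
    resource: Optional[str] = None
    name: Optional[str] = None
    subresource: Optional[str] = None


def parse_request(http_verb: str, url: str) -> RequestAttributes:
    """Derive the authorization attributes of one API request (added example)."""
    http_verb = http_verb.upper()
    split = urlsplit(url)
    parts = [p for p in split.path.split("/") if p]

    # /api/<version>/... is the core group; /apis/<group>/<version>/... is everything else.
    if len(parts) >= 3 and parts[0] == "api":
        api_group, version, rest = "", parts[1], parts[2:]
    elif len(parts) >= 4 and parts[0] == "apis":
        api_group, version, rest = parts[1], parts[2], parts[3:]
    else:
        # /healthz, /version, bare /api discovery, ...: non-resource requests are
        # authorized on the raw path and the lowercase HTTP verb.
        return RequestAttributes(http_verb, http_verb.lower(), False)

    namespace = None
    if rest[0] == "namespaces" and len(rest) > 1:
        namespace = rest[1]
        # Step past "namespaces/<ns>" unless the request targets the namespace
        # object itself (or one of its own subresources, status/finalize).
        if len(rest) > 2 and rest[2] not in ("status", "finalize"):
            rest = rest[2:]

    resource = rest[0]
    name = rest[1] if len(rest) > 1 else None
    subresource = rest[2] if len(rest) > 2 else None

    verb = HTTP_TO_API_VERB.get(http_verb, http_verb.lower())
    if name is None and verb == "get":
        # A collection read is a list, or a watch when ?watch=true is set.
        watch = parse_qs(split.query).get("watch", ["false"])[0].lower() in ("true", "1")
        verb = "watch" if watch else "list"
    if name is None and verb == "delete":
        verb = "deletecollection"
    return RequestAttributes(http_verb, verb, True, api_group, version,
                             namespace, resource, name, subresource)


if __name__ == "__main__":
    for method, url in [
        ("GET", "http://localhost:8080/api/v1/namespaces"),
        ("GET", "http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/"),
        ("DELETE", "https://192.168.57.13:6443/api/v1/namespaces/default/pods/readablepod"),
        ("GET", "https://192.168.57.13:6443/api/v1/namespaces/default/pods/readablepod/log"),
        ("GET", "https://192.168.57.13:6443/healthz"),
    ]:
        print(method, url, "->", parse_request(method, url))
```

Rules such as the pod-reader Role further down are matched against exactly these attributes (verb, API group, resource/subresource, name, namespace), so knowing how a URL is decomposed tells you which rule a given kubectl call needs.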
Creating a ServiceAccount
[root@node1 pv]# kubectl create sa mysa
serviceaccount/mysa created
[root@node1 pv]# kubectl get sa
NAME SECRETS AGE
default 1 2d11h
mysa 1 6s
[root@node1 pv]# kubectl get secret
NAME TYPE DATA AGE
default-token-t5mqv kubernetes.io/service-account-token 3 2d11h
mysa-token-khp58 kubernetes.io/service-account-token 3 10s
Specifying the ServiceAccount a pod should use
spec:
  serviceAccountName: mysa
This requires serviceAccountName to be set in the Pod spec, and the service account must already have been created (via the API, kubectl create serviceaccount, etc.). For example, in the "default" namespace, grant the "my-sa" service account the "view" cluster role:
kubectl create rolebinding my-sa-view \
--clusterrole=view \
--serviceaccount=default:my-sa \
--namespace=default
RBAC
Creating the PEM files (client certificate and key)
[root@node1 ssl]# cat cl0411-csr.json
{
  "CN": "cl0411",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes cl0411-csr.json | cfssljson -bare cl0411
Creating the cl0411.kuberconfig file
[root@node1 ssl]# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.57.13:6443 --kubeconfig=cl0411.kuberconfig
Cluster "kubernetes" set.
[root@node1 ssl]# kubectl config set-credentials cl0411 --client-key=cl0411-key.pem --client-certificate=cl0411.pem --embed-certs=true --kubeconfig=cl0411.kuberconfig
User "cl0411" set.
[root@node1 ssl]# kubectl config set-context cl0411@kubernetes --cluster=kubernetes --user=cl0411 --kubeconfig=cl0411.kuberconfig
Context "cl0411@kubernetes" created.
[root@node1 ssl]# kubectl config use-context cl0411@kubernetes --kubeconfig=cl0411.kuberconfig
Switched to context "cl0411@kubernetes".
View it
[root@node1 ssl]# kubectl config view --kubeconfig=cl0411.kuberconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.57.13:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cl0411
  name: default
current-context: cl0411@kubernetes
kind: Config
preferences: {}
users:
- name: cl0411
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Creating a Role
kubectl create role pod-reader --verb=get,list,watch --resource=pods --resource-name=readablepod --dry-run -o yaml>role-demo.yaml
kubectl create clusterrole creates a ClusterRole; it works the same way as creating a Role.
[root@node1 ~]# kubectl apply -f role-demo.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@node1 ~]# kubectl get role
NAME AGE
pod-reader 4s
Creating a RoleBinding
Bind the user (the user itself does not need to be created as an object):
kubectl create rolebinding cl0411-read-pods --role=pod-reader --user=cl0411 --dry-run -o yaml >rolebinding-demo.yaml
kubectl create clusterrolebinding creates a ClusterRoleBinding; it works the same way as creating a RoleBinding.
A RoleBinding can reference either --role or --clusterrole, but when it references a ClusterRole the granted permissions are scoped down to the RoleBinding's namespace, so the ClusterRole is effectively downgraded to a Role.
[root@node1 ~]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/cl0411-read-pods created
[root@node1 ~]# kubectl get rolebinding
NAME AGE
cl0411-read-pods 14s
Verification
kubectl --kubeconfig=cl0411.kuberconfig get pods -o wide
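The following Python is an added example, not code from the original notes, that models the RBAC decision for the objects created above: the pod-reader Role restricted to resourceNames readablepod, the RoleBinding cl0411-read-pods, a constructed ClusterRole bound through a RoleBinding to show the namespace scoping described above, and the bootstrap ClusterRoleBinding that every cluster ships with, binding the group system:masters to cluster-admin. Two points the verification step alone does not reveal: with a client certificate, the CN becomes the user name and each O becomes a group, so the CSR above (O = system:masters) makes cl0411 a cluster admin and the final kubectl call succeeds whether or not the pod-reader binding exists; and a bare `get pods` is a list request that carries no object name, so a rule limited by resourceNames does not match it (only `get pods readablepod` does). All users, groups and the pods-view role other than those in the notes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]
    resource_names: Set[str] = field(default_factory=set)


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None      # None means ClusterRole


@dataclass
class Binding:
    role: Role
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    namespace: Optional[str] = None      # None means ClusterRoleBinding


@dataclass
class Request:
    user: str
    groups: Set[str]
    verb: str
    resource: str
    api_group: str = ""
    namespace: Optional[str] = None
    name: Optional[str] = None


def rule_allows(rule: Rule, req: Request) -> bool:
    """Every field must match. An empty resourceNames matches any object; a
    non-empty one requires the request to name one of the listed objects, so a
    bare list or watch (no name) is never matched by such a rule."""
    return (("*" in rule.verbs or req.verb in rule.verbs)
            and ("*" in rule.api_groups or req.api_group in rule.api_groups)
            and ("*" in rule.resources or req.resource in rule.resources)
            and (not rule.resource_names or req.name in rule.resource_names))


def is_allowed(bindings: List[Binding], req: Request) -> bool:
    for binding in bindings:
        if req.user not in binding.users and not (req.groups & binding.groups):
            continue
        # A RoleBinding grants only inside its own namespace, even when the role
        # it references is a ClusterRole; a ClusterRoleBinding has no such limit.
        if binding.namespace is not None and binding.namespace != req.namespace:
            continue
        if any(rule_allows(rule, req) for rule in binding.role.rules):
            return True
    return False   # RBAC is deny by default: no matching rule, no access


# Constructed objects modelled on the notes above.
CLUSTER_ADMIN = Role("cluster-admin", [Rule({"*"}, {"*"}, {"*"})])
POD_READER = Role("pod-reader",
                  [Rule({""}, {"pods"}, {"get", "list", "watch"}, {"readablepod"})],
                  namespace="default")
PODS_VIEW = Role("pods-view", [Rule({""}, {"pods"}, {"get", "list", "watch"})])  # ClusterRole

BINDINGS = [
    # Bootstrap binding present in every cluster: group system:masters -> cluster-admin.
    Binding(CLUSTER_ADMIN, groups={"system:masters"}),
    # rolebinding cl0411-read-pods from the notes (namespace default).
    Binding(POD_READER, users={"cl0411"}, namespace="default"),
    # RoleBinding that references a ClusterRole: valid only inside "default".
    Binding(PODS_VIEW, users={"dev"}, namespace="default"),
]


def can(user: str, groups: Set[str], verb: str, resource: str,
        namespace: Optional[str] = None, name: Optional[str] = None,
        api_group: str = "") -> bool:
    return is_allowed(BINDINGS, Request(user, groups, verb, resource, api_group, namespace, name))


if __name__ == "__main__":
    # cl0411 with the certificate from the notes (O=system:masters): everything allowed.
    print(can("cl0411", {"system:masters"}, "delete", "nodes"))                  # True
    # The same user name with only the pod-reader binding.
    print(can("cl0411", set(), "get", "pods", "default", "readablepod"))         # True
    print(can("cl0411", set(), "get", "pods", "kube-system", "readablepod"))     # False
    print(can("cl0411", set(), "get", "pods", "default", "otherpod"))            # False
    print(can("cl0411", set(), "list", "pods", "default"))                       # False
    # ClusterRole bound by a RoleBinding is confined to the binding's namespace.
    print(can("dev", set(), "list", "pods", "default"), can("dev", set(), "list", "pods", "kube-system"))  # True False
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --namespace default --as cl0411`, which evaluates the user without the system:masters group the certificate carries; to have the pod-reader binding be what actually governs cl0411, issue the certificate with an O other than system:masters.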