Kubernetes in Practice (29): Using Kubernetes RBAC to Give Different Users Different Permissions in Different Namespaces

    1. Overview

      Once Kubernetes is used in production, most applications become highly available, which lowers maintenance cost and simplifies deployment, but it also brings new problems. For example, developers may need to check the state of their own applications, look at connection information and logs, or run commands inside them.

      With Kubernetes the unit of deployment is the Pod rather than the server, so developers can no longer simply log in to a machine and operate there. The official Kubernetes Dashboard does allow basic operations such as viewing logs and executing commands, but as an operator you do not want developers to see or touch Pods outside their own scope. That is where RBAC comes in.

      This article covers two things:

      • logging in to the Dashboard with a username and password
      • restricting logged-in users to the Pods of their own Namespace, so they cannot enter Namespaces they are not authorized for

    2. Change the Dashboard authentication mode

      To make it convenient for developers and operators to log in to the Dashboard, switch the Dashboard to username/password authentication (password and token login can be enabled at the same time).

      With Ratel, change --authentication-mode of the kubernetes-dashboard Deployment to basic; without Ratel, do the same with kubectl edit. The Dashboard Pods restart automatically after the change. In basic mode the Dashboard simply forwards the entered credentials to the API server, so it only works if the API server itself accepts them.

      Next, add --basic-auth-file=/etc/kubernetes/basic_auth_file to the kube-apiserver configuration. Two caveats before copying this: the static password file is read once at startup (edit it, then restart kube-apiserver), and it holds passwords in plain text on the control-plane node, so restrict its file permissions. The --basic-auth-file flag was deprecated in Kubernetes 1.16 and removed in 1.19; on newer clusters use another authenticator (client certificates, OIDC, or bearer tokens with the Dashboard's token mode). The RBAC configuration in the following sections does not depend on how the user is authenticated, only on the username and groups the authenticator reports.

      basic_auth_file stores the accounts and passwords in the following format:

    xxx1_2019,xxx1,3,"system:authentication"
    xxx2_2019,xxx2,4,"system:authentication"
    xxx3_2019,xxx3,5,"system:authentication"
    xxx4_2019,xxx4,6,"system:authentication"

      The columns are, in order: password, username, user ID, and group(s). Because the logged-in users are granted permissions below, the group is set to system:authentication; change it as needed. Note that this is a custom group name chosen for this setup, not the built-in system:authenticated group that the API server attaches to every authenticated user; do not confuse the two when writing bindings.

    3. Add default permissions

      First allow the system:authentication group to list namespaces. This is needed because entering a specific namespace in the Dashboard requires being able to list the namespaces of the cluster. Since this is a ClusterRoleBinding it applies cluster-wide: every member of the group can see the names of all namespaces (but nothing inside them). The labels and autoupdate annotation in the manifest were copied from the built-in roles and are not needed on a custom role; in particular, rbac.authorization.k8s.io/aggregate-to-edit: "true" also merges these rules into the built-in edit ClusterRole, so drop it unless that is intended.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
      name: ratel-namespace-readonly
    rules:
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ratel-namespace-readonly
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: ratel-namespace-readonly
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:authentication

      Create the read-only permission for resources inside a namespace. Note that secrets are deliberately absent from the list, but pods/log is present; application logs often contain credentials and personal data, so log access should be treated as sensitive.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ratel-resource-readonly
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - extensions
      resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      verbs:
      - get
      - list
      - watch

      Create the pod exec permission. Be clear about what create on pods/exec grants: a shell inside any Pod of the namespace, with that Pod's mounted Secrets and ServiceAccount token, and on a privileged or hostPath Pod this is effectively access to the node. Bind it only in namespaces where the user may legitimately control every workload. (The list verb on pods/log has no effect; reading a log is a get on the subresource.)

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ratel-pod-exec
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      - pods/log
      verbs:
      - get
      - list
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create

      Create the pod delete permission. Deleting a Pod owned by a Deployment or StatefulSet just makes the controller recreate it, which is usually the intent (a restart); a bare Pod is gone for good.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ratel-pod-delete
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - delete

      Once these roles exist, binding the right user to the right role in the right namespace is all that is needed to give different users different permissions in different namespaces.

      Readers unfamiliar with RBAC can refer to https://www.cnblogs.com/dukuan/p/9948063.html

      or to chapter 2 of the book 《再也不踩坑的Kubernetes实战指南》.

    4. Configure permissions


      Example: a user named java7 needs access to the resources in the default namespace and must be able to execute commands in containers and view logs.

      Before any permission is added, the user cannot see anything.

      Configure the permissions:

        Method 1: one-click configuration with Ratel. Select the cluster, Namespace and username, tick the permissions, and click create.

         After the bindings are created, log in again; the information in that Namespace is now visible.

        Viewing logs:


         Executing a command:


        Resources in other namespaces remain invisible to the user.


        Method 2: configure with YAML files

        When permissions are configured through Ratel, it creates the corresponding RoleBindings in the target namespace, as shown here:

    [root@k8s-master01 ~]# kubectl get rolebinding 
    NAME                            AGE
    gitlab                          112d
    ratel-pod-delete-java7          11m
    ratel-pod-exec-java7            11m
    ratel-resource-readonly-java7   11m

        Their content is as follows:

    ource-readonly-java7 -o yaml
    apiVersion: v1
    items:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        creationTimestamp: "2019-12-03T07:34:24Z"
        name: ratel-pod-delete-java7
        namespace: default
        resourceVersion: "35887290"
        selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-java7
        uid: 547f5d42-159f-11ea-b1b5-001e674e3dd6
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ratel-pod-delete
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: java7
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        creationTimestamp: "2019-12-03T07:34:24Z"
        name: ratel-pod-exec-java7
        namespace: default
        resourceVersion: "35887289"
        selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-java7
        uid: 547c5768-159f-11ea-b1b5-001e674e3dd6
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ratel-pod-exec
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: java7
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        creationTimestamp: "2019-12-03T07:34:24Z"
        name: ratel-resource-readonly-java7
        namespace: default
        resourceVersion: "35887288"
        selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-java7
        uid: 5476577f-159f-11ea-b1b5-001e674e3dd6
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ratel-resource-readonly
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: java7
    kind: List
    metadata:
      resourceVersion: ""
      selfLink: ""

        Without Ratel, apply the RoleBindings above (minus the server-populated fields creationTimestamp, resourceVersion, selfLink and uid) in the target namespace to get the same result. Each RoleBinding references a ClusterRole but lives in the default namespace, so the rules apply only there; this is what keeps java7 out of the other namespaces.

         The above only covers permissions on commonly used resources; other permissions are configured in the same way.

         Installation of Ratel, the multi-cluster Kubernetes resource management platform, is documented at https://github.com/dotbalo/ratel-doc
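        As an added example (not code from the original post or from Ratel), the following Python script models the pieces of this setup offline: it parses basic_auth_file entries in the format of section 2, holds the ClusterRoles of section 3 together with the group ClusterRoleBinding, generates the per-user RoleBindings of this section, and runs a simplified RBAC decision over them. The ratel-resource-readonly rules are trimmed to a few entries, the authorizer ignores resourceNames and nonResourceURLs, and the java7 entry in the password file is constructed for the example.

```python
"""Offline model of this page's RBAC setup: basic_auth_file entries, the ClusterRoles
of section 3, the group ClusterRoleBinding and the per-user RoleBindings of section 4.
Added example, not code from the post or from Ratel; the authorizer is simplified."""
import csv, io
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # "" is the core API group
    resources: tuple   # may include subresources such as "pods/exec"
    verbs: tuple

# ClusterRoles from section 3 (ratel-resource-readonly trimmed to a few entries).
CLUSTER_ROLES = {
    "ratel-namespace-readonly": [
        Rule(("",), ("namespaces",), ("get", "list", "watch")),
        Rule(("metrics.k8s.io",), ("pods",), ("get", "list", "watch")),
    ],
    "ratel-resource-readonly": [
        Rule(("",), ("configmaps", "endpoints", "pods", "pods/log", "services"), ("get", "list", "watch")),
        Rule(("apps",), ("deployments", "replicasets", "statefulsets"), ("get", "list", "watch")),
    ],
    "ratel-pod-exec": [
        Rule(("",), ("pods", "pods/log"), ("get", "list")),
        Rule(("",), ("pods/exec",), ("create",)),
    ],
    "ratel-pod-delete": [Rule(("",), ("pods",), ("get", "list", "delete"))],
}

@dataclass(frozen=True)
class Binding:
    role: str                 # name of a ClusterRole above
    subject_kind: str         # "User" or "Group"
    subject: str
    namespace: Optional[str]  # None means ClusterRoleBinding (cluster-wide)

# Section 3's ClusterRoleBinding: every member of the custom group may list namespaces.
GROUP_BINDINGS = [Binding("ratel-namespace-readonly", "Group", "system:authentication", None)]
USER_ROLES = ("ratel-resource-readonly", "ratel-pod-exec", "ratel-pod-delete")

def parse_basic_auth_file(text):
    """Parse 'password,username,uid,"group1,group2"' lines into {username: groups}.
    system:authenticated is appended: the apiserver adds it to every authenticated user."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError(f"expected password,username,uid[,groups]: {row}")
        if row[1] in users:
            raise ValueError(f"duplicate username in basic_auth_file: {row[1]}")
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[row[1]] = groups + ["system:authenticated"]
    return users

def rolebindings_for(user, namespace, roles=USER_ROLES):
    """The RoleBindings section 4 creates for one user in one namespace. A RoleBinding may
    reference a ClusterRole; the grant then applies only inside the binding's namespace."""
    return [Binding(role, "User", user, namespace) for role in roles]

def _rule_allows(rule, api_group, resource, verb):
    return ((api_group in rule.api_groups or "*" in rule.api_groups)
            and (resource in rule.resources or "*" in rule.resources)
            and (verb in rule.verbs or "*" in rule.verbs))

def can_i(user, groups, verb, resource, namespace=None, api_group="", bindings=()):
    """Simplified RBAC decision: a binding applies when its subject is the user or one of
    the user's groups and, for a RoleBinding, when its namespace is the request namespace.
    Cluster-scoped requests (namespace=None) only see ClusterRoleBindings. Default is deny."""
    for b in bindings:
        subject_ok = ((b.subject_kind == "User" and b.subject == user)
                      or (b.subject_kind == "Group" and b.subject in groups))
        if not subject_ok or (b.namespace is not None and b.namespace != namespace):
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in CLUSTER_ROLES[b.role]):
            return True
    return False

def demo():
    """The java7 / default case from section 4, plus requests that must be denied."""
    # Constructed basic_auth_file entry in the page's format: password,username,uid,groups.
    groups = parse_basic_auth_file('xxx7_2019,java7,7,"system:authentication"\n')["java7"]
    b = GROUP_BINDINGS + rolebindings_for("java7", "default")
    return {
        "list namespaces cluster-wide": can_i("java7", groups, "list", "namespaces", bindings=b),
        "exec into a pod in default": can_i("java7", groups, "create", "pods/exec", "default", bindings=b),
        "exec into a pod in kube-system": can_i("java7", groups, "create", "pods/exec", "kube-system", bindings=b),
        "read secrets in default": can_i("java7", groups, "get", "secrets", "default", bindings=b),
        "delete a deployment in default": can_i("java7", groups, "delete", "deployments", "default", "apps", bindings=b),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{('yes' if allowed else 'no'):>3}  {check}")
```

        Running it shows that java7 can list namespaces cluster-wide (through the group binding) and exec into Pods in default, but not in kube-system, and cannot read Secrets or delete Deployments even in default. On a real cluster the API server's own authorizer answers the same questions through impersonation, for example kubectl auth can-i create pods --subresource=exec -n default --as java7 --as-group system:authentication, and kubectl auth can-i --list -n default --as java7 prints everything the bindings grant; run the check against a namespace the user must not have as well.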

Original article: https://www.cnblogs.com/dukuan/p/11976406.html