zoukankan      html  css  js  c++  java
  • Openshift 用户,角色和RBAC

    OCP中的权限管理沿用的Kubernetes RBAC机制,授权模式主要取决于下面几个因数

    Rules

    针对主要对象的操作权限,比如建立Pod

    Sets of permitted verbs on a set of objects. For example, whether something can create pods.

    Roles

    一系列的Rules的集合,用户和组能关联这些Roles

    Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.

    Bindings

    用户和组针对角色的关联

    Associations between users and/or groups with a role.

    RBAC分成两种,一种是集群范围内的,叫做Cluster RBAC,一种是项目范围内的,叫Local RBAC,官方定义如下

    Cluster RBAC

    Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.

    Local RBAC

    Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

    而当前的Cluster Role包括如下:

    Default Cluster RoleDescription

    admin

    A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.

    basic-user

    A user that can get basic information about projects and users.

    cluster-admin

    A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

    cluster-status

    A user that can get basic cluster status information.

    edit

    A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.

    self-provisioner

    A user that can create their own projects.

    view

    A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

    下面实际操作一下加深理解。

    • 添加用户
    htpasswd /etc/origin/master/htpasswd  eric
    
    htpasswd /etc/origin/master/htpasswd  alice
    • 查看用户

    首先需要以管理员身份登录

    [root@master ~]# oc login -u system:admin
    Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.
    
    You have access to the following projects and can switch between them with 'oc project <projectname>':
    
        default
        kube-public
        kube-service-catalog
        kube-system
        logging
        management-infra
        myproject
        openshift
        openshift-ansible-service-broker
        openshift-infra
        openshift-node
        openshift-template-service-broker
        openshift-web-console
      * test
    
    Using project "test".
    [root@master ~]# oc get users
    NAME      UID                                    FULL NAME   IDENTITIES
    admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin
    alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice
    eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

    eric和alice各自建立project,eric创建myproject,alice创建test项目

    • 以alice登录后查看rolebinding
    [root@master ~]# oc get rolebinding
    NAME                    ROLE                    USERS     GROUPS                        SERVICE ACCOUNTS   SUBJECTS
    admin                   /admin                  alice                                                      
    system:deployers        /system:deployer                                                deployer           
    system:image-builders   /system:image-builder                                           builder            
    system:image-pullers    /system:image-puller              system:serviceaccounts:test                  

    也就是说每个新建立的项目包含的本地rolebinding包括

    • 查看每个rolebinding具体关联的role和用户
    [root@master ~]# oc describe rolebinding.rbac
    Name:         admin
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  admin
    Subjects:
      Kind  Name   Namespace
      ----  ----   ---------
      User  alice  
    
    
    Name:         system:deployers
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:deployer
    Subjects:
      Kind            Name      Namespace
      ----            ----      ---------
      ServiceAccount  deployer  test
    
    Name:         system:image-builders
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:image-builder
    Subjects:
      Kind            Name     Namespace
      ----            ----     ---------
      ServiceAccount  builder  test
    
    
    Name:         system:image-pullers
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:image-puller
    Subjects:
      Kind   Name                         Namespace
      ----   ----                         ---------
      Group  system:serviceaccounts:test  
    • 给alice用户授予访问myproject的admin权限
    [root@master ~]# oc adm policy add-role-to-user admin alice -n myproject
    role "admin" added: "alice"

    如果只是需要拉取myproject命名空间下的镜像,可以赋予image-puller权限就可以了

    [root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject
    role "system:image-puller" added: "alice"

    再度describe一下

    [root@master ~]# oc describe rolebinding.rbac  -n myproject
    Name:         admin
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  admin
    Subjects:
      Kind  Name  Namespace
      ----  ----  ---------
      User  eric  
    
    
    Name:         admin-0
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  admin
    Subjects:
      Kind  Name   Namespace
      ----  ----   ---------
      User  alice  
    Name:         system:deployers
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:deployer
    Subjects:
      Kind            Name      Namespace
      ----            ----      ---------
      ServiceAccount  deployer  myproject
    
    
    Name:         system:image-builders
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:image-builder
    Subjects:
      Kind            Name     Namespace
      ----            ----     ---------
      ServiceAccount  builder  myproject
    
    Name:         system:image-puller
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:image-puller
    Subjects:
      Kind  Name   Namespace
      ----  ----   ---------
      User  alice  
    
    
    Name:         system:image-pullers
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  system:image-puller
    Subjects:
      Kind   Name                              Namespace
      ----   ----                              ---------
      Group  system:serviceaccounts:myproject  
    •  查看所有的clusterrole
    [root@master ~]# oc get clusterrole
    NAME
    admin
    asb-access
    asb-auth
    basic-user
    cluster-admin
    cluster-debugger
    cluster-reader
    cluster-status
    edit
    hawkular-metrics
    hawkular-metrics-admin
    .....
    • 查看具体的一个clusterrole能做的内容
    [root@master ~]# oc describe clusterrole system:image-builder
    Name:        system:image-builder
    Created:    37 hours ago
    Labels:        <none>
    Annotations:    openshift.io/description=Grants the right to build, push and pull images from within a project.  Used primarily with service accounts for builds.
            openshift.io/reconcile-protect=false
    Verbs        Non-Resource URLs    Resource Names    API Groups        Resources
    [get update]    []            []        [image.openshift.io ]    [imagestreams/layers]
    [create]    []            []        [image.openshift.io ]    [imagestreams]
    [update]    []            []        [build.openshift.io ]    [builds/details]
    [get]        []            []        [build.openshift.io ]    [builds]

    所有缺省的ClusterRole都能绑定用户或组到本地项目中。此外可以自己定义本地Role

    ==============================================================================================

    给权限和回收权限

    给一个imager:pruner的权限,以及给一个集群管理员的权限

    oc adm policy add-cluster-role-to-user system:image-pruner  eric
    
    oc adm policy add-cluster-role-to-user cluster-admin eric

    查看

    [root@master ~]# oc get rolebindings
    NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
    admin                   /admin                  eric                                                             
    system:deployers        /system:deployer                                                      deployer           
    system:image-builders   /system:image-builder                                                 builder            
    system:image-pruner     /system:image-pruner    eric                                                             
    system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3        

    回收

    [root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric 
    role "system:image-pruner" removed: "eric"

    取消eric的对项目的admin权限,而给只读权限

    [root@master ~]# oc adm policy add-role-to-user view eric
    role "view" added: "eric"
    [root@master ~]# oc adm policy remove-role-from-user admin eric
    role "admin" removed: "eric"
    [root@master ~]# oc get rolebinding
    NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
    system:deployers        /system:deployer                                                      deployer           
    system:image-builders   /system:image-builder                                                 builder            
    system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3                      
    view                    /view                   eric

    可以参考

    https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html

  • 相关阅读:
    python Exception中的raise、assert
    python循环语句与其他编程语言不同之处
    【转】最大似然估计
    尝试发表代码
    奇异分解(SVD)
    Python学习笔记3-string
    梯度下降法
    前后端分离
    Trie树
    HashMap的工作原理以及代码实现,为什么要转换成红黑树?
  • 原文地址:https://www.cnblogs.com/ericnie/p/10018052.html
Copyright © 2011-2022 走看看