  • Kubernetes ---- RBAC authorization management

    RBAC (authorization plugin)

    RBAC, role-based access control:

      Permission: for any object that can be accessed (a k8s component), the set of operations that may be performed on it; granting some of those operation permissions to a role completes authorization;
      Role: a user can be made to play a role, and the role holds certain permissions, so the user gains the permissions of that role; permissions are granted to the role. Role and RoleBinding work at the namespace level and grant permissions within a namespace;
        operations: the operations the role is allowed to perform; whatever is written is allowed, and a deny cannot be expressed;
        subject: the object; which operations are performed on which objects;
        rolebinding:
          binds a user account or service account to a role;
        clusterrole: once the role's allowed operations are defined, users bound to the role may perform those operations cluster-wide, not just within a single namespace;
        clusterrolebinding: binds a user account or service account to a cluster role;

    Note:
      A user can bind a clusterrole through a rolebinding:
      all operations remain limited to the namespace. When there are many namespaces and each one needs its own administrator, defining a single clusterrole and binding it with a rolebinding means every user operates only inside their own namespace; without this approach, N namespaces would require N roles and N rolebindings;

    Create a role:

    $ kubectl create role --help
      Usage:
        kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run]
    $ kubectl create role pod-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
    $ vim role-demo.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pod-reader
      namespace: default
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    $ kubectl get role 
    NAME       AGE
    pod-reader   39s
    
    $ kubectl describe role pod-reader
    ....
    PolicyRule:
    Resources Non-Resource URLs Resource Names     Verbs
    --------- ----------------- --------------     -----
    pods     []          []           [get list watch]

    Create a rolebinding and bind it:

    $ kubectl create rolebinding --help
      Usage:
        kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
        [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]
    $ kubectl create rolebinding kfree-read-pods --role=pod-reader --user=kfree --dry-run -o yaml > rolebinding-demo.yaml
    $ vim rolebinding-demo.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: kfree-read-pods
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: pod-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: kfree
    
    $ kubectl config use-context kfree@kubernetes
    # the user created earlier now has permission to view pods;
    $ kubectl get pods
    NAME READY STATUS RESTARTS AGE
    deploy-demo-854b57c687-4hbp4 1/1 Running 0 5h26m
    deploy-demo-854b57c687-f7txr 1/1 Running 0 5h26m
    deploy-demo-854b57c687-t9bbl 1/1 Running 0 5h26m

    Create a clusterrole and bind it:

    $ kubectl create clusterrole --help
      Usage:
        kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run]
    $ kubectl create clusterrole cluster-readers --verb=get,list,watch --resource=pods,deployment --dry-run -o yaml > clusterrole-demo.yaml
    $ kubectl apply -f clusterrole-demo.yaml
    $ kubectl get clusterrole
    ....
    cluster-readers 
    ....

    Bind:

    $ kubectl create clusterrolebinding --help
      Usage:
        kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
        [--serviceaccount=namespace:serviceaccountname] [--dry-run] [options]
    $ kubectl create clusterrolebinding kfree-read-all-pods --clusterrole=cluster-readers --user=kfree --dry-run -o yaml > clusterrolebinding-demo.yaml
    $ kubectl apply -f clusterrolebinding-demo.yaml
    $ kubectl config use-context kfree@kubernetes
    # after binding, deployment and pod resources in every namespace can be viewed (get, list, watch)
    $ kubectl get pods && kubectl get pods -n kube-system
    $ kubectl get deploy && kubectl get deploy -n kube-system
    Use a rolebinding to bind the clusterrole:
    $ kubectl delete clusterrolebinding kfree-read-all-pods
    $ kubectl create rolebinding kfree-read-pods --clusterrole=cluster-readers --user=kfree --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
    $ kubectl apply -f rolebinding-clusterrole-demo.yaml
    $ kubectl get rolebinding
    NAME       AGE
    kfree-read-pods 3m
    $ kubectl config view
    ....    
    current-context: kfree@kubernetes
    ....
    $ kubectl get pods -n kube-system
    Error from server (Forbidden): pods is forbidden: User "kfree" cannot list resource "pods" in API group "" in the namespace "kube-system"
    $ kubectl get pods 
    NAME READY STATUS RESTARTS AGE
    deploy-demo-854b57c687-4hbp4 1/1 Running 1 18h
    deploy-demo-854b57c687-f7txr 1/1 Running 1 18h
    deploy-demo-854b57c687-t9bbl 1/1 Running 1 18h
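    The three experiments above (RoleBinding to a Role, ClusterRoleBinding to a ClusterRole, RoleBinding to a ClusterRole) differ only in how far the binding reaches. As an added example that is not part of the original post, the following offline model reproduces that decision on constructed data mirroring the post's YAML; it assumes User subjects only and ignores groups, service accounts, resourceNames and aggregated ClusterRoles.

```python
# Offline model of the RBAC decision shown in this post (constructed data;
# nothing here talks to a real API server). Simplified: User subjects only,
# no groups, serviceaccounts, resourceNames or aggregated ClusterRoles.
READ = ["get", "list", "watch"]

ROLES = {   # (kind, namespace, name) -> rules, mirroring the post's YAML
    ("Role", "default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": READ}],
    ("ClusterRole", None, "cluster-readers"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": READ},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": READ}],
}

def rule_allows(rule, verb, group, resource):
    """A rule matches when verb, apiGroup and resource are each listed (or '*')."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def is_allowed(bindings, user, verb, group, resource, namespace):
    """Deny-by-default evaluation. A ClusterRoleBinding applies in every
    namespace; a RoleBinding applies only in its own namespace, even when
    its roleRef points at a ClusterRole (the post's third experiment)."""
    for b in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue                          # binding is scoped to another namespace
        ref = b["roleRef"]
        ref_ns = b["namespace"] if ref["kind"] == "Role" else None
        rules = ROLES.get((ref["kind"], ref_ns, ref["name"]), [])
        if any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False                              # no matching rule: forbidden

KFREE = [{"kind": "User", "name": "kfree"}]
# the three bindings the post creates for user kfree
RB_ROLE = {"kind": "RoleBinding", "namespace": "default", "subjects": KFREE,
           "roleRef": {"kind": "Role", "name": "pod-reader"}}
CRB = {"kind": "ClusterRoleBinding", "namespace": None, "subjects": KFREE,
       "roleRef": {"kind": "ClusterRole", "name": "cluster-readers"}}
RB_CLUSTERROLE = {"kind": "RoleBinding", "namespace": "default", "subjects": KFREE,
                  "roleRef": {"kind": "ClusterRole", "name": "cluster-readers"}}

if __name__ == "__main__":
    # reproduces the Forbidden result the post hits in kube-system
    print(is_allowed([RB_CLUSTERROLE], "kfree", "list", "", "pods", "kube-system"))
```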
     
  • Original URL: https://www.cnblogs.com/k-free-bolg/p/13201408.html