一、SSL认证
1、生成一个证书
(1)生成一个私钥 cd /etc/kubernetes/pki/
# Generate the client private key inside a subshell so the restrictive umask
# (key file ends up mode 0600) does not leak into the rest of the session.
( umask 077 && openssl genrsa -out lucky.key 2048 )
(2)生成一个证书请求
# Build a CSR for the key; kube-apiserver takes the username from CN
# (and group membership from O fields, none here).
openssl req -new \
  -key lucky.key \
  -subj '/CN=lucky' \
  -out lucky.csr
(3)生成一个证书
# Sign the CSR with the cluster CA (ca.crt/ca.key in the current directory);
# -CAcreateserial writes ca.srl next to the CA on first use.
# Validity is 10 years. kube-apiserver does not check CRLs, so a leaked client
# cert can only be neutralised by rotating the CA -- keep lifetimes as short as
# the use case allows.
openssl x509 -req -days 3650 -CAcreateserial \
  -CA ca.crt -CAkey ca.key \
  -in lucky.csr -out lucky.crt
2、在kubeconfig下新增加一个lucky这个用户
(1)在kubeconfig中为lucky这个用户添加客户端证书凭据,用于向apiserver认证连接
# Register the "lucky" user in the current kubeconfig with its client cert/key.
# --embed-certs inlines the PEM data (private key included) into the kubeconfig,
# so that file now carries a secret and should stay mode 0600.
kubectl config set-credentials lucky \
  --embed-certs=true \
  --client-certificate=./lucky.crt \
  --client-key=./lucky.key
(2)在kubeconfig下新增加一个 lucky@kubernetes 这个context,把lucky用户和kubernetes集群关联起来
# Pair the "lucky" user with the existing "kubernetes" cluster entry in a new context.
kubectl config set-context lucky@kubernetes \
  --user=lucky \
  --cluster=kubernetes
(3)切换账号到lucky,默认没有任何权限
# Make lucky@kubernetes the current context: every following kubectl call runs as
# "lucky", who has no RBAC permissions until a binding grants some.
kubectl config use-context lucky@kubernetes
3、把lucky这个用户通过rolebinding绑定,授予权限,基于context进行绑定
(1)创建role
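apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: lucky-role
rules:
  # "" denotes the core API group, where pods live.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  # Deployments live in the apps group ("extensions" only carried them before
  # v1.16). One rule per group keeps the grant to resources that actually exist
  # there instead of a groups x resources cross product.
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]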
其中 Pod 属于 core 这个 API Group,在 YAML 中用空字符串就可以,而 Deployment 属于 apps 这个 API Group, ReplicaSets 属于 extensions 这个 API Group(我怎么知道的?点这里查文档),所以 rules 下面的 apiGroups 就综合了这几个资源的 API Group:["", "extensions", "apps"],其中 verbs 就是我们上面提到的可以对这些资源对象执行的操作,我们这里需要所有的操作方法,所以我们也可以使用['*']来代替
(2)创建rolebinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # NOTE: "read-secrets" is a leftover from the upstream example; this binding
  # grants lucky-role (pods/deployments), not access to secrets.
  name: read-secrets
  # The RoleBinding's namespace bounds the grant: it only confers access
  # inside the "default" namespace.
  namespace: default
subjects:
  - kind: User
    name: lucky  # must equal the client cert CN; 'name' is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: lucky-role
  apiGroup: rbac.authorization.k8s.io
(3)测试是否有权限,测试成功
[root@k8s-master rbac]# kubectl config use-context lucky@kubernetes
[root@k8s-master rbac]# kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-5c698c96f4-gp58x   1/1     Running   0          5d4h
centos-deployment-5c698c96f4-jhpl8   1/1     Running   0          5d4h
nginx-deployment-9f65856f8-pj4hr     1/1     Running   0          5d3h
[root@k8s-master rbac]# kubectl delete pods nginx-deployment-9f65856f8-gkw2j   //没有进行删除的权限
Error from server (Forbidden): pods "nginx-deployment-9f65856f8-gkw2j" is forbidden: User "lucky" cannot delete resource "pods" in API group "" in the namespace "default"
4、基于ServiceAccount的RBAC
1、创建sa
# Create the service account in kube-system ("sa" is the short form of serviceaccount).
# Note: the manifests that follow use a different account, metrics-server.
kubectl create serviceaccount haimaxy-sa --namespace=kube-system
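# ServiceAccount for metrics-server. Label values must be separated from the
# key by ": " -- the collapsed original (`cluster-service:"true"`) is not valid YAML.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile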
2、创建clusterrole
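# Cluster-wide read access for metrics-server. Fixes the original's broken
# YAML (`name:system:...`, `-""` with no space after the dash).
# NOTE: nothing on this page binds this ClusterRole; the binding below uses
# system:auth-delegator. A second ClusterRoleBinding is still required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - nodes/stats
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Deployments moved to the apps group; extensions/v1beta1 was removed in
  # v1.16, so on current clusters this rule grants nothing. If deployment
  # access is really needed, "update" should be dropped: it lets the holder
  # rewrite pod templates, which is far more than a metrics reader requires.
  - apiGroups:
      - "extensions"
    resources:
      - deployments
    verbs:
      - get
      - list
      - update
      - watch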
3、创建clusterrolebinding进行绑定
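# Lets the metrics-server service account delegate authn/authz checks
# (TokenReview/SubjectAccessReview) to the apiserver. Fixes the original's
# `name:system:auth-delegator` (missing space) and the `//` pseudo-comment,
# which is not YAML comment syntax.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount  # subject type is a ServiceAccount, not a User
    name: metrics-server
    namespace: kube-system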
添加一个名为 lucky 的普通 Linux 用户,并为其准备 kubeconfig
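# Create the OS account "lucky" and hand it a kubeconfig holding only its own
# credentials. Copying /root/.kube wholesale (the original) would also give
# this unprivileged account the cluster admin's client certificate, which
# defeats the RBAC restrictions configured above.
useradd -m lucky
install -d -m 700 -o lucky -g lucky /home/lucky/.kube
# --minify keeps just the named context's cluster and user; --flatten inlines
# the certificate data so the file is self-contained.
kubectl config view --minify --flatten --context=lucky@kubernetes \
  > /home/lucky/.kube/config
chown lucky:lucky /home/lucky/.kube/config   # "user:group", not the deprecated "user.group"
chmod 600 /home/lucky/.kube/config           # the file embeds a private key
su - lucky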