How to use RBAC authorization in Kubernetes and operate the k8s cluster as different regular users to implement privilege separation? How to give a regular user the right permissions over the resources in one namespace? One article explains it all

This continues the previous post on RBAC authorization; the previous post is at:

https://blog.youkuaiyun.com/soso678/article/details/144826202?spm=1001.2014.3001.5501

A problem that comes up when running a k8s cluster is that different employees operate k8s as different users, so being able to create regular users for newcomers that can work with the cluster but only have permissions on the resources in one namespace is essential. Without privilege separation, everyone logs into the server as root and operates the k8s cluster as the admin user, which is very dangerous. This post shows how to divide users, permissions and resources.

Restricting what different users can do in the k8s cluster

1. First set up SSL (client certificate) authentication: generate a certificate
(1) Generate a private key
[root@k8s-master ~]# mkdir -p /etc/kubernetes/pki/
[root@k8s-master ~]# cd /etc/kubernetes/pki/
[root@k8s-master pki]# (umask 077; openssl genrsa -out jack.key 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
......................+++
e is 65537 (0x10001)

(2) Generate a certificate signing request
[root@k8s-master pki]# openssl req -new -key jack.key -out jack.csr -subj "/CN=jack"
(3) Generate the certificate (signed by the cluster CA)
[root@k8s-master pki]# openssl x509 -req -in jack.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out jack.crt -days 3650
Signature ok
subject=/CN=jack
Getting CA Private Key

Add the user jack to the kubeconfig
(1) Add jack's credentials to the kubeconfig; they are used to authenticate the connection to the apiserver
[root@k8s-master pki]# kubectl config set-credentials jack --client-certificate=./jack.crt --client-key=./jack.key --embed-certs=true
User "jack" set.

(2) Add a context for the jack account in the kubeconfig
[root@k8s-master pki]# kubectl config set-context jack@kubernetes --cluster=kubernetes --user=jack
Context "jack@kubernetes" created.

(3) Switch to the jack context; by default the user has no permissions at all
[root@k8s-master pki]# kubectl config use-context jack@kubernetes
Switched to context "jack@kubernetes".
[root@k8s-master pki]# kubectl get pod 
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master pki]# kubectl get pod,svc 
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "default"
Error from server (Forbidden): services is forbidden: User "jack" cannot list resource "services" in API group "" in the namespace "default"
[root@k8s-master pki]# kubectl get pod,svc -n kube-systemn
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "kube-systemn"
Error from server (Forbidden): services is forbidden: User "jack" cannot list resource "services" in API group "" in the namespace "kube-systemn"

Switch back to the cluster admin user, which has all permissions
[root@k8s-master pki]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes". # this is the cluster admin user and has every permission

Bind the user jack to a clusterrole through a rolebinding to grant permissions; the permissions are valid only in the my-test namespace

(1) Bind the user jack to a clusterrole through a rolebinding
[root@k8s-master pki]# kubectl create ns my-test
namespace/my-test created
[root@k8s-master pki]# kubectl create rolebinding jack-role-binding -n my-test --clusterrole=cluster-admin --user=jack
rolebinding.rbac.authorization.k8s.io/jack-role-binding created
(2) Switch to the user jack
[root@k8s-master pki]# kubectl config use-context jack@kubernetes
Switched to context "jack@kubernetes".
(3) Test whether it has permissions
[root@k8s-master pki]# kubectl get pod,svc -n my-test
No resources found in my-test namespace.

The user can operate in this namespace; it is just that the author has not created any resources in it

Add a regular user on the server

[root@k8s-master ~]# useradd xiaoming
[root@k8s-master ~]# passwd xiaoming

Copy the file kubectl uses to authenticate to the api-server into /tmp and edit it

[root@k8s-master ~]# cp -ar /root/.kube /tmp/
[root@k8s-master ~]# cd /tmp/.kube/
[root@k8s-master .kube]# vim config
Edit /tmp/.kube/config: delete everything related to kubernetes-admin and keep only the jack user.
Then copy the edited config file into the home directory of the user xiaoming, because when the regular user xiaoming runs kubectl it looks for the config file in the .kube directory of its home directory to authenticate to the api-server
[root@k8s-master ~]# cp -ar /tmp/.kube/ /home/xiaoming/
[root@k8s-master ~]# chown -R xiaoming.xiaoming /home/xiaoming/
[root@k8s-master ~]# su - xiaoming 

Now test what the server user xiaoming can do in the cluster. Because the jack account that xiaoming uses was bound with permissions only in the my-test namespace, it cannot operate on resources in other namespaces

[xiaoming@k8s-master ~]$ kubectl get pod 
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "default"
[xiaoming@k8s-master ~]$ kubectl get pod,svc
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "default"
Error from server (Forbidden): services is forbidden: User "jack" cannot list resource "services" in API group "" in the namespace "default"
[xiaoming@k8s-master ~]$ kubectl get pod,svc -n kube-system
Error from server (Forbidden): pods is forbidden: User "jack" cannot list resource "pods" in API group "" in the namespace "kube-system"
Error from server (Forbidden): services is forbidden: User "jack" cannot list resource "services" in API group "" in the namespace "kube-system"

Test the my-test namespace
[xiaoming@k8s-master ~]$ kubectl get pod,svc -n my-test
No resources found in my-test namespace.

Log out of the xiaoming user; the cluster context then needs to be switched back to administrator permissions
[root@k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

Grant a kubectl user permission to view pods in all namespaces

1. First set up SSL (client certificate) authentication
Generate a certificate
(1) Generate a private key
[root@k8s-master ~]# cd /etc/kubernetes/cert/
[root@k8s-master cert]# (umask 077; openssl genrsa -out tom.key 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
..................+++
e is 65537 (0x10001)

(2) Generate a certificate signing request
[root@k8s-master cert]# openssl req -new -key tom.key -out tom.csr -subj "/CN=tom"
(3) Generate the certificate (signed by the cluster CA)
[root@k8s-master cert]# openssl x509 -req -in tom.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out tom.crt -days 3650
Signature ok
subject=/CN=tom
Getting CA Private Key

Add the user tom to the kubeconfig
(1) Add tom's credentials to the kubeconfig; they are used to authenticate the connection to the apiserver
[root@k8s-master cert]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true
User "tom" set.

(2) Add a context for the tom account in the kubeconfig
[root@k8s-master cert]# kubectl config set-context tom@kubernetes --cluster=kubernetes --user=tom
Context "tom@kubernetes" created.

(3) Create a clusterrole
[root@k8s-master ~]# mkdir clusterrole
[root@k8s-master ~]# cd clusterrole/
[root@k8s-master clusterrole]# cat tom-clusterrole.yml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tom-clusterrole
rules:
 - apiGroups: [""]
   resources: ["services", "pods", "secrets"]
   verbs: ["get", "list", "watch"]

[root@k8s-master clusterrole]# kubectl apply -f tom-clusterrole.yml
[root@k8s-master clusterrole]# kubectl get clusterrole tom-clusterrole
NAME              CREATED AT
tom-clusterrole   2024-01-24T12:57:10Z
(4) Create a clusterrolebinding
[root@k8s-master clusterrole]# cat tom-binding-clusterrole.yml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tom-binding-clusterrole
subjects:
 - kind: User
   name: tom
   apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: ClusterRole
 name: tom-clusterrole
 apiGroup: rbac.authorization.k8s.io
 
[root@k8s-master clusterrole]# kubectl apply -f tom-binding-clusterrole.yml
[root@k8s-master clusterrole]# kubectl get clusterrolebinding tom-binding-clusterrole
NAME                      ROLE                          AGE
tom-binding-clusterrole   ClusterRole/tom-clusterrole   75s

Switch the context to the user tom
[root@k8s-master ~]# kubectl config use-context tom@kubernetes
Switched to context "tom@kubernetes".
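A cluster admin can check what each binding really grants without switching contexts, by asking the API server through impersonation, and compare it with a namespaced Role that grants only what is needed. This is an added shell example, not code from the original post; it assumes the jack RoleBinding to cluster-admin in my-test and the tom ClusterRoleBinding created above exist, and `render_role`, `audit_user` and the Role name `my-test-viewer` are my own.

```shell
# Added example (not from the original post): audit an RBAC subject through
# impersonation, and render a least-privilege Role as an alternative to binding
# the cluster-admin ClusterRole with a RoleBinding.
set -euo pipefail

# Emit a Role plus RoleBinding giving one user read-only access to pods and
# services in one namespace. Arguments: user, namespace. Role name is my own.
render_role() {
  local user="$1" ns="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-test-viewer
  namespace: ${ns}
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-viewer-binding
  namespace: ${ns}
subjects:
  - kind: User
    name: ${user}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-test-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server (from the admin context) what a user may do; prints one
# yes/no line per check. Needs kubectl and a reachable cluster.
audit_user() {
  local user="$1" check
  for check in "list pods -n my-test" "delete pods -n my-test" \
               "list pods -n kube-system" "get secrets -n kube-system"; do
    # $check is word-split on purpose: verb, resource and namespace flag
    printf '%-8s %-28s %s\n' "$user" "$check" \
      "$(kubectl auth can-i $check --as="$user" 2>/dev/null || true)"
  done
}

if command -v kubectl >/dev/null 2>&1; then   # only when kubectl is installed
  audit_user jack
  audit_user tom
fi
```

With the bindings from this post, jack answers yes only for the two my-test checks, while tom answers yes to every read check, including get secrets in kube-system: his ClusterRole lists secrets alongside pods and services, so it grants more than the heading's "view pods".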

Add a regular user

[root@k8s-master ~]# useradd zhangsan
[root@k8s-master ~]# passwd zhangsan
Copy the file kubectl uses to authenticate to the api-server into zhangsan's home directory and edit it
[root@k8s-master ~]# cp -ar /root/.kube/ /home/zhangsan/
[root@k8s-master ~]# vim /home/zhangsan/.kube/config
Edit the config file: delete everything related to kubernetes-admin and jack and keep only the tom user, because when zhangsan runs kubectl it looks for the config file in the .kube directory of its home directory to authenticate to the api-server
[root@k8s-master ~]# chown zhangsan.zhangsan /home/zhangsan/ -R
[root@k8s-master ~]# su - zhangsan 
[zhangsan@k8s-master ~]$ kubectl get pod,svc
NAME                   READY   STATUS    RESTARTS      AGE
pod/pod-hostpath       1/1     Running   8 (82m ago)   13d
pod/vol-pod-emptydir   1/1     Running   8 (82m ago)   13d
pod/web-0              1/1     Running   0             81m
pod/web-1              1/1     Running   4 (82m ago)   6d23h
pod/web-2              1/1     Running   0             81m
pod/web-3              1/1     Running   4 (82m ago)   6d23h

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   38d
service/web-svc      ClusterIP   None         <none>        80/TCP    6d23h
[zhangsan@k8s-master ~]$ kubectl get pod,svc -n kube-system
NAME                                          READY   STATUS    RESTARTS       AGE
pod/calico-kube-controllers-bdf96dff9-qwcbk   1/1     Running   8 (81m ago)    9d
pod/calico-node-4x2tk                         1/1     Running   16 (88m ago)   38d
pod/calico-node-9h2nd                         1/1     Running   17 (81m ago)   38d
pod/calico-node-ngnwp                         1/1     Running   16 (82m ago)   38d
pod/coredns-6554b8b87f-97g8w                  1/1     Running   16 (88m ago)   38d
pod/coredns-6554b8b87f-nxktf                  1/1     Running   16 (88m ago)   38d
pod/etcd-k8s-master                           1/1     Running   17 (88m ago)   38d
pod/kube-apiserver-k8s-master                 1/1     Running   17 (88m ago)   38d
pod/kube-controller-manager-k8s-master        1/1     Running   18 (88m ago)   38d
pod/kube-proxy-mrhk9                          1/1     Running   16 (82m ago)   38d
pod/kube-proxy-nxf5x                          1/1     Running   17 (23h ago)   38d
pod/kube-proxy-sx4vb                          1/1     Running   16 (88m ago)   38d
pod/kube-scheduler-k8s-master                 1/1     Running   18 (88m ago)   38d

NAME               TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
service/kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   38d
[zhangsan@k8s-master ~]$ 
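Rather than copying root's .kube directory (with the embedded kubernetes-admin certificate and key) into /tmp or the user's home and deleting entries by hand, as done above for xiaoming and again for zhangsan, the regular user's kubeconfig can be generated directly from the cluster CA certificate and the user's own certificate and key. This is an added shell example, not code from the post; `write_user_kubeconfig` and its argument layout are my own, and the API server URL is a placeholder.

```shell
# Added example (not from the original post): write a kubeconfig for a regular
# user that embeds only that user's own certificate and key, so the admin
# credentials in /root/.kube never have to be copied and edited by hand.
set -euo pipefail

# Arguments: user name, API server URL, CA cert, user cert, user key, output
# path. Certificate data is embedded base64-encoded, as --embed-certs=true does.
write_user_kubeconfig() {
  local user="$1" server="$2" ca="$3" crt="$4" key="$5" out="$6"
  (  # subshell so the restrictive umask does not leak into the caller
    umask 077   # the file holds a private key: owner read/write only
    mkdir -p "$(dirname "$out")"
    cat >"$out" <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: kubernetes
    cluster:
      server: ${server}
      certificate-authority-data: $(base64 <"$ca" | tr -d '\n')
users:
  - name: ${user}
    user:
      client-certificate-data: $(base64 <"$crt" | tr -d '\n')
      client-key-data: $(base64 <"$key" | tr -d '\n')
contexts:
  - name: ${user}@kubernetes
    context:
      cluster: kubernetes
      user: ${user}
current-context: ${user}@kubernetes
EOF
  )
}

# On the master, as root, for the jack/xiaoming pair from this post (certificate
# paths are the post's; the API server URL is a placeholder to fill in):
#   write_user_kubeconfig jack https://API-SERVER:6443 \
#     /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/jack.crt \
#     /etc/kubernetes/pki/jack.key /home/xiaoming/.kube/config
#   chown -R xiaoming:xiaoming /home/xiaoming/.kube
# The same call with tom's files under /etc/kubernetes/cert/ serves zhangsan.
```

Afterwards `su - xiaoming -c 'kubectl auth can-i list pods -n my-test'` should answer yes and the same query with `-n default` no, matching the Forbidden errors shown above.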

Log out of the zhangsan user; the cluster context then needs to be switched back to administrator permissions
[root@k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

ok
