1、K8S账户体系介绍
在k8s中,有两类用户,service account和user,我们可以通过创建role或clusterrole,再将账户和role或clusterrole进行绑定来给账号赋予权限,实现权限控制,两类账户的作用如下。
- server account:k8s的进程、pod申请授权时使用的账户。类似于nginx服务会有一个nginx用户。
- user:k8s的管理人员2\使用的账户,也就是我们使用的账户。
2、Service Account
2.1、 介绍
Kubernetes中所有的访问,无论外部内部,都会通过API Server处理,访问Kubernetes资源前需要经过认证与授权。
- 在k8s中,service account(简称sa)是给集群中的进程使用的,当集群中的pod或进程需要跟apiserver申请调用资源时会使用到sa
2.2 为什么需要sa
主要是为了权限控制,不同的sa账户对应不同的权限,如增删查等
2.3 如何创建sa
- 创建一个sa
[root@node1 user]# kubectl create serviceaccount sa-example --dry-run -o yaml -n default
W1026 11:21:22.486105 25708 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: sa-example
namespace: default
[root@node1 user]# kubectl create serviceaccount sa-example -n default
serviceaccount/sa-example created
[root@node1 user]# kubectl describe serviceaccount sa-example
Name: sa-example
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
- 给sa创建secret,v1.25版本后创建sa后不再自动创建secret,因此需要手动创建。secret中会包含一些认证信息,包括ca证书等.
[root@node1 user]# vim sa-example-secret.yaml
[root@node1 user]# cat sa-example-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret-sa-example
annotations:
kubernetes.io/service-account.name: "sa-example" # 这里填写serviceAccountName
type: kubernetes.io/service-account-token
[root@node1 user]# kubectl apply -f sa-example-secret.yaml
secret/secret-sa-example created
[root@node1 user]# kubectl describe secret secret-sa-example
Name: secret-sa-example
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: sa-example
kubernetes.io/service-account.uid: 118b18b3-ef04-4d6f-9e67-22110c6b025d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1107 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkNCNE9fSlozNm02Sm1peERyM0wyUDNqVFpvcFBSdnBZbUIxTVczZS1jXzgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNlY3JldC1zYS1leGFtcGxlIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InNhLWV4YW1wbGUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMThiMThiMy1lZjA0LTRkNmYtOWU2Ny0yMjExMGM2YjAyNWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYS1leGFtcGxlIn0.Or_zxnvsjcHNfSS5P9ZGC5EUIGTiAtRO4YddHZqgAQKfpwK3CB904eFHdOubruy1AKOOqJMRBnIZ_BU1Gx7QYiqg7Z_v3cBsOBDcSl7kuKTd74mnUHpmbgUEwp1BJUlA17gOyWrXb_ADm-43nHZhQjuFcBrA9QqMsLK2TBpu-LrLwRgC2qF-tsXGwM4O4fKNg_QtlaUEJK3KL-Y7LkWWIO49ttgD8lYFlnn7SA_n6JVw1Oba_HFedIc0NszzQSwo4ZhH3WaSYsraODtliAi5KR_zlx6zoAVTaenbAgqMqvIYgBUSLwxBNyAFLKeuNwqoeQVpF-eQI0oe3sX5YwpcZg2.4、权限角色设定以及绑定
[root@node1 user]# kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: "2023-09-20T01:59:58Z"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
resourceVersion: "72"
uid: ae192e4e-e6ed-4cce-920b-2cadc940c573
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
[root@node1 user]# kubectl create role pod-reader --verb=list,get,watch --resource=pods --dry-run -o yaml
W1026 11:46:17.517099 33096 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: pod-reader
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- get
- watch
[root@node1 user]# kubectl create rolebinding sunny-read-pods --user=sunny --role=pod-reader --dry-run -o yaml
W1026 11:46:53.788376 33297 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: sunny-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: sunny
[root@node1 user]# kubectl create clusterrole clusterrole-reader-pods --verb=get,list,watch --resource=pods --dry-run -o yaml
W1026 14:11:45.892696 75953 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: clusterrole-reader-pods
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@node1 user]# kubectl create clusterrolebinding cluster-reader --clusterrole=clusterrole-reader-pods --user=sunny --dry-run -o yaml
W1026 14:12:23.506608 76147 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: cluster-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: clusterrole-reader-pods
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: sunny
[root@node1 user]# kubectl create rolebinding role-to-clusterrole --clusterrole=clusterrole-reader-pods --user=sunny --dry-run -o yaml
W1026 14:13:02.193910 76331 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: role-to-clusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: clusterrole-reader-pods
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: sunny3、User Account
3.1、介绍
前面说的service account在k8s集群中是给pod使用的,这里介绍的User Account,是给我们自己,也就是给客户端用的。
3.2 、为什么需要user account
- 在k8s集群中跟linux操作系统是一样的,我们默认的账户是:kubernetes-admin@kubernetes,管理员账户,权限也是最大的,在k8s集群中畅通无阻。
但是在企业中,并不是只有我们一个人使用k8s集群,还有很多的研发人员都是需要使用集群的;这时我们需要给他们创建一些账号,但是这些账号权限又不能太大,以防误删资源,这个时候我们就能使用user account了
3.3、创建user account
步骤如下
- 创建用户所需的证书文件和密钥
- 创建用户
- 创建角色
- 将角色和用户进行绑定
3.3.1、用户证书生成
前面介绍的sa账户,secret创建时会创建好证书,对于用户的话我们需要自己创建证书。
openssl genrsa -out pulin.key 2048
openssl req -new -key pulin.key -out pulin.csr -subj "/CN=pulin/O=devops"
[root@node1 pki]# openssl x509 -req -in pulin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out pulin.crt -days 3650
Signature ok
subject=/CN=pulin/O=devops
Getting CA Private Key
[root@node1 pki]# ls
apiserver.crt apiserver-kubelet-client.crt ca.srl front-proxy-client.crt pulin.key
apiserver-etcd-client.crt apiserver-kubelet-client.key etcd front-proxy-client.key sa.key
apiserver-etcd-client.key ca.crt front-proxy-ca.crt pulin.crt sa.pub
apiserver.key ca.key front-proxy-ca.key pulin.csr
3.3.2、创建用户
现在我们想要通过kubectl以singless的身份来操作集群,需要将singless的认证信息添加进kubectl的配置,即~/.kube/config中,通过以下命令将用户singless的验证信息添加进kubectl的配置:
[root@node1 pki]# kubectl config set-credentials pulin --client-certificate=pulin.crt --client-key=pulin.key
User "pulin" set.
[root@node1 pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
###添加完成后在~/.kube/config可以看到新增了
[root@node1 pki]# cat ~/.kube/config |tail -4
- name: pulin
user:
client-certificate: /etc/kubernetes/pki/pulin.crt
client-key: /etc/kubernetes/pki/pulin.key
##创建context,通过context来绑定用户,来实现精细话的权限控制。context可以理解为登录用户时所需的环境变量。删除使用kubectl config delete-context命令
[root@k8s-master01 ~]# kubectl config get-contexts ##查询当前环境的context
[root@node1 pki]# kubectl config set-context pulin --cluster=kubernetes --namespace=* --user=pulin
Context "pulin" created.
[root@node1 pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
pulin kubernetes pulin *
3.3.3、创建角色
角色主要分为两种:role和clusterrole,角色(role)是比较有限制性的,只针对于指定的资源生效。而集群角色(clusterrole)就权限就比较广泛了,新建了一个集群角色之后,这个角色将对整个集群受影响。
创建角色有两种方法:
- 通过命令行进行创建
[root@node1 pki]# kubectl create role myrole --verb=get,list,watch --resource=pod,svc --dry-run -o yaml
W1026 14:54:31.031360 88676 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: myrole
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
[root@node1 pki]# kubectl create clusterrole myrole --verb=get,list,watch --resource=pod,svc --dry-run -o yaml
W1026 14:55:16.119402 88881 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: myrole
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
[root@node1 pki]# kubectl create clusterrole pulin-admin --verb="*" --resource="*" --non-resource-url="*" --dry-run -o yaml
W1026 15:11:28.972822 93761 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: pulin-admin
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
[root@node1 pki]# kubectl create clusterrole pulin-admin --verb="*" --resource="*" --non-resource-url="*"
clusterrole.rbac.authorization.k8s.io/pulin-admin created
- 通过yaml文件进行创建
[root@k8s-master01 ~]# cat myrole2.yaml
apiVersion: rbac.authorization.k8s.io/v1
#api版本,使用kubectl explain +【要查询的资源,比如pod】
kind: Role
metadata:
name: myrole2
rules: #规则
- apiGroups: [""] # 空字符串""表明使用支持所有的api版本,一般都放空
resources: ["pods"] #resources:资源,现在这些权限对哪些资源生效,这里写的是pod,如果想要多写几个,就用逗号隔开,其实就是一个列表
verbs: ["get", "watch", "list"] #详细的权限:这三个都是查看的权限。如果需要所有权限,直接填写一个*号即可
[root@k8s-master01 ~]# kubectl create -f myrole2.yaml
role.rbac.authorization.k8s.io/myrole2 created3.3.4、角色绑定用户
[root@node1 pki]# kubectl create rolebinding myrole-binding --role=myrole2 --user=pulin --dry-run -o yaml
\W1026 15:00:23.884947 90400 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: myrole-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: myrole2
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: pulin
[root@node1 pki]# kubectl create clusterrolebinding pulin-admin-ding --user=pulin --clusterrole=pulin-admin --dry-run -o yaml
W1026 15:14:24.283139 94613 helpers.go:692] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: pulin-admin-ding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: pulin-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: pulin
[root@node1 pki]# kubectl create clusterrolebinding pulin-admin-ding --user=pulin --clusterrole=pulin-admin
clusterrolebinding.rbac.authorization.k8s.io/pulin-admin-ding created3.4、使用账户
[root@node1 pki]# kubectl config use-context pulin
Switched to context "pulin".
[root@node1 pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
kubernetes-admin@kubernetes kubernetes kubernetes-admin
* pulin kubernetes pulin *
使用下列命令可以将context切换回管理员用户
[root@node1 pki]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".[root@node1 pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
pulin kubernetes pulin *
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
