12.1.了解认证机制
启动API服务器时,通过命令行选项可以开启认证插件。
12.1.1.用户和组
了解用户:
分为两种连接到api服务器的客户端:
1.真实的人
2.pod,使用一种称为ServiceAccount的机制
了解组:
认证插件会连同用户名,和用户id返回组,组可以一次性给用户服务多个权限,不用单次赋予,
system:unauthenticated组:用于所有认证插件都不会认证客户端身份的请求。
system:authenticated组:会自动分配给一个成功通过认证的用户。
system:serviceaccount组:包含 所有在系统中的serviceaccount。
system:serviceaccount:<namespace>组:包含了所有在特定命名空间中的serviceAccount。
12.1.2 ServiceAccount介绍
每个pod中都包含/var/run/secrets/kubernetes.io/serviceaccount/token文件,如下图所示,文件内容用于对身份进行验证,token文件持有serviceaccount的认证token。
应用程序使用token去连接api服务器时,认证插件会对serviceaccount进行身份认证,并将serviceaccount的用户名传回到api服务器内部。
serviceaccount的用户名格式如下:
system:serviceaccount:<namespace>:<service account name>
ServiceAccount是运行在pod中的应用程序,和api服务器身份认证的一中方式。
了解ServiceAccount资源
ServiceAcount作用在单一命名空间,为每个命名空间创建默认的ServiceAccount。
多个pod可以使用相同命名空间下的同一的ServiceAccount,
ServiceAccount如何与授权文件绑定
在pod的manifest文件中,可以指定账户名称的方式,将一个serviceAccount赋值给一个pod,如果不指定,将使用该命名空间下默认的ServiceAccount.
可以 将不同的ServiceAccount赋值给pod,让pod访问不同的资源。
12.1.3创建ServiceAccount
为了集群的安全性,可以手动创建ServiceAccount,可以限制只有允许的pod访问对应的资源。
创建方法如下:
- $ kubectl get sa
- NAME SECRETS AGE
- default 1 21h
-
-
- $ kubectl create serviceaccount yaohong
- serviceaccount/yaohong created
-
-
- $ kubectl get sa
- NAME SECRETS AGE
- default 1 21h
- yaohong 1 3s
使用describe来查看ServiceAccount。
- $ kubectl describe sa yaohong
- Name: yaohong
- Namespace: default
- Labels: <none>
- Annotations: <none>
- Image pull secrets: <none>
- Mountable secrets: yaohong-token-qhbxn //如果强制使用可挂载秘钥。那么使用这个serviceaccount的pod只能挂载这个秘钥
- Tokens: yaohong-token-qhbxn
- Events: <none>
查看该token,
- $ kubectl describe secret yaohong-token-qhbxn
- Name: yaohong-token-qhbxn
- Namespace: default
- Labels: <none>
- Annotations: kubernetes.io/service-account.name: yaohong
- kubernetes.io/service-account.uid: a3d0d2fe-bb43-11e9-ac1e-005056870b4d
-
- Type: kubernetes.io/service-account-token
-
- Data
- ====
- ca.crt: 1342 bytes
- namespace: 7 bytes
- token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Inlhb2hvbmctdG9rZW4tcWhieG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieWFvaG9uZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImEzZDBkMmZlLWJiNDMtMTFlOS1hYzFlLTAwNTA1Njg3MGI0ZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Onlhb2hvbmcifQ.BwmbZKoM95hTr39BuZhinRT_vHF-typH4anjkL0HQxdVZEt_eie5TjUECV9UbLRRYIqYamkSxmyYapV150AQh-PvdcLYPmwKQLJDe1-7VC4mO2IuVdMCI_BnZFQBJobRK9EdPdbZ9uxc9l0RL5I5WyWoIjiwbrQvtCUEIkjT_99_NngdrIr7QD9S5SxHurgE3HQbmzC6ItU911LjmxtSvBqS5NApJoJaztDv0cHKvlT67ZZbverJaStQdxr4yiRbpSycRNArHy-UZKbNQXuzaZczSjVouo5A5hzgSHEBBJkQpQ6Tb-Ko5XGjjCgV_b9uQvhmgdPAus8GdFTTFAbCBw
12.1.4将ServiceAccount分配给pod
在pod中定义的spec.serviceAccountName字段上设置,此字段必须在pod创建时设置后续不能被修改。
自定义pod的ServiceAccount的方法如下图
12.2通过基于角色的权限控制加强集群安全
12.2.1.介绍RBAC授权插件
RBAC授权插件将用户角色作为决定用户能否执行操作的关机因素。
12.2.2介绍RBAC授权资源
RBAC授权规则通过四种资源来进行配置的,他们可以分为两组:
Role和ClusterRole,他们决定资源上可执行哪些动词。
RoleBinding和ClusterRoleBinding,他们将上述角色绑定到特定的用户,组或者ServiceAccounts上。
Role和RoleBinding是namespace级别资源
ClusterRole和ClusterRoleBinding是集群级别资源
12.2.3使用Role和RoleBinding
Role资源定义了哪些操作可以在哪些资源上执行,
创建Role
service-reader.yml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- namespace: kube-system
- name: service-reader
- rules:
- - apiGroups: [""]
- verbs: ["get", "list"]
- resources: ["services"]
在kube-system中创建Role
- #kubectl -n kube-system create -f service-reader.yml
查看该namespace下的role
- $ kubectl -n kube-system get role
- NAME AGE
- extension-apiserver-authentication-reader 41h
- kube-state-metrics-resizer 41h
- service-reader 2m17s
- system::leader-locking-kube-controller-manager 41h
- system::leader-locking-kube-scheduler 41h
- system:controller:bootstrap-signer 41h
- system:controller:cloud-provider 41h
- system:controller:token-cleaner 41h
绑定角色到ServiceAccount
将service-reader角色绑定到default ServiceAccount
- $ kubectl create rolebinding test --role=service-reader
- rolebinding.rbac.authorization.k8s.io/test created
- $ kubectl get rolebinding test -o yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- creationTimestamp: 2019-08-11T03:40:51Z
- name: test
- namespace: default
- resourceVersion: "239323"
- selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/test
- uid: d0aff243-bbe9-11e9-ac1e-005056870b4d
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: service-reader
12.2.4使用ClusterRole和ClusterRoleBinding
查看集群ClusterRole
- # kubectl get clusterrole
- NAME AGE
- admin 42h
- cluster-admin 42h
- edit 42h
- flannel 42h
- kube-state-metrics 42h
- system:aggregate-to-admin 42h
- ...
创建ClusterRole
- kubectl create clusterrole flannel --verb=get,list -n kube-system
查看yaml文件
- # kubectl get clusterrole flannel -o yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- annotations:
- kubectl.kubernetes.io/last-applied-configuration: |
- {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"flannel"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]},{"apiGroups":[""],"resources":["nodes"],"verbs":["list","watch"]},{"apiGroups":[""],"resources":["nodes/status"],"verbs":["patch"]}]}
- creationTimestamp: 2019-08-09T09:58:42Z
- name: flannel
- resourceVersion: "360"
- selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/flannel
- uid: 45100f6f-ba8c-11e9-8f57-005056870608
- rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
创建clusterRoleBinding
- $ kubectl create clusterrolebinding cluster-tetst --clusterrole=pv-reader --serviceaccount=kuebsystem:yaohong
- clusterrolebinding.rbac.authorization.k8s.io/cluster-tetst created
12.2.5了解默认的ClusterRole和ClusterRoleBinding
如下所示使用kubectl get clusterroles和kubectl get clusterrolesbinding可以获取k8s默认资源。
用edit ClusterRole允许对资源进行修改
用admin ClusterRole赋予一个命名空间全部的权限
- $ kubectl get clusterroles
- NAME AGE
- admin 44h
- cluster-admin 44h
- edit 44h
- flannel 44h
- kube-state-metrics 44h
- system:aggregate-to-admin 44h
- system:aggregate-to-edit 44h
- system:aggregate-to-view 44h
- system:auth-delegator 44h
- system:aws-cloud-provider 44h
- system:basic-user 44h
- system:certificates.k8s.io:certificatesigningrequests:nodeclient 44h
- system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 44h
- system:controller:attachdetach-controller 44h
- system:controller:certificate-controller 44h
- system:controller:clusterrole-aggregation-controller 44h
- 。。。
- wps@wps:~$ kubectl get clusterrolebindings
- NAME AGE
- clust-tetst 17m
- cluster-admin 44h
- cluster-tetst 13m
- flannel 44h
- kube-state-metrics 44h
- kubelet-bootstrap 44h
- system:aws-cloud-provider 44h
- system:basic-user 44h
- system:controller:attachdetach-controller 44h
- system:controller:certificate-controller 44h
- 。。。
经验首页