Generating a per-user kubeconfig for k8s and restricting what the user can do (a Linux user is limited to specific resources in one namespace with read-only access; in practice this lets you give different users different k8s permissions)

Prerequisite: the namespace already exists. In this article the namespace is fronted.

一. Create the user

1. Create the user's private key

umask 077; openssl genrsa -out fronted.key 2048

2. Create the certificate signing request; -subj sets the group and user, where O is the group name and CN is the user name

openssl req -new -key fronted.key -out fronted.csr -subj "/O=fronted/CN=fronted"

3. Sign the user certificate with the k8s CA

openssl x509 -req -in fronted.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out fronted.crt -days 3650

二. Generate the kubeconfig file

1. Set the cluster entry (named kubernetes, which is the name the context in step 2 refers to)

kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://master.k8s.io:16443 --kubeconfig=fronted.kubeconfig

2. Set the context

kubectl config set-context fronted@kubernetes --cluster=kubernetes --user=fronted --kubeconfig=fronted.kubeconfig

3. Set the client credentials

kubectl config set-credentials fronted --client-certificate=fronted.crt --client-key=fronted.key --embed-certs=true --kubeconfig=fronted.kubeconfig

4. Select the current context

kubectl config use-context fronted@kubernetes --kubeconfig=fronted.kubeconfig

三. Create the RBAC authorization

1. Create the Role (only allows viewing pods in namespace fronted, including their logs): fronted-role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: fronted
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get", "watch", "list"]

2. Create the RoleBinding (binds user fronted to the Role): fronted-rolebinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: fronted
subjects:
- kind: User
  name: fronted
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

3. Apply the RBAC objects

kubectl apply -f fronted-role.yaml
kubectl apply -f fronted-rolebinding.yaml

四. Give the k8s credentials to an ordinary Linux user

useradd fronted
mkdir -p /home/fronted/.kube
cp fronted.kubeconfig /home/fronted/.kube/
chown -R fronted:fronted /home/fronted/

五. Verify the user's permissions

The user can only view pods; in practice you can also consider a ClusterRole for RBAC.

[root@k8s-master-02 fronted]# su fronted
[fronted@k8s-master-02 ~]$ kubectl get pods -A
Error from server (Forbidden): pods is forbidden: User "fronted" cannot list resource "pods" in API group "" at the cluster scope
[fronted@k8s-master-02 ~]$ kubectl get pods -n fronted
NAME                       READY   STATUS    RESTARTS   AGE
h5sdk-5dd65b78b6-68t8z     1/1     Running   0          5d2h
h5sdk-5dd65b78b6-76mg2     1/1     Running   0          5d2h
h5sdk-5dd65b78b6-p2n2k     1/1     Running   0          5d2h
klbb-798555f54c-2p4zx      1/1     Running   0          3d1h
klbb-798555f54c-f4kn5      1/1     Running   0          3d1h
klbb-798555f54c-n7qdp      1/1     Running   0          3d1h
popadmin-fff99fbc7-klg5c   1/1     Running   1          6d20h
popadmin-fff99fbc7-kn566   1/1     Running   1          6d20h
popadmin-fff99fbc7-tmbms   1/1     Running   1          6d20h
[fronted@k8s-master-02 ~]$ kubectl get svc -n fronted
Error from server (Forbidden): services is forbidden: User "fronted" cannot list resource "services" in API group "" in the namespace "fronted"
[fronted@k8s-master-02 ~]$
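As an added example (not part of the original post), here is a small Python model of how the API server evaluates the Role and RoleBinding above, reproducing the three outcomes of the verification session without a cluster; the manifests are transcribed from the page and the evaluation is a simplification of Kubernetes RBAC (Roles and RoleBindings only, no ClusterRole or ClusterRoleBinding).

```python
# Added example (not from the original post): a minimal model of how the API
# server evaluates the Role and RoleBinding above, reproducing the results of
# the verification session without a cluster. Manifests are transcribed from
# the page; the evaluation is a simplification of Kubernetes RBAC (Role and
# RoleBinding only, no ClusterRole/ClusterRoleBinding).

# Role pod-reader in namespace fronted, keyed by (namespace, name)
ROLES = {
    ("fronted", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "watch", "list"]},
    ],
}

# RoleBinding read-pods: user fronted -> Role pod-reader in namespace fronted
ROLE_BINDINGS = [
    {"namespace": "fronted", "roleRef": "pod-reader",
     "subjects": [{"kind": "User", "name": "fronted"}]},
]


def rule_matches(rule, verb, resource, api_group):
    """A rule allows a request only when verb, resource and API group all
    match; '*' is the RBAC wildcard."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["resources"], resource)
            and hit(rule["apiGroups"], api_group))


def can_i(user, verb, resource, namespace, api_group=""):
    """True if `user` may perform `verb` on `resource`. namespace=None models
    a cluster-scoped request such as `kubectl get pods -A`."""
    if namespace is None:
        # A RoleBinding only grants access inside its own namespace, so a
        # cluster-scoped list is denied regardless of what the Role allows.
        return False
    for binding in ROLE_BINDINGS:
        if binding["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        rules = ROLES.get((binding["namespace"], binding["roleRef"]), [])
        if any(rule_matches(r, verb, resource, api_group) for r in rules):
            return True
    return False
```

On the real cluster, `kubectl auth can-i list pods -n fronted --as=fronted` run as an admin should agree with the model's answer for each request.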