文章目录

  • 实验环境
  • 一、验证
  • 概述
  • token 认证方式
  • kubeconfig 认证方式
  • oauth2 认证方式
  • 二、授权(鉴权)
  • 三、k8s中的权限、角色、用户
  • 查看角色
  • 查看集群角色
  • 查看角色有哪些权限
  • 创建角色
  • 创建集群角色同创建角色
  • 查看rolebinding
  • 查看clusterrolebinding
  • 创建rolebinding、clusterrolebinding
  • 查看用户在所有命名空间有哪些rolebinding
  • 删除角色
  • 删除rolebinding、clusterrolebinding
  • 实验:创建role
  • 实验:创建clusterrole
  • 四、了解serviceaccount
  • 概述
  • 投射卷projected与sa信息
  • 实验:创建pod时指定sa
  • 对sa进行授权
  • 五、k8s可视化工具安装:dashboard、kuboard
  • 安装dashboard
  • 安装kuboard


实验环境

完成初始化集群的环境:
(vms21)192.168.26.21——master1
(vms22)192.168.26.22——worker1
(vms23)192.168.26.23——worker2

安装了k8s客户端工具的主机:
(vms41)192.168.26.41——client

一、验证

概述

当我们登录master上时,似乎不需要任何验证就可以进行管理操作,这是因为我们使用root用户登录master上并操作,若我们通过其他用户或者在其他节点上进行kubectl相关命令操作时,就会显示拒绝连接

如下图所示:

以使用pc端的微信为例,我们登录pc的账号并不同于登录微信的账号,我们首先登录pc,然后使用微信的账号登录微信

k8s也一样,我们登录os后,需要用k8s的账号登录,只是在k8s中默认已经设置了root账号,所以我们通过root登录os时,便直接可以登录k8s,所以没有感知到登录验证,而使用其他账号(在k8s中并没有进行过设置的账号)则会显示失败

scrt sessions 导入导出_docker


那么在k8s环境里是如何进行认证的?

token 认证方式

用户以登录的方式来认证有以下两种:
(1)basic-auth-file:输入用户名、密码
(2)token-auth-file:输入token进行验证
将用户名、密码或token信息配置在master的/etc/kubernetes/manifests/kube-apiserver.yaml中
但在k8s v1.19之前(不包括v1.19),有basic-auth-file的认证方式(通过用户名密码的方式认证),后来取消了,因此这里我们只需要了解token的认证方式

一:master上生成token

openssl rand -hex 10
#输出:
4a557575eaa52fe0555f

二:master上,生成一个认证文件/etc/kubernetes/pki/xxx.csv,把生成的token写入文件中
如:对mary用户生成一个认证文件bb.csv

vim /etc/kubernetes/pki/bb.csv

#文件中的格式如下:
#token,用户,UUID
4a557575eaa52fe0555f,mary,3

三:master上编辑/etc/kubernetes/manifests/kube-apiserver.yaml文件,在spec.containers.command下配置认证文件的路径

vim /etc/kubernetes/manifests/kube-apiserver.yaml

#在spec.containers.command插入:
- --token-auth-file=/etc/kubernetes/pki/bb.csv

四:重启生效

systemctl restart kubelet

测试:
另启一个虚拟机作为客户端(vms41)
一:安装k8s客户端工具

#添加k8s的国内加速yum源k8s.repo,放入/etc/yum.repos.d/下
rm -rf /etc/yum.repos.d/* ; wget ftp://ftp.rhce.cc/k8s/* -P /etc/yum.repos.d/

yum install -y kubectl-1.24.2-0 --disableexcludes=kubernetes

二:在master查询k8s服务器地址

kubectl cluster-info
#输出:
Kubernetes control plane is running at https://192.168.26.21:6443
CoreDNS is running at https://192.168.26.21:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

三:登录k8s,并执行命令:get pods -n kube-system

# -s:指定k8s服务器
# --token:使用token的验证方式连接
kubectl -s https://192.168.26.21:6443 --token=4a557575eaa52fe0555f get pods -n kube-system

但此时会连接失败:

Unable to connect to the server: x509: certificate signed by unknown authority

这是因为k8s中所有的组件(kube-apiserver、kube-controller-manager…)之间若想要相互进行通信,都需要进行加密认证——证书的认证 TLS
我们可以以跳过认证的方式来连接

# --insecure-skip-tls-verify=true:跳过TLS认证
kubectl --insecure-skip-tls-verify=true -s https://192.168.26.21:6443 --token=4a557575eaa52fe0555f get pods -n kube-system

若出现:

Error from server (Forbidden): pods is forbidden: User "mary" cannot list resource "pods" in API group "" in the namespace "kube-system"

意为mary用户权限不够,只要在master上给mary用户授权即可

kubectl create clusterrolebinding cbind1 --clusterrole cluster-admin --user=mary

授权后就可以连接了

kubectl --insecure-skip-tls-verify=true -s https://192.168.26.21:6443 --token=4a557575eaa52fe0555f get pods -n kube-system

#输出:
NAME                                       READY   STATUS    RESTARTS       AGE
calico-kube-controllers-56cdb7c587-xk97l   1/1     Running   18 (27m ago)   27d
calico-node-4vfw4                          1/1     Running   23 (27m ago)   27d
calico-node-69h65                          1/1     Running   17 (27m ago)   27d
calico-node-k8btq                          1/1     Running   17 (27m ago)   27d
coredns-74586cf9b6-rlkhp                   1/1     Running   17 (27m ago)   27d
coredns-74586cf9b6-x5vld                   1/1     Running   17 (27m ago)   27d
etcd-vms21.rhce.cc                         1/1     Running   22 (27m ago)   27d
kube-apiserver-vms21.rhce.cc               1/1     Running   1 (27m ago)    22h
kube-controller-manager-vms21.rhce.cc      1/1     Running   23 (27m ago)   27d
kube-proxy-d9lsg                           1/1     Running   18 (27m ago)   27d
kube-proxy-f6dbr                           1/1     Running   18 (27m ago)   27d
kube-proxy-lgjsd                           1/1     Running   17 (27m ago)   27d
kube-scheduler-vms21.rhce.cc               1/1     Running   23 (27m ago)   27d
metrics-server-58556b7dd4-cpth2            1/1     Running   16 (27m ago)   27d

删除mary的权限

kubectl delete clusterrolebinding cbind1

kubeconfig 认证方式

k8s中各组件若想要相互通信,则需要TLS认证—mTLS(双向认证)

什么是mTLS双向认证?如下图:

apiserver组件要与kubelet组件相互通信,首先由一个权威的机构(CA)来给各组件颁发证书,包含用户证书和CA证书,kubelet连接到apiserver,需要出示自己的用户证书,apiserver通过自己的CA证书来验证对方用户证书的真伪性,同样,apiserver也需要向kubelet出示用户证书,kubelet使用自己CA证书来验证对方用户证书,这种相互认证对方证书即双向认证

同样的,若有某远端客户端连接到apiserver,也需要进行双向认证

scrt sessions 导入导出_安全_02

使用kubeconfig的认证方式,我们需要编写kubeconfig文件
因为k8s组件间需要TLS认证,因此kubeconfig文件中需要包含三部分信息:
1.cluster信息:
(1)集群的地址
(2)CA证书(CA颁发的证书,用于验证对方出示的用户证书)
2.上下文信息:
(1)关联了集群信息与用户信息
(2)其他一些默认的用户信息,如所处的命名空间等
3.用户信息:
(1)用户私钥
(2)用户证书(CA颁发的证书,出示给对方以供验证)

查看kubeconfig文件结构

kubectl config view

#输出:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.26.21:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: net
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

当我们使用root用户登录k8s的时候,默认使用的就是kubeconfig的认证方式,他使用的kubeconfig文件就是“/etc/kubernetes/admin.conf”
查看/etc/kubernetes/admin.conf

vim /etc/kubernetes/admin.conf

#输出:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3dOakE1TkRjME4xb1hEVE15TURjd016QTVORGMwTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTW1DCjNOZFdJcXpVV1B6Yk1hYS9jZTR3NW14ZjBRUUdHTkhqb1lhOHR6S0c3VDNObVBMTDRpTHlhQ05ESUUxeTBLRlEKK1RtZGFCSll4M1U0ZE5ZTHNTZEVWcUI1ajNSem5xNUo2L1BPbTBjVW5yY0VxUFFYN0w5MXNNZU90QlZOdWYyRApRc01ZV3lpK3NXUVMxYVhqTHZyaUdWYXRGd0dDSmhTbHlLTENvODdNOHdHbjZzeWlyaXhNdG1sZURLdlJMYkZRCnRhMzRWSVRlQVg3R3VsckJKQmZEMmRxZXY5K0EzZytWMU5KeXo5TXJ0Tkh5THM5ZWNUcnZpbE1JTW55MmUyMDcKZHRGc2V6MmhyenZhRkpIdzVzcDE3enozUHZXcS83ang1YU9lWEdtaU1NemxQSWhJV1JlbU11UWhmVjRsekVrRApzYUtrV05NNEpvSDlsdDZpb21NQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZMUmlpc0hQMmVERTE4THBGZVFHcVg2WDR4SXFNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSTBMWXU0Q3ArL1ZZME9oaEU5WgpZT09Ob2JmTTg5SG9wVnFCVkZtd1Q1cGliS1pXYmZidGQ5bjg5T3p0WlJrSlBLOGNpOCtwRmpleDJFVGNzRWVTCkxveisyRFN3T1VrSnJ2OHl1VjJPZDI2Q3hIMDFEZ1NjcTJMSlRhNG1EVi93b0ZFYlNGTVVyaUVtRXZRdHZsengKMTlMTWJTOUdVdWtCaURhVWp2U0xqOVViS3lWZ3JnUVdWUlJaY0hHamY5c3dYRmU4NVdUQVJiR1Q2R09ZVnZyQQoxa3JSQlhZSGhKSGxKeEptVXJTSDc5c2pHeGdCQy9qR1ppZURPa2RNVWhDbTFFQ3BTcnBFakhKTml2KzY3Nnh1CkdUbmR5ejk2TFZUM1A3U0phV0tEcThvNTFNcmRNTExiZGVWSE04TkVrWTR1b3UxTkUrVEJtU2lCQlQvL2ZHRnUKdXUwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.26.21:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJUnVuazhVcGVwWFF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TWpBM01EWXdPVFEzTkRkYUZ3MHlNekEzTURZd09UUTNORGxhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXEwdnBWZHVRdFJlMHVWY1QKdHBjWURFU05SM1J4Q1pBZ0FkOEw4Visyc0VlelRKKzhld1d2NEs4ZGY0alVjTXREQUdreUFNZWRJd3hHc2JDVgp1UU1HY2V4YzVyWUNiUm81ekNGMUhFM09OMmZvelZtSWVLL0NyUGRJUnJQdFVaS1NDVUlpNDhIL1dvN1ltdG9rCnhUaFZhUW84T0NZSFFtZThPbjZRUW56MTdpTEhSV241NUE0QjlYWlVCRTNUaXFEUGlWbWlJemJLZ1BhSFJDV0IKRWxwUS9XUXNrV1B3WUJkMXR3cFhLRzBsQ2xwcUI3TTJocEo1RmM4WVBKL2pEeE9DTHFZeXdmQWFhUHoyVjNxdQpUcWppaXM4aSt4bEJrbGxXUERldFhwWHB3Y0JTVnIwS3FJRE9BTFdhMGRwWDRoekFnMVB2Y0c3eG9aZkpWeTRzCnNwdFJKUUlEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTMFlvckJ6OW5neE5mQzZSWGtCcWwrbCtNUwpLakFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBY003Vy82YlcwemUyUVMxMThKYlBMeFJlWGV4L2ZTbXZzMFNBCi9qQWlEZXM4RDU4dkVuZmVwTGp1TUR0MTNQRXdyUW5QQXQxY1J4UElqODlwR0FhS2dkNDV3MVE5RzBrbGNsR2UKelcrNkl2TzM5KzVKT1ozSCtzK3UzQlJkTzZJc0RiREN2dE5tVm0vRmt4QTZsSnAwbG9jWE44SW1neWE4SXYxMgo4Y0t1MUx6YWZnK0ZkOEpYcUoyMEt6MVJCZjN3bm5NR3lXZXRkYUN1MmZGb242QVEyaFBaSTNETWdRU01Zbzc0CnErOTdCYm9maklGdkxFclhCRm56dlRLRkQrSzRWcVM3MDQ5N0lDZ3RndUkwbjJ5Zk5LaG1zZmloUGtZQ0k5bG4KdXF1VURYdXpBYWFaZklSbW5WVm5EcldMZktDd1ZPaUFVUmg2Q1Y1YUhrTVcyRS8zUWc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBcTB2cFZkdVF0UmUwdVZjVHRwY1lERVNOUjNSeENaQWdBZDhMOFYrMnNFZXpUSis4CmV3V3Y0SzhkZjRqVWNNdERBR2t5QU1lZEl3eEdzYkNWdVFNR2NleGM1cllDYlJvNXpDRjFIRTNPTjJmb3pWbUkKZUsvQ3JQZElSclB0VVpLU0NVSWk0OEgvV283WW10b2t4VGhWYVFvOE9DWUhRbWU4T242UVFuejE3aUxIUlduNQo1QTRCOVhaVUJFM1RpcURQaVZtaUl6YktnUGFIUkNXQkVscFEvV1Fza1dQd1lCZDF0d3BYS0cwbENscHFCN00yCmhwSjVGYzhZUEovakR4T0NMcVl5d2ZBYWFQejJWM3F1VHFqaWlzOGkreGxCa2xsV1BEZXRYcFhwd2NCU1ZyMEsKcUlET0FMV2EwZHBYNGh6QWcxUHZjRzd4b1pmSlZ5NHNzcHRSSlFJREFRQUJBb0lCQUY2OWVvMXhCY1VUR25LVAoxYVJjUndHcC9KV3pzajAreUdVZ2p3TnVFNlhGMGtZajV1UUh6akd2eU5uYnZOdXhvQm9mRkhmWDczSU4vUitUCjhndEV3QkRNVU1tTml5UDZxRkxkZ2w4b0xWRDVtSW5TNWljUjF0TkJaV2t0WkttRUxsOE9oQ3VDQlpCNWh4V0cKWjJYbzlWeEdPKzQySWplNUZpTW9Fdk9qRjRZZ01BSmlhTkUwR0xKQldQTDFSYUxqWWdlcVVKdTRuWmVUZUR4LwpEaVdBK0tyTmRBRUpRcXkyTmxmR0JMV25kVHo0N3lLRERzcmhMVU9OOUdFdVQzN0g0SitmR3pJT1JTeDdwSEJ2CjJqZ1lQNnlHbWFOV0Q1bjVKeWhDN0VTdW5NaXFwNEI2WTBUYTNKeVoxcVI4c0p1QUJxUkVqQ3FpTHpXMCs4T3IKS2lnWWhOVUNnWUVBeERKVUJZYlV5ODlqVWYrN2ltalBJMzlJemZ3NFY5VldpaEJtUEpWa3BiNW13cDE5U1d0RApadUZ4c0JPMklRMUcrVlltQmNPZzVIVTBnc0NNdllHelRES3pZQnNVUVRKRVBGNTdBa0tZNGNqcit5OTlXL2F0CmRsdHJYMGhCcGFSMWR4YkVxaWxidm5ydTdhRHN5QzBMbUdLNjQxRXNXZmFkRGltTmxva2YvSDhDZ1lFQTM0S1MKNTlTblQ5cXppSkxJa0tXOE1mQ1lhbVZaT05VK3B5VFpsZU5vMzZ4NWE5c3YyREM0YjM1eW1rekJnUjhqVFZzZgozWklwZ2pzbHRGeVQyZ21ubXJqck5lcU8zdnFISTk2WXNhWHU2TFFjKzdtUEY3N2haUGE5dlBQV0JKSGJ3SzNqCkY0WUxSMVhmdlh0OGJsejRWbXZEcXRxZG44VC9NdENpUXZ1N2NGc0NnWUFDRktLTmVIT1RRYnpFNXRoZlRHTTkKOWlDWWhwODJWejNXc3Z2U2txY0JsdlpTQkFlTEdzY1pOVFRXY0M4VFJLZkhCeUhhRjh3Q0FEZ3hWc2RuVHhQTwpzQTcwNnZTWkNHWnUyWFdtZlh4UGtLam4vZ1h2VHJ0aU1PLy9qNjJhaXhidnoxOEFpdlc5SEdLaVJIMmVWZFAwCnByOWluNzYvcVh6YTVKZnF5OE42RXdLQmdRQ3FseHBRM3ptajlTUTZCTzRYbUtkKzVrY3VUWlEva0dKMVorYTYKUkF0elRFeVFTWWJHMXNpdU1EQ0FIRDFFcytOWjAwY0s4ZGZFa2loQTlMZlVIckpSb1BuRStQVjZzblFhcUhhYQpnQzlNWk13S1JLSTJXWFhtZlh4cmp4KzE5UzFvYms5NVVOR2k3S1FNRndmdG8vL1cxZ0ZOa2ZYa1Q1TUgwYjFHCnFxTnhLUUtCZ1FDNGVDbmZadW1LbGxFeC9CbVB6U2VYSDVYZFh3d2ZVK3UyRU5BL3JYRXJ4dmtmRUVGNEN5OVkKdzB3MXJFRlJnajNpYWRKNDJXQzBGQWsyUFFEMW5pSEtXVG5UVG1ZQURWRTNyYkhMY1RCRFJFaURyalhtazY2bAozSEVUQzBiTWF3cW5PeS92QkM0N1ZMUkQ2WjUzRE50ZDljQTVrS1hTcGdCUTNpdUZNcG9GZmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

clusters.cluster.certificate-authority-data——集群的证书
clusters.cluster.server——集群的地址
users.user.client-certificate-data——用户的证书
users.user.client-key-data——用户的私钥
context——上下文信息,关联用户与集群
(参考多集群切换章节)

实验:
一、master上将/etc/kubernetes/admin.conf拷贝至vms41

scp /etc/kubernetes/admin.conf 192.168.26.41:~

二、vms41上使用kubeconfig的认证方式,使用admin.conf作为kubeconfig文件连接k8s,并执行命令get pods

# --kubeconfig指定kubeconfig文件
kubectl --kubeconfig=./admin.conf get pods

#输出:
NAME              READY   STATUS    RESTARTS       AGE
default-testpod   1/1     Running   4 (133m ago)   2d5h
pod1              1/1     Running   7 (133m ago)   13d
pod2              1/1     Running   6 (133m ago)   9d

三、若每次连接k8s都要指定–kubeconfig略显麻烦,我们可以通过以下两种方式设置:
方式一:配置环境变量,默认使用某文件作为kubeconfig文件
配置vms41上的环境变量KUBECONFIG=./admin.conf

export KUBECONFIG=./admin.conf

配置完后直接可以kubectl [命令]
方式二:创建配置文件目录“.kube/config”,则默认会读取目录下的文件作为kubeconfig文件

#取消环境变量的设置
unset KUBECONFIG
#创建.kube目录
mkdir .kube
#将admin.conf拷贝至.kube/config下
cp admin.conf .kube/config

此时,就可以操作kubectl命令了
若这时进行重新初始化操作kubeadm reset,则.kube/config/admin.conf文件会发生变化
若设置了变量又存在“.kube/config”目录,则会优先选择变量的设置

但在实际工作中,我们不会直接将master上的/etc/kubernetes/admin.conf拷贝给其他客户端使用,因为这是管理员的kubeconfig认证文件,权限很大,不够安全
因此,我们需要针对客户端创建一个kubeconfig文件

实验:(考试不考)
客户端需要一个ca证书和一个私钥
在k8s集群环境中已经存在ca证书,即/etc/kubernetes/pki下的ca.crt
一、master上查看/etc/kubernetes/pki下的相关证书

ls /etc/kubernetes/pki

#输出:
apiserver.crt              apiserver.key                 bb.csv  etcd                front-proxy-client.crt  sa.pub
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.crt  front-proxy-ca.crt  front-proxy-client.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  ca.key  front-proxy-ca.key  sa.key

ca.crt——ca证书
ca.key——ca私钥

/var/lib/kubelet/pki下为kubelet的相关证书

ls /var/lib/kubelet/pki

#输出:
kubelet-client-2022-07-06-17-47-50.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key

二、将ca证书拷贝出来到家目录备用

cp /etc/kubernetes/pki/ca.crt .

三、master上生成一个私钥

openssl genrsa -out [文件名].key 2048
#这里生成一个文件名为john的私钥
openssl genrsa -out john.key 2048

四、master上使用私钥向CA证书中心申请证书,首先生成一个csr文件xxx.csr

openssl req -new -key john.key -out [文件名].csr -subj "/CN=john/O=cka2020"
#这里生成一个文件名为john的csr文件
openssl req -new -key john.key -out john.csr -subj "/CN=john/O=cka2020"

五、对csr文件编码

cat john.csr | base64 | tr -d "\n"

#输出:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1pqQ0NBVTRDQVFBd0lURU5NQXNHQTFVRUF3d0VhbTlvYmpFUU1BNEdBMVVFQ2d3SFkydGhNakF5TURDQwpBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxPV2VMZ2V5L2pkZ25pZWd2dGxQcGpUCmtvbXB6b2ZSN0xFRkw1cGRBQmRHd0N3QkVIWVVCNjVabnM4TGMxWUNnSW1PdjlFUm9DUmU2RHIzQzRRKzVQSXIKVnpaYXZuYW1CdzF5MnRxdm5tTmhxVkRJWUZ4Qzd6VkU3UlVFdTcxaFpwNnFkNWJNbzk3NUFCNXNiSHhJamwwdgp6cFA3eUIybEQvWm1LdmxWdjlLMU90UzhGTDlNTnpoRFVTc2dWWVdrV01LUnpqZ1UwT2RwSFVpYkpUOTRvVW1GCmRKZEh5ZXNyQkdwYTVvN09yZUh6OEliLzJaRGhsMU1xL21GblZobU9SWXpSMlhXQXo0ejU1a3VEakRwbHJSWXUKUGJpZ2FzTmFpVmRKNEpMT0F2MTBaS21FL0tlM1daZHozM2s3V3VZbTRxWWRubm42cWQ3M2FoTXp4STdPWUZrQwpBd0VBQWFBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQUR1cVNYa0pEenVkOUcxVnZLVGZUeVRLYmFGNXRqCkh1dktIQTNwL29nTzdodSs3MU0vNDkrQ0RVQ2NlRlVudVlWUmUrM00yQWdYT1UrVERkZUgwQzY5dzV6TXc2RjUKYmpLbWZncW5PamtTSWVic1o0elBQSWg4WGUydUtGd0NFMnFPN1dRRy9aZGZ4RnJoN1NZVmRHcytRdnRObkZFRAp2VkVWc1hyVG1UR3l4MGMyN0NlNjFMTEI5c0l3a24zUUJ2Y2gwajloRXBWL3hIRnR2VUhHSnM0L3VYQ1RMV0R4CjV5azBQTW9EWjlJQXpRdWlBaStlOENFeTVSMjhZNTIwR0xMUCt3aExrTFA2VzNDOVVyQjh2OVhDeVgxdXRnanYKbjlwWTJlb1BRQ0k5b3dBVTR5czV3TkdLVTVKVE5xdnVCQ3BvTGNRWTM1STRFc0xkNzk3V1FKUzUKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==

六、编写申请证书请求文件的yaml文件

vim csr.yaml

#插入:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  groups:
  - system:authenticated
  signerName: kubernetes.io/kube-apiserver-client
  request: [...csr文件内容,第五步输出的内容...]
  usages:
  - client auth

七、创建证书申请文件

kubectl apply -f csr.yaml

查看

kubectl get csr

#输出:
NAME   AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
john   46s   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Pending

八、颁发证书

kubectl certificate approve john

九、颁发后,再次查看csr,可以看到CONDITION变成了Approved,Issued
以yaml文件的形式查看,可以看到spec.status.certificate下有了CA颁发的证书

kubectl get csr
#输出:
NAME   AGE    SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
john   2m3s   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Approved,Issued

kubectl get csr john -o yaml
#输出:
...
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCekNDQWUrZ0F3SUJBZ0lSQU5seCtMR2dpQk5GeWZOQURJMm9JU0F3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TWpBNE1EWXdOekkzTkRoYUZ3MHlNekE0TURZdwpOekkzTkRoYU1DRXhFREFPQmdOVkJBb1RCMk5yWVRJd01qQXhEVEFMQmdOVkJBTVRCR3B2YUc0d2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDemxuaTRIc3Y0M1lKNG5vTDdaVDZZMDVLSnFjNkgKMGV5eEJTK2FYUUFYUnNBc0FSQjJGQWV1V1o3UEMzTldBb0NKanIvUkVhQWtYdWc2OXd1RVB1VHlLMWMyV3I1MgpwZ2NOY3RyYXI1NWpZYWxReUdCY1F1ODFSTzBWQkx1OVlXYWVxbmVXektQZStRQWViR3g4U0k1ZEw4NlQrOGdkCnBRLzJaaXI1VmIvU3RUclV2QlMvVERjNFExRXJJRldGcEZqQ2tjNDRGTkRuYVIxSW15VS9lS0ZKaFhTWFI4bnIKS3dScVd1YU96cTNoOC9DRy85bVE0WmRUS3Y1aFoxWVpqa1dNMGRsMWdNK00rZVpMZzR3NlphMFdMajI0b0dyRApXb2xYU2VDU3pnTDlkR1NwaFB5bnQxbVhjOTk1TzFybUp1S21IWjU1K3FuZTkyb1RNOFNPem1CWkFnTUJBQUdqClJqQkVNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3cKRm9BVXRHS0t3Yy9aNE1UWHd1a1Y1QWFwZnBmakVpb3dEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSVE0QnkzYwpFNWNtRjNVaEFIM3lVdmZEd2Ryb1lxcmFIdHlsNEtRTVhQazhqbXNZWkhaWU9RdG4wVkFhaUF2R1d5Q1Y5YVVRCmd3aUM2Q1Rra285Y0tlOUttUzlyRDMwenhJS2U4MUNnWGVTcXVYcWh4WmduUUxTM2NJejFvT1lIZXFGUFA5WS8KM2hPZUI5a3BsN0xPZzMyU1RFbXRFQXZpbTRRVFBPc2xJaXBKR29ROUc0VUpEYTJIT1VwQXcwNmJkL3I3NzVHOAorc2d1RzdiYjJJWHZuMkI5V1BiWDhVRjZ3RmtqbGNBaFdidU9NTGZQcVllSjQwSzdvMEZiS2FnK05pelVBREZWCk13VHBUeE9PK1ZNeU5aOERUQzA4UjhoZWNEcmE3SThMQy9kV0x4MkFvYzR4aUlJellPSTk1WEtCaXU5dXJwb1QKalRkWFFsdUhRUElZZk5NPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  conditions:
  - lastTransitionTime: "2022-08-06T07:32:48Z"
...

十、把证书导出作为用户证书
将证书base64编码后导出为用户证书文件 “john.crt”

kubectl get csr john -o jsonpath='{.status.certificate}' | base64 -d > john.crt

此时就具备了ca证书ca.crt、用户证书john.crt、用户私钥john.key

十一、以命令行的方式创建一个kubeconfig文件
设置集群信息:
文件名为kc1、集群为cluster1、集群地址为https://192.168.26.21:6443、集群证书为ca.crt
embed-certs=true表示将ca.crt证书内容嵌入到yaml文件中

kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://192.168.26.21:6443 --certificate-authority=ca.crt --embed-certs=true

设置用户信息:
将用户证书、用户私钥嵌入kc1的kubeconfig文件中

kubectl config --kubeconfig=kc1 set-credentials john --client-certificate=john.crt --client-key=john.key --embed-certs=true

设置上下文信息:
将集群信息和用户信息关联起来

kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=john

编辑kubeconfig文件kc1,将默认上下文配置current-context改为“context1”

...
current=context: "context1"
...

最终,kubeconfig文件kc1如下:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3dOakE1TkRjME4xb1hEVE15TURjd016QTVORGMwTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTW1DCjNOZFdJcXpVV1B6Yk1hYS9jZTR3NW14ZjBRUUdHTkhqb1lhOHR6S0c3VDNObVBMTDRpTHlhQ05ESUUxeTBLRlEKK1RtZGFCSll4M1U0ZE5ZTHNTZEVWcUI1ajNSem5xNUo2L1BPbTBjVW5yY0VxUFFYN0w5MXNNZU90QlZOdWYyRApRc01ZV3lpK3NXUVMxYVhqTHZyaUdWYXRGd0dDSmhTbHlLTENvODdNOHdHbjZzeWlyaXhNdG1sZURLdlJMYkZRCnRhMzRWSVRlQVg3R3VsckJKQmZEMmRxZXY5K0EzZytWMU5KeXo5TXJ0Tkh5THM5ZWNUcnZpbE1JTW55MmUyMDcKZHRGc2V6MmhyenZhRkpIdzVzcDE3enozUHZXcS83ang1YU9lWEdtaU1NemxQSWhJV1JlbU11UWhmVjRsekVrRApzYUtrV05NNEpvSDlsdDZpb21NQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZMUmlpc0hQMmVERTE4THBGZVFHcVg2WDR4SXFNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSTBMWXU0Q3ArL1ZZME9oaEU5WgpZT09Ob2JmTTg5SG9wVnFCVkZtd1Q1cGliS1pXYmZidGQ5bjg5T3p0WlJrSlBLOGNpOCtwRmpleDJFVGNzRWVTCkxveisyRFN3T1VrSnJ2OHl1VjJPZDI2Q3hIMDFEZ1NjcTJMSlRhNG1EVi93b0ZFYlNGTVVyaUVtRXZRdHZsengKMTlMTWJTOUdVdWtCaURhVWp2U0xqOVViS3lWZ3JnUVdWUlJaY0hHamY5c3dYRmU4NVdUQVJiR1Q2R09ZVnZyQQoxa3JSQlhZSGhKSGxKeEptVXJTSDc5c2pHeGdCQy9qR1ppZURPa2RNVWhDbTFFQ3BTcnBFakhKTml2KzY3Nnh1CkdUbmR5ejk2TFZUM1A3U0phV0tEcThvNTFNcmRNTExiZGVWSE04TkVrWTR1b3UxTkUrVEJtU2lCQlQvL2ZHRnUKdXUwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.26.21:6443
  name: cluster1
contexts:
- context:
    cluster: cluster1
    namespace: default
    user: john
  name: context1
current-context: "context1"
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCekNDQWUrZ0F3SUJBZ0lSQU5seCtMR2dpQk5GeWZOQURJMm9JU0F3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TWpBNE1EWXdOekkzTkRoYUZ3MHlNekE0TURZdwpOekkzTkRoYU1DRXhFREFPQmdOVkJBb1RCMk5yWVRJd01qQXhEVEFMQmdOVkJBTVRCR3B2YUc0d2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDemxuaTRIc3Y0M1lKNG5vTDdaVDZZMDVLSnFjNkgKMGV5eEJTK2FYUUFYUnNBc0FSQjJGQWV1V1o3UEMzTldBb0NKanIvUkVhQWtYdWc2OXd1RVB1VHlLMWMyV3I1MgpwZ2NOY3RyYXI1NWpZYWxReUdCY1F1ODFSTzBWQkx1OVlXYWVxbmVXektQZStRQWViR3g4U0k1ZEw4NlQrOGdkCnBRLzJaaXI1VmIvU3RUclV2QlMvVERjNFExRXJJRldGcEZqQ2tjNDRGTkRuYVIxSW15VS9lS0ZKaFhTWFI4bnIKS3dScVd1YU96cTNoOC9DRy85bVE0WmRUS3Y1aFoxWVpqa1dNMGRsMWdNK00rZVpMZzR3NlphMFdMajI0b0dyRApXb2xYU2VDU3pnTDlkR1NwaFB5bnQxbVhjOTk1TzFybUp1S21IWjU1K3FuZTkyb1RNOFNPem1CWkFnTUJBQUdqClJqQkVNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3cKRm9BVXRHS0t3Yy9aNE1UWHd1a1Y1QWFwZnBmakVpb3dEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSVE0QnkzYwpFNWNtRjNVaEFIM3lVdmZEd2Ryb1lxcmFIdHlsNEtRTVhQazhqbXNZWkhaWU9RdG4wVkFhaUF2R1d5Q1Y5YVVRCmd3aUM2Q1Rra285Y0tlOUttUzlyRDMwenhJS2U4MUNnWGVTcXVYcWh4WmduUUxTM2NJejFvT1lIZXFGUFA5WS8KM2hPZUI5a3BsN0xPZzMyU1RFbXRFQXZpbTRRVFBPc2xJaXBKR29ROUc0VUpEYTJIT1VwQXcwNmJkL3I3NzVHOAorc2d1RzdiYjJJWHZuMkI5V1BiWDhVRjZ3RmtqbGNBaFdidU9NTGZQcVllSjQwSzdvMEZiS2FnK05pelVBREZWCk13VHBUeE9PK1ZNeU5aOERUQzA4UjhoZWNEcmE3SThMQy9kV0x4MkFvYzR4aUlJellPSTk1WEtCaXU5dXJwb1QKalRkWFFsdUhRUElZZk5NPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBczVaNHVCN0wrTjJDZUo2QysyVSttTk9TaWFuT2g5SHNzUVV2bWwwQUYwYkFMQUVRCmRoUUhybG1lend0elZnS0FpWTYvMFJHZ0pGN29PdmNMaEQ3azhpdFhObHErZHFZSERYTGEycStlWTJHcFVNaGcKWEVMdk5VVHRGUVM3dldGbW5xcDNsc3lqM3ZrQUhteHNmRWlPWFMvT2svdklIYVVQOW1ZcStWVy8wclU2MUx3VQp2MHczT0VOUkt5QlZoYVJZd3BIT09CVFE1MmtkU0pzbFAzaWhTWVYwbDBmSjZ5c0VhbHJtanM2dDRmUHdodi9aCmtPR1hVeXIrWVdkV0dZNUZqTkhaZFlEUGpQbm1TNE9NT21XdEZpNDl1S0JxdzFxSlYwbmdrczRDL1hSa3FZVDgKcDdkWmwzUGZlVHRhNWliaXBoMmVlZnFwM3ZkcUV6UEVqczVnV1FJREFRQUJBb0lCQUJjVmVGN3lWbldldzI2TgpzWGh2QXlUUnpUdzB2MzlsMUc3TW85bkxxbjlUY05BM01zNTZ0S0lNa3dVNkM1RTZzUnI5WmxxUlVXeGJacTV0Cm91VlUwRWp3bVQwN1hOQVRkMFNiUnRabFRJNnB0d0hUUDgrY0t2TkY4Tk9LMERiL2xoay9BREE2RGJaVGUxaHQKeDJRU1QzcGE4c3JDeW01RkVWQXl3Y05hNmxWRER6U0l2TExxR3lOclBZa1pKVUhnTnVkN0RaOUd2TmdCZk8zQwpBY3BZd3h3MVN5bWpBZ2RGcVNHSWU3Q0hkYUpYM0JodHBsREFwUlNBRzNHdnNVakYyRy94NXJVQlE2WVF5OEY4Clp1alo1QTJDU1N1ZDhEbjY0VkZqVXBGN3dLQ0dMRjE2dkR5SlNEOUp3cFZtZmY5bnNxV3loWDc0WncyT1llZGUKVmlacUxxRUNnWUVBMlFOb1pWS2xaSUZ2MDE3bXEyV0p0cFBMdGhXemxzUkRsUFovQWNvbDl0MEVTZWFOR01VZgphSHhZNzdoWjFac1pPbHhWdDdkZTlEaWZkVmEzZllzb0JpaHdyMFIwdkdrNUExdTUyK0xHSGpJWE5ONit4Uy9NClh3Zi9XSy9mY1RESmt0RFRhY1NPaHl2b055QzBjTkFqZ2Z3MUR5SFRrQ0FOdElVT05xc2xPUk1DZ1lFQTA5blcKY1kvd2k4ekJlTTI1V1pBRGc0ODdIdDduaTJBNEdqWnRXa1ViekkxUUU2Qi9CSGU5ek5JQUdvdDdPTDBWbDhTLwpGQXBvY2xNSWY0RjVpb0NSZkR6c2dyZjZFSHhhOTBuNml2eHVUTWd1cUNlMGpjRHNaTVZOMEc2SDZURGQ5K2VOCkRlejFuMWxBUEM5b2Eva25EWmo1OTVobUlKMXc1Y0ttOTMvNU9tTUNnWUVBb2VCdTRSWFRGYk9Qck1YZm52NXcKeVdaWjBJdERtVFR4akk2S2t0VXRtSVdwQzA4VTlPTWwySlRZNm9oRFNwa1ZLbmx4MzBiRFo3MU5CUVFZZjJkcwpCWnZvNG5SWDk2c3R3aG1ML0QrZXRTdDhNQTN2azd0aDRZbGZxZElYQktIMTJyUTIzM0NsT0tOQjVzMVlpOFpXCmxrR0JlcllxMEJsNDM2MVl1dUxUTTAwQ2dZQjQwY043QUp3dkhwYzRUaHRtK0xzSVRLZHE4N1VaeDhZM0xOTXcKcURreWIyVTd6RXlrUDZYL0tjVGxYcWJudE82Ym41bFoxSlc4blo0N0dadzNZUnVYdnljalpjazNuYlJEVSsyUApWbWVSWXBrNVRXdXJiRnRsSFNGRHZjWEZPQmxmU0s4cFFmclM1aE84UDAxT1Jzbis5eitYOVZKSlI0RWJoK2V4ClAwcmtBUUtCZ1FDdUZIQXdGSVpLb3dVNStRNG5zTy81ck5jK2xETzdhOHQ0bm0wemEvYTJPUzI5aW8rTGt6Z2IKK3RNYi9oRm8rbER4SW9zdlZzTUJFbFNSK3BleDVrRWhKbWlKaTVhbTBZems0Rk9yblVkUkFlcERPUGVid1VsQQp6eU0zQS9YOVFRc21wZStURlRtZHpibnN5SHNOUFRXOU1SeHh6eHJvL3h0YzZtakJsMStmbnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

注意:ca所颁发的证书的有效期都只有1年,1年之后,需要续期
十二、将kc1这个kubeconfig文件拷贝到vms41(client)的家目录中

scp kc1 192.168.26.41:~

十三、vms41上,将kc1拷贝至.kube/config目录下,作为默认的kubeconfig文件

cp kc1 .kube/config

查看上下文信息,可以看设置已经生效

kubectl config get-contexts

#输出:
CURRENT   NAME       CLUSTER    AUTHINFO   NAMESPACE
          context1   cluster1   john       default

十四、最后,在master上给用户john授权

kubectl create clusterrolebinding cbind1 --clusterrole cluster-admin --user=john

测试:

#vms41上测试
kubectl get pods

#master上删除用户john的权限
kubectl delete clusterrolebinding cbind1

oauth2 认证方式

接入第三方认证,如HTTP认证等

二、授权(鉴权)

第一章中讲到了客户端用户如何验证登录k8s,登录后,用户得拥有相应的权限才能做相应的操作

master上/etc/kubernetes/manifests/kube-apiserver.yaml文件中,spec.containers.command下用authorization-mode配置项配置鉴权的模式
鉴权的方式:

  • –authorization-mode=Node.RBAC(默认为这种方式)
  • –authorization-mode=AlwaysAlow(允许所有请求,若为这个配置,客户端用户无论是否有被授权,总是允许)——不推荐
  • –authorization-mode=AlwaysDeny(拒绝所有请求,若为这个配置,客户端用户即使被授权了,也是拒绝)——不推荐
  • –authorization-mode=ABAC(这种方式不够灵活,放弃)
    ABAC(Attribute-Based Access Contorl)

推荐使用RBAC(Role Based Access Control——基于角色的访问控制)的模式

  • –authorization-mode=RBAC
    在这种模式下,我们来给用户授权
  • –authorization-mode=Node
    Node授权器主要用于各个node上的kubelet访问apiserver时使用的,其他一般均由RBAC授权器来授权

因此,系统默认的配置为:- --authorization-mode=Node,RBAC,推荐也是这种鉴权方式

三、k8s中的权限、角色、用户

用户——用户不属于任何命名空间,就是一个独立的用户

权限——k8s中有各种权限如:create、update、patch、get、watch、list、delete等

角色——角色是基于命名空间的,我们并不会将某些权限直接授权给用户,而是会先创建某些角色,将权限授权给角色,然后把角色授权给用户,这个授权的过程叫作rolebinding(角色绑定)

注意:角色是基于命名空间的,假设角色role1在命名空间ns1下,将角色role1绑定给用户john,那么john只有在命名空间ns1下才具有角色role1的权限

scrt sessions 导入导出_kubernetes_03


同时,我们也可以创建clusterrole,clusterrole是全局的,没有命名空间的限制,但是,若通过rolebinding的方式来将clusterrole绑定给用户,那么该用户仍然只有在该rolebinding所在的命名空间下才具有相应权限

若想让用户拥有全局的权限(在所有命名空间下都有权限),则创建一个clusterrolebinding,通过clusterrolebinding来将clusterrole绑定给用户

scrt sessions 导入导出_安全_04

查看角色

#查看当前命名空间下的角色
kubectl get role

#查看指定命名空间下的角色
kubectl get role -n [命名空间名称]

查看集群角色

kubectl get clusterrole

查看角色有哪些权限

#Verbs下为属性
kubectl describe role [角色名称]

查看集群角色“管理员”的权限

kubectl describe clusterrole admin

scrt sessions 导入导出_安全_05

创建角色

方式一:命令行的方式

# 命令行中资源类型可以简写,如pod简写为po,但是yaml文件中不能简写
kubectl create role [角色名称] --verb=[拥有的权限,如:get,create...] --resource=[针对什么资源拥有权限,如:pod,svc...]

方式二:yaml文件的方式
通过命令行输出yaml文件模板

kubectl create role [角色名称] --verb=[拥有的权限,如:get,create...] --resource=[针对什么资源拥有权限,如:pod,svc...] --dry-run=client -o yaml > [文件名].yaml

例:
kubectl create role role1 --verb=get,list --resource=po --dry-run=client -o yaml > role1.yaml

输出的yaml文件模板如下:
```bash
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list

rules.apiGroups——配置资源类型的apiVersion的父级(具体看下面的实验)
rules.resources——在限定的apiVerion父级的范围下,配置资源类型(注意:yaml文件中的资源类型必须是复数)
rules.verbs——配置拥有的权限,若配置为 - “*” ,表示拥有所有权限
rules表示权限规则,一个apiGroups表示一个规则,若多个资源都在一个apiGroups下则应用相同的权限规则,若想对不同的资源分配不同的权限规则,可以配置多个apiGroups,如下:
对于service拥有get、list的权限、对于pod拥有所有的权限

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - “*”
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list

创建集群角色同创建角色

#命令行方式创建
kubectl create clusterrole [名称] --verb=[权限] --resource=[资源]
#yaml文件
kubectl create clusterrole [名称] --verb=[权限] --resource=[资源] --dry-run=client -o yaml > [文件名].yaml

也可以直接修改某个角色为集群角色
修改yaml文件将kind改为“ClusterRole”

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
...

查看rolebinding

kubectl get rolebinding
kubectl get rolebinding -n [命名空间]

查看clusterrolebinding

kubectl get clusterrolebinding

创建rolebinding、clusterrolebinding

kubectl create rolebinding [名称] --role=[绑定的角色] --user=[绑定的用户]
kubectl create rolebinding [名称] --clusterrole=[绑定的集群角色] --user=[绑定的用户]

kubectl create clusterrolebinding --clusterrole=[绑定的集群角色] --user=[绑定的用户]

查看用户在所有命名空间有哪些rolebinding

kubectl get rolebinding -A -o wide | grep [用户]

删除角色

kubectl delete role [名称]

删除rolebinding、clusterrolebinding

kubectl delete rolebinding [名称]
kubectl delete clusterrolebinding [名称]

实验:创建role

master上创建角色,并将角色绑定给用户john,以yaml文件的方式创建角色,先通过命令行输出yaml文件目标
(1)角色名为role1,对于pod拥有get,list的权限,输出role1.yaml文件

kubectl create role role1 --verb=get,list --resource=po --dry-run=client -o yaml > role1.yaml

(2)输出的yaml文件模板如下:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list

(3)创建该角色

kubectl apply -f role1.yaml

(4)查看该角色及查看有哪些权限

kubectl get role
#输出:
NAME    CREATED AT
role1   2022-08-07T08:23:22Z

kbuectl describe role role1
#输出:
Name:         role1
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list]

(5)创建rolebinding,名为rbind1,绑定role1和john

kubectl create rolebinding rbind1 --role=role1 --user=john

(6)查看rolebinding

kubectl get rolebinding
#输出:
NAME     ROLE         AGE
rbind1   Role/role1   8s

查看john在所有命名空间下都有哪些rolebinding、角色

kubectl get rolebinding -A -o wide | grep john
#输出:
default              rbind1                                              Role/role1                                            3m54s                john

(7)给角色role1增加create、delete的权限
修改yaml文件,在rules.verbs下增加create、delete

...
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - create
  - delete
...

修改后需要重新apply一下生效

kubectl apply -f role1.yaml

(8)此时用户john只有针对资源pod拥有get、list、create、delete的权限,我们想要它也有对于service的权限
修改yaml,rules.resources下增加services(yaml文件中不能使用简写svc)

...
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - create
  - delete
...

重新apply生效

kubectl apply -f role1.yaml

(9)查看role1的权限,可以看到有了对于pod、svc的get、list、create、delete的权限

scrt sessions 导入导出_docker_06


(10)使其拥有对于pod和svc的所有权限,修改yaml文件如下

...
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - “*”
  #- get
  #- list
  #- create
  #- delete
...

重新apply生效

kubectl apply -f role1.yaml

(11)修改权限规则,使得对于svc只有get、list的权限,对于pod拥有所有的权限

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - “*”
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list

重新apply生效

kubectl apply -f role1.yaml

(12)此时,我们想增加对deployment的get、list权限

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - “*”
- apiGroups:
  - ""
  resources:
  - services
  - deployments
  verbs:
  - get
  - list
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - “*”
- apiGroups:
  - ""
  resources:
  - services
  - deployments
  verbs:
  - get
  - list

重新apply生效

kubectl apply -f role1.yaml

然后来到vms41上测试,发现权限不够

这是因为不同资源类型的apiVersion不一样

通过kubectl api-resources查看,可以看到pods、services的apiVersion为v1,deployments的apiVersion为apps/v1

scrt sessions 导入导出_安全_07


总的来看,资源类型的apiVersion分成了两种结构

单一结构的xx,如:v1

两层结构的yy/xx,如:apps/v1

对于单层结构的,父级为空 “”,对于两层结构的,父级为yy,如apps

在权限规则中,配置项apiGroups下配置的即为资料类型的apiVersion的父级,该规则就限定了一个范围,只对apiVersion的父级为该配置的资源类型生效

如:

...
rules:
- apiGroups:
  - ""
...

就表示该规则只对apiVersion的父级为空(即apiVersion为单层)的资源类型生效
所以,若想让deployment也能生效规则,则要在apiGroups下增加 - “apps”
修改yaml如下:
并增加对于deployment的create权限

...
- apiGroups:
  - ""
  - "apps"
  resources:
  - services
  - deployments
  verbs:
  - get
  - list
  - create
...

重新apply生效

kubectl apply -f role1.yaml

(13)来到vms41上测试创建deploy,设置2个副本数
出现如下报错:

Error from server (Forbidden): deployments.apps "web1" is forbidden: User "john" cannot patch resource "deployments/scale" in API group "apps" in the namespace "default"

意为用户john缺少对资源deployments/scale的patch权限,在apps这个apiGroups下
因此在“apps”的apiGroups下增加对于deployments/scale的patch权限
修改yaml文件如下:

- apiGroups:
  - ""
  - "apps"
  resources:
  - services
  - deployments
  - deployments/scale
  verbs:
  - get
  - list
  - create
  - patch
...

重新apply生效

kubectl apply -f role1.yaml

实验:创建clusterrole

(1)master上删除role1、rbind1

kubectl delete role role1
kubectl delete rolebinding rbind1

(2)修改role1.yaml,将kind改为ClusterRole,名字改为“crole”

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: crole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - services
  - deployments
  verbs:
  - get
  - list

(3)创建该clusterrole

kubectl apply -f role1.yaml

(4)查看是否创建成功

kubectl get clusterrole | grep crole
#输出:
crole                                                                  2022-08-08T05:57:18Z

(5)通过rolebinding的方式将crole授权给用户john

kubectl create rolebinding rbind1 --clusterrole=crole --user=john

虽然是clusterrole,集群角色是没有命名空间的限制的,但是是通过rolebinding的方式授权给用户,因此用户还是受rolebinding所在的命名空间的限制
来到vms41上,测试发现,只能在当前命名空间(rbind1所在命名空间)才有权限
(6)删除rbind1,通过clusterrolebinding的形式将crole授权给用户john

kubectl delete rolebinding rbind1
kubectl create clusterrolebinding cbind --clusterrole=crole --user=john

此时,用户john才所有命名空间下都具备了集群角色crole的权限
来到vms41下,可以测试查看所有命名空间下的pod

kubectl get pods -A

(7)实验结束,删除clusterrolebinding

kubectl delete clusterrolebinding cbind

四、了解serviceaccount

概述

以上所提到的 “用户”,都属于“用户账户”,系统还有一种账户——serviceaccount
k8s系统中有两种账户:
1.user account(用户账户)——用于登录系统(通过token或者kubeconfig认证方式登录系统)
2.service account(sa)——用于给pod运行的

在每个命名空间里,都有一个默认的sa,这个sa是无法删除的(删除后又会自动重新生成)

#查看当前命名空间下的sa
kubectl get sa
#输出:
NAME      SECRETS   AGE
default   0         32d

当我们创建、运行一个pod的时候,必须指定这个pod使用哪个sa的身份来运行
我们在创建pod时,若没有指定sa,则会默认使用default下的sa身份来运行
例如我们创建如下pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  terminationGracePeriodSeconds: 0
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

创建好后,我们以yaml文件的形式查看该pod

kubectl get pod pod1 -o yaml
#输出:
...
spec:
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-m8z25
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: vms22.rhce.cc
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 0
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-m8z25
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
...

可以看到serviceAccount的这项属性为default

投射卷projected与sa信息

使用sa,会自动给pod生成一个卷,卷类型为projected,可以看到yaml文件中spec.volumes下名为kube-api-access-m8z25的projected类型的卷

projected卷称为 “投射卷”,主要作用是把sa信息挂载到容器中去
进入pod,可查看投射卷挂载在容器的什么位置

kubectl exec -it pod1 -- df -hT
#输出:
Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay  150G  6.9G  144G   5% /
tmpfs          tmpfs     64M     0   64M   0% /dev
tmpfs          tmpfs    2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/sda1      xfs      150G  6.9G  144G   5% /etc/hosts
shm            tmpfs     64M     0   64M   0% /dev/shm
tmpfs          tmpfs    3.8G   12K  3.8G   1% /run/secrets/kubernetes.io/serviceaccount
tmpfs          tmpfs    2.0G     0  2.0G   0% /proc/acpi
tmpfs          tmpfs    2.0G     0  2.0G   0% /proc/scsi
tmpfs          tmpfs    2.0G     0  2.0G   0% /sys/firmware

可以看到,投射卷是挂载在容器的 “/run/secrets/kubernetes.io/serviceaccount” 下
/run/secrets/kubernetes.io/serviceaccount下会生成一个token

#查看该token
kubectl exec -it pod1 -- cat /run/secrets/kubernetes.io/serviceaccount/token
#输出:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjNJUlNCbDgteVViUHdZeFJsTDMzRkgyZlNYMDFLVndrNXMzU2NxOWV2WUEifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjkxNDc1ODYxLCJpYXQiOjE2NTk5Mzk4NjEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJwb2QxIiwidWlkIjoiYmI4OTY5ZGItMzE5OC00ZGYyLTg0ZmQtODljODliZGQ3MTI1In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJkZWZhdWx0IiwidWlkIjoiYThiNzU2YzItNGY2Ny00Nzg3LWE3OGEtNzNmZGE2ZmJjODRhIn0sIndhcm5hZnRlciI6MTY1OTk0MzQ2OH0sIm5iZiI6MTY1OTkzOTg2MSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6ZGVmYXVsdCJ9.Tk8oiZpkTWm7qIPqnlOGQy6biue0wPuM6ZFOgr-ixppMfpgipqJh2YVylEZF7RB1DIlqm0aO2cZDy0GDD2F4yBkkOiGo2xpmI1liqDKu-ujsK_SqzZA3_OIKS9VVnTHMAciKg69AHqZVeOIu-n0iY_9pESFtGhn4hEKPyIXTh2QBEwrFdgqW4_mMSlOAJs19akkWoLTILsEBwGX20j-eSAek9zlaSI6iLDFqh5ltsxnAYHxdVRgsQJTdpAtUnXxfYrzALnfvaQeVVsOOZWCug80SN0pdZDDiFqD2XrFyGGcODT3pfedrTKWboRuVsWghcq0NNHJ8XWr3bzTIeXar5Q

这个token就含有sa的信息

可以到https://jwt.io/中解码该token

可以看到sub一项指定的就是default命名空间的sa

因此,若给sa授予了什么权限,这个token中就会包含被授权的权限信息

容器里面的进程会去访问/run/secrets/kubernetes.io/serviceaccount下的token,以获取相应的权限

因此sa的权限越大,容器里面的进程的权限也越大

注:这个token有效期为1小时,过期后kubelet会自动去申请、更新

scrt sessions 导入导出_kubernetes_08


我们也可以手动创建一个sa,然后创建pod时指定该sa

在k8s-1.20之前(包含1.20):创建sa同时会创建一个secret出来,并且pod里的token就是这个secret的token,并且这个token是永不过期的

k8s-1.21至1.23:创建sa同时也会生成一个secret,但是pod里的token不再使用secret里的token了

在k8s-1.24之后(包括1.24):创建sa时干脆就不再生成secret,但是我们可以手动创建secret

实验:创建pod时指定sa

(1)删除上面的pod1

kubectl delete pod pod1

(2)创建名为sa1的service account

kubectl create sa sa1

(3)查看是否创建成功

kubectl get sa
#输出:
NAME      SECRETS   AGE
default   0         32d
sa1       0         3s

注:在k8s1.24之前(不包括1.24),创建sa同时会创建一个secret出来,1.24之后就不会了,但是我们可以手动创建secret
(4)创建pod,spec下使用serviceAccount配置项指定sa
指定sa1作为该pod的sa
创建pod1.yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  terminationGracePeriodSeconds: 0
  serviceAccount: sa1
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: pod1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

创建该pod

kubectl apply -f pod1.yaml

(5)检验pod1使用的sa是否是sa1
进入pod1查看/run/secrets/kubernetes.io/serviceaccount下的token

kubectl exec -it pod1 -- cat /run/secrets/kubernetes.io/serviceaccount/token
#输出:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjNJUlNCbDgteVViUHdZeFJsTDMzRkgyZlNYMDFLVndrNXMzU2NxOWV2WUEifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjkxNDc4MzYyLCJpYXQiOjE2NTk5NDIzNjIsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJwb2QxIiwidWlkIjoiNTFkOWExZDYtNjAxNC00YTYwLTg4MjgtMGYwNWM3ZGI3MzU5In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzYTEiLCJ1aWQiOiJjOTY4ZThkMy0zMDkwLTQ5ZTktYTczNC02ZDA2ZTBlNjViZjIifSwid2FybmFmdGVyIjoxNjU5OTQ1OTY5fSwibmJmIjoxNjU5OTQyMzYyLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYTEifQ.T0hmPRD5-AnYI-BE-HXURAE1mqV3NZEPtoaIwgXq8a6r1y4DJf6b80IjMRnENbew51qABkex8GnVLCALuNym9X_ziIK3LjgTg5Vq1Sk2jM30M3ziclFugI_ZzAdf3Qg1LSWkEIzo7rNOQ-dcnPYFOTHlrsJOXUioXgHj-0qEiSoHKJCc7wIn-yhNsY1mz8DaYvS9OZPJPxw0XXmY5Ov-azCpcta7LPhUONGCg8sYKThAr8fBbSKyGx8cg1WNlzm2GD1IRrHRJtHk0ik-BlKRFYPEK12z1RbT-7n874moLKaay7F51wNz7BWE0-AI2Y7EFtWajvUF9V1GlXSp-Q1Eyg

将token信息复制到https://jwt.io/中解码
可以看到sub一项的值为:“sub”: “system:serviceaccount:default:sa1”
(6)可以给sa1创建一个secret,生成yaml如下:

cat > sa1-secret.yaml<<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: sa1
  annotations:
    kubernetes.io/service-account.name: "sa1"
EOF

创建该secret

kubectl apply -f sa1-secret.yaml

查看secret

kubectl get secrets
#输出:
NAME   TYPE                                  DATA   AGE
sa1    kubernetes.io/service-account-token   3      57s

查看sa1的secret

kubectl describe secrets sa1
#输出:
Name:         sa1
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa1
              kubernetes.io/service-account.uid: c968e8d3-3090-49e9-a734-6d06e0e65bf2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjNJUlNCbDgteVViUHdZeFJsTDMzRkgyZlNYMDFLVndrNXMzU2NxOWV2WUEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYTEiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjOTY4ZThkMy0zMDkwLTQ5ZTktYTczNC02ZDA2ZTBlNjViZjIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYTEifQ.c1AfEofgEh6Uy6HK7L8hUlndX01rdgsUczbezOHACfqsbHa3_aefc3_ZNUJvhO2Pts6Vkycl_c3yMHqk0NiJ5Q2DQLUR-w3Q5G_USrhRimlSRzQ5uag_bchAEi0DX1HAsVSByvV_8tgfgUSFDHFNPXqvZpkhY4aNfahmYH3o9MKRHTj1P0Lcn2Q-LhS4wMs_MN55q0Wu7LGPIPrxytxC7K4uBO5ZuTh0QNP_bZSML6tGECvWwo_yQEQ1fqSvcgd-q7NzbQT7GnjhuhwZ1yID5E-G3qz6uzB-CnVydQS0qswat8EGvNPRVqFuJ9ibKaJhSZvmahT0n76FqDWxtTRnBw

但是pod里并没有应用这个token(指k8s-1.21之后,包括1.21)

对sa进行授权

综上,我们在创建、运行一个pod时,必会指定一个sa(没有指定则使用default下的sa)

sa的应用:
假如公司要为k8s环境开发一套程序,程序进程运行在一个容器中,这个程序对用户提供了可视化操作界面,使得用户“点一点”就可以完成对k8s的相关操作,程序底层会将可视化操作转换为相关的命令,因此在创建这个容器时,给他指定的sa就必须得具备相应的权限,容器里的进程才能实现以上的功能

将角色、集群角色授权给sa的语法

kubectl create rolebinding [名称] --role=[角色名称] --serviceaccount=[命名空间]:[sa名称]
kubectl create clusterrolebinding [名称] --clusterrole=[角色名称] --serviceaccount=[命名空间]:[sa名称]

五、k8s可视化工具安装:dashboard、kuboard

安装dashboard

Dashboard 是基于网页的 Kubernetes 用户界面。 你可以使用 Dashboard 将容器应用部署到 Kubernetes 集群中,也可以对容器应用排错,还能管理集群资源。 你可以使用 Dashboard 获取运行在集群中的应用的概览信息,也可以创建或者修改 Kubernetes 资源 (如 Deployment,Job,DaemonSet 等等)。 例如,你可以对 Deployment 实现弹性伸缩、发起滚动升级、重启 Pod 或者使用向导创建新的应用

scrt sessions 导入导出_安全_09


安装:

(1)到k8s官方文档中搜索dashboard:https://kubernetes.io/zh-cn/docs/home/

选择 “部署和访问Kubernetes仪表板(Dashboard)”

下载所需yaml文件

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.0/aio/deploy/recommended.yaml

(2)查看所需镜像

grep image recommended.yaml 
#输出:
     image: kubernetesui/dashboard:v2.5.0
     imagePullPolicy: Always
     image: kubernetesui/metrics-scraper:v1.0.7

(3)所有节点上拉取镜像

nerdctl pull kubernetesui/dashboard:v2.5.0
nerdctl pull kubernetesui/metrics-scraper:v1.0.7

(4)master上安装

kubectl apply -f recommended.yaml

(5)安装完毕后,查看所有命名空间,可以看到帮我们自动创建了一个kubernetes-dashboard的命名空间

kubectl get ns

#输出:
NAME                   STATUS   AGE
default                Active   5d2h
kube-node-lease        Active   5d2h
kube-public            Active   5d2h
kube-system            Active   5d2h
kubernetes-dashboard   Active   7s

(6)查看命名空间kubernetes-dashboard下的pod、svc

kubectl get pods -n kubernetes-dashboard
#输出:
NAME                                         READY   STATUS              RESTARTS   AGE
dashboard-metrics-scraper-7bfdf779ff-fq7f6   0/1     ContainerCreating   0          107m
kubernetes-dashboard-6cdd697d84-25zw2        0/1     ContainerCreating   0          107m

kubectl get svc -n kubernetes-dashboard
#输出:
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.104.139.159   <none>        8000/TCP   107m
kubernetes-dashboard        ClusterIP   10.96.48.40      <none>        443/TCP    107m

(7)编辑kubernetes-dashboard这个svc,将type原ClusterIP改为NodePort

kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard

#yaml:
...
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: NodePort
status:
...

(8)查看修改后的这个svc的IP和端口

kubectl get svc -n kubernetes-dashboard

#输出:
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.104.139.159   <none>        8000/TCP        111m
kubernetes-dashboard        NodePort    10.96.48.40      <none>        443:32296/TCP   111m

(9)用浏览器访问这个地址:https://192.168.26.21:32296
选择用Token认证登入
创建sa1

kubectl create sa sa1

为这个sa1生成token

kubectl create token sa1

然后用此token登录
登录后会发现权限不足的提醒,这是因为还没有给sa1授权
为sa1授权管理员的权限

kubectl create clusterrolebinding cbind1 --clusterrole=cluster-admin --serviceaccount=default:sa1

除了dashboard这个可视化界面外,还有其他工具如:kuboard

安装kuboard

(1)确保已经安装好了metric-server
(2)wget https://kuboard.cn/install-script/kuboard.yaml (3)所有节点拉取镜像nerdctl pull eipwork/kuboard:latest (4)修改kuboard.yaml,把策略改为IfNotPresent
(5)kubectl apply -f kuboard.yaml (6)确保kuboard运行,查看podkubectl get pods -n kube-system (7)获取token

echo $(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep kuboard-user | awk'{print $1}')-o go-template='{{.data.token}}' | base64-d)

(8)登录http://192.168.26.21:32567,用上面获取的token登录