k8s—访问控制

最新推荐文章于 2024-04-28 07:30:00 发布

LHT313

最新推荐文章于 2024-04-28 07:30:00 发布

阅读量158

点赞数

CC 4.0 BY-SA版权

分类专栏：企业实用 linux 文章标签： kubernetes

本文链接：https://blog.csdn.net/weixin_54855780/article/details/119345932

linux 同时被 2 个专栏收录

33 篇文章

订阅专栏

企业实用

27 篇文章

订阅专栏

k8s—访问控制

创建UserAccount

cd /etc/kubernetes/pki/
openssl genrsa -out test.key 2048
openssl req -new -key test.key -out test.csr -subj "/CN=test"
openssl  x509 -req -in test.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out test.crt -days 365
openssl x509 -in test.crt -text -noout
kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true	
kubectl  config view
kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
kubectl config use-context test@kubernetes
kubectl  get pod
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"

在这里插入图片描述

kubernetes API 访问控制
在这里插入图片描述

在这里插入图片描述

kubectl -n kube-system get cm
kubectl -n kube-system edit cm extension-apiserver-authentication
openssl x509 -in test.crt -text -noout
kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
kubectl config use-context test@kubernetes# 切换至test用户
kubectl config use-context kubernetes-admin@kubernetes #切换到管理用户
vim role.yaml
kubectl apply -f role.yaml #运行

[root@server1 role]# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""] 
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

在这里插入图片描述

vim clusterrole.yaml
kubectl apply -f clusterrole.yaml

 [root@server1 role]# cat clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

使用rolebinding绑定clusterRole:

[root@server1 role]# cat rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebind-myclusterrole
  namespace:  default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

RoleBinding和ClusterRoleBinding

RoleBinding是将Role中定义的权限授予给用户或用户组。它包含一个subjects列表(users，groups ，service accounts)，并引用该Role。
RoleBinding是对某个namespace 内授权，ClusterRoleBinding适用在集群范围内使用。

[root@server1 role]# cat Rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io

创建clusterrolebinding

[root@server1 role]# cat clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

[root@server1 role]# kubectl config use-context test@kubernetes #切换用户
Switched to context "test@kubernetes".
[root@server1 role]# kubectl get pod

[root@server1 role]# kubectl get deployments -n kube-system
NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
calico-kube-controllers   1/1     1            1           5d18h
coredns                   2/2     2            2           9d

测试test用户权限是否加上：
在这里插入图片描述