When a cluster is shared by multiple users, different users need different operation permissions to keep cluster usage safe.
The following takes adding authorization for the dev user as an example:
Create a private certificate for the account
- Issuing a separate certificate makes it convenient to use that account's permissions on its own. The certificate is valid for 10 years.
1.1 Use the CA that ships with the k8s cluster for certificate authentication
[root@XXX ~]# ls -al /etc/kubernetes/pki
total 68
drwxr-xr-x 3 root root 4096 May 15 23:31 .
drwxr-xr-x 5 root root 4096 May 15 23:31 ..
-rw-r--r-- 1 root root 1493 Aug 9 20:07 apiserver.crt
-rw-r--r-- 1 root root 1273 May 17 11:17 apiserver-etcd-client.crt
-rw------- 1 root root 1675 May 17 11:17 apiserver-etcd-client.key
-rw------- 1 root root 1675 Aug 9 20:06 apiserver.key
-rw-r--r-- 1 root root 1281 Aug 9 20:07 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Aug 9 20:07 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 May 15 23:31 ca.crt
-rw------- 1 root root 1675 May 15 23:31 ca.key
drwxr-xr-x 2 root root 4096 May 17 11:06 etcd
-rw-r--r-- 1 root root 1038 May 15 23:31 front-proxy-ca.crt
-rw------- 1 root root 1675 May 15 23:31 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 May 15 23:31 front-proxy-client.crt
-rw------- 1 root root 1675 May 15 23:31 front-proxy-client.key
-rw------- 1 root root 1679 May 15 23:31 sa.key
-rw------- 1 root root 451 May 15 23:31 sa.pub
1.2 Download the tools:
[root@XXX ~]# mkdir k8s && cd k8s
[root@XXX ~ k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o cfssl
[root@XXX ~ k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o cfssljson
[root@XXX ~ k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o cfssl-certinfo
[root@XXX ~ k8s]# chmod +x cfssl* && export PATH=$PATH:$PWD
1.3 Create the certificate config file:
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
1.4 Create the devuser-csr.json file:
- The k8s username is taken from CN and the group from O. This user or group is what the role binding later refers to.
cat > devuser-csr.json <<EOF
{
  "CN": "dev",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "JiangSu",
      "L": "SuZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
1.5 Generate the user's certificate:
[root@XXX ~ k8s]# cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
- This produces the following three files: devuser.csr devuser-key.pem devuser.pem
Generate the kubeconfig file
- admin.conf was already generated when the cluster was set up, so we can reuse it directly and save ourselves configuring the cluster parameters.
2.1 Copy and modify the kubeconfig file for the dev user
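As an added illustration (not code from the original post), the following Go program reproduces what the API server does with the certificate generated in 1.5: it verifies the chain against the cluster CA, requires the client-auth usage that the kubernetes profile in ca-config.json sets, and maps CN to the username and O to the group. The CA and keys are throwaway ones generated in memory, standing in for /etc/kubernetes/pki/ca.crt and ca.key; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// identityFromCert does what the API server's client-certificate authenticator does:
// accept the certificate only if it chains to the cluster CA and is valid for client
// auth, then take the username from CN and the groups from O.
func identityFromCert(cert, ca *x509.Certificate) (user string, groups []string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// issuePair builds a throwaway in-memory CA (stand-in for /etc/kubernetes/pki/ca.crt
// and ca.key) and signs a client certificate with it, mirroring cfssl gencert with the
// "kubernetes" profile; clientAuth=false simulates a profile that lists only "server auth".
func issuePair(cn string, orgs []string, clientAuth bool) (client, ca *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(87600 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, _ = x509.ParseCertificate(caDER)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(87600 * time.Hour), // 87600h, as in ca-config.json
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	client, _ = x509.ParseCertificate(der)
	return client, ca
}
```

A certificate whose profile grants only server auth, or one signed by a different CA, is rejected here before any RBAC rule is consulted.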
[root@XXX ~ k8s]# cp /etc/kubernetes/admin.conf devuser.kubeconfig
2.2 Set the client authentication parameters:
[root@XXX ~ k8s]# kubectl config set-credentials dev --client-certificate=devuser.pem --client-key=devuser-key.pem --embed-certs=true --kubeconfig=devuser.kubeconfig
2.3 Set the context parameters:
[root@XXX ~ k8s]# kubectl config set-context kubernetes --cluster=kubernetes --user=dev --namespace=kube-system --kubeconfig=devuser.kubeconfig
2.4 Set the default context:
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig
- After each of the steps above you can look at how devuser.kubeconfig changes. Its three most important parts:
- cluster: cluster information, the cluster address and its CA public key
- user: user information, the client certificate and private key; the real identity is read out of the certificate, the name shown in the file is only a label for humans.
- context: a triple of namespace, cluster and user
- Because the file was copied from admin.conf, it still contains the admin user and context with the embedded admin certificate. Remove them before handing the file to dev (list them with kubectl config view --kubeconfig=devuser.kubeconfig, then kubectl config unset users.<name> and kubectl config delete-context <name>, both with --kubeconfig=devuser.kubeconfig), otherwise the RBAC restriction set up below does not apply to the admin credential left in the same file.
Create the RBAC authorization files
3.1 Create the ClusterRole yaml file
[root@XXX ~]# cat dev-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/portforward
  - pods/proxy
  - pods/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- The above is the authorization currently granted to dev; delete and similar verbs are left out to avoid mistaken operations from a non-admin account and to limit the damage dev's operations can do to the cluster.
3.2 Create the ClusterRoleBinding yaml file
[root@XXX ~]# cat dev-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dev-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
3.3 Create the RBAC authorization
[root@XXX ~]# kubectl create -f dev-clusterrole.yaml
[root@XXX ~]# kubectl create -f dev-clusterrolebinding.yaml
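To show how the RBAC authorizer reaches the Forbidden result that is verified in 4.2, here is an added Go evaluator (not from the original post) run over a subset of the rules in dev-clusterrole.yaml; the Rule type, the devRules list and the Allowed function are this example's own, and the matching follows RBAC's semantics, including the "*" wildcard and the "*/subresource" form.

```go
package main

import "strings"

// Rule is one entry of a ClusterRole's rules list.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// devRules is a subset of dev-clusterrole.yaml (constructed for this example).
var devRules = []Rule{
	{APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}, Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{""}, Resources: []string{"pods/exec"}, Verbs: []string{"create"}},
	{APIGroups: []string{"apps"}, Resources: []string{"deployments", "deployments/scale"}, Verbs: []string{"get", "list", "watch"}},
}

// matches implements RBAC's list matching: an exact entry or the "*" wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches also honours the "*/subresource" form RBAC accepts for subresources.
func resourceMatches(list []string, resource string) bool {
	if matches(list, resource) {
		return true
	}
	if i := strings.Index(resource, "/"); i > 0 {
		return matches(list, "*/"+resource[i+1:])
	}
	return false
}

// Allowed reports whether (verb, apiGroup, resource) is permitted by the rules. RBAC is
// deny-by-default: the request passes only if some rule matches all three fields. A
// ClusterRoleBinding applies the rules in every namespace, so the namespace plays no part.
func Allowed(rules []Rule, verb, apiGroup, resource string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, apiGroup) && resourceMatches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}
```

Because the binding is a ClusterRoleBinding, the decision is identical in every namespace, which is why the Forbidden error in 4.2 names "default" even though the context's namespace is kube-system. The same holds for create on pods/exec, which reaches pods in every namespace including kube-system; bind the role per namespace with a RoleBinding if that is not intended.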
Use the generated kubeconfig file with kubectl so that its requests to the kube-apiserver are restricted
4.1 Copy the file over the config file in the /home/dev/.kube directory:
[root@XXX k8s]# cp devuser.kubeconfig /home/dev/.kube/config
4.2 Verify that the authorization restriction works:
[root@XXX k8s]# su - dev
[dev@XXX ~]$ kubectl get po
NAME READY STATUS RESTARTS AGE
default-http-backend-7885f8f56c-vl8wt 1/1 Running 0 4d6h
nginx-ingress-controller-161-7fc9475485-pmtnt 1/1 Running 0 4d6h
[dev@XXX ~]$ kubectl delete po default-http-backend-7885f8f56c-vl8wt
Error from server (Forbidden): pods "default-http-backend-7885f8f56c-vl8wt" is forbidden: User "dev" cannot delete resource "pods" in API group "" in the namespace "default."
Restriction successful!!!
If a project needs delete permission, a separate superdev user has been deployed; a user who needs it logs in with that account to elevate privileges.