2. 技术博客
  3. 容器编排之战(二十)连载

容器编排之战(二十)连载

tech2026-02-27  1

RBAC 详解(基于角色的访问控制)

一个实验搞定RBAC

RBAC基于角色的访问控制--全拼Role-Based Access Control ​ Service Account为服务提供了一种方便的认证机制,但它不关心授权的问题。可以配合RBAC来为Service Account鉴权 ​ 在Kubernetes中,授权有ABAC(基于属性的访问控制)、RBAC(基于角色的访问控制)、Webhook、Node、AlwaysDeny(一直拒绝)和AlwaysAllow(一直允许)这6种模式。 ​ 在RABC API中,通过如下的步骤进行授权: 1)定义角色:在定义角色时会指定此角色对于资源的访问控制的规则; 2)绑定角色:将主体与角色进行绑定,对用户进行访问授权。 Role与ClusterRole Role:角色可以由命名空间内的Role对象定义,一个Role对象只能用于授予对某一单一命名空间中资源的访问权限 ClusterRole:整个Kubernetes集群范围内有效的角色则通过ClusterRole对象实现。 简介 role: 1、允许的操作,如get,list等 ​ 2、允许操作的对象,如pod,svc等 ​ rolebinding: ​ 将哪个用户绑定到哪个role或clusterrole上 ​ clusterrole:(集群角色) clusterrolebinding:(绑定到集群) 3、如果使用rolebinding绑定到clusterrole上,表示绑定的用户只能用于当前namespace的权限

创建k8s账号与RBAC授权使用

创建账号 1、创建私钥 [root@kub-k8s-master ~]# (umask 077; openssl genrsa -out soso.key 2048) Generating RSA private key, 2048 bit long modulus ...............................+++ ..........................+++ e is 65537 (0x10001) 用此私钥创建一个csr(证书签名请求)文件 [root@kub-k8s-master ~]# openssl req -new -key soso.key -out soso.csr -subj "/CN=soso" ​ 拿着私钥和请求文件生成证书 [root@kub-k8s-master ~]# openssl x509 -req -in soso.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out soso.crt -days 365 Signature ok subject=/CN=soso Getting CA Private Key 2、查看证书内容 [root@kub-k8s-master ~]# openssl x509 -in soso.crt -text -noout 生成账号 [root@kub-k8s-master ~]# kubectl config set-credentials soso --client-certificate=soso.crt --client-key=soso.key --embed-certs=true User "soso" set. 3、设置上下文环境--指的是这个账号只能在这个环境中才能用 [root@kub-k8s-master ~]# kubectl config set-context soso@kubernetes --cluster=kubernetes --user=soso Context "soso@kubernetes" created. 查看当前的工作上下文 [root@kub-k8s-master ~]# kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.246.166:6443 .... 4、切换用户(切换上下文) [root@kub-k8s-master ~]# kubectl config use-context soso@kubernetes Switched to context "soso@kubernetes". 验证是否已经切换到了新的上下文 [root@kub-k8s-master ~]# kubectl config current-context soso@kubernetes 5.测试(还未赋予权限) [root@kub-k8s-master ~]# kubectl get pod Error from server (Forbidden): pods is forbidden: User "soso" cannot list resource "pods" in API group "" in the namespace "default" 创建一个角色(role)---权限 1.切回管理帐号先 [root@kub-k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes". 创建角色: [root@kub-k8s-master ~]# kubectl create role myrole --verb=get,list,watch --resource=pod,svc role.rbac.authorization.k8s.io/myrole created --verb: 相当于是权限 --resource:给什么资源使用 ​ ​ 2.绑定用户soso(上面创建的用户),绑定role为myrole [root@kub-k8s-master ~]# kubectl create rolebinding myrole-binding --role=myrole --user=soso rolebinding.rbac.authorization.k8s.io/myrole-binding created ​ 3.切换用户 [root@kub-k8s-master ~]# kubectl config use-context soso@kubernetes Switched to context "soso@kubernetes". ​ 4.查看权限(只授权了default名称空间pod和svc的get,list,watch权限) [root@kub-k8s-master ~]# kubectl get pod NAME READY STATUS RESTARTS AGE lifecycle-demo 1/1 Running 1 22h mypod 1/1 Running 0 8h nginx-configmap 1/1 Running 0 4h29m nginx-pod 1/1 Running 0 39m [root@kub-k8s-master ~]# kubectl get pod -n kube-system #无权访问kube-system Error from server (Forbidden): pods is forbidden: User "soso" cannot list resource "pods" in API group "" in the namespace "kube-system" [root@kub-k8s-master ~]# kubectl delete pod nginx-pod #无权限删除 Error from server (Forbidden): pods "nginx-pod" is forbidden: User "soso" cannot delete resource "pods" in API group "" in the namespace "default" ​ 5.切换用户 [root@kub-k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes". ​ ​ ​ 实验二 ​ 6.删除soso账号之前绑定的rolebinding [root@kub-k8s-master ~]# kubectl delete rolebinding myrole-binding rolebinding.rbac.authorization.k8s.io "myrole-binding" deleted 7.创建clusterrole #可以访问全部的namespace [root@kub-k8s-master ~]# kubectl create clusterrole myclusterrole --verb=get,list,watch --resource=pod,svc clusterrole.rbac.authorization.k8s.io/myclusterrole created ​ 8.绑定集群角色到用户soso [root@kub-k8s-master ~]# kubectl create clusterrolebinding my-cluster-rolebinding --clusterrole=myclusterrole --user=soso clusterrolebinding.rbac.authorization.k8s.io/my-cluster-rolebinding created ​ 8.切换账号 [root@kub-k8s-master ~]# kubectl config use-context soso@kubernetes Switched to context "soso@kubernetes". ​ 9.查看权限 查看kube-system空间的pod [root@kub-k8s-master ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE coredns-5644d7b6d9-sm8hs 1/1 Running 0 5d coredns-5644d7b6d9-vddll 1/1 Running 0 5d etcd-kub-k8s-master 1/1 Running 0 5d ... ​ 注意:10.切换为管理员用户 [root@kub-k8s-master ~]# kubectl config use-context kubernetes-admin@kubernetes

设置上下文和账户切换

设置工作上下文(前提得有用户)

[root@kub-k8s-master ~]# kubectl config set-context soso@kubernetes --cluster=kubernetes --user=soso Context "soso@kubernetes" created.

查看当前的工作上下文

[root@kub-k8s-master ~]# kubectl config view apiVersion: v1 clusters: - cluster: ....

切换上下文(切换用户)

[root@kub-k8s-master ~]# kubectl config use-context soso@kubernetes Switched to context "soso@kubernetes".

切换为管理员用户

[root@kub-k8s-master prome]# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
最新回复(0)