正文
12.1.了解認證機制
啟動API服務器時,通過命令行選項可以開啟認證插件。
12.1.1.用戶和組
了解用戶:
分為兩種連接到api服務器的客戶端:
1.真實的人
2.pod,使用一種稱為ServiceAccount的機制
了解組:
認證插件會連同用戶名,和用戶id返回組,組可以一次性給用戶服務多個權限,不用單次賦予,
system:unauthenticated組:用于所有認證插件都不會認證客戶端身份的請求。
system:authenticated組:會自動分配給一個成功通過認證的用戶。
system:serviceaccount組:包含 所有在系統中的serviceaccount。
system:serviceaccount:<namespace>組:包含了所有在特定命名空間中的serviceAccount。
12.1.2 ServiceAccount介紹
每個pod中都包含/var/run/secrets/kubernetes.io/serviceaccount/token文件,如下圖所示,文件內容用于對身份進行驗證,token文件持有serviceaccount的認證token。
應用程序使用token去連接api服務器時,認證插件會對serviceaccount進行身份認證,并將serviceaccount的用戶名傳回到api服務器內部。
serviceaccount的用戶名格式如下:
system:serviceaccount:<namespace>:<service account name>
ServiceAccount是運行在pod中的應用程序,和api服務器身份認證的一中方式。
了解ServiceAccount資源
ServiceAcount作用在單一命名空間,為每個命名空間創建默認的ServiceAccount。
多個pod可以使用相同命名空間下的同一的ServiceAccount,
ServiceAccount如何與授權文件綁定
在pod的manifest文件中,可以指定賬戶名稱的方式,將一個serviceAccount賦值給一個pod,如果不指定,將使用該命名空間下默認的ServiceAccount.
可以 將不同的ServiceAccount賦值給pod,讓pod訪問不同的資源。
12.1.3創建ServiceAccount
為了集群的安全性,可以手動創建ServiceAccount,可以限制只有允許的pod訪問對應的資源。
創建方法如下:
$ kubectl get sa
NAME SECRETS AGE
default 1 21h
$ kubectl create serviceaccount yaohong
serviceaccount/yaohong created
$ kubectl get sa
NAME SECRETS AGE
default 1 21h
yaohong 1 3s
使用describe來查看ServiceAccount。
$ kubectl describe sa yaohong
Name: yaohong
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: yaohong-token-qhbxn //如果強制使用可掛載秘鑰。那么使用這個serviceaccount的pod只能掛載這個秘鑰
Tokens: yaohong-token-qhbxn
Events: <none>
查看該token,
$ kubectl describe secret yaohong-token-qhbxn
Name: yaohong-token-qhbxn
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: yaohong
kubernetes.io/service-account.uid: a3d0d2fe-bb43-11e9-ac1e-005056870b4d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1342 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Inlhb2hvbmctdG9rZW4tcWhieG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieWFvaG9uZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImEzZDBkMmZlLWJiNDMtMTFlOS1hYzFlLTAwNTA1Njg3MGI0ZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Onlhb2hvbmcifQ.BwmbZKoM95hTr39BuZhinRT_vHF-typH4anjkL0HQxdVZEt_eie5TjUECV9UbLRRYIqYamkSxmyYapV150AQh-PvdcLYPmwKQLJDe1-7VC4mO2IuVdMCI_BnZFQBJobRK9EdPdbZ9uxc9l0RL5I5WyWoIjiwbrQvtCUEIkjT_99_NngdrIr7QD9S5SxHurgE3HQbmzC6ItU911LjmxtSvBqS5NApJoJaztDv0cHKvlT67ZZbverJaStQdxr4yiRbpSycRNArHy-UZKbNQXuzaZczSjVouo5A5hzgSHEBBJkQpQ6Tb-Ko5XGjjCgV_b9uQvhmgdPAus8GdFTTFAbCBw
12.1.4將ServiceAccount分配給pod
在pod中定義的spec.serviceAccountName字段上設置,此字段必須在pod創建時設置后續不能被修改。
自定義pod的ServiceAccount的方法如下圖
12.2通過基于角色的權限控制加強集群安全
12.2.1.介紹RBAC授權插件
RBAC授權插件將用戶角色作為決定用戶能否執行操作的關機因素。
12.2.2介紹RBAC授權資源
RBAC授權規則通過四種資源來進行配置的,他們可以分為兩組:
Role和ClusterRole,他們決定資源上可執行哪些動詞。
RoleBinding和ClusterRoleBinding,他們將上述角色綁定到特定的用戶,組或者ServiceAccounts上。
Role和RoleBinding是namespace級別資源
ClusterRole和ClusterRoleBinding是集群級別資源
12.2.3使用Role和RoleBinding
Role資源定義了哪些操作可以在哪些資源上執行,
創建Role
service-reader.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: kube-system
name: service-reader
rules:
– apiGroups: [“”]
verbs: [“get”, “list”]
resources: [“services”]
在kube-system中創建Role
#kubectl -n kube-system create -f service-reader.yml
查看該namespace下的role
$ kubectl -n kube-system get role
NAME AGE
extension-apiserver-authentication-reader 41h
kube-state-metrics-resizer 41h
service-reader 2m17s
system::leader-locking-kube-controller-manager 41h
system::leader-locking-kube-scheduler 41h
system:controller:bootstrap-signer 41h
system:controller:cloud-provider 41h
system:controller:token-cleaner 41h
綁定角色到ServiceAccount
將service-reader角色綁定到default ServiceAccount
$ kubectl create rolebinding test –role=service-reader
rolebinding.rbac.authorization.k8s.io/test created
$ kubectl get rolebinding test -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: 2019-08-11T03:40:51Z
name: test
namespace: default
resourceVersion: “239323”
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/test
uid: d0aff243-bbe9-11e9-ac1e-005056870b4d
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: service-reader
12.2.4使用ClusterRole和ClusterRoleBinding
查看集群ClusterRole
# kubectl get clusterrole
NAME AGE
admin 42h
cluster-admin 42h
edit 42h
flannel 42h
kube-state-metrics 42h
system:aggregate-to-admin 42h
…
創建ClusterRole
kubectl create clusterrole flannel –verb=get,list -n kube-system
查看yaml文件
# kubectl get clusterrole flannel -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:”rbac.authorization.k8s.io/v1″,”kind”:”ClusterRole”,”metadata”:{“annotations”:{},”name”:”flannel”},”rules”:[{“apiGroups”:[“”],”resources”:[“pods”],”verbs”:[“get”]},{“apiGroups”:[“”],”resources”:[“nodes”],”verbs”:[“list”,”watch”]},{“apiGroups”:[“”],”resources”:[“nodes/status”],”verbs”:[“patch”]}]}
creationTimestamp: 2019-08-09T09:58:42Z
name: flannel
resourceVersion: “360”
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/flannel
uid: 45100f6f-ba8c-11e9-8f57-005056870608
rules:
– apiGroups:
– “”
resources:
– pods
verbs:
– get
– apiGroups:
– “”
resources:
– nodes
verbs:
– list
– watch
– apiGroups:
– “”
resources:
– nodes/status
verbs:
– patch
創建clusterRoleBinding
$ kubectl create clusterrolebinding cluster-tetst –clusterrole=pv-reader –serviceaccount=kuebsystem:yaohong
clusterrolebinding.rbac.authorization.k8s.io/cluster-tetst created
12.2.5了解默認的ClusterRole和ClusterRoleBinding
如下所示使用kubectl get clusterroles和kubectl get clusterrolesbinding可以獲取k8s默認資源。
用edit ClusterRole允許對資源進行修改
用admin ClusterRole賦予一個命名空間全部的權限
$ kubectl get clusterroles
NAME AGE
admin 44h
cluster-admin 44h
edit 44h
flannel 44h
kube-state-metrics 44h
system:aggregate-to-admin 44h
system:aggregate-to-edit 44h
system:aggregate-to-view 44h
system:auth-delegator 44h
system:aws-cloud-provider 44h
system:basic-user 44h
system:certificates.k8s.io:certificatesigningrequests:nodeclient 44h
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 44h
system:controller:attachdetach-controller 44h
system:controller:certificate-controller 44h
system:controller:clusterrole-aggregation-controller 44h
。。。
wps@wps:~$ kubectl get clusterrolebindings
NAME AGE
clust-tetst 17m
cluster-admin 44h
cluster-tetst 13m
flannel 44h
kube-state-metrics 44h
kubelet-bootstrap 44h
system:aws-cloud-provider 44h
system:basic-user 44h
system:controller:attachdetach-controller 44h
system:controller:certificate-controller 44h
。。。
站長資訊網