RBAC用户管理

方式认证

X509 Client Certs

创建用户

参考文档：

第一步：生成用户证书

在k8s master节点执行：

sudo -s
mkdir -p ~/k8s-user-certs
cd ~/k8s-user-certs
cert_user=wenlg
cert_group=deployer
openssl genrsa -out ${cert_user}.key 2048
openssl req -new -key ${cert_user}.key -out ${cert_user}.csr -subj "/CN=${cert_user}/O=${cert_group}"
openssl x509 -req -in ${cert_user}.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ${cert_user}.crt -days 365

下载生成的证书wenlg.crt和密钥wenlg.key，保存在自己电脑上，推荐存放在~/.certs/目录

在本地电脑执行：

cert_user=wenlg
cert_namespace=office
kubectl config set-credentials ${cert_user} --client-certificate=$(realpath ~/.certs/${cert_user}.crt)  --client-key=$(realpath ~/.certs/${cert_user}.key) --embed-certs=true
kubectl config set-context ${cert_user}@kubernetes --cluster=kubernetes --user=${cert_user} --namespace=${cert_namespace}

本地执行，如果提示Error from server (Forbidden): pods is forbidden: User "wenlg" cannot list pods in the namespace "default" 就说明证书可以了。

kubectl --context=${cert_user}@kubernetes get pods

配置权限

创建一个角色deployment-manager：

kubectl create namespace ${cert_namespace}
cat <<EOS|kubectl apply -f -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: ${cert_namespace}
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOS

绑定角色和用户：

cat <<EOS|kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: ${cert_namespace}
subjects:
- kind: User
  name: ${cert_user}
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: ""
EOS

测试一下权限：

# 部署一个镜像
kubectl --context=${cert_user}@kubernetes run --image citizenstig/httpbin httpbin
# 显示部署和pod列表
kubectl --context=${cert_user}@kubernetes get deploy,po

Output

➜  ~ kubectl --context=${cert_user}@kubernetes get deploy,po
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/httpbin   1         1         1            1           47s

NAME                          READY     STATUS    RESTARTS   AGE
po/httpbin-5c5449d8b8-qr2dz   1/1       Running   0          47s

尝试访问default namespace的资源

kubectl --context=${cert_user}@kubernetes get po --namespace=default

Output

➜  ~ kubectl --context=${cert_user}@kubernetes get po --namespace=default
Error from server (Forbidden): pods is forbidden: User "wenlg" cannot list pods in the namespace "default"

至此，创建一个用户，设定访问权限就完成了。

Webhook Token

参考文档：https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication

Previousrke方式安装Kubernetes NextTraefik配置

Last updated 7 years ago