Kubernetes most commonly manages cluster permissions through roles, i.e. RBAC (Role-Based Access Control).

Kubernetes provides the following resource objects for this. Run:

```
kubectl api-resources | grep rbac
```

```
clusterrolebindings   rbac.authorization.k8s.io/v1   false   ClusterRoleBinding
clusterroles          rbac.authorization.k8s.io/v1   false   ClusterRole
rolebindings          rbac.authorization.k8s.io/v1   true    RoleBinding
roles                 rbac.authorization.k8s.io/v1   true    Role
```

As we can see, they fall into two groups: Role and RoleBinding, and ClusterRole and ClusterRoleBinding. The difference between the cluster-scoped and the namespaced ones is:

  • Cluster-scoped resources need no namespace; the permissions automatically apply to all namespaces
  • Namespaced resources must specify a namespace, and the permissions apply only within that namespace

Role

A sample Role, pod-reader, which has only read access to pods:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","watch","list"]}]}
  creationTimestamp: "2022-04-10T16:52:51Z"
  name: pod-reader
  namespace: default
  resourceVersion: "447047"
  uid: 64ebbdb4-d801-4f10-b8d6-71b52b80b5b9
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
```

ServiceAccount

Create the SA:

```
kubectl create sa pod-reader-sa
```

Finally, bind the SA to the Role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"read-secrets","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-reader"},"subjects":[{"kind":"ServiceAccount","name":"pod-reader-sa"}]}
  creationTimestamp: "2022-04-10T16:59:48Z"
  name: pod-reader-binding
  namespace: default
  resourceVersion: "448476"
  uid: 6f01deab-346b-48be-992f-7d8a6e7e75db
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: pod-reader-sa
```

A binding can reference only one role (roleRef), but it can list multiple subjects.

Now we can try out what this SA can do.

```
kubectl get sa pod-reader-sa -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-04-10T16:54:32Z"
  name: pod-reader-sa
  namespace: default
  resourceVersion: "447377"
  uid: fdff489f-b8d2-43dd-96c9-92c9d05e357b
secrets:
- name: pod-reader-sa-token-n58xd
```

Describe this secret:

```
kubectl describe secret pod-reader-sa-token-n58xd

Name:         pod-reader-sa-token-n58xd
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-reader-sa
              kubernetes.io/service-account.uid: fdff489f-b8d2-43dd-96c9-92c9d05e357b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1070 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InBxT19YY25IU2dhYkdyVDhGbkNVSFdoSkZfb1lOZUV2TEVNam04YzZkRk0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InBvZC1yZWFkZXItc2EtdG9rZW4tbjU4eGQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicG9kLXJlYWRlci1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImZkZmY0ODlmLWI4ZDItNDNkZC05NmM5LTkyYzlkMDVlMzU3YiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnBvZC1yZWFkZXItc2EifQ.kq0h-zhrQO5E251ALlp2-MCSO-fVjpzqh_JGOcWn5qzL0oVyr4iNG_HR4hywa3Qo4QBeanEvO147aTfr5LB3fUWUXZjbnmFRS_cUrIiMThB8lGK2zXkQaQRE_RtDnoC-ZD_l5d9DGrILYrPfQcIyQDJ1DoKOaop6S6DiOL0yUBV3CNHc9n_GgwvuTPVKGtlfYwwVRPrIAvqEg5U_y_KcBITD4zBVoXDy7GPXaPY54yyKRZGZc61Mqz5WmGLXHvhl1VejGprUTvcOK6ackZzuC8-Tf_1PgdKVw08kyZ1uSY0tTXEZ1-2K6U5aAnuhl7OanOvHxH-P7ngkD0TcELybsg
```

Add our token to the kubeconfig. First add a user:

```yaml
- name: pod-reader
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6InBxT19YY25IU2dhYkdyVDhGbkNVSFdoSkZfb1lOZUV2TEVNam04YzZkRk0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InBvZC1yZWFkZXItc2EtdG9rZW4tbjU4eGQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicG9kLXJlYWRlci1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImZkZmY0ODlmLWI4ZDItNDNkZC05NmM5LTkyYzlkMDVlMzU3YiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnBvZC1yZWFkZXItc2EifQ.kq0h-zhrQO5E251ALlp2-MCSO-fVjpzqh_JGOcWn5qzL0oVyr4iNG_HR4hywa3Qo4QBeanEvO147aTfr5LB3fUWUXZjbnmFRS_cUrIiMThB8lGK2zXkQaQRE_RtDnoC-ZD_l5d9DGrILYrPfQcIyQDJ1DoKOaop6S6DiOL0yUBV3CNHc9n_GgwvuTPVKGtlfYwwVRPrIAvqEg5U_y_KcBITD4zBVoXDy7GPXaPY54yyKRZGZc61Mqz5WmGLXHvhl1VejGprUTvcOK6ackZzuC8-Tf_1PgdKVw08kyZ1uSY0tTXEZ1-2K6U5aAnuhl7OanOvHxH-P7ngkD0TcELybsg
```

Then add a context:

```yaml
- context:
    cluster: kubernetes
    user: pod-reader
    namespace: default
  name: pod-reader
```

Finally, run kubectl get with this kubeconfig to try it out:

```
[root@master rbac]# kubectl get pod --kubeconfig=config
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-74686db7b4-qz9qw       2/2     Running   0          8d
nginx-01-7fd84d946-qlcff          2/2     Running   0          8d
productpage-v1-57d665985b-7w8gt   2/2     Running   0          8d
ratings-v1-6cb88b8fbd-kws6r       2/2     Running   0          8d
reviews-v1-c8b9888cb-mm9tr        2/2     Running   0          8d
reviews-v2-585bdb58fb-tn5n4       2/2     Running   0          8d
reviews-v3-76c85f5c5b-hnb6m       2/2     Running   0          8d
```

What about other resources?

```
[root@master rbac]# kubectl get svc --kubeconfig=config
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:default:pod-reader-sa" cannot list resource "services" in API group "" in the namespace "default"
```

It reports that we have no permission (Forbidden).
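To make the authorizer's decision behind those two kubectl results concrete, here is an added Python model of how RBAC evaluates the pod-reader Role and RoleBinding. It is example code written for this page, not code from the original post and not Kubernetes' own authorizer. It reproduces the two observations above (listing pods in default is allowed, listing services is Forbidden) and goes a little beyond the post by also modelling the ClusterRole/ClusterRoleBinding scope distinction from the start of the post with a constructed ClusterRole named node-reader. The token it decodes is constructed with the same claims as the SA token shown above; it is not the real token and its signature segment is a placeholder.

```python
"""Offline model of the RBAC decision for the pod-reader Role/RoleBinding.
Added example for this page, not the post's or Kubernetes' own code."""
import base64
import json

# Role rules copied from the pod-reader Role above. ClusterRoles are keyed
# with namespace None because they are not namespaced.
ROLES = {
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
    # Constructed ClusterRole (not in the post), used only to show cluster scope.
    (None, "node-reader"): [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}

# The post's RoleBinding plus a constructed ClusterRoleBinding for node-reader.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default",
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "pod-reader-sa", "namespace": "default"}]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "pod-reader-sa", "namespace": "default"}]},
]


def subject_name(subject: dict) -> str:
    """Username the authorizer sees for a subject. For a ServiceAccount it is
    the system:serviceaccount:<ns>:<name> form shown in the Forbidden error."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]  # User / Group subjects are matched verbatim


def subject_from_token(token: str) -> str:
    """Read the `sub` claim of a service-account JWT WITHOUT verifying it.
    This only shows which identity a kubeconfig user will present; signature
    verification is the API server's job and is deliberately not modelled."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["sub"]


def _rule_matches(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def is_allowed(user: str, namespace: str, verb: str, resource: str,
               api_group: str = "") -> bool:
    """RBAC is deny-by-default and purely additive: allow if ANY binding that
    names the user resolves to a role with a matching rule, otherwise deny."""
    for binding in BINDINGS:
        # A RoleBinding only grants inside its own namespace; a
        # ClusterRoleBinding grants in every namespace and at cluster scope.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        if user not in (subject_name(s) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        key = (binding["namespace"], ref["name"]) if ref["kind"] == "Role" else (None, ref["name"])
        rules = ROLES.get(key, [])  # a dangling roleRef grants nothing
        if any(_rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed token with the same claims as the post's SA token. The
# signature segment is a placeholder, so this is not a usable credential.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "pod-reader-sa",
        "sub": "system:serviceaccount:default:pod-reader-sa",
    }).encode()),
    "placeholder-signature",
])


def replay_post() -> dict:
    """Replay the two requests from the post plus a few the post did not try."""
    user = subject_from_token(SAMPLE_TOKEN)
    return {
        "list pods (default)": is_allowed(user, "default", "list", "pods"),
        "list services (default)": is_allowed(user, "default", "list", "services"),
        "list pods (kube-system)": is_allowed(user, "kube-system", "list", "pods"),
        "delete pods (default)": is_allowed(user, "default", "delete", "pods"),
        "list nodes (cluster scope)": is_allowed(user, "", "list", "nodes"),
    }


if __name__ == "__main__":
    for request, allowed in replay_post().items():
        print(f"{request:28s} {'allowed' if allowed else 'Forbidden'}")
```

The model makes the two properties worth remembering visible: the RoleBinding from the post grants nothing outside the default namespace, and nothing is granted for verbs or resources the Role never lists, because RBAC has no deny rules and denies anything no rule allows. On a live cluster the same question can be put to the API server without switching kubeconfig, for example `kubectl auth can-i list services --as=system:serviceaccount:default:pod-reader-sa -n default`.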