Requirements

1. Create a token

Requirements:

Read-only (view) access to the following resources only:

  • services, namespaces, pods, nodes
  • deployments
  • workspaces, workspacetemplates
  • ingresses
  • gateways

All of these resource names must be written in plural form (the exact resource name and its API group can be looked up with kubectl api-resources | grep work, for example).

Create the ServiceAccount

    vim ifcloud-viewer-sa.yaml

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ifcloud-viewer
      namespace: default

  • Create the resource

    kubectl create -f ifcloud-viewer-sa.yaml

Get the secret associated with the ServiceAccount and its token

    kubectl get sa ifcloud-viewer -o jsonpath='{.secrets[0].name}'
    kubectl get secret $(kubectl get sa ifcloud-viewer -o jsonpath='{.secrets[0].name}') -o yaml
    kubectl get secret $(kubectl get sa ifcloud-viewer -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}'
    kubectl get secret $(kubectl get sa ifcloud-viewer -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d

Output of the last command (the decoded token):

    eyJhbGciOiJSUzI1NiIsImtpZCI6Im4xc2lFSWZFMlBfNFd6U2xPQTZLbVNoQTlSbjhGek43cmZ6MDJTWV9nTm8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImlmY2xvdWQtdmlld2VyLXRva2VuLXpkaGQ5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImlmY2xvdWQtdmlld2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZGMyZjM0YWQtZjgzZi00NmFlLWE1YzUtYWE1OTcyNjg5ZWFiIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6aWZjbG91ZC12aWV3ZXIifQ.utEnXVK7jHlD0aoM1K2X3h3L0a5rCbMf3h-o-Q2UKkQrN7LLyrF6d1ocK2X64l0SxD-rrzj70J49A9m612BeLEPKE2L-EfvAvGaN2TsVtgEyXNMHX6mb7ui3wiWQ5LDpBR2VaO77mcDMTI9qZOcFxUHo6NVydadoK4MlmVGHc4eZnpElkYmF4qgl55Kaf9xI5511rtfiDXoeQ-hP4vk7TzqtfHchV2MjaHlX8En0Id2p2PV65u3UbLcKGksl5b2_t4od8palxw5_PTVI9zrkncLBUgAVDNT8bTkodLg92izIUj1MuZwWX0Vc7ebqhqWnpTShYc02427o4IoXGrHVqw

An application can authenticate in either of two ways: with the token directly, or with a kubeconfig.

The token stored in the secret (data.token) is base64-encoded, so the token value printed by kubectl must always be base64-decoded before it is used.
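The decode step is easy to get wrong (a still-encoded value is silently rejected by the API server), and a token is only useful if it really belongs to the intended account. The following added example, written for this page and not taken from the original post or from either linked article, shows how to tell the secret's base64 value apart from the decoded JWT, and how to read the sub claim out of the decoded token before writing it into a kubeconfig. It assumes a POSIX sh with base64, sed and cut; the function names (b64url_decode, jwt_payload, jwt_claim, is_decoded_jwt, check_sa_token) and the sample token are constructed for the example, not values from a real cluster.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a service-account
# token before writing it into a kubeconfig. Only the payload is decoded; the
# signature is NOT verified, so this confirms which identity the token claims,
# not that the token is valid (the API server decides that).

# Decode one base64url segment of a JWT: map the URL alphabet back to the
# standard one and restore the '=' padding that JWTs strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the claims JSON (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string claim from the compact JSON that Kubernetes emits.
# Usage: jwt_claim TOKEN CLAIM      e.g. jwt_claim "$tok" sub
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# A secret's data.token field is base64 text and contains no dots; the decoded
# token is a JWT with exactly three dot-separated segments. Returns 0 (true)
# only for the decoded form, which is the one that belongs in a kubeconfig.
is_decoded_jwt() {
  case $1 in
    *.*.*.*) return 1 ;;
    *.*.*)   return 0 ;;
    *)       return 1 ;;
  esac
}

# Returns 0 when the token is decoded and its sub claim names the expected
# service account (system:serviceaccount:NAMESPACE:NAME).
check_sa_token() {
  is_decoded_jwt "$1" || return 1
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Encode stdin as unpadded base64url (used only to build the sample below).
b64url_encode() {
  base64 | tr -d '\n=' | tr '/+' '_-'
}

# Constructed sample (not a real cluster token): header and claims follow the
# layout of a legacy secret-based SA token; the signature is a dummy string.
SAMPLE_HEADER='{"alg":"RS256","kid":"example-kid"}'
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"ifcloud-viewer","sub":"system:serviceaccount:default:ifcloud-viewer"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url_encode).$(printf '%s' "$SAMPLE_CLAIMS" | b64url_encode).dummysignature"
# The same token as it sits in the secret's data.token: base64-encoded once more.
SAMPLE_ENCODED=$(printf '%s' "$SAMPLE_TOKEN" | base64 | tr -d '\n')

# Usage with a real token (commands from this page, decoded as the text requires):
#   tok=$(kubectl get secret "$(kubectl get sa ifcloud-viewer -o jsonpath='{.secrets[0].name}')" \
#         -o jsonpath='{.data.token}' | base64 -d)
#   check_sa_token "$tok" default ifcloud-viewer && echo "token belongs to default/ifcloud-viewer"
```

check_sa_token deliberately refuses the still-encoded form first, so a forgotten base64 -d shows up as a failed check rather than as a confusing Unauthorized from the API server later.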

Create a kubeconfig for the user's application

Set the cluster parameters

  • Set the global variables

The token variable here holds the decoded (real) token value.

    # Look up the apiserver address
    kubectl cluster-info
    # Set the variables
    KUBE_APISERVER="https://lb.memberkubesphere.local:6443"
    SECRET_TOKEN="<decoded token value, omitted here>"

  • Set the cluster parameters

    kubectl config set-cluster k8s-ifcloud-viewer \
      --certificate-authority=/etc/kubernetes/pki/ca.crt \
      --server=${KUBE_APISERVER} \
      --embed-certs=true \
      --kubeconfig=ifcloud-viewer-poc.kubeconfig

Set the client credentials, specifying the token

    kubectl config set-credentials ifcloud-viewer \
      --token=${SECRET_TOKEN} \
      --kubeconfig=ifcloud-viewer-poc.kubeconfig

Set the context parameters

    kubectl config set-context k8s-ifcloud-viewer \
      --cluster=k8s-ifcloud-viewer \
      --user=ifcloud-viewer \
      --kubeconfig=ifcloud-viewer-poc.kubeconfig

  • --cluster must match the name given to set-cluster
  • --user must match the name given to set-credentials

Switch to the context

    kubectl config use-context k8s-ifcloud-viewer --kubeconfig=ifcloud-viewer-poc.kubeconfig

  • k8s-ifcloud-viewer must match the name given to set-context

Test the permissions

    kubectl get pod -A --kubeconfig=ifcloud-viewer-poc.kubeconfig
    kubectl get sts -A --kubeconfig=ifcloud-viewer-poc.kubeconfig

  • No permissions have been granted yet, so these fail:

    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:ifcloud-viewer" cannot list resource "pods" in API group "" at the cluster scope

Create a ClusterRole and ClusterRoleBinding to grant the permissions

    vim k8s_create_kubeconfig_ClusterRole_Clusterrolebanding.yaml

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ifcloud-viewer
    rules:
    - apiGroups: [""]
      resources: ["services", "namespaces", "pods", "nodes"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["apps"]
      resources: ["deployments"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["tenant.kubesphere.io"]
      resources: ["workspaces", "workspacetemplates"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["extensions"]
      resources: ["ingresses"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.k8s.io"]
      resources: ["ingresses"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["gateway.kubesphere.io"]
      resources: ["gateways"]
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ifcloud-viewer
    subjects:
    - kind: ServiceAccount
      name: ifcloud-viewer
      namespace: default
    #- kind: User
    #  name: ifcloud-viewer
    #  apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: ifcloud-viewer
      apiGroup: rbac.authorization.k8s.io

  • Create the resources

    kubectl create -f k8s_create_kubeconfig_ClusterRole_Clusterrolebanding.yaml

Test the permissions again; this time it succeeds

    kubectl get pod -A --kubeconfig=ifcloud-viewer-poc.kubeconfig
    kubectl get sts -A --kubeconfig=ifcloud-viewer-poc.kubeconfig
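A single kubectl get is a weak test of a least-privilege role: it shows that one read works, not that writes and unrelated resources are still refused. The following added example, written for this page rather than taken from it or from the linked articles, runs a small allow/deny matrix through kubectl auth can-i against the viewer kubeconfig, which asks the API server's authorizer for the effective answer instead of re-reading the YAML. The matrix rows, the KUBECONFIG_FILE and RUN_RBAC_CHECK variables and the function names (can_i, verify_rbac_matrix) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the effective
# permissions of the viewer kubeconfig against an allow/deny matrix.
# `kubectl auth can-i` asks the API server's authorizer, so it reports what
# the binding really grants, not what the YAML appears to say.

KUBECONFIG_FILE=${KUBECONFIG_FILE:-ifcloud-viewer-poc.kubeconfig}

# One row per line: VERB RESOURCE[.GROUP] EXPECTED. The "yes" rows are the
# grants in the ClusterRole on this page (plural resource names, qualified with
# the API group where it is not the core group). The "no" rows are what a
# read-only account must not be able to do; statefulsets are "no" because only
# the later CMDB ClusterRole on this page adds them.
EXPECTED_MATRIX='
list pods yes
get nodes yes
list namespaces yes
list deployments.apps yes
list workspaces.tenant.kubesphere.io yes
list ingresses.networking.k8s.io yes
list gateways.gateway.kubesphere.io yes
create pods no
delete deployments.apps no
list secrets no
list statefulsets.apps no
'

# Ask the authorizer one question; prints "yes" or "no" (empty if kubectl
# itself fails). Always returns 0 so callers can compare the printed answer.
can_i() {
  kubectl auth can-i "$1" "$2" --all-namespaces --kubeconfig="$KUBECONFIG_FILE" 2>/dev/null || true
}

# Compare every row of the matrix with the authorizer's answer. Prints each
# mismatch and returns 0 only when the whole matrix matches.
verify_rbac_matrix() {
  mismatches=0
  while read -r verb resource expected; do
    [ -n "$verb" ] || continue          # skip blank lines
    actual=$(can_i "$verb" "$resource")
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $verb $resource expected=$expected actual=${actual:-error}"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$EXPECTED_MATRIX
EOF
  [ "$mismatches" -eq 0 ]
}

# Only run against a cluster when explicitly asked, so that sourcing this file
# for its functions needs no kubectl:
#   RUN_RBAC_CHECK=1 sh verify-viewer-rbac.sh
if [ "${RUN_RBAC_CHECK:-0}" = 1 ]; then
  verify_rbac_matrix
fi
```

With the first ClusterRole from this page applied, every row should match. A yes on a no row means the binding grants more than the requirements list asks for; a no on a yes row usually means the resource name is not plural or its API group is wrong, which is exactly what kubectl api-resources shows.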

(Figure 1: RBAC authorization, kubeconfig based on ServiceAccount authentication)

金科 production CMDB ClusterRole

  • Adds storage: compared with the ClusterRole above, this one also grants read access to persistentvolumeclaims (and their status), statefulsets and storageclasses

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cmdb-sniffer-viewer
    rules:
    - apiGroups:
      - ""
      resources:
      - services
      - namespaces
      - pods
      - nodes
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - apps
      resources:
      - deployments
      - statefulsets
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - tenant.kubesphere.io
      resources:
      - workspaces
      - workspacetemplates
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - extensions
      resources:
      - ingresses
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - networking.k8s.io
      resources:
      - ingresses
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - gateway.kubesphere.io
      resources:
      - gateways
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - storage.k8s.io
      resources:
      - storageclasses
      verbs:
      - get
      - watch
      - list

https://blog.csdn.net/a772304419/article/details/126285333

https://jimmysong.io/kubernetes-handbook/guide/auth-with-kubeconfig-or-token.html