1.背景

当我们有一个k8s 集群，并且需要将该集群提供给用户使用的时候，我们当然只希望用户只能操作我们预先定义好的资源，即权限管控，RBAC

2. 介绍

Kubernetes中有2种权限管控，一种是为Pod中的应用提供权限管理；另一种是为用户提供权限管理；kubernetes内部使用RBAC这一套鉴权机制;

2.1.实现

openssl genrsa -out liyuan.key 2048
openssl req -new -key liyuan.key -out liyuan.csr -subj "/CN=liyuan"
# 登录集群主节点查看该目录下的证书，基于kubernetes证书签发新证书
openssl x509 -req -in liyuan.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out liyuan.crt -days 365
openssl x509 -in liyuan.crt -text -noout# 创建用户liyuan，并未该用户绑定上述生成的证书
kubectl config set-credentials liyuan --client-certificate=./sa/liyuan.crt --client-key=./sa/liyuan.key # 设置当前上下文
# --namespace=default表示用户使用kubectl无需主动指定namespace, kubectl get po 会默认获取kube-system namespace下Pod资源
# --user=liyuan 别名
kubectl config set-context liyuan --cluster=kubernetes --namespace=default --user=liyuan
kubectl config use-context liyuan
kubectl config get-contexts

2.2. Role & RoleBinding（namespace层面资源权限管理）

• Role 用户设置某个命名空间内的资源权限，必须和namespace绑定
• RoleBinding用于绑定账户和Role

# role-user.yaml
# 为用户liyuan赋予default namespace下获取Pod资源的权限
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:name: role-liyuan
rules:- apiGroups: [""] # "" 标明 core API 组resources: ["pods", "pods/log"]verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: rolebinding-liyuan
subjects:- kind: Username: liyuanapiGroup: rbac.authorization.k8s.io
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: role-liyuan

kubectl apply -f role-user.yaml

2.3. ClusterRole & ClusterRoleBinding （集群层面资源权限管理）

# clusterrole-user.yaml
# 为用户liyuan赋予获取集群下所有secrets资源的权限
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:# "namespace" 被忽略，因为 ClusterRoles 不受名字空间限制name: clusterrole-liyuan
rules:- apiGroups: [ "" ]# 在 HTTP 层面，用来访问 Secret 资源的名称为 "secrets"resources: [ "secrets" ]verbs: [ "get", "watch", "list" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: clusterrolebinding-liyuan
subjects:- kind: Username: liyuanapiGroup: rbac.authorization.k8s.io
roleRef:kind: ClusterRolename: clusterrole-liyuanapiGroup: rbac.authorization.k8s.io

3. 参考

# cluster-admin clusterrole
kind: ClusterRole
metadata:annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"creationTimestamp: "2023-12-12T13:19:37Z"labels:kubernetes.io/bootstrapping: rbac-defaultsname: cluster-adminresourceVersion: "77"uid: ba8010ec-8a5c-4881-b26b-37fed5dc5c67
rules:
- apiGroups:- '*'resources:- '*'verbs:- '*'
- nonResourceURLs:- '*'verbs:- '*'

# apiGroups: 默认为 *
# resources 
kubectl api-resources
# verbs
"get", "list", "watch", "create", "update", "patch", "delete"]

参考

为 Pod 配置服务账号
k8s之基于用户/用户组授权