1、身份认证与权限
前面我们在操作k8s的所有请求都是通过https的方式进行请求,通过REST协议操作我们的k8s接口,所以在k8s中有一套认证和鉴权的资源。
- Kubenetes中提供了良好的多租户认证管理机制,如RBAC、ServiceAccount还有各种策路等。
- 通过该文件可以看到已经配置了RBAC访问控制
- /usr/lib/systemd/system/kube-apiserver.service
2、认证
所有kubernetes集群有两类用户:由Kubernetes管理的ServiceAccounts(服务账户)和(Users Accounts)普通账户。
- 普通账户是假定被外部或独立服务管理的,由管理员分配key,用户像使用Keystone或google账号一样,被存储在包含usernames和passwords的list的文件里。
- 需要注意:在Kubernetes中不能通过API调用将普通用户添加到集群中。
- 普通帐户是针对(人)用户的,服务账户针对Pod进程。
- 普通帐户是全局性。在集群所有namespaces中,名称具有唯一性。
- 通常,集群的普通帐户可以与企业数据库同步,新的普通帐户创建需要特殊权限。服务账户创建目的是更轻量化,允许集群用户为特定任务创建服务账户。
- 普通帐户和服务账户的审核注意事项不同。
- 对于复杂系统的配置包,可以包括对该系统的各种组件的服务账户的定义。
2.1 服务账户的控制器(Service Account Adminssion Controller)
通过Admission Controller插件来实现对pod修改,它是apiserver的一部分,创建或更新pod时会同步进行修改pod,当插件处于激活状态(在大多数发行版中都默认情况)创建或修改pod时,会按以下操作执行:
- 1.如果pod没有设置ServiceAccount,则将ServiceAccount设置为default。
- 2.如果pod引用的ServiceAccount存在,否则将会拒绝请求。
- 3.如果pod不包含任何ImagePullSecrets,则将ServiceAccount的ImagePullSecrets会添加到pod中。
- 4.为包含API访问的Token的pod添加了一个volume。
- 5.把volumeSource添动加到安装在pod的每个容器中,挂载/var/run/secrets/kubernetes.io/serviceaccount。
2.2 服务账户的控制器(Token Controller)
API的访问是基于token的认证,创建对应的service account 都会关联到对应的token,这个是由Token Controller来进行管理的。Pod去访问API的时候是需要证明具有相对应的权限的。
2.3 服务账户的控制器(Service Account Controller)
Service Account Controller在namespaces里管理ServiceAccount,并确保每个有效的namespaces中都存在一个名为"default"的ServiceAcount。
2.4 拓展命令
[root@k8s-master ~]# kubectl get sa
NAME SECRETS AGE
default 0 9d
[root@k8s-master ~]# kubectl get serviceaccounts
NAME SECRETS AGE
default 0 9d[root@k8s-master ~]# kubectl get serviceaccounts --all-namespaces
NAMESPACE NAME SECRETS AGE
default default 0 9d
ingress-nginx default 0 3d19h
ingress-nginx ingress-nginx 0 3d17h
kube-flannel default 0 9d
kube-flannel flannel 0 9d
kube-node-lease default 0 9d
kube-public default 0 9d
kube-system attachdetach-controller 0 9d
kube-system bootstrap-signer 0 9d
kube-system certificate-controller 0 9d
kube-system clusterrole-aggregation-controller 0 9d
kube-system coredns 0 9d
kube-system cronjob-controller 0 9d
kube-system daemon-set-controller 0 9d
kube-system default 0 9d
kube-system deployment-controller 0 9d
kube-system disruption-controller 0 9d
kube-system endpoint-controller 0 9d
kube-system endpointslice-controller 0 9d
kube-system endpointslicemirroring-controller 0 9d
kube-system ephemeral-volume-controller 0 9d
kube-system expand-controller 0 9d
kube-system generic-garbage-collector 0 9d
kube-system horizontal-pod-autoscaler 0 9d
kube-system job-controller 0 9d
kube-system kube-proxy 0 9d
kube-system metrics-server 0 4d15h
kube-system namespace-controller 0 9d
kube-system nfs-client-provisioner 0 40h
kube-system node-controller 0 9d
kube-system persistent-volume-binder 0 9d
kube-system pod-garbage-collector 0 9d
kube-system pv-protection-controller 0 9d
kube-system pvc-protection-controller 0 9d
kube-system replicaset-controller 0 9d
kube-system replication-controller 0 9d
kube-system resourcequota-controller 0 9d
kube-system root-ca-cert-publisher 0 9d
kube-system service-account-controller 0 9d
kube-system service-controller 0 9d
kube-system statefulset-controller 0 9d
kube-system token-cleaner 0 9d
kube-system ttl-after-finished-controller 0 9d
kube-system ttl-controller 0 9d
3、鉴权
3.1 Role 普通角色
代表一个角色,会包含一组权限,没有拒绝规则,只是附加允许。它是Namespaces级别的资源,只能作用与Namespace之内,不可以跨命名空间使用。
- 查看已有的角色信息
- kubectl get role -n ingress-nginx nginx-ingress-role -o yaml
[root@k8s-master ~]# kubectl get role -n ingress-nginx ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # 角色
metadata:annotations:meta.helm.sh/release-name: ingress-nginxmeta.helm.sh/release-namespace: ingress-nginxcreationTimestamp: "2024-02-25T11:35:57Z"labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/managed-by: Helmapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.9.6helm.sh/chart: ingress-nginx-4.9.1name: ingress-nginxnamespace: ingress-nginxresourceVersion: "482050"uid: a0df64a1-2e1b-4daf-b777-c7afcc23669crules: # 规则,可以根据角色对一些资源做什么操作
- apiGroups: # api分组- ""resources: # 资源- namespaces # 增对命名空间verbs: # 动作- get # 获取命名空间的信息
- apiGroups: - ""resources:- configmaps - pods- secrets- endpointsverbs:- get - list- watch
- apiGroups:- ""resources:- servicesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update
- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch
- apiGroups:- coordination.k8s.ioresourceNames:- ingress-nginx-leaderresources:- leasesverbs:- get- update
- apiGroups:- coordination.k8s.ioresources:- leasesverbs:- create
- apiGroups:- ""resources:- eventsverbs:- create- patch
- apiGroups:- discovery.k8s.ioresources:- endpointslicesverbs:- list- watch- get
[root@k8s
3.2 ClusterRole 兄弟角色
功能与Role一样,区别是资源类型为集群类型,而Role只在Namespace。
- 查看某个集群角色的信息
- kubectl get clusterrole view -oyaml
[root@k8s-master ~]# kubectl get clusterrole
NAME CREATED AT
admin 2024-02-19T14:04:43Z
cluster-admin 2024-02-19T14:04:43Z
edit 2024-02-19T14:04:43Z
flannel 2024-02-19T15:33:13Z
ingress-nginx 2024-02-25T11:35:57Z
kubeadm:get-nodes 2024-02-19T14:04:44Z
nfs-client-provisioner-runner 2024-02-27T12:25:28Z
system:aggregate-to-admin 2024-02-19T14:04:43Z
system:aggregate-to-edit 2024-02-19T14:04:43Z
system:aggregate-to-view 2024-02-19T14:04:43Z
system:aggregated-metrics-reader 2024-02-24T13:26:02Z
system:auth-delegator 2024-02-19T14:04:43Z
system:basic-user 2024-02-19T14:04:43Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient 2024-02-19T14:04:43Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2024-02-19T14:04:43Z
system:certificates.k8s.io:kube-apiserver-client-approver 2024-02-19T14:04:43Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2024-02-19T14:04:43Z
system:certificates.k8s.io:kubelet-serving-approver 2024-02-19T14:04:43Z
system:certificates.k8s.io:legacy-unknown-approver 2024-02-19T14:04:43Z
system:controller:attachdetach-controller 2024-02-19T14:04:43Z
system:controller:certificate-controller 2024-02-19T14:04:43Z
system:controller:clusterrole-aggregation-controller 2024-02-19T14:04:43Z
system:controller:cronjob-controller 2024-02-19T14:04:43Z
system:controller:daemon-set-controller 2024-02-19T14:04:43Z
system:controller:deployment-controller 2024-02-19T14:04:43Z
system:controller:disruption-controller 2024-02-19T14:04:43Z
system:controller:endpoint-controller 2024-02-19T14:04:43Z
system:controller:endpointslice-controller 2024-02-19T14:04:43Z
system:controller:endpointslicemirroring-controller 2024-02-19T14:04:43Z
system:controller:ephemeral-volume-controller 2024-02-19T14:04:43Z
system:controller:expand-controller 2024-02-19T14:04:43Z
system:controller:generic-garbage-collector 2024-02-19T14:04:43Z
system:controller:horizontal-pod-autoscaler 2024-02-19T14:04:43Z
system:controller:job-controller 2024-02-19T14:04:43Z
system:controller:namespace-controller 2024-02-19T14:04:43Z
system:controller:node-controller 2024-02-19T14:04:43Z
system:controller:persistent-volume-binder 2024-02-19T14:04:43Z
system:controller:pod-garbage-collector 2024-02-19T14:04:43Z
system:controller:pv-protection-controller 2024-02-19T14:04:43Z
system:controller:pvc-protection-controller 2024-02-19T14:04:43Z
system:controller:replicaset-controller 2024-02-19T14:04:43Z
system:controller:replication-controller 2024-02-19T14:04:43Z
system:controller:resourcequota-controller 2024-02-19T14:04:43Z
system:controller:root-ca-cert-publisher 2024-02-19T14:04:43Z
system:controller:route-controller 2024-02-19T14:04:43Z
system:controller:service-account-controller 2024-02-19T14:04:43Z
system:controller:service-controller 2024-02-19T14:04:43Z
system:controller:statefulset-controller 2024-02-19T14:04:43Z
system:controller:ttl-after-finished-controller 2024-02-19T14:04:43Z
system:controller:ttl-controller 2024-02-19T14:04:43Z
system:coredns 2024-02-19T14:04:45Z
system:discovery 2024-02-19T14:04:43Z
system:heapster 2024-02-19T14:04:43Z
system:kube-aggregator 2024-02-19T14:04:43Z
system:kube-controller-manager 2024-02-19T14:04:43Z
system:kube-dns 2024-02-19T14:04:43Z
system:kube-scheduler 2024-02-19T14:04:43Z
system:kubelet-api-admin 2024-02-19T14:04:43Z
system:metrics-server 2024-02-24T13:26:02Z
system:monitoring 2024-02-19T14:04:43Z
system:node 2024-02-19T14:04:43Z
system:node-bootstrapper 2024-02-19T14:04:43Z
system:node-problem-detector 2024-02-19T14:04:43Z
system:node-proxier 2024-02-19T14:04:43Z
system:persistent-volume-provisioner 2024-02-19T14:04:43Z
system:public-info-viewer 2024-02-19T14:04:43Z
system:service-account-issuer-discovery 2024-02-19T14:04:43Z
system:volume-scheduler 2024-02-19T14:04:43Z
view 2024-02-19T14:04:43Z
[root@k8s-master ~]# kubectl get clusterrole ingress-nginx -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:annotations:meta.helm.sh/release-name: ingress-nginxmeta.helm.sh/release-namespace: ingress-nginxcreationTimestamp: "2024-02-25T11:35:57Z"labels:app.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/managed-by: Helmapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.9.6helm.sh/chart: ingress-nginx-4.9.1name: ingress-nginxresourceVersion: "482047"uid: 8f7e381f-75a3-4d6e-90f0-13e6ce14e1ae
rules:
- apiGroups:- ""resources:- configmaps- endpoints- nodes- pods- secrets- namespacesverbs:- list- watch
- apiGroups:- coordination.k8s.ioresources:- leasesverbs:- list- watch
- apiGroups:- ""resources:- nodesverbs:- get
- apiGroups:- ""resources:- servicesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch
- apiGroups:- ""resources:- eventsverbs:- create- patch
- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update
- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch
- apiGroups:- discovery.k8s.ioresources:- endpointslicesverbs:- list- watch- get
3.3 RoleBinding 命名空间级别角色权限绑定
Role或ClusterRole只是用于制定权限集合,具体作用与什么对象上,需要使用RoleBinding来进行绑定。
作用于Namespace内,可以将Role或ClusterRole绑定到User、Group、Service Account上.
-
查看rolebinding信息
-
kubectl get rolebinding --all-namespaces
-
查看指定rolebinding的配置信息
-
kubectl get rolebinding <role_binding_name> --all-namespaces
-oyaml
[root@k8s-master ~]# kubectl get rolebinding --all-namespaces
NAMESPACE NAME ROLE AGE
default leader-locking-nfs-client-provisioner Role/leader-locking-nfs-client-provisioner 41h
ingress-nginx ingress-nginx Role/ingress-nginx 3d17h
kube-public kubeadm:bootstrap-signer-clusterinfo Role/kubeadm:bootstrap-signer-clusterinfo 9d
kube-public system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 9d
kube-system kube-proxy Role/kube-proxy 9d
kube-system kubeadm:kubelet-config Role/kubeadm:kubelet-config 9d
kube-system kubeadm:nodes-kubeadm-config Role/kubeadm:nodes-kubeadm-config 9d
kube-system metrics-server-auth-reader Role/extension-apiserver-authentication-reader 4d16h
kube-system system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 9d
kube-system system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 9d
kube-system system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 9d
kube-system system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 9d
kube-system system:controller:cloud-provider Role/system:controller:cloud-provider 9d
kube-system system:controller:token-cleaner Role/system:controller:token-cleaner 9d
3.4 ClusterRoleBinding 集群角色权限的绑定
- 查看ClusterRoleBinding信息
- kubectl get clusterrolebinding
- 查看指定ClusterRoleBinding的配置信息
- kubectl get clusterrolebinding <clusterrole_binding_name> -o yaml
[root@k8s-master ~]# kubectl get clusterrolebinding
NAME ROLE AGE
cluster-admin ClusterRole/cluster-admin 9d
flannel ClusterRole/flannel 9d
ingress-nginx ClusterRole/ingress-nginx 3d18h
kubeadm:get-nodes ClusterRole/kubeadm:get-nodes 9d
kubeadm:kubelet-bootstrap ClusterRole/system:node-bootstrapper 9d
kubeadm:node-autoapprove-bootstrap ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient 9d
kubeadm:node-autoapprove-certificate-rotation ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 9d
kubeadm:node-proxier ClusterRole/system:node-proxier 9d
metrics-server:system:auth-delegator ClusterRole/system:auth-delegator 4d16h
run-nfs-client-provisioner ClusterRole/nfs-client-provisioner-runner 41h
system:basic-user ClusterRole/system:basic-user 9d
system:controller:attachdetach-controller ClusterRole/system:controller:attachdetach-controller 9d
system:controller:certificate-controller ClusterRole/system:controller:certificate-controller 9d
system:controller:clusterrole-aggregation-controller ClusterRole/system:controller:clusterrole-aggregation-controller 9d
system:controller:cronjob-controller ClusterRole/system:controller:cronjob-controller 9d
system:controller:daemon-set-controller ClusterRole/system:controller:daemon-set-controller 9d
system:controller:deployment-controller ClusterRole/system:controller:deployment-controller 9d
system:controller:disruption-controller ClusterRole/system:controller:disruption-controller 9d
system:controller:endpoint-controller ClusterRole/system:controller:endpoint-controller 9d
system:controller:endpointslice-controller ClusterRole/system:controller:endpointslice-controller 9d
system:controller:endpointslicemirroring-controller ClusterRole/system:controller:endpointslicemirroring-controller 9d
system:controller:ephemeral-volume-controller ClusterRole/system:controller:ephemeral-volume-controller 9d
system:controller:expand-controller ClusterRole/system:controller:expand-controller 9d
system:controller:generic-garbage-collector ClusterRole/system:controller:generic-garbage-collector 9d
system:controller:horizontal-pod-autoscaler ClusterRole/system:controller:horizontal-pod-autoscaler 9d
system:controller:job-controller ClusterRole/system:controller:job-controller 9d
system:controller:namespace-controller ClusterRole/system:controller:namespace-controller 9d
system:controller:node-controller ClusterRole/system:controller:node-controller 9d
system:controller:persistent-volume-binder ClusterRole/system:controller:persistent-volume-binder 9d
system:controller:pod-garbage-collector ClusterRole/system:controller:pod-garbage-collector 9d
system:controller:pv-protection-controller ClusterRole/system:controller:pv-protection-controller 9d
system:controller:pvc-protection-controller ClusterRole/system:controller:pvc-protection-controller 9d
system:controller:replicaset-controller ClusterRole/system:controller:replicaset-controller 9d
system:controller:replication-controller ClusterRole/system:controller:replication-controller 9d
system:controller:resourcequota-controller ClusterRole/system:controller:resourcequota-controller 9d
system:controller:root-ca-cert-publisher ClusterRole/system:controller:root-ca-cert-publisher 9d
system:controller:route-controller ClusterRole/system:controller:route-controller 9d
system:controller:service-account-controller ClusterRole/system:controller:service-account-controller 9d
system:controller:service-controller ClusterRole/system:controller:service-controller 9d
system:controller:statefulset-controller ClusterRole/system:controller:statefulset-controller 9d
system:controller:ttl-after-finished-controller ClusterRole/system:controller:ttl-after-finished-controller 9d
system:controller:ttl-controller ClusterRole/system:controller:ttl-controller 9d
system:coredns ClusterRole/system:coredns 9d
system:discovery ClusterRole/system:discovery 9d
system:kube-controller-manager ClusterRole/system:kube-controller-manager 9d
system:kube-dns ClusterRole/system:kube-dns 9d
system:kube-scheduler ClusterRole/system:kube-scheduler 9d
system:metrics-server ClusterRole/system:metrics-server 4d16h
system:monitoring ClusterRole/system:monitoring 9d
system:node ClusterRole/system:node 9d
system:node-proxier ClusterRole/system:node-proxier 9d
system:public-info-viewer ClusterRole/system:public-info-viewer 9d
system:service-account-issuer-discovery ClusterRole/system:service-account-issuer-discovery 9d
system:volume-scheduler ClusterRole/system:volume-scheduler 9d
