Restricting different users' access to a K8S cluster

I. SSL (client certificate) authentication

1. Generate a certificate

(1) Generate a private key (run in /etc/kubernetes/pki/, where the cluster CA files ca.crt and ca.key live)

cd /etc/kubernetes/pki/

(umask 077; openssl genrsa -out lucky.key 2048)

(2) Generate a certificate signing request; the CN in the subject becomes the Kubernetes user name

openssl req -new -key lucky.key -out lucky.csr -subj "/CN=lucky"

(3) Sign the certificate with the cluster CA

openssl x509 -req -in lucky.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lucky.crt -days 3650

2. Add the user lucky to the kubeconfig

(1) Add lucky's certificate and key as a kubeconfig credential, which will be used to authenticate connections to the apiserver

kubectl config set-credentials lucky --client-certificate=./lucky.crt --client-key=./lucky.key --embed-certs=true

(2) Add a context for the lucky account in the kubeconfig

kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky

(3) Switch to the lucky context; by default this user has no permissions at all

kubectl config use-context lucky@kubernetes

3. Grant lucky permissions by binding the user with a RoleBinding; the binding targets the user name that the context authenticates as

(1) Create the Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: lucky-role
rules:
- apiGroups: ["", "extensions", "apps"] # "" denotes the core API group
  resources: ["pods", "deployments"]
  verbs: ["get", "watch", "list"]

Pod belongs to the core API group, which is written as an empty string in YAML, while Deployment belongs to the apps API group and ReplicaSet belongs to the extensions API group (see the API reference for each resource), so the apiGroups under rules combines the API groups of these resources: ["", "extensions", "apps"]. The verbs are the operations mentioned above that may be performed on these resource objects; this Role grants only get, watch and list, and if every operation were needed you could write ['*'] instead.

(2) Create the RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  # The namespace of the RoleBinding determines the scope of the grant.
  # Here access is granted only within the "default" namespace.
  namespace: default
subjects:
- kind: User
  name: lucky # 'name' is case sensitive and must match the certificate CN
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: lucky-role
  apiGroup: rbac.authorization.k8s.io

(3) Test the permissions: the test succeeds

[root@k8s-master rbac]# kubectl config use-context lucky@kubernetes
[root@k8s-master rbac]# kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-5c698c96f4-gp58x   1/1     Running   0          5d4h
centos-deployment-5c698c96f4-jhpl8   1/1     Running   0          5d4h
nginx-deployment-9f65856f8-pj4hr     1/1     Running   0          5d3h
[root@k8s-master rbac]# kubectl delete pods nginx-deployment-9f65856f8-gkw2j    // no permission to delete
Error from server (Forbidden): pods "nginx-deployment-9f65856f8-gkw2j" is forbidden: User "lucky" cannot delete resource "pods" in API group "" in the namespace "default"
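To make the Forbidden result above concrete, here is an added example (not code from the original post or from Kubernetes) that models how the apiserver evaluates Role/RoleBinding rules for the lucky user; the Role and RoleBinding are the manifests above rewritten as Python dicts, and ClusterRoles and ServiceAccount subjects are left out.

```python
# Added example: minimal model of RBAC Role/RoleBinding evaluation.
# The two dicts below are the page's manifests, rewritten (constructed).

# Role lucky-role in the default namespace
LUCKY_ROLE = {
    "namespace": "default",
    "name": "lucky-role",
    "rules": [{"apiGroups": ["", "extensions", "apps"],
               "resources": ["pods", "deployments"],
               "verbs": ["get", "watch", "list"]}],
}

# RoleBinding read-secrets: User lucky -> Role lucky-role
LUCKY_BINDING = {
    "namespace": "default",
    "subjects": [{"kind": "User", "name": "lucky"}],
    "roleRef": {"kind": "Role", "name": "lucky-role"},
}

def _matches(allowed, value):
    # Rule fields are lists; "*" matches anything, "" is the core group
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def is_allowed(user, verb, resource, namespace, api_group="",
               roles=(LUCKY_ROLE,), bindings=(LUCKY_BINDING,)):
    """True if some RoleBinding in `namespace` grants `user` the request.
    RBAC is additive only: no deny rules, and no match means Forbidden."""
    roles_by_key = {(r["namespace"], r["name"]): r for r in roles}
    for b in bindings:
        if b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        # subject names are compared exactly (case-sensitive)
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in b["subjects"]):
            continue
        role = roles_by_key.get((namespace, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource)
                        for r in role["rules"]):
            return True
    return False
```

Running `is_allowed("lucky", "delete", "pods", "default")` returns False, which is the Forbidden error shown in the terminal session above, while `get` on pods in default returns True.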

4. RBAC based on a ServiceAccount

(1) Create the ServiceAccount

Imperatively:

kubectl create sa haimaxy-sa -n kube-system

Or declaratively with a manifest (this one defines a metrics-server ServiceAccount):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

(2) Create the ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - ""            # core API group
  resources:
  - pods
  - nodes
  - nodes/stats   # subresource, must be listed explicitly
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - deployments
  verbs:
  - get
  - list
  - update
  - watch

(3) Create the ClusterRoleBinding that binds them

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount   # the subject type is ServiceAccount
  name: metrics-server
  namespace: kube-system

Adding lucky as an ordinary Linux user

useradd lucky
cp -ar /root/.kube/ /home/lucky/
chown -R lucky.lucky /home/lucky/
su - lucky

Note that /root/.kube/config still contains the admin credentials and context that root's kubectl uses, in addition to the lucky entries added above, so copying it wholesale lets the lucky Linux user switch back to the admin context; a kubeconfig handed to another user should contain only that user's credentials and context.

Original source: https://www.cnblogs.com/wuchangblog/p/14163029.html