Continuing from the previous post's Role and ClusterRole examples, where a Role was bound with a RoleBinding and a ClusterRole with a ClusterRoleBinding: this time a RoleBinding references a ClusterRole. The ClusterRole's rules then apply only inside the namespace the RoleBinding lives in. The binding, not the role, decides the scope.
- First switch to the kubernetes-admin context
[root@linuxea role]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
Cross-binding a ClusterRole with a RoleBinding
In the previous post the ClusterRole was created with list and get on pods. Those rules are cluster-wide: bound through a ClusterRoleBinding they grant get and list in every namespace.
Now bind that same ClusterRole, named linuxea-cluster-read, with a RoleBinding instead. For comparison, the Role pods-read created earlier only granted list and get in its own namespace, as the commands below show.
With a ClusterRole referenced from a RoleBinding, the effective permission is scoped down to get and list within the RoleBinding's namespace, exactly as if a namespaced Role had been used.
[root@linuxea role]# kubectl create rolebinding pods-read --clusterrole=linuxea-cluster-read --user=linuxea --dry-run -o yaml >> ./role-clusterrole.yaml
The generated manifest is kind: RoleBinding, but roleRef.kind is ClusterRole. (Two notes on the command: current kubectl expects --dry-run=client rather than a bare --dry-run, and >> appends, so make sure the file does not already exist.)
[root@linuxea role]# cat ./role-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: pods-read
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linuxea-cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: linuxea
To avoid overlapping grants, delete the ClusterRoleBinding created earlier; otherwise linuxea would still be able to list pods cluster-wide and the test below would not show the scoping:
[root@linuxea role]# kubectl delete clusterrolebinding linuxea-cluster-read
clusterrolebinding.rbac.authorization.k8s.io "linuxea-cluster-read" deleted
Then apply role-clusterrole.yaml:
[root@linuxea role]# kubectl apply -f ./role-clusterrole.yaml
rolebinding.rbac.authorization.k8s.io/pods-read created
[root@linuxea role]# kubectl describe rolebinding pods-read
Name: pods-read
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"pods-read","namespace":"default"},"roleRef":{"ap...
Role:
  Kind:  ClusterRole
  Name:  linuxea-cluster-read
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  linuxea
Switch to the linuxea context and verify the permissions:
[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".
The earlier Role only granted list and get on pods inside its own namespace, so there was no access in other namespaces. The ClusterRole bound through a RoleBinding behaves exactly the same way:
[root@linuxea ~]# kubectl get pods -n ingress-nginx
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "ingress-nginx"
In the default namespace, where the RoleBinding lives, pods can still be listed:
[root@linuxea ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
linuxea-sa-demo 1/1 Running 0 2d
linuxea-tomcat-group-b77666d76-4h5mz 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-89qnx 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-gvm4w 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-jszbg 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-l5nkq 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-lxr8r 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-m5sxg 1/1 Running 0 3d
satefulset-0 1/1 Running 0 5d
satefulset-1 1/1 Running 0 5d
satefulset-2 1/1 Running 0 5d
satefulset-3 1/1 Running 0 5d
satefulset-4 1/1 Running 0 5d
[root@linuxea ~]#
Binding a built-in ClusterRole
Many ClusterRoles ship with the cluster; one of them is admin. Let's try binding linuxea to admin.
[root@linuxea ~]# kubectl get clusterrole
NAME AGE
admin 19d
The admin role carries a long list of rules, not reproduced one by one here; dump it to a file to inspect. Note the aggregationRule at the top: admin is an aggregated ClusterRole, so its rules are assembled from every ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-admin: "true". Installing a CRD or add-on that ships such a labelled ClusterRole silently widens what admin can do.
[root@linuxea ~]# kubectl get clusterrole admin -o yaml >> /admin.yaml
[root@linuxea ~]# cat /admin.yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-09-16T05:56:16Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: admin
  resourceVersion: "350"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
  uid: 39a45e55-b975-11e8-a8ab-88882fbd1028
................
Bind it straight to the linuxea user with a RoleBinding. No -n is given, so the binding lands in the default namespace of the current context:
[root@linuxea ~]# kubectl create rolebinding linuxea-admin --clusterrole=admin --user=linuxea
rolebinding.rbac.authorization.k8s.io/linuxea-admin created
[root@linuxea ~]# kubectl get rolebinding
NAME AGE
linuxea-admin 8s
pods-read 3h
[root@linuxea ~]# kubectl describe rolebinding linuxea-admin
Name: linuxea-admin
Labels: <none>
Annotations: <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  linuxea
Switch to the linuxea context:
[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".
Verify that the admin permissions are in effect (listing services and deployments and deleting a pod all go beyond what pods-read allowed):
[root@linuxea ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
linuxea-sa-demo 1/1 Running 0 2d
linuxea-tomcat-group-b77666d76-4h5mz 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-89qnx 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-gvm4w 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-jszbg 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-l5nkq 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-lxr8r 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-m5sxg 1/1 Running 0 4d
satefulset-0 1/1 Running 0 5d
satefulset-1 1/1 Running 0 5d
satefulset-2 1/1 Running 0 5d
satefulset-3 1/1 Running 0 5d
satefulset-4 1/1 Running 0 5d
[root@linuxea ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 19d
linuxea-tomcat ClusterIP 10.97.191.185 <none> 8080/TCP,8009/TCP 4d
satefulset-linuxea ClusterIP None <none> 80/TCP 5d
[root@linuxea ~]# kubectl get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
linuxea-tomcat-group 7 7 7 7 4d
[root@linuxea ~]# kubectl delete pods linuxea-tomcat-group-b77666d76-4h5mz
pod "linuxea-tomcat-group-b77666d76-4h5mz" deleted
[root@linuxea ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
linuxea-sa-demo 1/1 Running 0 2d
linuxea-tomcat-group-b77666d76-89qnx 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-fj2rk 1/1 Running 0 6s
linuxea-tomcat-group-b77666d76-gvm4w 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-jszbg 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-l5nkq 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-lxr8r 1/1 Running 0 4d
linuxea-tomcat-group-b77666d76-m5sxg 1/1 Running 0 4d
satefulset-0 1/1 Running 0 5d
satefulset-1 1/1 Running 0 5d
satefulset-2 1/1 Running 0 5d
satefulset-3 1/1 Running 0 5d
satefulset-4 1/1 Running 0 5d
[root@linuxea ~]#
Even so, the user has no rights in other namespaces, because the RoleBinding scopes admin to default:
[root@linuxea ~]# kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "kube-system"
Built-in ClusterRoleBindings
Switch back to kubernetes-admin:
[root@linuxea ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
Among the built-in ClusterRoleBindings there is cluster-admin. It binds the cluster-admin ClusterRole, which allows every verb on every resource (not the namespaced admin ClusterRole used above), to the group system:masters:
[root@linuxea ~]# kubectl get clusterrolebinding
NAME AGE
cluster-admin 19d
View it with -o yaml:
[root@linuxea ~]# kubectl get clusterrolebinding cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-09-16T05:56:16Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "110"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 39d1bdfd-b975-11e8-a8ab-88882fbd1028
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
The subject is the group system:masters, not an individual user. A client-certificate user lands in that group when the O (organization) field of its certificate is system:masters: the kubernetes-admin credential that kubeadm writes into /etc/kubernetes/admin.conf carries CN=kubernetes-admin, O=system:masters. The certificate inspected below is a different one from the same PKI directory, apiserver-kubelet-client.crt, which the API server presents when it talks to kubelets; its subject also carries O=system:masters, with CN=kube-apiserver-kubelet-client. Use openssl to view it:
[root@linuxea ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8110592987322906857 (0x708e9d59a727f8e9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Sep 16 05:55:34 2018 GMT
            Not After : Sep 16 05:55:35 2019 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
So when issuing a client certificate for a new user, putting O=system:masters in the subject makes that user a member of system:masters and therefore a full cluster admin through this binding. Two caveats before doing that: the binding carries the annotation rbac.authorization.kubernetes.io/autoupdate: "true", so the API server recreates it on restart if someone deletes it; and the API server does not check certificate revocation lists, so a certificate issued with O=system:masters keeps cluster-admin until it expires or the CA is rotated. For day-to-day users prefer a dedicated group with an explicit ClusterRoleBinding, and keep system:masters for break-glass access.
Binding users through a group
RBAC bindings accept three kinds of subject: User, Group and ServiceAccount.
Binding a Role to a User grants that one user. Binding to a Group grants every member of the group, so when several users need the same rights it is simpler to put them in one group and bind once. Group membership is not stored in Kubernetes; it comes from the authenticator (the O fields of a client certificate, or the groups claim of an OIDC token).
Binding a ServiceAccount to a Role or ClusterRole gives that service account the access, and every pod that names it in serviceAccountName runs its application with those permissions; the API server sees such a pod as the user system:serviceaccount:<namespace>:<name>.
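To make the scoping rules from the cross-binding section and the three subject kinds above concrete, here is a small Python model of the RBAC decision. It is an added example, not code from this post or from Kubernetes: the Identity, Rule and Binding classes, the linuxea-cluster-read rules, the flannel service account name and the certificate subject strings are all constructed for illustration, and the real authorizer also handles apiGroups, resourceNames and non-resource URLs, which are left out.

```python
"""Toy model of the Kubernetes RBAC authorizer (added example, not code from
the post or from Kubernetes). It reproduces what the post shows on a live
cluster: a ClusterRole bound by a ClusterRoleBinding applies in every
namespace, the same ClusterRole bound by a RoleBinding only in that
namespace; subjects are User, Group or ServiceAccount; a client cert's CN is
the user and each O a group; a ServiceAccount authenticates as
system:serviceaccount:<ns>:<name>. All objects below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Identity:
    user: str
    groups: List[str] = field(default_factory=list)

@dataclass
class Rule:  # one entry of a Role/ClusterRole "rules:" list
    verbs: List[str]
    resources: List[str]

    def matches(self, verb: str, resource: str) -> bool:
        return (("*" in self.verbs or verb in self.verbs)
                and ("*" in self.resources or resource in self.resources))

@dataclass
class Binding:
    """RoleBinding (namespace set) or ClusterRoleBinding (namespace None)."""
    rules: List[Rule]                # rules of the Role/ClusterRole in roleRef
    subjects: List[Tuple[str, str]]  # (kind, name); ServiceAccount name is "<ns>/<sa>"
    namespace: Optional[str] = None

def identity_from_cert_subject(subject: str) -> Identity:
    """Map a subject line as printed by `openssl x509 -text`, e.g.
    'O=system:masters, CN=kubernetes-admin', the way the API server's client
    certificate authenticator does: CN -> user name, every O -> a group."""
    user, groups = "", []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return Identity(user, groups)

def identity_from_serviceaccount(namespace: str, name: str) -> Identity:
    return Identity(f"system:serviceaccount:{namespace}:{name}",
                    ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"])

def subject_matches(kind: str, name: str, who: Identity) -> bool:
    if kind == "User":
        return who.user == name
    if kind == "Group":
        return name in who.groups
    if kind == "ServiceAccount":
        ns, sa = name.split("/", 1)
        return who.user == f"system:serviceaccount:{ns}:{sa}"
    return False

def allowed(bindings: List[Binding], who: Identity,
            verb: str, resource: str, namespace: str) -> bool:
    """RBAC is allow-only: the first binding that names the subject and whose
    role has a matching rule grants the request; nothing can deny it."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding: only its own namespace, even for a ClusterRole
        if not any(subject_matches(k, n, who) for k, n in b.subjects):
            continue
        if any(r.matches(verb, resource) for r in b.rules):
            return True
    return False

# Constructed objects mirroring the post (names are illustrative).
READ_PODS = [Rule(["get", "list"], ["pods"])]   # the linuxea-cluster-read rules
EVERYTHING = [Rule(["*"], ["*"])]               # the cluster-admin ClusterRole

cluster_admin_crb = Binding(EVERYTHING, [("Group", "system:masters")])
cluster_read_crb = Binding(READ_PODS, [("User", "linuxea")])
cluster_read_rb = Binding(READ_PODS, [("User", "linuxea")], namespace="default")
flannel_rb = Binding(READ_PODS, [("ServiceAccount", "kube-system/flannel")],
                     namespace="kube-system")

linuxea = Identity("linuxea")
admin = identity_from_cert_subject("O=system:masters, CN=kubernetes-admin")
flannel = identity_from_serviceaccount("kube-system", "flannel")

def can_list_pods(bindings: List[Binding], who: Identity, namespace: str) -> bool:
    return allowed(bindings, who, "list", "pods", namespace)

if __name__ == "__main__":
    print(can_list_pods([cluster_read_crb], linuxea, "ingress-nginx"))  # True
    print(can_list_pods([cluster_read_rb], linuxea, "ingress-nginx"))   # False
    print(can_list_pods([cluster_read_rb], linuxea, "default"))         # True
    print(can_list_pods([cluster_admin_crb], admin, "kube-system"))     # True
    print(can_list_pods([flannel_rb], flannel, "default"))              # False
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --as=linuxea -n ingress-nginx`, run from an admin context; it answers yes or no from the live bindings and is a quicker way to confirm scoping than switching contexts back and forth.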
Some pods need exactly this kind of permission at runtime to do their work, flannel for instance; its manifest on GitHub, which creates a ServiceAccount together with a ClusterRole and ClusterRoleBinding for the DaemonSet, is a good reference.
[root@linuxea ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
...
kube-flannel-ds-amd64-5swqs 1/1 Running 0 19d
...
Inspect the YAML of the pod kube-flannel-ds-amd64-5swqs to see the serviceAccountName it runs with:
[root@linuxea ~]# kubectl get pods kube-flannel-ds-amd64-5swqs -o yaml -n kube-system