Kubernetes Role cross-binding and built-in bindings (33)

July 16, 2023

Continuing the Role and ClusterRole example from the previous article: there, a Role was bound with a RoleBinding and a ClusterRole with a ClusterRoleBinding. This time we bind a ClusterRole with a RoleBinding, which downgrades the granted permissions to the scope of the namespace the RoleBinding lives in.

  • First, switch to the kubernetes-admin user
[root@linuxea role]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

Cross-binding

Continuing the previous example: the ClusterRole created there grants list and get, and those permissions are cluster-level, meaning every namespace is covered by the get and list grant.

Now we bind that ClusterRole, named linuxea-cluster-read, with a RoleBinding. Note that the pods-read Role created earlier grants list and get only in the current namespace, as shown in the figure below.

[Figure: RBAC-8.png]

So when the ClusterRole is bound through a RoleBinding, the result is downgraded to get and list within the RoleBinding's namespace, exactly the scope a Role would have.

[root@linuxea role]# kubectl create rolebinding pods-read --clusterrole=linuxea-cluster-read --user=linuxea --dry-run -o yaml >> ./role-clusterrole.yaml

As shown below: kind is RoleBinding, but the roleRef kind is ClusterRole

[root@linuxea role]# cat ./role-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: pods-read
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linuxea-cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: linuxea

To avoid overlapping permissions, delete the ClusterRoleBinding created earlier

[root@linuxea role]# kubectl delete clusterrolebinding linuxea-cluster-read
clusterrolebinding.rbac.authorization.k8s.io "linuxea-cluster-read" deleted

Then apply -f role-clusterrole.yaml

[root@linuxea role]# kubectl apply -f ./role-clusterrole.yaml
rolebinding.rbac.authorization.k8s.io/pods-read created
[root@linuxea role]# kubectl describe rolebinding pods-read
Name:         pods-read
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"pods-read","namespace":"default"},"roleRef":{"ap...
Role:
  Kind:  ClusterRole
  Name:  linuxea-cluster-read
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  linuxea  

Switch to the linuxea user to verify the permissions

[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".

The earlier Role's permissions were list and get on pods, defined within one namespace, so there are no permissions in any other namespace

[root@linuxea ~]# kubectl get pods -n ingress-nginx
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "ingress-nginx"

In the binding's own namespace, pods can still be retrieved

[root@linuxea ~]# kubectl get pods
NAME                                   READY     STATUS    RESTARTS   AGE
linuxea-sa-demo                        1/1       Running   0          2d
linuxea-tomcat-group-b77666d76-4h5mz   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-89qnx   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-gvm4w   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-jszbg   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-l5nkq   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-lxr8r   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-m5sxg   1/1       Running   0          3d
satefulset-0                           1/1       Running   0          5d
satefulset-1                           1/1       Running   0          5d
satefulset-2                           1/1       Running   0          5d
satefulset-3                           1/1       Running   0          5d
satefulset-4                           1/1       Running   0          5d
[root@linuxea ~]# 

Binding a built-in Role

There are many built-in roles, among them admin; let's try binding linuxea to admin

[root@linuxea ~]# kubectl get clusterrole
NAME                                                                   AGE
admin                                                                  19d

The admin role contains many rules, which are not listed one by one here; you can inspect this file instead

[root@linuxea ~]# kubectl get clusterrole admin -o yaml >> /admin.yaml
[root@linuxea ~]# cat /admin.yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-09-16T05:56:16Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: admin
  resourceVersion: "350"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
  uid: 39a45e55-b975-11e8-a8ab-88882fbd1028
................  

Bind it directly to the linuxea user

[root@linuxea ~]# kubectl create rolebinding linuxea-admin --clusterrole=admin --user=linuxea
rolebinding.rbac.authorization.k8s.io/linuxea-admin created
[root@linuxea ~]# kubectl get rolebinding
NAME            AGE
linuxea-admin   8s
pods-read       3h
[root@linuxea ~]# kubectl describe rolebinding linuxea-admin
Name:         linuxea-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  linuxea 

Switch to the linuxea user

[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".

Verify whether it now has the admin role's permissions

[root@linuxea ~]# kubectl get pods
NAME                                   READY     STATUS    RESTARTS   AGE
linuxea-sa-demo                        1/1       Running   0          2d
linuxea-tomcat-group-b77666d76-4h5mz   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-89qnx   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-gvm4w   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-jszbg   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-l5nkq   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-lxr8r   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-m5sxg   1/1       Running   0          4d
satefulset-0                           1/1       Running   0          5d
satefulset-1                           1/1       Running   0          5d
satefulset-2                           1/1       Running   0          5d
satefulset-3                           1/1       Running   0          5d
satefulset-4                           1/1       Running   0          5d
[root@linuxea ~]# kubectl get svc
NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
kubernetes           ClusterIP   10.96.0.1       <none>        443/TCP             19d
linuxea-tomcat       ClusterIP   10.97.191.185   <none>        8080/TCP,8009/TCP   4d
satefulset-linuxea   ClusterIP   None            <none>        80/TCP              5d
[root@linuxea ~]# kubectl get deploy
NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
linuxea-tomcat-group   7         7         7            7           4d
[root@linuxea ~]# kubectl delete pods linuxea-tomcat-group-b77666d76-4h5mz
pod "linuxea-tomcat-group-b77666d76-4h5mz" deleted
[root@linuxea ~]# kubectl get pods
NAME                                   READY     STATUS    RESTARTS   AGE
linuxea-sa-demo                        1/1       Running   0          2d
linuxea-tomcat-group-b77666d76-89qnx   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-fj2rk   1/1       Running   0          6s
linuxea-tomcat-group-b77666d76-gvm4w   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-jszbg   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-l5nkq   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-lxr8r   1/1       Running   0          4d
linuxea-tomcat-group-b77666d76-m5sxg   1/1       Running   0          4d
satefulset-0                           1/1       Running   0          5d
satefulset-1                           1/1       Running   0          5d
satefulset-2                           1/1       Running   0          5d
satefulset-3                           1/1       Running   0          5d
satefulset-4                           1/1       Running   0          5d
[root@linuxea ~]# 

Even so, it has no permissions to manage other namespaces

[root@linuxea ~]# kubectl get pods -n kube-system
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "kube-system"

Built-in RoleBindings

Switch back to kubernetes-admin

[root@linuxea ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

Among the built-in bindings there is already a ClusterRoleBinding that grants admin rights: cluster-admin

[root@linuxea ~]# kubectl get clusterrolebinding
NAME                                                   AGE
cluster-admin                                          19d

Use -o yaml to view its details

[root@linuxea ~]# kubectl get clusterrolebinding cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-09-16T05:56:16Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "110"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 39d1bdfd-b975-11e8-a8ab-88882fbd1028
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

The system:masters group contains the kubernetes-admin user; the CN of kubernetes-admin's CRT file under pki is kube-apiserver-kubelet-client, and the crt file can be inspected with openssl

[root@linuxea ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8110592987322906857 (0x708e9d59a727f8e9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Sep 16 05:55:34 2018 GMT
            Not After : Sep 16 05:55:35 2019 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

So when creating users or granting permissions, O=system:masters can be used to place a user in the admin group

When granting permissions with RBAC, three kinds of subjects are allowed: user, group, and serviceAccount

A user can be bound to a group, a role, or a serviceAccount. A grant bound to a user applies to that one user only; a grant bound to a group applies to every user in the group, so when several users need the same permissions they can be granted as a group.

If a serviceAccount is bound to a Role or ClusterRole, that serviceAccount has the access, and when a pod references that name in serviceAccountName, the application running in the pod has the serviceAccount's permissions.
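To make the three rules above concrete, here is an added example (not code from the original post or from Kubernetes itself): a small model of how kube-apiserver's RBAC authorizer evaluates bindings, covering the cross-binding case (a RoleBinding that references a ClusterRole only grants inside its own namespace), the linuxea-admin binding (admin rights inside default, nothing in kube-system), the cluster-admin binding to the system:masters group, and how an x509 client certificate's subject becomes an identity (CN is the username, each O is a group; a ServiceAccount subject is matched against the username system:serviceaccount:<namespace>:<name>). The rule sets, subject strings and the trimmed admin rules are constructed for the example; the real authorizer also checks apiGroups, resourceNames and non-resource URLs, which this model omits.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Subject = Tuple[str, str]  # ("User", "linuxea") or ("Group", "system:masters")


@dataclass
class Rule:
    verbs: Set[str]
    resources: Set[str]


@dataclass
class RoleLike:
    """A Role or ClusterRole: just a name and a list of rules."""
    name: str
    rules: List[Rule]


@dataclass
class Binding:
    kind: str                  # "RoleBinding" or "ClusterRoleBinding"
    namespace: Optional[str]   # RoleBinding namespace; None for a ClusterRoleBinding
    role_ref: RoleLike         # may be a ClusterRole even for a RoleBinding
    subjects: Set[Subject]


@dataclass
class Identity:
    user: str
    groups: Set[str]


def identity_from_subject(subject: str) -> Identity:
    """Map an openssl-style subject line to the identity kube-apiserver's x509
    authenticator derives: CN is the username, every O is a group."""
    user, groups = None, set()
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.add(value)
    if user is None:
        raise ValueError("certificate subject has no CN")
    return Identity(user, groups)


def sa_subject(namespace: str, name: str) -> Subject:
    """A ServiceAccount subject is matched against the token's username."""
    return ("User", f"system:serviceaccount:{namespace}:{name}")


def allowed(identity: Identity, bindings: List[Binding],
            verb: str, resource: str, namespace: str) -> bool:
    mine = {("User", identity.user)} | {("Group", g) for g in identity.groups}
    for b in bindings:
        if not (mine & b.subjects):
            continue
        # Key point of the post: a RoleBinding never grants outside its own
        # namespace, even when roleRef points at a ClusterRole.
        if b.kind == "RoleBinding" and b.namespace != namespace:
            continue
        for r in b.role_ref.rules:
            if ("*" in r.verbs or verb in r.verbs) and \
               ("*" in r.resources or resource in r.resources):
                return True
    return False


# Constructed roles: linuxea-cluster-read as in the post, cluster-admin's
# wildcard rule, and a trimmed stand-in for the built-in admin role.
CLUSTER_READ = RoleLike("linuxea-cluster-read", [Rule({"get", "list"}, {"pods"})])
CLUSTER_ADMIN = RoleLike("cluster-admin", [Rule({"*"}, {"*"})])
ADMIN = RoleLike("admin", [Rule({"*"}, {"pods", "services", "deployments"})])


def scenario() -> dict:
    linuxea = Identity("linuxea", set())
    master = identity_from_subject("O=system:masters, CN=kube-apiserver-kubelet-client")
    flannel = Identity("system:serviceaccount:kube-system:flannel", set())

    # State after the post's cross-binding step: pods-read RoleBinding in
    # "default" -> ClusterRole, plus the built-in cluster-admin binding.
    bindings = [
        Binding("RoleBinding", "default", CLUSTER_READ, {("User", "linuxea")}),
        Binding("ClusterRoleBinding", None, CLUSTER_ADMIN, {("Group", "system:masters")}),
        Binding("ClusterRoleBinding", None, CLUSTER_READ, {sa_subject("kube-system", "flannel")}),
    ]
    with_crb = bindings + [Binding("ClusterRoleBinding", None, CLUSTER_READ, {("User", "linuxea")})]
    with_admin = bindings + [Binding("RoleBinding", "default", ADMIN, {("User", "linuxea")})]

    return {
        "linuxea list pods default": allowed(linuxea, bindings, "list", "pods", "default"),
        "linuxea list pods ingress-nginx": allowed(linuxea, bindings, "list", "pods", "ingress-nginx"),
        "linuxea delete pods default": allowed(linuxea, bindings, "delete", "pods", "default"),
        "linuxea list pods ingress-nginx via ClusterRoleBinding": allowed(linuxea, with_crb, "list", "pods", "ingress-nginx"),
        "linuxea delete pods default via linuxea-admin": allowed(linuxea, with_admin, "delete", "pods", "default"),
        "linuxea list pods kube-system via linuxea-admin": allowed(linuxea, with_admin, "list", "pods", "kube-system"),
        "system:masters list pods kube-system": allowed(master, bindings, "list", "pods", "kube-system"),
        "flannel SA list pods kube-system": allowed(flannel, bindings, "list", "pods", "kube-system"),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{'allowed ' if ok else 'forbidden'}  {check}")
```

The results mirror the terminal sessions in the post: the same ClusterRole answers "Forbidden" for ingress-nginx when reached through a RoleBinding and "allowed" when reached through a ClusterRoleBinding, and the admin role bound in default gives delete on pods there but nothing in kube-system. On a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`.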

Some pods need permissions of this kind at runtime in order to do their job, flannel for example; flannel's yml file on GitHub can be used as a reference

[root@linuxea ~]# kubectl get pods -n kube-system
NAME                                           READY     STATUS    RESTARTS   AGE
...
kube-flannel-ds-amd64-5swqs                    1/1       Running   0          19d
...

You can view the yaml of kube-flannel-ds-amd64-5swqs

[root@linuxea ~]# kubectl get pods kube-flannel-ds-amd64-5swqs -o yaml -n kube-system
