kubernetes Role和Cluster Role示例(32)

2023年 7月 16日 63.6k 0

不管是role,rolebinding还是clusterRole,clusterRolebinding都是资源清单中的标准资源

我们创建linuxea-readpod和linuxea-cluster-read分别示例RBAC对权限的控制,图示如下:

RBAC-7.png

可以使用kubectl create role --help查看帮助信息

创建ROLE

创建role,对pods有get,list权限,使用-dry-run运行是否有误

[root@linuxea ~]# kubectl create role pods-read --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-read created (dry run)

甚至于可以使用-o yaml输出yaml格式

[root@linuxea role]# kubectl create role pods-read --verb=get,list,watch --resource=pods --dry-run -o yaml >> ./role-demo.yaml

随后编辑添加上namespace:default

[root@linuxea role]# cat ./role-demo.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pods-read
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

apply

[root@linuxea role]# kubectl apply -f ./role-demo.yaml
role.rbac.authorization.k8s.io/pods-read created
[root@linuxea role]# kubectl get role
NAME        AGE
pods-read   3s
[root@linuxea role]# kubectl describe pods-read
error: the server doesn't have a resource type "pods-read"
[root@linuxea role]# kubectl describe role pods-read
Name:         pods-read
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"creationTimestamp":null,"name":"pods-read","namespace":"defaul...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

其中可以针对某一个资源做限制

objects:Resources(资源名称)下的 某个Resource Name(资源类别)

Non-Resource URLs(非资源URL,不能对于成对象的资源,是定义成某种特殊操作)

PolicyRule
Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch]

此前创建了一个用户linuxea,linuxea用户并没有权限读取pod,此刻让linuxea扮演此role,那么就需要绑定rolebinding

创建Rolebinding

而rolebinding可以绑定role和clusterrole,我们选择role绑定,而后指定username或者groupname,如果绑定不是普通账号,而是service账号,就需要指定serviceaccount的名称

现在将之前创建的linxea绑定到pods-read的role上

创建一个叫linuxea-readpod的rolebinding,指定上述创建的role名称,绑定到pods-read ,指定--user=linuxea; 这个账号不存在系统上,只是标识

[root@linuxea role]# kubectl create rolebinding linuxea-readpod --role=pods-read --user=linuxea --dry-run -o yaml >> ./rolebinding-demo.yaml

而在yaml文件定义中明确定义了roleRef的api组,组内的kind类型和名称。用户的api组,和组内的kind和用户名

[root@linuxea role]# cat ./rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: linuxea-readpod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: linuxea

apply

[root@linuxea role]# kubectl apply -f rolebinding-demo.yaml 
rolebinding.rbac.authorization.k8s.io/linuxea-readpod created
[root@linuxea role]# kubectl get rolebinding
NAME              AGE
linuxea-readpod   11s
[root@linuxea role]# kubectl describe rolebinding linuxea-readpod 
Name:         linuxea-readpod
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"linuxea-readpod","names...
Role:
  Kind:  Role
  Name:  pods-read
Subjects:
  Kind  Name     Namespace

----  ----     ---------
  User  linuxea  

此刻,linuxea用户已经拥有了get,list权限。现在切换到linuxea用户get pods

[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".

在看当前的用户则是current-context: linuxea@kubernetes

[root@linuxea ~]# kubectl config view
....
- context:
    cluster: kubernetes
    user: linuxea
  name: linuxea@kubernetes
current-context: linuxea@kubernetes
....

而后get pods,由于之前对当前名称空的pods有get,list权限,查看是没有问题的

[root@linuxea ~]# kubectl get pods
NAME                                   READY     STATUS    RESTARTS   AGE
linuxea-sa-demo                        1/1       Running   0          1d
linuxea-tomcat-group-b77666d76-4h5mz   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-89qnx   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-gvm4w   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-jszbg   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-l5nkq   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-lxr8r   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-m5sxg   1/1       Running   0          3d
satefulset-0                           1/1       Running   0          5d
satefulset-1                           1/1       Running   0          5d
satefulset-2                           1/1       Running   0          5d
satefulset-3                           1/1       Running   0          5d
satefulset-4                           1/1       Running   0          5d

其他删除也没权限操作

[root@linuxea ~]# kubectl delete pods linuxea-tomcat-group-b77666d76-4h5mz
Error from server (Forbidden): pods "linuxea-tomcat-group-b77666d76-4h5mz" is forbidden: User "linuxea" cannot delete pods in the namespace "default"

其他名称空间仍然没有权限

[root@linuxea ~]# kubectl get svc
No resources found.
Error from server (Forbidden): services is forbidden: User "linuxea" cannot list services in the namespace "default"
[root@linuxea ~]# kubectl get pods -n ingress-nginx
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "ingress-nginx"
[root@linuxea ~]# 

创建Cluster role

回到管理员账号创建clusterrole

[root@linuxea ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".

将配置追加到./clusterrole.yaml中.

创建一个名称为linuxea-cluster-read的clusterrole,权限是list和get,watch。在clusterrole中,授权集群级别

[root@linuxea role]#  kubectl create clusterrole linuxea-cluster-read --verb=get,list,watch --resource=pods -o yaml --dry-run >> ./clusterrole.yaml

而后apply

[root@linuxea role]# kubectl apply -f clusterrole.yaml 
clusterrole.rbac.authorization.k8s.io/linuxea-cluster-read created

使用kubectl get clusterrole查看已经被创建的linuxea-cluster-read

[root@linuxea role]# kubectl get clusterrole
NAME                                                                   AGE
....
linuxea-cluster-read                                                   13m
....

现在将linuxea用户绑定到clusterrolebinding上,先将刚才绑定的rolebinding删除

[root@linuxea role]# kubectl get rolebinding
NAME              AGE
linuxea-readpod   1h
[root@linuxea role]# kubectl delete rolebinding linuxea-readpod
rolebinding.rbac.authorization.k8s.io "linuxea-readpod" deleted

现在linuxea账号对任何名称空间都没有任何权限。并且已经创建好了cluster role。接着创建clusterrolebinding绑定

创建Clusterrolebinding

clusterrolebinding只能绑定clusterrole.

创建一个clusterrolebinding名称为linuxea-cluster-read,名称和clusterrole一样,绑定到clusterrolebinding的linuxea-cluster-read上

[root@linuxea role]# kubectl create clusterrolebinding linuxea-cluster-read --clusterrole=linuxea-cluster-read --user=linuxea --dry-run -o yaml >> ./clusterrolebinding.yaml
[root@linuxea role]# cat ./clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: linuxea-cluster-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linuxea-cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: linuxea

使用kubectl get clusterrolebinding查看创建已经完成的clusterrolebinding

[root@linuxea role]# kubectl get clusterrolebinding
NAME                                                   AGE
.....
linuxea-cluster-read                                   22s
.....

查看创建的clusterrolebinding的describe信息

[root@linuxea role]# kubectl describe clusterrolebinding linuxea-cluster-read
Name:         linuxea-cluster-read
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"linuxea-clu...
Role:
  Kind:  ClusterRole
  Name:  linuxea-cluster-read
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  linuxea  

而后切换到linuxea用户下,验证下授予的clusterrole权限

[root@linuxea role]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".

之前授权的是名称空间下的pod的list,get

[root@linuxea role]# kubectl get pods
NAME                                   READY     STATUS    RESTARTS   AGE
linuxea-sa-demo                        1/1       Running   0          2d
linuxea-tomcat-group-b77666d76-4h5mz   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-89qnx   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-gvm4w   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-jszbg   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-l5nkq   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-lxr8r   1/1       Running   0          3d
linuxea-tomcat-group-b77666d76-m5sxg   1/1       Running   0          3d
satefulset-0                           1/1       Running   0          5d
satefulset-1                           1/1       Running   0          5d
satefulset-2                           1/1       Running   0          5d
satefulset-3                           1/1       Running   0          5d
satefulset-4                           1/1       Running   0          5d

换名称空间到pods -n kube-system

[root@linuxea role]# kubectl get pods -n kube-system
NAME                                           READY     STATUS    RESTARTS   AGE
coredns-78fcdf6894-mvdln                       1/1       Running   0          19d
coredns-78fcdf6894-zwqfw                       1/1       Running   0          19d
etcd-linuxea.master-1.com                      1/1       Running   0          19d
kube-apiserver-linuxea.master-1.com            1/1       Running   0          19d
kube-controller-manager-linuxea.master-1.com   1/1       Running   0          19d
kube-flannel-ds-amd64-5swqs                    1/1       Running   0          19d
kube-flannel-ds-amd64-fwzjl                    1/1       Running   0          19d
kube-flannel-ds-amd64-gtqhv                    1/1       Running   0          19d
kube-flannel-ds-amd64-qmhq9                    1/1       Running   0          19d
kube-proxy-64jwb                               1/1       Running   0          19d
kube-proxy-sllmj                               1/1       Running   0          19d
kube-proxy-tzdlj                               1/1       Running   0          19d
kube-proxy-vwtx4                               1/1       Running   0          19d
kube-scheduler-linuxea.master-1.com            1/1       Running   0          19d

或者名称空间ingress-nginx

[root@linuxea role]# kubectl get pods -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
default-http-backend-6586bc58b6-n9qbt       1/1       Running   0          19d
nginx-ingress-controller-6bd7c597cb-krz4m   1/1       Running   0          19d

当然,除了授权的list,get之外,其他没授权的都是拒绝的,也就是说没有权限的

[root@linuxea role]# kubectl delete pods kube-flannel-ds-amd64-qmhq9
Error from server (Forbidden): pods "kube-flannel-ds-amd64-qmhq9" is forbidden: User "linuxea" cannot delete pods in the namespace "default"

相关文章

LeaferJS 1.0 重磅发布:强悍的前端 Canvas 渲染引擎
10分钟搞定支持通配符的永久有效免费HTTPS证书
300 多个 Microsoft Excel 快捷方式
一步步配置基于kubeadmin的kubevip高可用
istio全链路传递cookie和header灰度
REST Web 服务版本控制

发布评论