Understanding Kubernetes RBAC authorization through the dashboard
Author: Internet
# Concepts
Service Account: an account managed by the Kubernetes API, used to give the service processes inside a Pod an identity when they access the Kubernetes API. A Service Account is usually bound to a specific namespace and is created by the API server, or manually through an API call.
User Account: an account managed by a service independent of Kubernetes, for example keys distributed by an administrator, a user store (account database) such as Keystone, or even a file containing a list of usernames and passwords.
- User Accounts are designed for people; Service Accounts are designed for processes in Pods that call the Kubernetes API;
- A User Account spans namespaces; a Service Account is confined to the namespace it belongs to;
- Every namespace automatically gets a default service account
When a Pod is created without specifying a service account, the system automatically assigns it the default service account of the Pod's namespace. The Pod spec field that names the account the pod uses to talk to the apiserver is serviceAccountName.
# Goals
Allow a user to view the resources of a given namespace through kubectl
Allow a user to view resource monitoring through the dashboard
# Procedure
1. Create the serviceaccount
2. Create the corresponding role
3. Bind the role to the account with a rolebinding
4. Log in to the dashboard to verify the permissions
5. Create a kubeconfig from the token and log in through kubectl
1. Create the ServiceAccount
[root@master1 user]# kubectl create serviceaccount alex
serviceaccount/alex created
[root@master1 user]# kubectl get sa
NAME   SECRETS   AGE
alex   1         17s
2. Create the role for alex
[root@master1 role]# cat alex_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default_role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","pods/log","pods/exec"]   # create on pods/exec lets the holder run commands inside any pod of the namespace; grant it only if the user needs it
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create"]
- apiGroups: ["apps"]   # deployments are in the apps API group; with [""] this rule would match nothing
  resources: ["deployments"]
  verbs: ["get","list","watch","create"]
3. Bind the role to the ServiceAccount
[root@master1 role]# cat alex_rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default_rolebindind
  namespace: default
subjects:
- kind: User   # only matters if an external authenticator presents a user named alex; the token below authenticates as the ServiceAccount
  apiGroup: rbac.authorization.k8s.io
  name: alex
- kind: ServiceAccount
  name: alex
  namespace: default   # may be omitted in a RoleBinding, in which case it defaults to the binding's namespace
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: default_role
3.1 Apply the YAML files to create the role and the binding
# role
[root@master1 role]# kubectl apply -f alex_role.yaml
role.rbac.authorization.k8s.io/default_role created
# rolebinding
[root@master1 role]# kubectl apply -f alex_rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/default_rolebindind created
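To see what this Role and RoleBinding actually grant before handing the token to anyone, here is an added example (not the page's code and not the real Kubernetes authorizer) that models the matching logic in Python: a ServiceAccount subject matches the username system:serviceaccount:<namespace>:<name>, a rule allows a request only when API group, resource and verb all match, and the deployments rule is shown in both the apiGroups [""] form (which matches nothing, since deployments are in the apps group) and the corrected apps form. Group subjects, resourceNames and ClusterRole aggregation are deliberately not modelled.

```python
"""Offline model of how Kubernetes RBAC evaluates a request against the Role and
RoleBinding created above. Added example: this is not the page's code and not the
real authorizer, only the matching logic needed to reason about these two objects
(Group subjects, resourceNames and ClusterRole aggregation are not modelled)."""

# Rules as written in the page's alex_role.yaml: the deployments rule targets the
# core group "" even though deployments live in the "apps" group.
PAGE_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": [""], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create"]},
]

# The same Role with the deployments rule pointed at the apps group.
FIXED_ROLE_RULES = PAGE_ROLE_RULES[:2] + [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create"]},
]

# Subjects from the page's alex_rolebinding.yaml; the binding lives in "default",
# which is the namespace a ServiceAccount subject defaults to when omitted.
PAGE_BINDING_SUBJECTS = [
    {"kind": "User", "name": "alex"},
    {"kind": "ServiceAccount", "name": "alex", "namespace": "default"},
]

# Username the API server assigns to requests made with alex's token.
SA_USER = "system:serviceaccount:default:alex"


def subject_matches(subject, username):
    """A ServiceAccount subject matches system:serviceaccount:<ns>:<name>;
    a User subject matches its name literally."""
    if subject["kind"] == "ServiceAccount":
        return username == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return username == subject["name"]
    return False


def rule_allows(rule, api_group, resource, verb):
    """A rule allows a request only when API group, resource and verb all match;
    "*" is a wildcard and subresources are spelled resource/subresource (pods/log)."""
    group_ok = api_group in rule["apiGroups"] or "*" in rule["apiGroups"]
    resource_ok = resource in rule["resources"] or "*" in rule["resources"]
    verb_ok = verb in rule["verbs"] or "*" in rule["verbs"]
    return group_ok and resource_ok and verb_ok


def can_i(username, verb, resource, api_group="", rules=PAGE_ROLE_RULES,
          subjects=PAGE_BINDING_SUBJECTS):
    """Mirror of `kubectl auth can-i` for one RoleBinding: the identity must be a
    subject of the binding, and at least one rule of the bound Role must allow it."""
    if not any(subject_matches(s, username) for s in subjects):
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


if __name__ == "__main__":
    checks = [("get", "pods", ""), ("create", "pods/exec", ""), ("delete", "pods", ""),
              ("get", "secrets", ""), ("get", "deployments", "apps")]
    for verb, resource, group in checks:
        page = can_i(SA_USER, verb, resource, group)
        fixed = can_i(SA_USER, verb, resource, group, rules=FIXED_ROLE_RULES)
        print(f"{verb:7} {resource:12} {group or 'core':5} page={page!s:5} fixed={fixed}")
    # An identity the binding does not name gets nothing, whatever the Role says.
    print("default SA can get pods:", can_i("system:serviceaccount:default:default", "get", "pods"))
```

Two lines of the output are worth checking against intent: the Role grants alex no access to Secrets even though an administrator reads alex's token out of one in step 4, and create on pods/exec is the most powerful verb in this Role, since it allows command execution inside every pod of the namespace.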
4. Log in to the dashboard to verify the permissions
4.1 # Look up the Secret of the alex service account
[root@master1 role]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
alex-token-fbnsb      kubernetes.io/service-account-token   3      12m
chen-token-56l6t      kubernetes.io/service-account-token   3      3d1h
default-token-d79vr   kubernetes.io/service-account-token   3      3d11h
local-harbor-secret   kubernetes.io/dockerconfigjson        1      3d10h
4.2 # Read the token from the Secret; base64 -d decodes the base64 encoding (Kubernetes stores Secret data base64-encoded by default)
# Alternatively copy it from describe: kubectl describe secret alex-token-fbnsb
[root@master1 role]# kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDi
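What the dashboard login token actually carries, as an added example (not the page's code): it decodes the header and claims of the alex-token-fbnsb token shown above without verifying the signature, which is enough to see which identity the API server maps it to and that a legacy secret-based token carries no expiry. The base64 handling is the practitioner detail: Secret data is standard base64 with padding (hence `base64 -d`), while JWT segments are base64url without padding. The only input is the token copied from the page.

```python
"""Inspect the claims of the service-account token from the page. Added example,
not the page's code: it decodes, it does not verify the signature, so it tells you
who a token claims to be, not whether the token is genuine."""
import base64
import json

# Token copied from the page (the decoded content of alex-token-fbnsb). It is
# split into its three JWT segments here only for readability.
HEADER_B64 = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ"
PAYLOAD_B64 = (
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwi"
    "a3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2Nv"
    "dW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNm"
    "NDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ"
)
SIGNATURE_B64 = (
    "LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8"
    "vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf"
    "_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q"
)
TOKEN = f"{HEADER_B64}.{PAYLOAD_B64}.{SIGNATURE_B64}"


def b64url_decode(segment):
    """JWT segments use the URL-safe alphabet and drop the '=' padding, so the
    padding is restored before decoding; Secret data needs neither step."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) of a JWT. The signature is split off and ignored:
    this is inspection only, the API server is what verifies it."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def token_identity(claims):
    """Username the API server derives from a service-account token:
    system:serviceaccount:<namespace>:<name>. For legacy secret-based tokens it
    is also the 'sub' claim."""
    namespace = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    return f"system:serviceaccount:{namespace}:{name}"


def expires(claims):
    """Legacy secret-based tokens have no exp claim: they stay valid until the
    Secret (or the ServiceAccount) is deleted."""
    return claims.get("exp")


if __name__ == "__main__":
    header, claims = decode_jwt_unverified(TOKEN)
    print(json.dumps(header, indent=2))
    print(json.dumps(claims, indent=2))
    print("authenticates as:", token_identity(claims))
    print("expires at:", expires(claims) or "never (revoke by deleting the Secret)")
```

The identity printed, system:serviceaccount:default:alex, is the string the RoleBinding's ServiceAccount subject resolves to, which is why that subject, not the User subject named alex, is what makes the dashboard login work. Since the token has no expiry, whoever holds a copy of it keeps alex's permissions until the Secret is deleted.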
5. Create a kubeconfig from the token and log in through kubectl to verify again
5.1 Extract the cluster CA certificate from the token Secret into a crt file
[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIyMDcxMTA0NDQxM1oXDTMyMDcwODA0NDQxM1owFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBq
+uFBCdpTK64qCtlgTi3WTOPXdzZkrvYvu2y583yex0R7psNtVLVCwz6/UAC4SHNL
nZVpiSWW6N9+9KK1idFxhztWmYEDTtHU/j9YNOSfJ0zQVHlLBl/95TIYK+gQm7Lb
LN1iQrz88xTPBgP71/zBNP1IkRvBrt38NGdMzq8uWgx7VrrqDiw35BqkPVESeiu9
9bTf/uIxNhaiGXH+v+j1YLtvMPyMzy2GpNnsVpAuDmwTHwB9kAfpMl/tX0pnwNIY
xzk/3IeFyHQlTAF+RmI0Oz6kF08MWhZJzd9nX7wW/P1JTUUyR/fppKtyFk6YnkLl
1EFWwwsRqOVNqzW4dJ0CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABNt5J8VHGRFdSDfpOrti1edCxjc
soDQxaSchSX3bhpci3TWvWvdNNpqY7jcYkOhBz5AYinAWNFyCJ/GdJ3JzOKp73TU
FmQG+XnriJceKCxtF/1EyOUs6mXV+nNBobQJq2xw2HjHE1q+KLNhbqd+Ss2/xS9W
jXCCkLf74AvIHEJWT4r9RDAy4/hKg2EohJddQ+VbcaFtKw7pAFOnVz/QXk59ePXO
whMz/YWSMSwK4r5FJdnawgq4so+uvoLZx+TQ6aaWIx9UfFH7Km1lAMPbBnMqUXFa
D6HDb9NFlBgr+sXAdshBnybxIsg/CckZenckDnL06HK/i1zgtBnUWKy9Uzw=
-----END CERTIFICATE-----
[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d > alex.crt
5.2 # Generate the config file with the cluster information
[root@master1 alex]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443 --kubeconfig=/root/role/user/alex/config --certificate-authority=alex.crt --embed-certs=true
Cluster "kubernetes" set.
5.3 # Add the user's token credential to the config file
[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q
[root@master1 alex]# kubectl config set-credentials alex --kubeconfig=/root/role/user/alex/config --token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q
User "alex" set.
5.4 Create the context
[root@master1 alex]# kubectl config set-context alex@kubernetes --cluster=kubernetes --user=alex --kubeconfig=/root/role/user/alex/config
Context "alex@kubernetes" created.
[root@master1 alex]# kubectl config view --kubeconfig=./config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: REDACTED
# View the generated config file
[root@master1 alex]# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA data, omitted here>
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q
# Place the config on a client with kubectl installed, at /root/.kube/config
[root@24d33 .kube]# kubectl config use-context alex@kubernetes
Switched to context "alex@kubernetes".
# Verify the result
[root@24d33 .kube]# kubectl get pods,svc
NAME                             READY   STATUS    RESTARTS   AGE
pod/mytomcat-5f97c868bd-bghht    1/1     Running   0          2d4h
pod/mytomcat-5f97c868bd-xh5cz    1/1     Running   0          35h
pod/mytomcat2-6746bcc65b-hmxgb   1/1     Running   0          36h

NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/kubernetes    ClusterIP   10.96.0.1       <none>        443/TCP          3d14h
service/tomcat-svc    NodePort    10.96.234.126   <none>        8080:31801/TCP   2d4h
service/tomcat2-svc   NodePort    10.98.226.189   <none>        8080:31802/TCP   36h
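The kubeconfig assembled in steps 5.1 to 5.4, rebuilt and sanity-checked in Python as an added example (not the page's code, and kubectl itself is not invoked): it shows what --embed-certs=true does (the CA PEM is stored base64-encoded in certificate-authority-data), why the file printed by the author has current-context "" until use-context runs, and the referential checks a client needs before the file is usable (context points at a defined cluster and user, server is https, a CA is present so the API server's certificate can be verified). The CA and token values below are constructed placeholders, not the page's real values.

```python
"""Build and sanity-check a token-based kubeconfig of the shape produced in steps
5.1-5.4. Added example, not the page's code: kubectl is not used, and the CA and
token below are constructed placeholders, not the page's real values."""
import base64
import json

# Constructed placeholders standing in for alex.crt and the decoded token.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "placeholder-certificate-body\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_TOKEN = "header.payload.signature"


def build_kubeconfig(server, ca_pem, token, cluster="kubernetes", user="alex"):
    """Equivalent of set-cluster --embed-certs=true, set-credentials --token and
    set-context, plus use-context so the file is usable as-is."""
    context = f"{user}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{
            "name": cluster,
            "cluster": {
                "server": server,
                # --embed-certs=true stores the PEM file base64-encoded in
                # certificate-authority-data instead of a path in certificate-authority
                "certificate-authority-data": base64.b64encode(ca_pem.encode()).decode(),
            },
        }],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        # kubectl config set-context leaves this "" (see the config view above);
        # kubectl config use-context is what fills it in
        "current-context": context,
    }


def validate_kubeconfig(cfg):
    """Return a list of problems; an empty list means kubectl would find a
    usable current context whose cluster and user both resolve."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    current = cfg.get("current-context", "")
    if not current:
        problems.append("current-context is empty: run kubectl config use-context first")
    elif current not in contexts:
        problems.append(f"current-context {current!r} is not a defined context")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            problems.append(f"context {name} references unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            problems.append(f"context {name} references unknown user {ctx.get('user')!r}")
    for name, cl in clusters.items():
        if not cl.get("server", "").startswith("https://"):
            problems.append(f"cluster {name} server is not https")
        if "certificate-authority-data" not in cl and "certificate-authority" not in cl:
            problems.append(f"cluster {name} has no CA: the API server certificate cannot be verified")
    return problems


def embedded_ca_pem(cfg, cluster="kubernetes"):
    """Recover the PEM from certificate-authority-data, the reverse of --embed-certs."""
    for c in cfg["clusters"]:
        if c["name"] == cluster:
            return base64.b64decode(c["cluster"]["certificate-authority-data"]).decode()
    raise KeyError(cluster)


if __name__ == "__main__":
    cfg = build_kubeconfig("https://192.168.24.31:6443", SAMPLE_CA_PEM, SAMPLE_TOKEN)
    # kubectl's loader accepts JSON as well as YAML, so this output is loadable as-is
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_kubeconfig(cfg) or "none")
    cfg["current-context"] = ""  # the state right after set-context, before use-context
    print("problems:", validate_kubeconfig(cfg))
```

The file carries a bearer token with no expiry, so it should be treated like a password: copy it to the client over a channel you trust, keep it readable only by the user who needs it, and delete the Secret when access is no longer required.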
Tags: master1, kubectl, alex, RBAC, token, role, dashboard, k8s, root Source: https://www.cnblogs.com/Chen-PY/p/16479951.html