51工具盒子

依楼听风雨
笑看云卷云舒,淡观潮起潮落

k8s RBAC之基于用户授权案例

1.使用k8s ca签发客户端证

1.1> 解压证书管理工具包

下载地址:

https://github.com/cloudflare/cfssl/releases

下载后,最好把后缀名字去掉:

然后再移动到 /usr/bin下边

 tar xf baimei-cfssl.tar.gz -C /usr/bin/  && chmod +x /usr/bin/cfssl*

mkdir

/manifests/rbac/cfssl/user

1.2> 编写证书请求

过期时间 10年= 87600小时

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

1.3 生成证书

 cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes baimei-csr.json | cfssljson -bare baimei

可以去查看证书详细信息

cfssl-certinfo -cert baimei.pem

2.生成kubeconfig授权文件

2.1 编写生成kubeconfig文件的脚本

目的是把证书文件写入 baimei-linux86.kubeconfig

cat > kubeconfig.sh <<'EOF'
# 配置集群
# --certificate-authority
#   指定K8s的ca根证书文件路径
# --embed-certs
#   如果设置为true,表示将根证书文件的内容写入到配置文件中,
#   如果设置为false,则只是引用配置文件,将kubeconfig
# --server
#   指定APIServer的地址。
# --kubeconfig
#   指定kubeconfig的配置文件名称
kubectl config set-cluster baimei-linux86 \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://10.0.0.231:6443 \
  --kubeconfig=baimei-linux86.kubeconfig
 
# 设置客户端认证
kubectl config set-credentials baimei \
  --client-key=baimei-key.pem \
  --client-certificate=baimei.pem \
  --embed-certs=true \
  --kubeconfig=baimei-linux86.kubeconfig

# 设置默认上下文
kubectl config set-context linux86 \
  --cluster=baimei-linux86 \
  --user=baimei \
  --kubeconfig=baimei-linux86.kubeconfig

# 设置当前使用的上下文
kubectl config use-context linux86 --kubeconfig=baimei-linux86.kubeconfig
EOF

2.2生成kubeconfig文件

bash kubeconfig.sh

3.创建RBAC授权策略

3.1 创建rbac等配置文件

cat rbac.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: linux-role-reader
rules:
  # API组,""表示核心组,该组包括但不限于"configmaps","nodes","pods","services"等资源.
  # 暂时这样理解:
  #    如果一个资源是apps/v1,则其组取"/"之前的,也就是apps.
  #    如果一个资源是v1,则默认为"/"。
  # 如果遇到不知道所述哪个组的也别着急,他会有报错提示,如下所示:
  #    User "baimei" cannot list resource "deployments" in API group "apps" in the namespace "default"
  # 如上所示,表示的是"deployments"的核心组是"apps"。
- apiGroups: ["","apps"]  
  # 资源类型,不支持写简称,必须写全称哟!!
  # resources: ["pods","deployments"]  
  resources: ["pods","deployments","services"]  
  # 对资源的操作方法.
  # verbs: ["get", "list"]  
  verbs: ["get", "list","delete"]  
- apiGroups: ["","apps"]
  resources: ["configmaps","secrets","daemonsets"]
  verbs: ["get", "list"]  
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["delete"]  

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: baimei-linux86-resources-reader
  namespace: default
subjects:
  # 主体类型
- kind: User  
  # 用户名
  name: baimei  
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # 角色类型
  kind: Role  
  # 绑定角色名称
  name: linux-role-reader
  apiGroup: rbac.authorization.k8s.io

3.2 应用rbac授权

kubectl apply -f rbac.yaml

3.3 访问测试

 kubectl get pods --kubeconfig=baimei-linux86.kubeconfig 

kubectl delete pods --all --kubeconfig=baimei-linux86.kubeconfig 

 kubectl get deploy,ds,svc,cm --kubeconfig=baimei-linux86.kubeconfig 

kubectl get deploy,ds --kubeconfig=baimei-linux86.kubeconfig 
赞(5)
未经允许不得转载:工具盒子 » k8s RBAC之基于用户授权案例