Background

A k8s cluster is usually divided into namespaces by business line, and with that comes the question of access control. We cannot hand the cluster-admin credentials to everyone, and sometimes a user should only have rights in a few specific namespaces: developers and testers may need to log in to the cluster to see how an application is running, read pod logs, or even change some configuration. For this we can create a restricted kubeconfig file, distribute it to the people who need it, and let them perform the permitted operations through kubectl.

Create a cluster-level role (ClusterRole)

clusterrole.devops.yaml grants full permissions on pods and read-only access to the other resources.

[root@k8s01 ~]# vim clusterrole.devops.yaml
# basic permissions for developers and testers
# rbac.authorization.k8s.io/v1 is GA since Kubernetes 1.8; v1beta1 was removed in 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops
  # a ClusterRole is cluster-scoped, so it carries no namespace; the namespace
  # restriction comes from the RoleBinding created in a later step
rules:
# "create" on pods/exec lets the holder open a shell in any pod of the bound namespaces
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
# legacy API group kept for older clusters; current clusters serve these
# resources under apps and networking.k8s.io
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch

[root@k8s01 ~]#  kubectl apply -f clusterrole.devops.yaml 
clusterrole.rbac.authorization.k8s.io/devops created
[root@k8s01 ~]#  kubectl get ClusterRole -n default|grep devops
devops                            2022-06-08T06:53:11Z  

Create the ServiceAccount

[root@k8s01 ~]# kubectl create serviceaccount devops -n default
serviceaccount/devops created
[root@k8s01 ~]# kubectl get serviceaccounts |grep devops
devops            1         19s

Bind the ServiceAccount to the cluster role

Grant access per namespace as needed; the example below authorizes the test-env and poc-env namespaces. Because a RoleBinding (not a ClusterRoleBinding) references the ClusterRole, the permissions apply only inside the namespace of each binding.

[root@k8s01 ~]# kubectl create rolebinding rbd-devops --clusterrole=devops --serviceaccount=default:devops --namespace=test-env
rolebinding.rbac.authorization.k8s.io/rbd-devops created
[root@k8s01 ~]# kubectl create rolebinding rbd-devops --clusterrole=devops --serviceaccount=default:devops --namespace=poc-env 
rolebinding.rbac.authorization.k8s.io/rbd-devops created

Get the token from the ServiceAccount's secret

[root@k8s01 ~]# kubectl get serviceaccounts devops -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-08T07:05:06Z"
  name: devops
  namespace: default
  resourceVersion: "150225846"
  selfLink: /api/v1/namespaces/default/serviceaccounts/devops
  uid: 3ff8ba81-95ab-4f74-8296-89900679d5f7
secrets:
- name: devops-token-d6lts

The corresponding secret is devops-token-d6lts. (On Kubernetes 1.24 and later a token Secret is no longer created automatically for a ServiceAccount; there, kubectl create token devops issues a time-limited token instead.)

[root@k8s01 ~]# kubectl get secrets devops-token-d6lts -oyaml
apiVersion: v1
data:
  ca.crt: xxx
  namespace: xxx
  token: xxx
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: devops
    kubernetes.io/service-account.uid: 3ff8ba81-95ab-4f74-8296-89900679d5f7
  creationTimestamp: "2022-06-08T07:05:06Z"
    manager: kube-controller-manager
    operation: Update
    time: "2022-06-08T07:05:06Z"
  name: devops-token-d6lts
  namespace: default
  resourceVersion: "150225845"
  selfLink: xxx
  uid: xxx
type: kubernetes.io/service-account-token

The token field is base64-encoded and must be decoded before use (ca.crt is left as it is, because certificate-authority-data in the kubeconfig also expects base64). With the token value assigned to $token:

[root@k8s01 ~]# echo $token | base64 -d
xxx

Assemble the config file

Fill the token into the following config:

[root@k8s01 ~]# vim config
# kubeconfig for the devops ServiceAccount
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: K8S集群地址                          # the API server URL of the cluster, e.g. https://<api-server>:6443
    certificate-authority-data: "ca.crt后的内容"  # the ca.crt value from the secret, still base64
  name: kubernetes
users:
- name: "devops"
  user:
    token: "解码后的token字符串"                  # the decoded token string
contexts:
- context:
    cluster: kubernetes
    user: "devops"
  name: kubernetes
preferences: {}
current-context: kubernetes

Save the file as config and place it in the $HOME/.kube/ directory (or point kubectl at it with --kubeconfig). Restrict its file permissions: anyone who can read it holds the devops identity. Then verify that only the bound namespaces are reachable:

[root@k8s01 ~]# kubectl get -n test-env po
NAME                                  READY   STATUS    RESTARTS   AGE
cpm-manage-test-55d688b4fd-2prvt      1/1     Running   0          19d
...
[root@k8s01 ~]# kubectl exec -it -n test-env report-test-6d886fc965-lt289 bash
[root@report-test-6d886fc965-lt289 home]#

# other namespaces cannot be accessed
[root@k8s08 ~]# kubectl get -n release-env po
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:devops" cannot list resource "pods" in API group "" in the namespace "release-env"
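The assembly step above done as a script, as an added example that is not part of the original post: it decodes the token, keeps ca.crt in its base64 form, and emits the same kubeconfig layout, with a usage note showing how to confirm the namespace restriction. The Secret name, the API server URL and the output path are assumptions supplied by the caller; kubectl is only needed by fetch_secret_field and by the usage lines at the end.

```shell
#!/bin/sh
# Added example (not the original post's code): build the restricted kubeconfig
# from the values in the ServiceAccount's token Secret.
# Assumptions: Secret name, API server URL and output path come from the caller.
set -eu

# Read one field of a Secret's .data map via kubectl; the value is still base64.
# Dots in the field name (ca.crt) must be escaped for jsonpath.
fetch_secret_field() {
  secret="$1"; field="$2"; ns="${3:-default}"
  field=$(printf '%s' "$field" | sed 's/\./\\./g')
  kubectl get secret "$secret" -n "$ns" -o "jsonpath={.data.$field}"
}

# Decode the base64 token; printf avoids the stray newline echo would add.
decode_token() {
  printf '%s' "$1" | base64 -d
}

# Print the kubeconfig to stdout. Note the asymmetry the post relies on:
# certificate-authority-data takes ca.crt exactly as stored (base64),
# while the user token must be the decoded string.
build_kubeconfig() {
  server="$1"; ca_b64="$2"; token_b64="$3"; user="${4:-devops}"
  token=$(decode_token "$token_b64")
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
  name: kubernetes
users:
- name: ${user}
  user:
    token: ${token}
contexts:
- context:
    cluster: kubernetes
    user: ${user}
  name: kubernetes
preferences: {}
current-context: kubernetes
EOF
}

# Usage on a real cluster (needs admin rights and kubectl; not run here):
#   ca=$(fetch_secret_field devops-token-d6lts ca.crt)
#   tok=$(fetch_secret_field devops-token-d6lts token)
#   build_kubeconfig https://<api-server>:6443 "$ca" "$tok" > devops.kubeconfig
#   chmod 600 devops.kubeconfig   # the file is a bearer credential
#   KUBECONFIG=devops.kubeconfig kubectl auth can-i list pods -n test-env     # yes
#   KUBECONFIG=devops.kubeconfig kubectl auth can-i list pods -n release-env  # no
```

The auth can-i checks at the end exercise the same boundary the post demonstrates with kubectl get: the RoleBinding in test-env answers yes, while release-env, which has no binding, answers no.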
Author: 鲜花的主人
Copyright notice: unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit 爱吃可爱多.
Tags: Kubernetes