Method one: a service account bound to the built-in view ClusterRole
Kubernetes ships with a default ClusterRole named view, a role that grants read-only access and nothing else. Inspect it with kubectl describe clusterrole view; the output looks like this:
$ sudo kubectl describe clusterrole view
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
bindings [] [] [get list watch]
configmaps [] [] [get list watch]
endpoints [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
persistentvolumeclaims [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
pods [] [] [get list watch]
replicationcontrollers/scale [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
replicationcontrollers [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
serviceaccounts [] [] [get list watch]
services [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
daemonsets.apps [] [] [get list watch]
deployments.apps/scale [] [] [get list watch]
deployments.apps [] [] [get list watch]
replicasets.apps/scale [] [] [get list watch]
replicasets.apps [] [] [get list watch]
statefulsets.apps/scale [] [] [get list watch]
statefulsets.apps [] [] [get list watch]
horizontalpodautoscalers.autoscaling [] [] [get list watch]
cronjobs.batch [] [] [get list watch]
jobs.batch [] [] [get list watch]
daemonsets.extensions [] [] [get list watch]
deployments.extensions/scale [] [] [get list watch]
deployments.extensions [] [] [get list watch]
ingresses.extensions [] [] [get list watch]
networkpolicies.extensions [] [] [get list watch]
replicasets.extensions/scale [] [] [get list watch]
replicasets.extensions [] [] [get list watch]
replicationcontrollers.extensions/scale [] [] [get list watch]
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
ingresses.networking.k8s.io [] [] [get list watch]
networkpolicies.networking.k8s.io [] [] [get list watch]
poddisruptionbudgets.policy [] [] [get list watch]
You can create a new identity and bind it to the built-in view role.
Create the service account (readonly is the example account name):
kubectl create sa readonly -n kube-system
Bind it at cluster scope:
kubectl create clusterrolebinding readonly --clusterrole=view --serviceaccount=kube-system:readonly
Then obtain the service account's token and verify by logging in with it. On Kubernetes 1.24 and later no token Secret is created for a service account automatically, so request a short-lived token with kubectl create token readonly -n kube-system; on older versions read it from the Secret listed under the service account. Two things are worth checking before handing the token out: view deliberately excludes secrets but does include configmaps, and a ClusterRoleBinding grants that read across every namespace, so if one namespace is enough create a RoleBinding to the same view ClusterRole in that namespace instead. kubectl auth can-i --list --as=system:serviceaccount:kube-system:readonly prints the effective permissions of the new identity.
Method two: a read-only user authenticated by a client certificate
Create a read-only user with a client certificate. First download the cfssl tools (the pkg.cfssl.org R1.2 links below are old; current binaries are published on the cfssl GitHub releases page):
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
Copy the cluster CA into a scratch directory:
cd /etc/kubernetes/pki && sudo mkdir test
sudo cp ca.crt test
sudo cp ca.key test
ca.key is the cluster's root of trust: anyone who can read it can mint a certificate for any user or group, so do this on the control-plane node only, keep the directory readable by root alone, and remove the copies when you are done. In the test directory create the following two files.
readonly.json (the API server takes the username from CN and the group membership from O, so readonly and develop:readonly are the names the RBAC binding will have to match):
{
  "CN": "readonly",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "HangZhou",
      "O": "develop:readonly",
      "OU": "develop"
    }
  ]
}
ca-config-readonly.json (a client certificate only needs client auth, so the server auth usage is unnecessary here; 87600h is ten years, a long lifetime for a credential that cannot be revoked, since the API server does not check CRLs):
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Generate the read-only user's certificate (this writes readonly.pem, readonly-key.pem and readonly.csr):
sudo cfssl gencert --ca ca.crt --ca-key ca.key --config ca-config-readonly.json --profile=kubernetes readonly.json | cfssljson --bare readonly
Copy the admin kubeconfig as the starting point:
cp /etc/kubernetes/admin.conf pki/test/readonly.kubeconfig
Be aware of what this copies. On a kubeadm cluster admin.conf holds the kubernetes-admin user with an embedded cluster-admin client certificate and key, and the script below only adds a second user next to it. Unless that entry and its context are removed (kubectl config unset users.kubernetes-admin --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig, and the same for the admin context), the "read-only" kubeconfig still carries full admin credentials. The cleaner route is to start from an empty file and add only the cluster entry with kubectl config set-cluster kubernetes --server=<API server URL> --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true.
Create the setup script kubeconfig.sh and run it. The original mixed an absolute and a relative path for the kubeconfig, which only works when run from the test directory, so the path is set once here; the --certificate-authority flag has also been dropped from set-credentials, because it is a global connection flag that has no effect on the user entry (the CA belongs to the cluster entry, which the copied admin.conf already provides):
#!/bin/bash
KCFG=/etc/kubernetes/pki/test/readonly.kubeconfig
kubectl config set-credentials develop-readonly \
--embed-certs=true \
--client-key=/etc/kubernetes/pki/test/readonly-key.pem \
--client-certificate=/etc/kubernetes/pki/test/readonly.pem \
--kubeconfig=$KCFG
kubectl config set-context default-system --cluster=kubernetes \
--user=develop-readonly \
--kubeconfig=$KCFG
kubectl config use-context default-system --kubeconfig=$KCFG
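The same certificate and kubeconfig steps, as an added example that is not part of the original post, done with openssl instead of cfssl. It requests clientAuth only, uses a 30-day validity instead of ten years, and writes readonly.kubeconfig from scratch so that the kubernetes-admin entry from admin.conf never enters the file. For an offline run it generates a throwaway CA in place of /etc/kubernetes/pki/ca.crt and ca.key, and the API server address is a placeholder; both are assumptions, as is the WORKDIR scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): mint a Kubernetes client
# certificate with openssl and build a kubeconfig that carries only that
# identity. Assumptions for an offline run: a throwaway CA stands in for
# /etc/kubernetes/pki/ca.crt and ca.key, and API_SERVER is a placeholder.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
API_SERVER="${API_SERVER:-https://127.0.0.1:6443}"   # assumed; use the real endpoint

# Throwaway CA (constructed for this example). On a real cluster skip this and
# put the cluster's ca.crt / ca.key in WORKDIR instead.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-test-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# mint_client_cert USER GROUP DAYS
# The API server takes the username from CN and the groups from O, so these two
# fields are all an RBAC binding can match on. Only clientAuth is requested
# (serverAuth has no place on a user certificate) and DAYS should be short:
# Kubernetes does not consult CRLs, so a leaked certificate stays valid until
# it expires.
mint_client_cert() {
  user="$1"; group="$2"; days="$3"
  openssl genrsa -out "$WORKDIR/$user-key.pem" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORKDIR/$user-key.pem" -subj "/CN=$user/O=$group" \
    -out "$WORKDIR/$user.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$WORKDIR/$user.ext"
  openssl x509 -req -in "$WORKDIR/$user.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days "$days" \
    -extfile "$WORKDIR/$user.ext" -out "$WORKDIR/$user.pem" >/dev/null 2>&1
}

# What the API server will see in the certificate.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_user()    { cert_subject "$1" | tr ',' '\n' | grep '^CN=' | cut -d= -f2-; }
cert_groups()  { cert_subject "$1" | tr ',' '\n' | grep '^O=' | cut -d= -f2- | paste -s -d ',' -; }

# Succeeds only if the extended key usage is exactly clientAuth.
cert_is_client_only() {
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' ')
  [ "$eku" = "TLSWebClientAuthentication" ]
}

# write_kubeconfig USER OUT: one cluster, one user, one context, certificates
# embedded. Nothing is copied from admin.conf, so no admin credential can leak.
write_kubeconfig() {
  user="$1"; out="$2"
  ca_b64=$(base64 < "$WORKDIR/ca.crt" | tr -d '\n')
  crt_b64=$(base64 < "$WORKDIR/$user.pem" | tr -d '\n')
  key_b64=$(base64 < "$WORKDIR/$user-key.pem" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $API_SERVER
    certificate-authority-data: $ca_b64
users:
- name: $user
  user:
    client-certificate-data: $crt_b64
    client-key-data: $key_b64
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
  chmod 600 "$out"
}

# List the user names in a kubeconfig, to prove only the intended one is there.
kubeconfig_users() { awk '/^users:/ {u=1; next} /^[a-z]/ {u=0} u && /^- name:/ {print $3}' "$1"; }

make_test_ca
mint_client_cert readonly develop:readonly 30
write_kubeconfig readonly "$WORKDIR/readonly.kubeconfig"
echo "user=$(cert_user "$WORKDIR/readonly.pem") groups=$(cert_groups "$WORKDIR/readonly.pem")"
echo "kubeconfig users: $(kubeconfig_users "$WORKDIR/readonly.kubeconfig")"
```

To use this against a real cluster, point WORKDIR at a directory holding the cluster's ca.crt and ca.key, skip make_test_ca, and set API_SERVER to the server address from admin.conf. cert_user and cert_groups print exactly the username and group the API server will derive from the certificate, which is what the subject of the ClusterRoleBinding has to match.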
Now create a ClusterRole and bind it. The binding subject is the group develop:readonly, not a service account: the API server takes the username from the certificate's CN (readonly) and the group names from its O fields, so the O value chosen in readonly.json is what the ClusterRoleBinding must match. Two points to check before applying the manifest below. First, rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22, so the manifest uses v1; the extensions-group entries for daemonsets, deployments, replicasets and ingresses refer to resources that no longer exist there (removed in 1.16 and 1.22), and scheduledjobs is the pre-1.5 name of cronjobs, so those are dead entries, harmless but misleading. Second, and more important, despite its name this role is not read-only: get and list on secrets return the contents of every Secret in the cluster, service account tokens included; the pods/exec, pods/attach and pods/portforward subresources accept GET as well as POST to open their stream, so the get verb alone permits running commands in any pod; and get on pods/proxy and services/proxy lets the holder send HTTP GET requests through the API server to any pod or service. A read-only role should leave those out, which is exactly what the built-in view role does. The manifest (readonly-rbac.yml):
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: develop:readonly
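A check for a role like the one above, added here as an example and not part of the original post: a small shell audit that reads a ClusterRole manifest and flags entries that are not read-only even though every verb is get, list or watch (secrets, the exec/attach/portforward subresources, which accept GET to open their stream, and the proxy subresources, which forward GET to the backend), plus any verb outside get/list/watch. The manifest it runs on is constructed for this example: a condensed form of the post's cluster-readonly role with one patch verb added so the write-verb check is exercised too.

```shell
#!/bin/sh
# Added example (not from the original post): flag ClusterRole entries that
# are not read-only even when every verb is get/list/watch. The manifest
# below is constructed for this example: a condensed form of the post's
# cluster-readonly role plus one patch verb to exercise the write-verb check.
set -eu

# audit_clusterrole FILE: one finding per line; exit 1 if anything was found.
# Parsing covers the plain block-style YAML that kubectl emits (one "- item"
# per line under resources: and verbs:), which is all a role manifest needs.
audit_clusterrole() {
  awk '
    BEGIN {
      # get/list on secrets returns the data of every Secret, SA tokens included
      risky["secrets"]          = "get/list return secret data, including service account tokens"
      # exec/attach/portforward accept GET as well as POST to open the stream
      risky["pods/exec"]        = "GET opens an exec session, so get alone runs commands"
      risky["pods/attach"]      = "GET opens an attach session"
      risky["pods/portforward"] = "GET opens a port-forward session"
      # proxy subresources forward the HTTP method, so GET reaches the backend
      risky["pods/proxy"]       = "GET requests are forwarded to the pod"
      risky["services/proxy"]   = "GET requests are forwarded to the service"
      risky["nodes/proxy"]      = "GET requests are forwarded to the kubelet API"
      found = 0
    }
    /^---/ || /^[^ -]/        { section = "" }                 # new document or top-level key
    /^ *- *apiGroups:/        { rule++; section = ""; next }   # start of a rule
    /^ *resources:/           { section = "resources"; next }
    /^ *verbs:/               { section = "verbs"; next }
    /^ *apiGroups:/           { section = ""; next }
    section != "" && /^ *- / {
      item = $0
      sub(/^ *- */, "", item); gsub(/"/, "", item)
      if (section == "resources" && (item in risky)) {
        print "rule " rule ": " item " is not read-only under get/list/watch (" risky[item] ")"
        found = 1
      }
      if (section == "verbs" && item != "get" && item != "list" && item != "watch") {
        print "rule " rule ": verb " item " is a write verb"
        found = 1
      }
    }
    END { exit found }
  ' "$1"
}

# Constructed sample manifest (not the full role from the post).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - pods/exec
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - patch
EOF

# The corrected role: the same file with the flagged lines dropped.
FIXED="$(mktemp)"
grep -v -e 'pods/exec' -e 'secrets' -e 'services/proxy' -e '- patch' "$SAMPLE" > "$FIXED"

echo "== $SAMPLE"; audit_clusterrole "$SAMPLE" || echo "(not read-only)"
echo "== $FIXED";  audit_clusterrole "$FIXED"  && echo "(no findings)"
```

Run it against the real manifest with audit_clusterrole readonly-rbac.yml, or against a live role with kubectl get clusterrole cluster-readonly -o yaml piped into a file first; a non-zero exit means the role grants more than reading.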
Verify:
kubectl --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig get nodes   # nodes are not in the role, so this is refused
Error from server (Forbidden): nodes is forbidden: User "readonly" cannot list resource "nodes" in API group "" at the cluster scope
kubectl --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig get pod   # pods are readable
Now try a write as this user, here creating the RBAC objects from the manifest file readonly-rbac.yml; it is refused:
$ kubectl --kubeconfig=readonly.kubeconfig create -f readonly-rbac.yml
Error from server (Forbidden): error when creating "readonly-rbac.yml": clusterroles.rbac.authorization.k8s.io is forbidden: User "readonly" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): error when creating "readonly-rbac.yml": clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "readonly" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
The error names the user as "readonly", the certificate's CN, which confirms that the API server authenticated the certificate and is applying RBAC to that identity. For the full picture, kubectl auth can-i --list --kubeconfig=/etc/kubernetes/pki/test/readonly.kubeconfig prints everything this identity may do, which is the quickest way to spot entries such as pods/exec, services/proxy or secrets that do not belong in a read-only role.