Kubernetes RBAC: granting a specified user access to different namespaces

In a cluster with TLS enabled, every interaction with the cluster requires authentication. The two simplest and most widely used methods are a kubeconfig (that is, a certificate) and a token.

Take kubectl as the example for configuring a kubeconfig. kubectl is just an executable written in Go; as long as it is given a suitable kubeconfig, it can be used on any node of the cluster. By default kubectl looks for a file named config under $HOME/.kube; another kubeconfig file can be selected through the KUBECONFIG environment variable or the --kubeconfig flag.

In short, the kubeconfig is the configuration used to access the cluster.

The generated kubeconfig is saved to the ~/.kube/config file; the file describes clusters, users and contexts.

Kubernetes security architecture

The security architecture of Kubernetes centers on the apiserver: every kubectl command is a request sent to the apiserver, which persists it to etcd. The apiserver is therefore the coordinator of all components and the entry point to the cluster.

Security is accordingly enforced at the cluster entry point, the apiserver. A kubectl request to the apiserver is really just an HTTP request (http://ip:port/api/pods...); kubectl wraps that request and exposes only a few parameters to us.

Access control in Kubernetes happens in the following three stages. Each stage supports plugins, which are enabled through the API Server configuration.

1. Authentication

2. Authorization

3. Admission Control

To access the Kubernetes API Server a client generally needs a certificate, a token, or a username and password; a Pod needs a ServiceAccount.

Authentication

Three kinds of client authentication:

HTTPS certificate authentication: digital certificates signed by the cluster CA

HTTP Token authentication: the user is identified by a token

HTTP Basic authentication: username and password

Authorization

RBAC (Role-Based Access Control) is responsible for authorization.

RBAC decides whether to allow or deny a request based on the attributes of the API request.

Common authorization dimensions:

• user: the user name

• group: the user group

• resource, e.g. pod, deployment

• resource verbs: get, list, create, update, patch, watch, delete

• namespace

• API group

Admission Control

Admission Control is actually a list of admission controller plugins. Every request sent to the API Server must pass the check of each admission controller in the list; if any check fails, the request is rejected.

Ready-made plugins such as PodSecurityPolicy (psp) and ImagePolicyWebhook already exist; if you need one, enable the corresponding admission plugin.

--enable-admission-plugins: a large number of plugins are enabled by default

Look at the help output; the admission plugins enabled by default are listed there:

[root@master ~]# kubectl get pod -n kube-system | grep api
kube-apiserver-master                          1/1     Running   9          47h

[root@master ~]# kubectl exec kube-apiserver-master -n kube-system -- kube-apiserver -h



 --enable-admission-plugins strings       admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.      

Enabling an admission controller:

kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger ...

Disabling an admission controller:

kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny ...

Viewing the defaults:

kubectl exec kube-apiserver-k8s-master -n kube-system -- kube-apiserver -h | grep enable-admission-plugins

[root@master manifests]# vim kube-apiserver.yaml 
    - --enable-admission-plugins=NodeRestriction      

Role-based access control: RBAC

RBAC (Role-Based Access Control) allows policies to be configured dynamically through the Kubernetes API.

Roles

Role: grants access within a specific namespace

ClusterRole: grants access across all namespaces

Role bindings

RoleBinding: binds a role to a subject

ClusterRoleBinding: binds a cluster role to a subject

Subjects

User: a user

Group: a user group

ServiceAccount: a service account


Built-in cluster roles

Kubernetes ships four predefined cluster roles for users; list them with kubectl get clusterrole. Those whose names start with system: are used internally by the system (roles starting with system: must never be deleted; deleting them can break the cluster).

Built-in cluster role and description:

  • cluster-admin: super administrator with all permissions on the cluster (when deploying the dashboard you first create a ServiceAccount, bind it to cluster-admin and then retrieve its token; that uses the built-in cluster-admin)
  • admin: mainly used to grant full read/write access within a namespace
  • edit: allows read/write on most objects in a namespace, but not viewing or modifying roles and role bindings
  • view: read-only access to most objects in a namespace, but not roles, role bindings or Secrets
[root@master default]# 
[root@master default]# kubectl get clusterrole
NAME                                                                   CREATED AT
admin                                                                  2021-05-20T07:04:01Z
edit                                                                   2021-05-20T07:04:01Z
cluster-admin                                                          2021-05-20T07:04:01Z
view                                                                   2021-05-20T07:04:01Z      

If one of these roles fits the need, use it directly instead of creating your own.

Binding Roles to Subjects

A RoleBinding or ClusterRoleBinding binds a Role to Subjects. Subjects can be groups, users or service accounts. In Subjects, Users are represented as strings: a plain name such as "alice", an email-style address such as "[email protected]", or even a numeric ID written as a string. The system: prefix for Users is reserved, and the cluster administrator should make sure ordinary users never use that prefix. Groups are written the same way as Users, as a plain string with no particular format; the system: prefix is likewise reserved.

Case study: granting a specified user access to different namespaces

Requirement:

Grant a specified user access to a particular namespace. For example, a new hire should get familiar with the Kubernetes cluster, but for safety should not be given much power yet, so start by granting read access to Pods in the default namespace.

Rough implementation steps

Example: grant user lulei read access to Pods in the default namespace (view only, no delete)

1. Sign a client certificate with the Kubernetes CA (certificate-based client authentication)

2. Generate a kubeconfig authorization file (kubectl uses the kubeconfig to connect to the cluster)

3. Create an RBAC policy (the actual permission assignment)

In other words, generate a kubeconfig file, hand it to the user, and let them access the cluster and view resources with it.

Signing the client certificate with the CA

(1) Generate the Kubernetes client certificate. A CA configuration file is prepared here, and the client certificate is signed by the Kubernetes CA. In lulei-csr.json, the "CN": "lulei" field identifies the client user. The cluster CA certificate comes from the kubeadm deployment:

[root@k8s-master ~]# ls /etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.crt

cfssl signs lulei's client certificate with the root certificate:

[root@k8s-master rbac]# cat cfssl.sh 
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo      
[root@k8s-master rbac]# cat cert.sh 
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

cat > lulei-csr.json <<EOF
{
  "CN": "lulei",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes lulei-csr.json | cfssljson -bare lulei      

The API Server uses the client certificate's CN field as the User and the names.O field as the Group; Kubernetes reads these two fields when checking authorization.

When a kubelet authenticates through TLS Bootstrapping, the API Server can validate the token using Bootstrap Tokens or a token authentication file; either way, Kubernetes binds a default User and Group to the token. When a Pod authenticates with a ServiceAccount, the JWT in the service-account-token carries the User information. Once the user information is available, creating a Role/RoleBinding (or ClusterRole/ClusterRoleBinding) pair completes the permission binding.

[root@k8s-master rbac]# ls
lulei-key.pem  lulei.pem      

Those are the client certificate files; each additional user needs its own set.

  • lulei-key.pem: the private key, like the .key file used when configuring nginx for HTTPS
  • lulei.pem: the certificate, like the .crt file used when configuring nginx for HTTPS

Note that the Kubernetes root certificate must be specified here; in a kubeadm deployment it is under /etc/kubernetes/pki/ by default.

[root@k8s-master rbac]# ls /etc/kubernetes/pki/
apiserver.crt              apiserver-kubelet-client.crt  etcd                    front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  front-proxy-ca.crt      sa.key
apiserver-etcd-client.key  ca.crt                        front-proxy-ca.key      sa.pub
apiserver.key              ca.key                        front-proxy-client.crt      

Above, the CA configuration file ca-config.json was generated first, then the client certificate request for a particular user, and finally cfssl was pointed at those files to produce the client certificate. Every user's client certificate is generated this way; the only thing that differs is the user name in the CN field.

Generating the kubeconfig authorization file

Cluster parameters

Use the kubectl config command to generate the kubeconfig, filling in its sections step by step.

The generated file has the same format as the config in the home directory:

[root@k8s-master ~]# cd .kube/
[root@k8s-master .kube]# ls
cache  config      

This fills in the cluster information:

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.179.102:6443 \
  --kubeconfig=lulei.kubeconfig


[root@k8s-master rbac]# kubectl config set-cluster kubernetes \
>   --certificate-authority=/etc/kubernetes/pki/ca.crt \
>   --embed-certs=true \
>   --server=https://192.168.179.102:6443 \
>   --kubeconfig=lulei.kubeconfig
Cluster "kubernetes" set.


This produced the file:

[root@k8s-master rbac]# cat lulei.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.179.102:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

This section sets the information of the cluster to be accessed.

  • set-cluster names the cluster to access, here kubernetes; this is only a name, the real target is the apiserver that --server points to
  • --certificate-authority sets the cluster's CA certificate (public key)
  • --embed-certs=true writes the --certificate-authority certificate into the kubeconfig
  • --server is the address of the cluster's kube-apiserver

The generated kubeconfig is saved to the lulei.kubeconfig file.

User parameters

kubectl config set-credentials lulei \
  --client-key=lulei-key.pem \
  --client-certificate=lulei.pem \
  --embed-certs=true \
  --kubeconfig=lulei.kubeconfig

[root@k8s-master rbac]# kubectl config set-credentials lulei \
>   --client-key=lulei-key.pem \
>   --client-certificate=lulei.pem \
>   --embed-certs=true \
>   --kubeconfig=lulei.kubeconfig
User "lulei" set.


[root@k8s-master rbac]# cat lulei.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.179.102:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: lulei
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

This section sets the user information, chiefly the user certificate. Above, the user name is lulei, the certificate is lulei.pem and the private key is lulei-key.pem. Note that the client certificate must first be signed by the cluster CA, otherwise the cluster will not accept it. CA-based authentication is used here; token authentication is also possible, for example the bootstrapping in kubelet's TLS Bootstrap mechanism uses tokens. Since this kubectl uses CA authentication, no token field is needed.

Context parameters

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=lulei \
  --kubeconfig=lulei.kubeconfig



# set the context parameters
[root@k8s-master rbac]# kubectl config set-context kubernetes \
>   --cluster=kubernetes \
>   --user=lulei \
>   --kubeconfig=lulei.kubeconfig
Context "kubernetes" created.


[root@k8s-master rbac]# cat lulei.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.179.102:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: lulei
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: lulei
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

Several cluster/user pairs can be configured at the same time; the context parameters tie a cluster to a user. The context above is named kubernetes, its cluster is kubernetes and its user is lulei, meaning lulei's credentials are used to access the default namespace of the kubernetes cluster; --namespace can be added to select a different namespace.

Finally, kubectl config use-context kubernetes selects the environment named kubernetes as the active configuration. If several environments are configured, switching between their names gives access to different cluster environments.

# set the configuration currently in use

kubectl config use-context kubernetes --kubeconfig=lulei.kubeconfig
[root@k8s-master rbac]# kubectl config use-context kubernetes --kubeconfig=lulei.kubeconfig
Switched to context "kubernetes".

contexts:
- context:
    cluster: kubernetes
    user: lulei
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}      

The configuration above works; the response says only that user lulei is not allowed to list this resource:

[root@k8s-master rbac]# kubectl --kubeconfig=lulei.kubeconfig get pod
Error from server (Forbidden): pods is forbidden: User "lulei" cannot list resource "pods" in API group "" in the namespace "default"      

With the administrator's config file the same resource is accessible:

[root@k8s-master rbac]# kubectl --kubeconfig=/root/.kube/config  get pod
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6799fc88d8-drb2s   1/1     Running   3          64d      

This shows the config file is fine; only the corresponding permissions are missing.
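The same four-step procedure (set-cluster, set-credentials, set-context, use-context) expressed as Python, as an added example that is not code from the original post: it builds the kubeconfig structure shown above, embeds the PEM files the way --embed-certs=true does, and checks the cross-references before the file is handed to a user. The PEM inputs are whatever strings the caller passes (use the cfssl outputs in practice); unlike kubectl, set_context here always writes an explicit namespace, defaulting to "default".

```python
# Added example, not code from the original post: builds in Python the same
# kubeconfig the four `kubectl config` commands above write, embedding PEM files
# as --embed-certs=true does, and checks the cross-references kubectl relies on.
import base64

def new_config():
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "users": [], "contexts": [], "current-context": ""}

def _upsert(entries, name, key, body):
    # `kubectl config set-*` replaces an entry of the same name instead of adding a duplicate
    entries[:] = [e for e in entries if e["name"] != name]
    entries.append({"name": name, key: body})

def _embed(pem):
    # --embed-certs=true stores the file content base64-encoded under a *-data key
    return base64.b64encode(pem.encode()).decode("ascii")

def set_cluster(cfg, name, server, ca_pem):
    _upsert(cfg["clusters"], name, "cluster",
            {"server": server, "certificate-authority-data": _embed(ca_pem)})

def set_credentials(cfg, name, cert_pem, key_pem):
    _upsert(cfg["users"], name, "user",
            {"client-certificate-data": _embed(cert_pem),
             "client-key-data": _embed(key_pem)})

def set_context(cfg, name, cluster, user, namespace="default"):
    _upsert(cfg["contexts"], name, "context",
            {"cluster": cluster, "user": user, "namespace": namespace})

def use_context(cfg, name):
    cfg["current-context"] = name

def validate(cfg):
    """Return the problems found; an empty list means kubectl can use the file."""
    names = lambda key: {e["name"] for e in cfg[key]}
    problems = []
    if cfg["current-context"] not in names("contexts"):
        problems.append(f'current-context "{cfg["current-context"]}" is not defined')
    for ctx in cfg["contexts"]:
        c = ctx["context"]
        if c["cluster"] not in names("clusters"):
            problems.append(f'context {ctx["name"]}: unknown cluster {c["cluster"]}')
        if c["user"] not in names("users"):
            problems.append(f'context {ctx["name"]}: unknown user {c["user"]}')
    return problems

def build_lulei_kubeconfig(ca_pem, cert_pem, key_pem):
    cfg = new_config()
    set_cluster(cfg, "kubernetes", "https://192.168.179.102:6443", ca_pem)
    set_credentials(cfg, "lulei", cert_pem, key_pem)
    set_context(cfg, "kubernetes", "kubernetes", "lulei")
    use_context(cfg, "kubernetes")
    return cfg
```

The resulting dict can be written out with json.dumps; kubectl reads a JSON kubeconfig as well as a YAML one.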

Creating the RBAC policy

A Role and a RoleBinding are needed: the Role is a set of permissions, and the RoleBinding binds those permissions to a specific user, here the lulei user created above.

Common authorization dimensions:

• user: the user name

• group: the user group

• resource, e.g. pod, deployment

• resource verbs: get, list, create, update, patch, watch, delete

• namespace

• API group


kubectl api-resources lists every resource in Kubernetes together with the group each resource belongs to:

[root@master tls]# kubectl api-resources
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
bindings                                                                      true         Binding
componentstatuses                 cs                                          false        ComponentStatus
configmaps                        cm                                          true         ConfigMap
endpoints                         ep                                          true         Endpoints
events                            ev                                          true         Event
limitranges                       limits                                      true         LimitRange
namespaces                        ns                                          false        Namespace
nodes                             no                                          false        Node
persistentvolumeclaims            pvc                                         true         


# deployment belongs to the apps group
[root@master tls]# kubectl api-resources | grep deployment
deployments                       deploy       apps                           true         Deployment

[root@master tls]# kubectl --kubeconfig=lulei.kubeconfig get deployment
Error from server (Forbidden): deployments.apps is forbidden: User "lulei" cannot list resource "deployments" in API group "apps" in the namespace "default"

rules:
- apiGroups: ["","apps"]
  resources: ["pods","deployments"]
  verbs: ["get", "watch", "list"]

[root@master tls]# kubectl apply -f rbac.yaml 
role.rbac.authorization.k8s.io/pod-reader configured
[root@master tls]# kubectl --kubeconfig=lulei.kubeconfig get deployment
NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
nfs-client-provisioner   1/1     1            1           40d


# ingress belongs to the networking.k8s.io group
[root@master tls]# kubectl api-resources | grep ingress
ingresses                         ing          extensions                     true         Ingress
ingressclasses                                 networking.k8s.io              false        IngressClass
ingresses                         ing          networking.k8s.io              true         Ingress      
[root@k8s-master rbac]# cat rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:            # the authorization dimensions
- apiGroups: [""]   # empty means the core API group; the common resources live in the core group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]  # resource verbs

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: lulei
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


[root@k8s-master rbac]# kubectl apply -f rbac.yaml 
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created      

name: lulei matches the name in the certificate's CN field. The binding has two parts: the subject (who is bound) and the role it is bound to.

[root@k8s-master rbac]#  kubectl --kubeconfig=lulei.kubeconfig get pod
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6799fc88d8-drb2s   1/1     Running   3          64d
[root@k8s-master rbac]#  kubectl --kubeconfig=lulei.kubeconfig get deployment
Error from server (Forbidden): deployments.apps is forbidden: User "lulei" cannot list resource "deployments" in API group "apps" in the namespace "default"      

The authorization is now precise: only Pods can be viewed, no other resources.

Deleting is not allowed either:

[root@k8s-master rbac]#  kubectl --kubeconfig=lulei.kubeconfig delete pod nginx-6799fc88d8-drb2s
Error from server (Forbidden): pods "nginx-6799fc88d8-drb2s" is forbidden: User "lulei" cannot delete resource "pods" in API group "" in the namespace "default"

Now widen the permissions.

When granting access, also check which group a resource belongs to; deployment is in the apps group.

[root@k8s-master rbac]# cat rbac.yml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:        
- apiGroups: ["","apps"]
  resources: ["pods","deployments","services"]
  verbs: ["get", "watch", "list"]       
[root@k8s-master rbac]# kubectl apply -f rbac.yml 
role.rbac.authorization.k8s.io/pod-reader configured
rolebinding.rbac.authorization.k8s.io/read-pods unchanged
[root@k8s-master rbac]#  kubectl --kubeconfig=lulei.kubeconfig get deploy
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   1/1     1            1           64d
[root@k8s-master rbac]#  kubectl --kubeconfig=lulei.kubeconfig get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP        64d
nginx        NodePort    10.99.50.2   <none>        80:31332/TCP   64d      
[root@k8s-master rbac]# kubectl api-versions    # list the API groups and versions
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1      
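To make the decisions seen in the kubectl output above reproducible, here is an added example (not code from the original post) that models the RBAC check the API server performs: the certificate CN becomes the User and O the Group, a RoleBinding selects the subjects, and a request is allowed only when some bound Role has a rule matching its API group, resource and verb. It encodes the pod-reader Role and read-pods RoleBinding exactly as in the post, plus the widened rbac.yml, and reproduces the Forbidden message format; ClusterRole/ClusterRoleBinding, resourceNames and subresources are deliberately left out.

```python
# Added example, not code from the original post: a small model of the RBAC
# decision the API server makes, using this post's Role/RoleBinding and the
# CN -> User, O -> Group mapping from the client certificate (no ClusterRole).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core group (pods, services, ...)
    resources: tuple
    verbs: tuple

@dataclass(frozen=True)
class RoleBinding:
    namespace: str
    role: str        # roleRef.name, a Role in the same namespace
    subjects: tuple  # (kind, name) pairs such as ("User", "lulei") or ("Group", "k8s")

def identity_from_cert(cn, orgs=()):
    """The API server takes the certificate CN as the user and each O as a group."""
    return cn, tuple(orgs)

def _rule_allows(rule, verb, group, resource):
    return (("*" in rule.api_groups or group in rule.api_groups)
            and ("*" in rule.resources or resource in rule.resources)
            and ("*" in rule.verbs or verb in rule.verbs))

def authorize(identity, roles, bindings, verb, group, resource, namespace):
    """Return (allowed, message). RBAC is additive: allowed only if a binding for
    the user or one of its groups leads to a matching rule; otherwise Forbidden."""
    user, groups = identity
    mine = {("User", user)} | {("Group", g) for g in groups}
    for b in bindings:
        if b.namespace != namespace or not mine.intersection(b.subjects):
            continue
        rules = roles.get((b.namespace, b.role), ())   # roles: (namespace, name) -> rules
        if any(_rule_allows(r, verb, group, resource) for r in rules):
            return True, ""
    qualified = resource if group == "" else f"{resource}.{group}"  # e.g. deployments.apps
    return False, (f'{qualified} is forbidden: User "{user}" cannot {verb} resource '
                   f'"{resource}" in API group "{group}" in the namespace "{namespace}"')

# Identity and policy as in the post: CN=lulei, O=k8s; Role pod-reader bound to lulei.
LULEI = identity_from_cert("lulei", ["k8s"])
READ_PODS = RoleBinding("default", "pod-reader", (("User", "lulei"),))
POD_READER = (Rule(("",), ("pods",), ("get", "watch", "list")),)
# The widened rbac.yml from later in the post; deployments live in the apps group.
POD_READER_WIDE = (Rule(("", "apps"), ("pods", "deployments", "services"),
                        ("get", "watch", "list")),)

def check(rules, verb, group, resource, namespace="default"):
    # Evaluate one request by lulei against the given version of pod-reader.
    return authorize(LULEI, {("default", "pod-reader"): rules}, [READ_PODS],
                     verb, group, resource, namespace)
```

Binding the same Role to ("Group", "k8s") instead of ("User", "lulei") grants it to every certificate issued with O=k8s, which is why the O field deserves as much care as the CN.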

With the lulei.kubeconfig file above, kubectl can now connect to the cluster.

Summary

Whether you call the API with kubectl or use the UI, the requests go to the api server component.

The CN field is extracted from the certificate and used as your user name; in other words the user name comes from the certificate:  "CN": "lulei",

- kind: User
  name: lulei

Authorization can also be based on the group:      "O": "k8s"

A ClusterRoleBinding grants permissions on resources in all namespaces of the cluster; the following ClusterRoleBinding example shows how to grant all users in the manager group access to secrets in every namespace