Understanding Kubernetes RBAC authorization through the dashboard


# Concepts

Service Account: an account managed by the Kubernetes API, used to give the service processes running inside a Pod an identity when they access the Kubernetes API. A Service Account is normally bound to a specific namespace and is created by the API server, or created manually through an API call.
User Account: an account for a user that is managed by a service outside Kubernetes, for example keys distributed by an administrator, a user store (account database) such as Keystone, or even a file containing a list of usernames and passwords.

  • User Accounts are designed for people; Service Accounts are designed for the processes in a Pod that call the Kubernetes API.
  • User Accounts are not namespaced (they are cluster-wide); a Service Account is confined to the namespace it lives in.
  • Every namespace automatically gets a service account named default.

When a Pod is created without a service account being specified, the system assigns it the default service account of the Pod's own namespace. The account the Pod uses to talk to the API server is set in the Pod spec's serviceAccountName field.

# Goals

Allow a user to view the resources of a given namespace through kubectl

Allow a user to view resource monitoring through the dashboard

# Procedure

1. Create a ServiceAccount
2. Create a Role with the corresponding permissions
3. Bind the permissions to the account with a RoleBinding
4. Log in to the dashboard and verify the permissions
5. Build a kubeconfig from the token and log in through kubectl

1. Create the ServiceAccount

[root@master1 user]# kubectl create serviceaccount alex
serviceaccount/alex created
[root@master1 user]# kubectl get sa 
NAME      SECRETS   AGE
alex      1         17s

2. Create the Role holding alex's permissions

[root@master1 role]# cat alex_role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default_role
  namespace: default      # a Role is namespaced: it grants nothing outside "default"
rules:
- apiGroups: [""]
  # create on pods/exec lets the holder run commands inside any pod of the namespace
  resources: ["pods","pods/log","pods/exec"]
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create"]
- apiGroups: ["apps"]     # deployments live in the "apps" group, not the core ("") group
  resources: ["deployments"]
  verbs: ["get","list","watch","create"]

3. Bind the Role to the service account

[root@master1 role]# cat alex_rolebinding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default_rolebindind
  namespace: default
subjects:
- kind: User                # matches only a user literally named "alex"; the service
  apiGroup: rbac.authorization.k8s.io   # account authenticates as system:serviceaccount:default:alex
  name: alex
- kind: ServiceAccount      # namespace omitted: defaults to the RoleBinding's namespace
  name: alex
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: default_role

3.1 Apply the YAML files to create the binding

# Role
[root@master1 role]# kubectl apply -f alex_role.yaml 
role.rbac.authorization.k8s.io/default_role created

# RoleBinding
[root@master1 role]# kubectl apply -f alex_rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/default_rolebindind created

4. Log in to the dashboard and verify the permissions

4.1 # Look up the Secret that holds the token of the alex service account
[root@master1 role]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
alex-token-fbnsb      kubernetes.io/service-account-token   3      12m
chen-token-56l6t      kubernetes.io/service-account-token   3      3d1h
default-token-d79vr   kubernetes.io/service-account-token   3      3d11h
local-harbor-secret   kubernetes.io/dockerconfigjson        1      3d10h

4.2 # Read the token from the Secret; base64 -d decodes it, because Secret data is stored base64-encoded
# Alternatively copy it from the describe output: kubectl describe secret alex-token-fbnsb 
[root@master1 role]# kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d 
<service-account bearer token omitted>

5. Build a kubeconfig from the token and verify again by logging in through kubectl
5.1 Extract the cluster CA certificate (ca.crt) from the token Secret
[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d
-----BEGIN CERTIFICATE-----
<PEM body omitted>
-----END CERTIFICATE-----

[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d > alex.crt

5.2 # Create a kubeconfig file containing the cluster information

[root@master1 alex]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443  --kubeconfig=/root/role/user/alex/config --certificate-authority=alex.crt --embed-certs=true
Cluster "kubernetes" set.

5.3 # Add the user's credentials (the service-account token) to the kubeconfig

# Read the token (as in step 4.2) into a variable instead of pasting it on the command line
[root@master1 alex]# TOKEN=$(kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d)

[root@master1 alex]# kubectl config set-credentials alex --kubeconfig=/root/role/user/alex/config --token="$TOKEN"
User "alex" set.

5.4 Create the context

[root@master1 alex]# kubectl config set-context alex@kubernetes --cluster=kubernetes --user=alex --kubeconfig=/root/role/user/alex/config 
Context "alex@kubernetes" created.

# Check the result (config view redacts the token and the CA data)

[root@master1 alex]# kubectl config view --kubeconfig=./config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: REDACTED

# View the generated config file

[root@master1 alex]# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: <service-account bearer token omitted>

# Copy the config to a client machine that has kubectl installed, at the path /root/.kube/config 

[root@24d33 .kube]# kubectl config use-context alex@kubernetes
Switched to context "alex@kubernetes".

# Verify the result

[root@24d33 .kube]# kubectl get pods,svc
NAME                             READY   STATUS    RESTARTS   AGE
pod/mytomcat-5f97c868bd-bghht    1/1     Running   0          2d4h
pod/mytomcat-5f97c868bd-xh5cz    1/1     Running   0          35h
pod/mytomcat2-6746bcc65b-hmxgb   1/1     Running   0          36h

NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/kubernetes    ClusterIP   10.96.0.1       <none>        443/TCP          3d14h
service/tomcat-svc    NodePort    10.96.234.126   <none>        8080:31801/TCP   2d4h
service/tomcat2-svc   NodePort    10.98.226.189   <none>        8080:31802/TCP   36h
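Two checks worth running after the procedure above, as an added example that is not part of the original post: decode the service-account token offline to see which identity it carries, then ask the API server what that identity may and may not do with `kubectl auth can-i --as=...`. The `sub` claim is the username the API server sees (`system:serviceaccount:default:alex`), which is why the `kind: User` subject named `alex` in the RoleBinding never matches anything. The sample token is constructed here with a dummy signature; `check_rbac` assumes a kubeconfig that is allowed to impersonate, such as the cluster admin's.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the setup above.
# (1) decode the SA token offline to see which identity it carries;
# (2) ask the API server what that identity may and may not do.

# Decode JWT segment N (1 = header, 2 = payload) from base64url to text.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # restore padding
  printf '%s' "$seg" | base64 -d
}

# Print one string claim from the payload, e.g.: jwt_claim "$TOKEN" sub
jwt_claim() {
  jwt_segment "$1" 2 | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Constructed sample with the claim layout of a k8s SA token (dummy signature;
# this is NOT the token from the post).
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256","kid":"example-kid"}' | b64url).$(printf '%s' \
  '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","sub":"system:serviceaccount:default:alex"}' \
  | b64url).$(printf '%s' 'dummy-signature' | b64url)"

# Ask the API server (needs a kubeconfig allowed to impersonate, e.g. admin).
can_i() {  # can_i <verb> <resource> [namespace]  -> prints yes or no
  out=$(kubectl auth can-i "$1" "$2" -n "${3:-default}" \
          --as=system:serviceaccount:default:alex 2>/dev/null)
  echo "${out:-no}"
}

# Expected answers for the Role in this post. The "no" rows matter most: a
# stray "yes" there means the binding grants more than intended.
check_rbac() {
  fail=0
  while read -r want verb res ns; do
    got=$(can_i "$verb" "$res" "$ns")
    [ "$got" = "$want" ] || { echo "MISMATCH: $verb $res in $ns: want $want, got $got"; fail=1; }
  done <<EOF
yes list pods default
yes create pods/exec default
no get secrets default
no list pods kube-system
no list nodes default
no create rolebindings default
EOF
  return $fail
}

# Usage: jwt_claim "$SAMPLE_JWT" sub ; check_rbac   (the latter needs a cluster)
```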


Original article by bd101bd101; if reposting, cite the source: https://blog.ytso.com/274484.html