
Kubernetes: authorization based on users and user groups


Lab environment

Host           Permission
k8s-master-1   admin
k8s-node-1

Issuing a user certificate

  • Create the kubectl certificate request file. The certificate must be issued by the same CA that issued the apiserver certificate; otherwise the apiserver cannot verify it with its CA public key.
  • If a client certificate is presented and passes verification, the Common Name in the subject is used as the user name of the request.
  • Since Kubernetes 1.4, a client certificate can also carry the user's group memberships in the certificate's organization field. To include several group memberships, put several organization fields in the certificate: openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"

Creating the certificate request file

cfssl CSR format reference: https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR

  • "CN": Common Name; sets the user name to user1

  • "C": country

  • "ST": the state or province

  • "L": locality or municipality (such as city or town name)

  • "O": organisation; sets membership of two groups, group1 and group2

  • "OU": organisational unit, such as the department responsible for owning the key; it can also be used for a “Doing Business As” (DBS) name

# Setting "hosts" here has no effect and cannot restrict anything; reason unknown
[root@k8s-master-1 different]# cat > kubectl-csr.json <<EOF
{
  "CN": "user1",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "hunan",
      "L": "changsha",
      "O": "group1",
      "OU": "system"
    }
  ]
}
EOF

Issuing the certificate

  • -ca: the CA certificate that signed the apiserver certificate
  • -ca-key: its private key
  • -config: the CA configuration

# Generate the certificate
cfssl gencert -ca=/root/cluster/pki/kube-apiserver-ca.pem -ca-key=/root/cluster/pki/kube-apiserver-ca-key.pem -config=/root/cluster/pki/ca-config.json -profile=kubernetes kubectl-csr.json | cfssljson -bare kubectl

# Or with openssl
openssl genrsa -out kubectl-key 2048
openssl req -new -key kubectl-key -out kubectl.csr -subj "/CN=user1/O=group1/O=group2"
openssl x509 -req -CA /root/cluster/pki/kube-apiserver-ca.pem -CAkey /root/cluster/pki/kube-apiserver-ca-key.pem -CAcreateserial -days 730 -in kubectl.csr -out kubectl.crt

# Inspect the generated files
[root@k8s-master-1 different]# ls
kubectl.csr  kubectl-csr.json  kubectl-key.pem  kubectl.pem

# Set the cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=/root/cluster/pki/kube-apiserver-ca.pem --embed-certs=true --server=https://192.168.0.10:6443 --kubeconfig=kube.config

# Set the client credentials: this creates a kubeconfig user named "kubectl" with the certificate embedded
kubectl config set-credentials kubectl --client-certificate=kubectl.pem --client-key=kubectl-key.pem --embed-certs=true --kubeconfig=kube.config

# Set the context; --user refers to the "kubectl" entry above. That name is only a local label: requests are not made to the apiserver under this name (the apiserver takes the user name from the certificate's CN)
kubectl config set-context kubernetes --cluster=kubernetes --user=kubectl --kubeconfig=kube.config

# Set the default context
kubectl config use-context kubernetes --kubeconfig=kube.config

# Copy kube.config to k8s-node-1
[root@k8s-master-1 different]# ssh root@k8s-node-1 "mkdir -p /root/.kube/" && scp kube.config root@k8s-node-1:/root/.kube/config

# Run a command on k8s-node-1: it fails because the user has not been authorized yet
[root@k8s-node-1 .kube]# kubectl get pods -A
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" at the cluster scope

Granting permissions by user and by group

cluster-admin is granted through the system:masters group. If a user certificate is created with /CN=XX/O=system:masters, that user holds super-administrator privileges.

Authorization by user

# Authorize by user. The cluster-admin ClusterRole is very powerful and can operate on every resource in the cluster; a custom ClusterRole can be used instead
[root@k8s-master-1 different]# kubectl create clusterrolebinding kubectl-test --clusterrole=cluster-admin --user=user1
clusterrolebinding.rbac.authorization.k8s.io/kubectl-test created

# After authorizing, check whether the command now works
[root@k8s-node-1 .kube]# kubectl get nodes
NAME           STATUS   ROLES    AGE     VERSION
k8s-master-1   Ready    master   5d19h   v1.20.15
k8s-node-1     Ready    node     5d19h   v1.20.15

# Remove the authorization
[root@k8s-master-1 different]# kubectl delete clusterrolebinding kubectl-test
clusterrolebinding.rbac.authorization.k8s.io "kubectl-test" deleted

Authorization by user group

# Authorize by group
[root@k8s-master-1 different]# kubectl create clusterrolebinding kubectl-test --clusterrole=cluster-admin --group=group1
clusterrolebinding.rbac.authorization.k8s.io/kubectl-test created

# After authorizing, check whether the command now works
[root@k8s-node-1 .kube]# kubectl get nodes
NAME           STATUS   ROLES    AGE     VERSION
k8s-master-1   Ready    master   5d19h   v1.20.15
k8s-node-1     Ready    node     5d19h   v1.20.15

# Remove the authorization
[root@k8s-master-1 different]# kubectl delete clusterrolebinding kubectl-test
clusterrolebinding.rbac.authorization.k8s.io "kubectl-test" deleted
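Added example, not from the original post: a small Python model of the mapping this post relies on (the certificate's CN becomes the user name, each O becomes a group), checked against the two bindings created above, so the difference between the --user and --group bindings and the system:masters caveat can be reviewed offline. The binding names, subject tuples and the simplified matching logic are assumptions of this example, not the apiserver's own code.

```python
# Added example, not from the original post: models how kube-apiserver derives an
# identity from a client certificate subject (CN -> user, each O -> a group) and
# how ClusterRoleBinding subjects are matched against it (simplified model).
SUPERUSER_GROUP = "system:masters"  # built-in superuser group, honoured before RBAC


def identity_from_subject(subject):
    """Parse an openssl-style subject such as '/CN=user1/O=group1/O=group2'
    into (user, groups); repeated O= entries become multiple groups."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject has no CN, so no user name can be derived")
    return user, groups


def binding_matches(user, groups, subjects):
    """subjects: (kind, name) pairs, like a ClusterRoleBinding's .subjects."""
    return any((kind == "User" and name == user) or (kind == "Group" and name in groups)
               for kind, name in subjects)


def cluster_admin_reasons(subject, bindings):
    """bindings: {binding_name: (clusterRole, [(kind, name), ...])}.
    Returns every reason the certificate holder has cluster-admin, including
    the implicit system:masters grant that no RBAC object reveals."""
    user, groups = identity_from_subject(subject)
    reasons = [name for name, (role, subjects) in bindings.items()
               if role == "cluster-admin" and binding_matches(user, groups, subjects)]
    if SUPERUSER_GROUP in groups:
        reasons.append("member of system:masters (implicit, bypasses RBAC)")
    return reasons


# Constructed sample data: the two bindings the post creates with kubectl.
BINDINGS = {
    "kubectl-test-user": ("cluster-admin", [("User", "user1")]),
    "kubectl-test-group": ("cluster-admin", [("Group", "group1")]),
}

if __name__ == "__main__":
    for subj in ("/CN=user1/O=group1/O=group2", "/CN=user2/O=group2",
                 "/CN=XX/O=system:masters"):
        print(subj, "->", identity_from_subject(subj), cluster_admin_reasons(subj, BINDINGS))
```

Auditing real certificates the same way means reading the subject with openssl x509 -noout -subject and listing the cluster's ClusterRoleBindings; any certificate whose O field contains system:masters is all-powerful even if no binding names it.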