
K8S 认证和授权

k8s 常见的客户端认证方式有 token 和 X.509 客户端证书两种,凭据一般保存在 kubeconfig 文件中。以下用客户端证书 + kubeconfig 的方式演示。

[root@k8s-master-01 k8s]# mkdir -p testUser
[root@k8s-master-01 k8s]# cd testUser/
[root@k8s-master-01 testUser]# ls
#生成私钥
[root@k8s-master-01 testUser]# openssl genrsa -out testUser.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.....+++
e is 65537 (0x10001)
[root@k8s-master-01 testUser]# ls
testUser.key
#生成证书请求文件,其中 CN=testUser 指明用户名,O=Apple 指明该用户所属的组
[root@k8s-master-01 testUser]# openssl req -new -key testUser.key -out testUser.csr -subj "/CN=testUser/O=Apple"
[root@k8s-master-01 testUser]# ls
testUser.csr  testUser.key
#对证书请求文件做 base64 编码(去掉换行),用于填入 csr.yaml 的 request 字段
[root@k8s-master-01 testUser]# cat testUser.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVJNQThHQTFVRUF3d0lkR1Z6ZEZWelpYSXhEakFNQmdOVkJBb01CVUZ3Y0d4bApNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTVhODVSUGx2MWhodnFJdU4xak5jCi9leE04SkNGbjNqYnhNMHAySUpDSzdHbHpvZkZlWGZsRnNyeFBUR0FDWTN5bkwyVG41bXFvcDR6NThQaGFQcGkKZ1I0bldkWWQ5OGNlNXY1UWhlVmFNK2lBS1M1UjlNRHJOM1hPcDQ1V3EyYityRXRnUWR2cXZlYnZzU0VVTlhpMgpONnp3ZW1xYlFPVkMwa2NkbzV3YWxCd0tqTk9KdGljZVZIN3dIUmpVNGYyRCtLM2RPc3pwNXo4NjhMeGhEMnRQCkYrc1MwR25kWWhBQWdLUkYvTGdPRERQT3BGaHBPbWNmdVd5dWhpQ3VRUkVmdVdTQXU0SW94WjNLaU5EZmZFa0sKR1hPd3BWd0NiY0pxc3Fib1BZRUlHTzA5RFUyaWJJVVZBMUVMbW5GVXJDSHdaQmw2WGthMDNWVURFbG85dkdsWgp3UUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQmNGT1BDbFdzaWpXQ3FPUm8zM085UTJWS2Y2CldDdTA1UlI0NytWUnlKL1p5Ukxha2cwZVBXOWFzdG5UdDRlcC9kbHdwaEcwNVM3SlF3aCtoYTlNMk8rdVZMUXEKU3hxWUVHMlJUWVluMG1jWmpEK0phZHpVVmoxdFV5U0NJTUV3ZVVJRnFHVXdCOUNzaVMwOG9WUlFvdytLbmtMaQpLTGRZNGQyK1dmODduQTQxSHpBbmNmSUNvdTdtUGgrOVZEeSticzducWJvUHk4a0QzbllqeTJ5aDhHa0FVR0ZTCmlETkVwOUxCZDAxcWVteWFWMFQxZVA0cjRyL1pUSTlyakZDR1FUdmJ3dWtBMWFNL3F4anRCZjIzemdVZXBRYlYKUUxoM0o3ajdpMFk5OG1SL25GZG1KL2dwdDhIK1VTWUk1UW5IZkRKY0IwSkNhZ2xza2NseTdHK2FvWnc9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
#创建csr.yaml并应用
[root@k8s-master-01 testUser]# vim csr.yaml
[root@k8s-master-01 testUser]# kubectl apply -f csr.yaml
certificatesigningrequest.certificates.k8s.io/testUser created
[root@k8s-master-01 testUser]# cat csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: testUser
spec:
  groups:
  - system:authenticated
  signerName: kubernetes.io/kube-apiserver-client
  request: 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
  usages:
  - client auth
#刚创建的 csr 处于 Pending 状态,等待审批
[root@k8s-master-01 testUser]# kubectl get csr
NAME       AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
testUser   57s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending
#审批通过后,csr 变为 Approved,Issued 状态,证书已签发
[root@k8s-master-01 testUser]# kubectl certificate approve testUser
certificatesigningrequest.certificates.k8s.io/testUser approved
[root@k8s-master-01 testUser]# kubectl get csr
NAME       AGE     SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
testUser   3m17s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Approved,Issued
[root@k8s-master-01 testUser]# kubectl get csr testUser -o yaml
status:
  certificate: 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
#用 jsonpath 方式只取出证书字段
[root@k8s-master-01 testUser]# kubectl get csr testUser -o jsonpath='{.status.certificate}'
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
#取出证书字段并 base64 解码,写入 testUser.crt
[root@k8s-master-01 testUser]# kubectl get csr testUser -o jsonpath='{.status.certificate}' | base64 -d >testUser.crt
#拷贝集群 CA 证书到当前目录
[root@k8s-master-01 testUser]# cp /etc/kubernetes/pki/ca.crt .
[root@k8s-master-01 testUser]# ls
ca.crt  csr.yaml  testUser.crt  testUser.csr  testUser.key #.key为用户私钥,.crt为用户证书
#设置集群字段(集群地址和 CA 证书)
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-cluster cluster1 --server=https://192.168.71.133:6443 --certificate-authority=ca.crt --embed-certs=true
#设置用户字段(客户端证书和私钥)
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-credentials testUser --client-certificate=testUser.crt --client-key=testUser.key --embed-certs=true
User "testUser" set.
#设置上下文字段,将用户、集群和默认 namespace 关联起来
[root@k8s-master-01 testUser]# kubectl config --kubeconfig=kubeconfigTest set-context context1 --cluster=cluster1 --namespace=default --user=testUser
Context "context1" created.
#使用该配置文件查看 pod 信息:认证已成功(apiserver 识别出了 User "testUser"),但该用户没有 list pods 的权限,需要为其分配授权。
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
Error from server (Forbidden): pods is forbidden: User "testUser" cannot list resource "pods" in API group "" in the namespace "default"
#查看当前授权策略,可以看到为 Node 和 RBAC 模式
[root@k8s-master-01 testUser]# cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep "authorization"
    - --authorization-mode=Node,RBAC
#改为 AlwaysAllow 模式后再次查看:该模式下 apiserver 不做任何授权检查,所有通过认证的请求都会被放行,所以 testUser 可以直接列出 pods。后续的 RBAC 实验以恢复为 Node,RBAC 为前提。
[root@k8s-master-01 testUser]# cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep "authorization"
    #- --authorization-mode=Node,RBAC
    - --authorization-mode=AlwaysAllow
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
No resources found in default namespace.

RBAC 授权方式不会直接把权限授予用户,而是先把权限定义在 role 中,再通过 rolebinding 把 role 绑定给用户(或 sa、group)。role 只属于一个 namespace,而 clusterrole 作用于所有 namespace,通过 clusterrolebinding 绑定给用户。

#创建一个角色,只允许对 pod 做 get/list/watch
[root@k8s-master-01 testUser]# kubectl create role roleTest --verb=get,list,watch --resource=pod --dry-run -o yaml >roleTest.yaml
W0214 00:18:24.637610  115345 helpers.go:598] --dry-run is deprecated and can be replaced with --dry-run=client.
[root@k8s-master-01 testUser]# more roleTest.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: roleTest
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@k8s-master-01 testUser]# kubectl apply -f roleTest.yaml
role.rbac.authorization.k8s.io/roleTest created
#创建 rolebinding,把 roleTest 绑定给用户 testUser(rolebinding 与 role 同属当前 namespace app01)
[root@k8s-master-01 testUser]# kubectl create rolebinding testRoleBinding --role=roleTest --user=testUser
rolebinding.rbac.authorization.k8s.io/testRoleBinding created
[root@k8s-master-01 testUser]# kubectl get rolebindings
NAME              ROLE            AGE
testRoleBinding   Role/roleTest   19s
[root@k8s-master-01 testUser]# kubectl get rolebinding testRoleBinding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-02-13T16:24:22Z"
  name: testRoleBinding
  namespace: app01
  resourceVersion: "256904"
  uid: 0d4a9b67-dcea-4468-9d3e-6dfc27ceb19f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: roleTest #引用哪个名称的role,这里为上述创建的roleTest
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testUser
#roleTest 和 rolebinding 都在 app01 中,而 kubeconfigTest 的上下文指向 default,因此要把 kubeconfigTest 中的 namespace 改为 app01(当前 ns),如下
#contexts:
#- context:
#    cluster: cluster1
#    namespace: app01
#    user: testUser
#使用 kubeconfigTest 配置文件查看 pods,此时已有权限
[root@k8s-master-01 testUser]# kubectl --kubeconfig=kubeconfigTest get pods
NAME                        READY   STATUS    RESTARTS      AGE
mydeploy-67b66cbd74-tckxf   1/1     Running   1 (11h ago)   24h
#创建名为 cRole 的 clusterrole,允许对 pod 和 svc 做 get/create/delete
[root@k8s-master-01 testUser]# kubectl create clusterrole cRole --verb=get,create,delete --resource=pod,svc --dry-run -o yaml > cRoleTest.yaml
W0214 13:41:20.976880   19293 helpers.go:598] --dry-run is deprecated and can be replaced with --dry-run=client.
[root@k8s-master-01 testUser]# more cRoleTest.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - create
  - delete
#通过 clusterrolebinding 把 cRole 绑定给 testUser,这些权限在所有 namespace 中生效
[root@k8s-master-01 testUser]# kubectl create clusterrolebinding cBind --clusterrole=cRole --user=testUser

K8S 中授权的主体(subject)包括 User 和 ServiceAccount(sa)。在本实验所用的版本中,创建 sa 后会自动为其创建一个保存 token 的 secret。sa 实验如下

#创建一个 sa,名为 satest。会自动产生一个以 satest-token 开头的 secret
[root@k8s-master-01 testUser]# kubectl create sa satest
serviceaccount/satest created
[root@k8s-master-01 testUser]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-kxfs4   kubernetes.io/service-account-token   3      3d2h
satest-token-9dcpl    kubernetes.io/service-account-token   3      3m7s
#通过 clusterrolebinding 把内置的 cluster-admin 角色绑定给 app01 命名空间下的 sa satest,即赋予该 sa 全集群管理员权限
[root@k8s-master-01 testUser]# kubectl create clusterrolebinding saCbind --clusterrole=cluster-admin --serviceaccount=app01:satest
clusterrolebinding.rbac.authorization.k8s.io/saCbind created
#通过 jsonpath 从 sa 对应的 secret 中取出 token 并 base64 解码,即 dashboard 的登录 token;持有该 token 即拥有对应 sa 被授予的全部权限
[root@k8s-master-01 testUser]# kubectl get secrets -n kubernetes-dashboard
NAME                               TYPE                                  DATA   AGE
admin-user-token-b8hnm             kubernetes.io/service-account-token   3      4d22h
default-token-rq2p4                kubernetes.io/service-account-token   3      4d22h
kubernetes-dashboard-certs         Opaque                                0      4d22h
kubernetes-dashboard-csrf          Opaque                                1      4d22h
kubernetes-dashboard-key-holder    Opaque                                2      4d22h
kubernetes-dashboard-token-whqcq   kubernetes.io/service-account-token   3      4d22h
[root@k8s-master-01 testUser]# kubectl get secrets -n kubernetes-dashboard admin-user-token-b8hnm -o jsonpath='{.data.token}' | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6Ilk3QVo5bmFucWxLUGVOa0tmRm0wb2wwdFN5MlFWemJFdTlvMjhjdFhrUjAifQ.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.ckIDLFsWcubrr9wQnpIiRt0lEZvpbw4nZgs3gGBWtTUs3u4IESGtp5bL4Ukq-03fntgH4C7PwDgA80dqFpbkxNUSHjzpG_Q_kYKgVSLptUxbw3gqKsS6oQ6MYsNyszppShQm2bzBhDBBlBnkGptIUDqNhX57llz2N6hIz3sQ6LyfQyNNfyidXu_GFBvjdkWM3U0QC3P_zAjtObxEGonULIZ_Z0xpnx6qQDsrHVYSLr13PYuOPwbSuwaLh_SR7F1zZg1aN5tmj-gpKmLtY6hE4vD2tf7e4CTZwYVV_YOpcMC34rJ7F9bfDEJBE3boraA_cetkusfl0c8fpTBmYcPSkw