Kubernetes Authentication and Authorization

API server security controls

  • Authentication: verifying identity
  • Authorization: which resources you may access
  • Admission: a chain of controllers (successive checkpoints), oriented towards cluster security control and management

Kubectl authentication and authorization

kubectl clearly authenticates its requests with a TLS client certificate, i.e. the client's own certificate.

vi ~/.kube/config   # the client certificate is the base64 value of client-certificate-data under users:
kubectl config view --raw -o jsonpath='{.users[0].user.client-certificate-data}' | base64 -d > kubectl.crt
openssl verify -CAfile /etc/kubernetes/pki/ca.crt kubectl.crt   # must chain to the cluster CA
openssl x509 -in kubectl.crt -text -noout   # view the certificate contents in text form

RBAC

Role

A Role can only grant access within a single namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

## apiGroups: "", "apps", "autoscaling", "batch", ... (list them with: kubectl api-versions)
## resources: "services", "pods", "deployments", ... (list them with: kubectl api-resources)
## verbs: "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"
## note: exec is not a verb; it is the pods/exec subresource, used with the "create" verb

ClusterRole

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User   # this can be User, Group or ServiceAccount
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
### A RoleBinding can also reference a ClusterRole: a RoleBinding in the development namespace that binds the user dave to the cluster role secret-reader grants dave those permissions only within development; even though secret-reader is a ClusterRole, the RoleBinding confines it to its own namespace.

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager 
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
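To make the scoping rules in the RBAC section concrete, here is an added example (not code from the original post) that models how the authorizer resolves the four manifests above: a Role applies only in its namespace, a RoleBinding confines even a ClusterRole to the binding's namespace, and a ClusterRoleBinding applies everywhere. The objects are Python dicts transcribed from the YAML; the dave/development binding comes from the comment under the RoleBinding.

```python
# Minimal model of Kubernetes RBAC resolution; constructed for illustration, not the apiserver's code.

ROLES = {  # (namespace, name) -> rules; a Role exists only inside its namespace
    ("default", "pod-reader"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
CLUSTER_ROLES = {  # name -> rules; cluster-scoped objects
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
# RoleBindings: (binding namespace, subject kind, subject name, roleRef kind, roleRef name)
ROLE_BINDINGS = [
    ("default", "User", "jane", "Role", "pod-reader"),
    ("development", "User", "dave", "ClusterRole", "secret-reader"),  # ClusterRole bound via RoleBinding
]
# ClusterRoleBindings: (subject kind, subject name, roleRef kind, roleRef name)
CLUSTER_ROLE_BINDINGS = [
    ("Group", "manager", "ClusterRole", "secret-reader"),
]


def rule_matches(rule, api_group, resource, verb):
    """A rule grants a request when group, resource and verb all match (or are wildcarded)."""
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def subject_matches(kind, name, user, groups):
    return (kind == "User" and name == user) or (kind == "Group" and name in groups)


def rules_for(ref_kind, ref_name, namespace):
    """roleRef lookup: a Role is resolved in the binding's namespace, a ClusterRole cluster-wide."""
    if ref_kind == "Role":
        return ROLES.get((namespace, ref_name), [])
    return CLUSTER_ROLES.get(ref_name, [])


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Mimic `kubectl auth can-i`: allowed if any binding for this subject carries a matching rule."""
    # ClusterRoleBindings grant their rules in every namespace.
    for kind, name, ref_kind, ref_name in CLUSTER_ROLE_BINDINGS:
        if subject_matches(kind, name, user, groups) and any(
                rule_matches(r, api_group, resource, verb) for r in rules_for(ref_kind, ref_name, namespace)):
            return True
    # RoleBindings grant only inside their own namespace, even when roleRef is a ClusterRole.
    for ns, kind, name, ref_kind, ref_name in ROLE_BINDINGS:
        if ns == namespace and subject_matches(kind, name, user, groups) and any(
                rule_matches(r, api_group, resource, verb) for r in rules_for(ref_kind, ref_name, namespace)):
            return True
    return False
```

Against a live cluster the equivalent least-privilege check is `kubectl auth can-i --as=jane -n default list pods`, which should answer yes, while `kubectl auth can-i --as=jane -n kube-system list pods` should answer no.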

Service Account

The authentication used earlier to access the Dashboard

kubectl -n kubernetes-dashboard get sa admin -o yaml
kubectl -n kubernetes-dashboard describe secret admin-token-2t2hh

Calling the Kubernetes API during development

 curl -k  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlItRS1ZVHZsZEhDVXlpUURQYTJyeWJJdkx2VDdDM21MZ3VWV3Rld2R5STQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi0ydDJoaCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjlmYWJjYWU2LTc2NTktNDY3OS1iNTBiLTMxZTdhNzM5N2JkMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbiJ9.oHunLuAZ59Hn9ker0uT0WSpK0ObbP_3BZZPtKibtLPZfrG-qGKUu2HYaxu5Ob9mlEhaIFH7YoxPdWcx-4R5ceXV0qQgrPzz9Jy4XNmM6z-1zvUInH-1K-CST5LCvHEFTWHZI8EiNgkhntetHPR8EzBcxDSKq0f6DD2GfyJyCXD8DeTU0ys2mV4RcA4Rl95J-UO_jwz98nNOP9RIM0vImCocLL59z8sIIsOHUCdWfZLsvK0EyI9PY6sR6Xtr8bNTV9EoT_4NbEj4iSPsYdrok2rT-o9cssDi3Adt-tuSjtJJ1E6lPFu_q36jlmYXO9_opmdwTp-Drw1GOkZ9lMWcxRQ" https://192.168.188.8:6443/api/v1/namespaces/demo/pods?limit=500