成熟丰满熟妇高潮XXXXX,人妻无码AV中文系列久久兔费 ,国产精品一国产精品,国精品午夜福利视频不卡麻豆


K8S - Introduction to the Access Control Mechanism

Source: 九壹網

Even when automating, we would consider using Ansible to operate the master node remotely…

So by default, most developers have no need to study k8s access control in depth.

But for SRE or DevOps engineers it is still worth understanding; this article only introduces the basic concepts and does not go deep.



Introduction to the K8S authentication and authorization mechanism

Kubernetes (K8s) access control mainly involves two aspects, authentication and authorization:

Authentication covers both user authentication and service account (SA) authentication.

Authorization is the familiar RBAC (Role-based Access Control).

As the figure below shows, every management operation on a k8s cluster goes through the API server, which in turn calls the kubelet on the nodes.

Authentication and authorization are performed inside the API server: any call to an API exposed by the API server must first pass authentication and authorization.





K8S user accounts

In Kubernetes, user accounts (User Account) are usually not resources managed directly; they are handled by authentication plugins and identity providers. These identity providers can include basic authentication, certificate authentication, token authentication, OpenID Connect and so on. Once a user has authenticated successfully, Kubernetes uses the identity information they supplied when calling the cluster's authorization plugins to decide whether the user is permitted to perform the requested operation.

To create user accounts you usually rely on an external identity provider such as LDAP, Active Directory or OpenID Connect. The identity provider verifies the user's identity and maps successfully authenticated users to specific user accounts in Kubernetes.

In short, we normally don't use them, unless a large enterprise's k8s platform chooses to use User accounts.





K8S service accounts

By contrast, k8s service accounts (SA) deserve our attention, because SAs are managed by k8s itself, including their creation and authorization.

Normally, when a namespace is created, an SA named default is created automatically in that namespace.

We can use the following command to view the SAs in a namespace:

gateman@MoreFine-S500: conf$ kubectl get sa -n default
NAME      SECRETS   AGE
default   1         206d





Comparison of K8S service accounts and user accounts





Service Account Admission Controller

This controller mainly manages the SA settings of Pods.
It is part of the apiserver. When a Pod is created or modified:

  1. If the Pod has no SA set, it sets the Pod's SA to default (default is an SA).
  2. It ensures the SA the Pod references exists; otherwise it rejects the Pod create or modify request.
  3. If the Pod contains no ImagePullSecrets, it adds the SA's imagePullSecrets to the Pod (provided that SA has ImagePullSecrets configured).
  4. It adds a Volume containing the API access token to the Pod, mounted at /var/run/secrets/kubernetes.io/serviceaccount (inside the container).

Example: the default SA's token mounted inside a pod.

gateman@MoreFine-S500: conf$ kubectl exec -it deployment-cloud-order-5f46d97659-2d7nk /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.


bash-4.4# pwd
/var/run/secrets/kubernetes.io/serviceaccount
bash-4.4# ls
ca.crt	namespace  token
bash-4.4# cat namespace 
default
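The four admission steps above can be followed more easily in code. The block below is an added example, not code from the original article or from Kubernetes itself: it models the ServiceAccount admission plugin as plain Python over dict-shaped Pod and ServiceAccount objects. The sample ServiceAccounts (default, no-token, registry-puller) and the Pod are constructed for the example. Step 4 is modelled as the projected token volume current clusters mount (token, ca.crt and namespace, matching the directory listing above); the real volume name carries a random suffix, which is omitted here. It also shows the one knob worth knowing as a defender: `automountServiceAccountToken: false` on the Pod or on the SA stops the token from being mounted in workloads that never call the API.

```python
"""Simulate the ServiceAccount admission plugin on a Pod spec.

Added example (not from the article): the four steps the article lists,
as plain Python over dict-shaped Pod and ServiceAccount objects.
Nothing here talks to a real API server.
"""
import copy

TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


class AdmissionError(Exception):
    """Raised when the admission plugin would reject the Pod."""


def admit_pod(pod, service_accounts):
    """Return a mutated copy of `pod`, as the ServiceAccount admission plugin would.

    `service_accounts` maps (namespace, name) -> ServiceAccount dict.
    """
    pod = copy.deepcopy(pod)
    ns = pod["metadata"]["namespace"]
    spec = pod["spec"]

    # Step 1: a Pod without serviceAccountName gets the namespace's "default" SA.
    sa_name = spec.get("serviceAccountName") or "default"
    spec["serviceAccountName"] = sa_name

    # Step 2: the referenced SA must exist, otherwise the request is rejected.
    sa = service_accounts.get((ns, sa_name))
    if sa is None:
        raise AdmissionError(f'serviceaccount "{sa_name}" not found in namespace "{ns}"')

    # Step 3: a Pod with no imagePullSecrets inherits the SA's (if the SA has any).
    if not spec.get("imagePullSecrets") and sa.get("imagePullSecrets"):
        spec["imagePullSecrets"] = copy.deepcopy(sa["imagePullSecrets"])

    # Step 4: mount a projected token volume into every container, unless
    # automountServiceAccountToken is false (the Pod setting overrides the SA's).
    automount = spec.get("automountServiceAccountToken")
    if automount is None:
        automount = sa.get("automountServiceAccountToken", True)
    if automount:
        volume_name = "kube-api-access"  # real clusters append a random suffix
        spec.setdefault("volumes", []).append({
            "name": volume_name,
            "projected": {"sources": [
                {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
                {"configMap": {"name": "kube-root-ca.crt",
                               "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
                {"downwardAPI": {"items": [{"path": "namespace",
                                            "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
            ]},
        })
        for container in spec["containers"]:
            container.setdefault("volumeMounts", []).append(
                {"name": volume_name, "mountPath": TOKEN_MOUNT_PATH, "readOnly": True})
    return pod


# Constructed sample ServiceAccounts (not from the article's cluster).
SERVICE_ACCOUNTS = {
    ("default", "default"): {"metadata": {"name": "default", "namespace": "default"}},
    ("default", "no-token"): {"metadata": {"name": "no-token", "namespace": "default"},
                              "automountServiceAccountToken": False},
    ("default", "registry-puller"): {"metadata": {"name": "registry-puller", "namespace": "default"},
                                     "imagePullSecrets": [{"name": "regcred"}]},
}


def sample_pod(**spec_overrides):
    """A minimal constructed Pod in the default namespace."""
    spec = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    spec.update(spec_overrides)
    return {"metadata": {"name": "demo", "namespace": "default"}, "spec": spec}


def mounted_paths(pod):
    """Mount paths of every volumeMount across the Pod's containers."""
    return [m["mountPath"] for c in pod["spec"]["containers"] for m in c.get("volumeMounts", [])]


if __name__ == "__main__":
    admitted = admit_pod(sample_pod(), SERVICE_ACCOUNTS)
    print(admitted["spec"]["serviceAccountName"], mounted_paths(admitted))
    try:
        admit_pod(sample_pod(serviceAccountName="missing"), SERVICE_ACCOUNTS)
    except AdmissionError as err:
        print("rejected:", err)
```

Running it admits the bare Pod under the default SA with the token mounted at the path shown in the article's shell session, rejects a Pod that references an SA which does not exist, and leaves no token volume on a Pod using the no-token SA.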





Token Controller

Every SA is associated with a token, and that token is managed by the Token Controller.





Service Account Controller

Very simple: this controller manages the SAs in namespaces.
It ensures that each namespace has an SA named default.





Role

Scope: a Role is namespace-specific. It defines permissions on resources inside a particular namespace.
Target: a Role is generally used to control access to resources within that namespace.
Example use: assign a Role to a user or ServiceAccount in a particular namespace to grant them permission to operate on resources in that namespace.

The following command lists the Roles in each namespace:

gateman@MoreFine-S500: conf$ kubectl get role --all-namespaces
NAMESPACE       NAME                                             CREATED AT
ingress-nginx   ingress-nginx                                    2024-06-24T18:17:27Z
kube-public     kubeadm:bootstrap-signer-clusterinfo             2024-02-23T20:44:20Z
kube-public     system:controller:bootstrap-signer               2024-02-23T20:44:19Z
kube-system     extension-apiserver-authentication-reader        2024-02-23T20:44:19Z
kube-system     kube-proxy                                       2024-02-23T20:44:20Z
kube-system     kubeadm:kubelet-config-1.23                      2024-02-23T20:44:19Z
kube-system     kubeadm:nodes-kubeadm-config                     2024-02-23T20:44:19Z
kube-system     system::leader-locking-kube-controller-manager   2024-02-23T20:44:19Z
kube-system     system::leader-locking-kube-scheduler            2024-02-23T20:44:19Z
kube-system     system:controller:bootstrap-signer               2024-02-23T20:44:19Z
kube-system     system:controller:cloud-provider                 2024-02-23T20:44:19Z
kube-system     system:controller:token-cleaner                  2024-02-23T20:44:19Z

We can see that the default namespace has no Role defined.

To view the permissions of a specific Role, let's look at the ingress-nginx Role from above:


gateman@MoreFine-S500: conf$ kubectl get role ingress-nginx -n ingress-nginx -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  creationTimestamp: "2024-06-24T18:17:27Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.10.1
    helm.sh/chart: ingress-nginx-4.10.1
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "3038700"
  uid: f27340df-0f11-448d-8591-baaca1b2
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get





ClusterRole

Scope: a ClusterRole spans the whole cluster (cluster-wide). It defines permissions on resources across the entire cluster.
Target: a ClusterRole is used to control access to cluster-level resources, such as nodes and namespaces.
Example use: assign a ClusterRole to a user or ServiceAccount with cluster-wide responsibilities to allow them to operate on resources throughout the cluster.

Since ClusterRoles apply to all namespaces, we can list all of them with the following command:

gateman@MoreFine-S500: conf$ kubectl get clusterrole
NAME                                                                   CREATED AT
admin                                                                  2024-02-23T20:44:18Z
cluster-admin                                                          2024-02-23T20:44:18Z
edit                                                                   2024-02-23T20:44:18Z
flannel                                                                2024-03-08T18:25:29Z
ingress-nginx                                                          2024-06-24T18:17:26Z
kubeadm:get-nodes                                                      2024-02-23T20:44:20Z
system:aggregate-to-admin                                              2024-02-23T20:44:18Z
system:aggregate-to-edit                                               2024-02-23T20:44:18Z
system:aggregate-to-view                                               2024-02-23T20:44:18Z
system:auth-delegator                                                  2024-02-23T20:44:18Z
system:basic-user                                                      2024-02-23T20:44:18Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2024-02-23T20:44:18Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2024-02-23T20:44:18Z
system:certificates.k8s.io:kube-apiserver-client-approver              2024-02-23T20:44:18Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2024-02-23T20:44:18Z
system:certificates.k8s.io:kubelet-serving-approver                    2024-02-23T20:44:18Z
system:certificates.k8s.io:legacy-unknown-approver                     2024-02-23T20:44:18Z
system:controller:attachdetach-controller                              2024-02-23T20:44:18Z
system:controller:certificate-controller                               2024-02-23T20:44:19Z
system:controller:clusterrole-aggregation-controller                   2024-02-23T20:44:18Z
system:controller:cronjob-controller                                   2024-02-23T20:44:18Z
system:controller:daemon-set-controller                                2024-02-23T20:44:18Z
system:controller:deployment-controller                                2024-02-23T20:44:18Z
system:controller:disruption-controller                                2024-02-23T20:44:18Z
system:controller:endpoint-controller                                  2024-02-23T20:44:18Z
system:controller:endpointslice-controller                             2024-02-23T20:44:18Z
system:controller:endpointslicemirroring-controller                    2024-02-23T20:44:18Z
system:controller:ephemeral-volume-controller                          2024-02-23T20:44:18Z
system:controller:expand-controller                                    2024-02-23T20:44:18Z
system:controller:generic-garbage-collector                            2024-02-23T20:44:18Z
system:controller:horizontal-pod-autoscaler                            2024-02-23T20:44:18Z
system:controller:job-controller                                       2024-02-23T20:44:18Z
system:controller:namespace-controller                                 2024-02-23T20:44:18Z
system:controller:node-controller                                      2024-02-23T20:44:18Z
system:controller:persistent-volume-binder                             2024-02-23T20:44:18Z
system:controller:pod-garbage-collector                                2024-02-23T20:44:19Z
system:controller:pv-protection-controller                             2024-02-23T20:44:19Z
system:controller:pvc-protection-controller                            2024-02-23T20:44:19Z
system:controller:replicaset-controller                                2024-02-23T20:44:19Z
system:controller:replication-controller                               2024-02-23T20:44:19Z
system:controller:resourcequota-controller                             2024-02-23T20:44:19Z
system:controller:root-ca-cert-publisher                               2024-02-23T20:44:19Z
system:controller:route-controller                                     2024-02-23T20:44:19Z
system:controller:service-account-controller                           2024-02-23T20:44:19Z
system:controller:service-controller                                   2024-02-23T20:44:19Z
system:controller:statefulset-controller                               2024-02-23T20:44:19Z
system:controller:ttl-after-finished-controller                        2024-02-23T20:44:19Z
system:controller:ttl-controller                                       2024-02-23T20:44:19Z
system:coredns                                                         2024-02-23T20:44:20Z
system:discovery                                                       2024-02-23T20:44:18Z
system:heapster                                                        2024-02-23T20:44:18Z
system:kube-aggregator                                                 2024-02-23T20:44:18Z
system:kube-controller-manager                                         2024-02-23T20:44:18Z
system:kube-dns                                                        2024-02-23T20:44:18Z
system:kube-scheduler                                                  2024-02-23T20:44:18Z
system:kubelet-api-admin                                               2024-02-23T20:44:18Z
system:monitoring                                                      2024-02-23T20:44:18Z
system:node                                                            2024-02-23T20:44:18Z
system:node-bootstrapper                                               2024-02-23T20:44:18Z
system:node-problem-detector                                           2024-02-23T20:44:18Z
system:node-proxier                                                    2024-02-23T20:44:18Z
system:persistent-volume-provisioner                                   2024-02-23T20:44:18Z
system:public-info-viewer                                              2024-02-23T20:44:18Z
system:service-account-issuer-discovery                                2024-02-23T20:44:18Z
system:volume-scheduler                                                2024-02-23T20:44:18Z
view                                                                   2024-02-23T20:44:18Z

Likewise, we can use the following command to view the specific permissions of a ClusterRole:

gateman@MoreFine-S500: conf$ kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-02-23T20:44:18Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "87"
  uid: f8f9-d9bc-41a0-b4a2-d1a28eaacdda
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

It has basically every permission!





RoleBinding and ClusterRoleBinding

Both are easy to understand: they are the mapping between a Role and an SA/User.

gateman@MoreFine-S500: conf$ kubectl get rolebinding --all-namespaces
NAMESPACE       NAME                                                ROLE                                                  AGE
ingress-nginx   ingress-nginx                                       Role/ingress-nginx                                    85d
kube-public     kubeadm:bootstrap-signer-clusterinfo                Role/kubeadm:bootstrap-signer-clusterinfo             206d
kube-public     system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               206d
kube-system     kube-proxy                                          Role/kube-proxy                                       206d
kube-system     kubeadm:kubelet-config-1.23                         Role/kubeadm:kubelet-config-1.23                      206d
kube-system     kubeadm:nodes-kubeadm-config                        Role/kubeadm:nodes-kubeadm-config                     206d
kube-system     system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        206d
kube-system     system::leader-locking-kube-controller-manager      Role/system::leader-locking-kube-controller-manager   206d
kube-system     system::leader-locking-kube-scheduler               Role/system::leader-locking-kube-scheduler            206d
kube-system     system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               206d
kube-system     system:controller:cloud-provider                    Role/system:controller:cloud-provider                 206d
kube-system     system:controller:token-cleaner                     Role/system:controller:token-cleaner                  206d
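To tie the Role, ClusterRole and binding sections together, the block below is an added example (not code from the article or from Kubernetes) that resolves a ServiceAccount's permissions the way the article describes: subject, then RoleBinding or ClusterRoleBinding, then Role or ClusterRole, then rules. Rule matching follows the documented rbac.authorization.k8s.io/v1 semantics (apiGroups "" is the core group, "*" is a wildcard, resourceNames narrows a rule to named objects, nonResourceURLs cover paths such as /healthz, and a RoleBinding only grants inside its own namespace). The ingress-nginx and cluster-admin rules are shortened from the kubectl output above; the ops-admin ServiceAccount and all bindings are constructed for the example. It also adds the implicit groups every SA carries (system:serviceaccounts and system:serviceaccounts:<namespace>), which a binding can name as a subject, and a small audit helper that flags cluster-admin-style wildcard rules.

```python
"""Resolve RBAC for a ServiceAccount: subject -> binding -> role -> rules.

Added example, not from the article or Kubernetes. Objects below are
constructed; ingress-nginx and cluster-admin rules are abbreviated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    verb: str
    namespace: str = ""          # "" for cluster-scoped resources
    api_group: str = ""          # "" is the core API group
    resource: str = ""           # "secrets", "ingresses/status", ...
    name: str = ""               # object name, when the request targets one
    non_resource_url: str = ""   # "/healthz", "/api", ...


def _resource_matches(pattern, resource):
    # "*" matches everything, "pods/*" any subresource of pods, "*/status" any status.
    if pattern in ("*", resource):
        return True
    if "/" in resource:
        parent, sub = resource.split("/", 1)
        return pattern in (parent + "/*", "*/" + sub)
    return False


def _url_matches(pattern, url):
    return pattern in ("*", url) or (pattern.endswith("*") and url.startswith(pattern[:-1]))


def rule_allows(rule, req):
    """True if a single PolicyRule permits the request."""
    if not any(v in ("*", req.verb) for v in rule.get("verbs", [])):
        return False
    if req.non_resource_url:
        return any(_url_matches(u, req.non_resource_url) for u in rule.get("nonResourceURLs", []))
    if not any(g in ("*", req.api_group) for g in rule.get("apiGroups", [])):
        return False
    if not any(_resource_matches(r, req.resource) for r in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames")
    return not names or req.name in names   # resourceNames restricts, never widens


def sa_identities(sa_namespace, sa_name):
    """The SA itself plus the implicit groups the API server attaches to every SA."""
    return {("ServiceAccount", sa_namespace, sa_name),
            ("Group", "", "system:serviceaccounts"),
            ("Group", "", f"system:serviceaccounts:{sa_namespace}")}


def _binding_applies(binding, identities):
    return any((s["kind"], s.get("namespace", ""), s["name"]) in identities
               for s in binding.get("subjects", []))


def is_allowed(req, sa_namespace, sa_name, roles, cluster_roles, role_bindings, cluster_role_bindings):
    """RBAC is additive: the request is allowed if any reachable rule allows it.
    `roles` is keyed by (namespace, name), `cluster_roles` by name."""
    identities = sa_identities(sa_namespace, sa_name)
    rules = []
    for b in cluster_role_bindings:                        # cluster-wide grants
        if _binding_applies(b, identities):
            rules += cluster_roles.get(b["roleRef"]["name"], {}).get("rules", [])
    for b in role_bindings:                                # grants limited to one namespace
        ns = b["metadata"]["namespace"]
        if req.non_resource_url or ns != req.namespace or not _binding_applies(b, identities):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":                   # a RoleBinding may reuse a ClusterRole
            rules += cluster_roles.get(ref["name"], {}).get("rules", [])
        else:
            rules += roles.get((ns, ref["name"]), {}).get("rules", [])
    return any(rule_allows(r, req) for r in rules)


def wildcard_rules(role):
    """Audit helper: rules granting every verb on every resource or URL."""
    return [r for r in role.get("rules", []) if "*" in r.get("verbs", [])
            and ("*" in r.get("resources", []) or "*" in r.get("nonResourceURLs", []))]


# --- constructed sample objects (rules abbreviated from the article's output) ---
ROLES = {("ingress-nginx", "ingress-nginx"): {"rules": [
    {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets", "endpoints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"], "verbs": ["update"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "resourceNames": ["ingress-nginx-leader"], "verbs": ["get", "update"]},
]}}
CLUSTER_ROLES = {"cluster-admin": {"rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]}}
ROLE_BINDINGS = [{"metadata": {"namespace": "ingress-nginx"},
                  "subjects": [{"kind": "ServiceAccount", "name": "ingress-nginx", "namespace": "ingress-nginx"}],
                  "roleRef": {"kind": "Role", "name": "ingress-nginx"}}]
CLUSTER_ROLE_BINDINGS = [{"subjects": [{"kind": "ServiceAccount", "name": "ops-admin", "namespace": "kube-system"}],
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]


def check(req, sa_namespace, sa_name):
    """Evaluate `req` for an SA against the sample objects above."""
    return is_allowed(req, sa_namespace, sa_name, ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)
```

With these objects the ingress-nginx SA can read secrets in its own namespace but not in default, can update the ingresses/status subresource but not ingresses themselves, and can touch only the lease named ingress-nginx-leader; the ops-admin SA bound to cluster-admin is allowed everything, including non-resource URLs, which is exactly what `wildcard_rules` is there to surface during a review.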





Concrete example

Reference:
