
Understanding Kubernetes RBAC authorization through the dashboard

2022-07-15 03:31:08  Reads: 201  Source: Internet

Tags: master1 kubectl alex RBAC token role dashboard k8s root


# Concepts

Service Account: an account managed by the Kubernetes API, which gives the service processes running in a Pod an identity when they call the Kubernetes API. A Service Account is bound to a specific namespace and is created by the API server, or created manually through an API call.
User Account: an account managed by some service outside Kubernetes, for example keys distributed by an administrator, a user store (account database) such as Keystone, or even a file containing a list of usernames and passwords.

  • User Accounts are meant for people, whereas Service Accounts are meant for processes in Pods that call the Kubernetes API;
  • A User Account spans namespaces, whereas a Service Account is confined to the namespace it lives in;
  • Every namespace automatically gets a default service account.

When a Pod is created without specifying a service account, the system automatically assigns it the default service account of the Pod's namespace. The account the Pod uses to talk to the API server is given by the Pod's serviceAccountName field.

# Goals

Allow a user to view the resources of a specified namespace with kubectl

Allow the user to view resource monitoring through the dashboard

# Procedure

1. Create a ServiceAccount
2. Create the Role that holds the account's permissions
3. Bind the Role to the account with a RoleBinding
4. Log in to the dashboard to verify the permissions
5. Build a kubeconfig from the token and log in with kubectl

1. Create the ServiceAccount

[root@master1 user]# kubectl create serviceaccount alex
serviceaccount/alex created
[root@master1 user]# kubectl get sa 
NAME      SECRETS   AGE
alex      1         17s

2. Create the Role holding alex's permissions (note that the create verb on pods/exec lets the holder run commands inside any pod in the namespace, so grant it only when the user actually needs it)

[root@master1 role]# cat alex_role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default_role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","pods/log","pods/exec"]   # pods/exec with create is shell access to every pod in the namespace
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create"]
- apiGroups: ["apps"]   # deployments belong to the apps group, not the core ("") group; a core-group rule never matches them
  resources: ["deployments"]
  verbs: ["get","list","watch","create"]

3. Bind the Role to the service account

[root@master1 role]# cat alex_rolebinding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default_rolebindind
  namespace: default
subjects:
- kind: User            # only matters if an authenticator actually presents a user named alex
  apiGroup: rbac.authorization.k8s.io
  name: alex
- kind: ServiceAccount  # matches system:serviceaccount:default:alex
  name: alex
  namespace: default    # may be omitted; it then defaults to the RoleBinding's namespace
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: default_role

3.1 Apply the YAML files to create the Role and the binding

# Role (the permissions)
[root@master1 role]# kubectl apply -f alex_role.yaml 
role.rbac.authorization.k8s.io/default_role created

# RoleBinding (attaches the permissions to the account)
[root@master1 role]# kubectl apply -f alex_rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/default_rolebindind created
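To see what steps 2 and 3 actually grant, here is a small model of how the RBAC authorizer matches a request against Roles and RoleBindings. It is an added example, not code from the post or from Kubernetes: the Role, the RoleBinding and the alex subject are the ones the post creates (with deployments under the apps group, where they live), re-expressed as Python dicts; the request tuples are constructed. It also shows why a deployments rule written against the core group never matches, and why listing "pods" does not cover "pods/exec".

```python
"""Toy model of the Kubernetes RBAC authorizer (added example, not the post's
or Kubernetes' own code). Role/RoleBinding data mirrors the post's YAML."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str          # "alex" or "system:serviceaccount:<ns>:<name>"
    verb: str
    api_group: str     # "" is the core group; "apps" for deployments
    resource: str
    subresource: str   # "" when none, "exec" for pods/exec
    namespace: str


# Role from alex_role.yaml, with deployments in the apps group.
ALEX_ROLE = {
    "name": "default_role", "namespace": "default",
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
         "verbs": ["get", "list", "watch", "create"]},
        {"apiGroups": [""], "resources": ["services"],
         "verbs": ["get", "list", "watch", "create"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create"]},
    ],
}

# The same rule written against the core group: syntactically valid, but no
# real deployments request carries apiGroup "", so it never grants anything.
DEAD_DEPLOYMENTS_RULE = {"apiGroups": [""], "resources": ["deployments"],
                         "verbs": ["get", "list", "watch", "create"]}

# RoleBinding from alex_rolebinding.yaml.
ALEX_BINDING = {
    "namespace": "default", "roleRef": "default_role",
    "subjects": [{"kind": "User", "name": "alex"},
                 {"kind": "ServiceAccount", "name": "alex"}],
}


def subject_matches(subject, binding_ns, user):
    """Subject matching. A ServiceAccount subject without a namespace defaults
    to the RoleBinding's namespace, as the real authorizer does."""
    if subject["kind"] == "User":
        return user == subject["name"]
    if subject["kind"] == "ServiceAccount":
        ns = subject.get("namespace") or binding_ns
        return user == f"system:serviceaccount:{ns}:{subject['name']}"
    return False  # Group subjects need the request's group list; not modelled


def rule_matches(rule, req):
    """One PolicyRule: group, resource and verb must all match."""
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    group_ok = "*" in rule["apiGroups"] or req.api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or req.verb in rule["verbs"]
    resource_ok = False
    for r in rule["resources"]:
        # "pods" alone never covers "pods/exec": a subresource must be listed
        # as "pods/exec", "*/exec" or "*".
        if r == "*" or r == combined:
            resource_ok = True
        elif req.subresource and r == "*/" + req.subresource:
            resource_ok = True
    return group_ok and verb_ok and resource_ok


def allowed(req, roles, bindings):
    """RBAC is allow-only: permitted if any RoleBinding in the request's
    namespace names the user and its Role has a matching rule."""
    for b in bindings:
        if b["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, b["namespace"], req.user) for s in b["subjects"]):
            continue
        role = roles.get((b["namespace"], b["roleRef"]))
        if role and any(rule_matches(r, req) for r in role["rules"]):
            return True
    return False


ROLES = {("default", "default_role"): ALEX_ROLE}
BINDINGS = [ALEX_BINDING]
ALEX_SA = "system:serviceaccount:default:alex"


def can(user, verb, group, resource, subresource="", namespace="default"):
    """Evaluate one request against the post's Role and RoleBinding."""
    return allowed(Request(user, verb, group, resource, subresource, namespace),
                   ROLES, BINDINGS)


if __name__ == "__main__":
    for args in [(ALEX_SA, "list", "", "pods"),
                 (ALEX_SA, "create", "", "pods", "exec"),
                 (ALEX_SA, "delete", "", "pods"),
                 (ALEX_SA, "list", "apps", "deployments"),
                 (ALEX_SA, "list", "", "pods", "", "kube-system")]:
        print(args, "->", "allow" if can(*args) else "deny")
```

The same questions can be asked of a live cluster with kubectl auth can-i --as=system:serviceaccount:default:alex; the model is only meant to make the matching rules visible.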

4. Log in to the dashboard and verify the permissions

4.1 # List the secrets; alex's service-account token secret is alex-token-fbnsb
[root@master1 role]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
alex-token-fbnsb      kubernetes.io/service-account-token   3      12m
chen-token-56l6t      kubernetes.io/service-account-token   3      3d1h
default-token-d79vr   kubernetes.io/service-account-token   3      3d11h
local-harbor-secret   kubernetes.io/dockerconfigjson        1      3d10h

4.2 # Read the token from the secret; base64 -d decodes it, because Secret data is stored base64-encoded
# Alternatively copy it from the describe output, e.g. kubectl describe secret alex-token-fbnsb 
[root@master1 role]# kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d 
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDi
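The token printed above is a JWT, and its claims are exactly what the dashboard and the API server use to identify the caller. As an added example (not code from the post), the script below decodes those claims and reports the properties a defender should notice: this is a legacy Secret-based token with no expiry, so it stays valid until the Secret is deleted. The token embedded in the script is the one from the post; its signature is not verified because that needs the API server's public key. The second token is constructed, with a placeholder signature, purely to show the claim layout of a time-bound token as returned by kubectl create token.

```python
"""Decode and assess Kubernetes service-account tokens (added example, not the
post's own code). Signatures are not verified here."""
import base64
import json
import time

# Token from the post: header.payload.signature.
ALEX_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ"
    "."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ"
    "."
    "LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, claims); the signature segment is left unverified."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def assess_sa_token(token: str, now: float = None) -> dict:
    """Summarise what the API server sees in a service-account token.

    Legacy Secret-based tokens (the kind the post extracts) carry flat
    kubernetes.io/serviceaccount/* claims and no exp. Tokens from the
    TokenRequest API (kubectl create token) carry exp, aud and a nested
    "kubernetes.io" claim; both layouts are handled here."""
    header, claims = decode_jwt(token)
    now = time.time() if now is None else now
    nested = claims.get("kubernetes.io", {})
    sa = nested.get("serviceaccount", {})
    info = {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace") or nested.get("namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name") or sa.get("name"),
        "secret_name": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "time_bound": "exp" in claims,
        "expired": "exp" in claims and claims["exp"] <= now,
        "warnings": [],
    }
    if str(header.get("alg", "none")).lower() == "none":
        info["warnings"].append("unsigned token (alg=none): never accept")
    if not info["time_bound"]:
        info["warnings"].append("legacy long-lived token: revoke by deleting Secret "
                                + str(info["secret_name"]))
    if "aud" not in claims:
        info["warnings"].append("no audience claim: replayable against any service "
                                "that trusts this issuer")
    return info


def make_test_token(claims: dict) -> str:
    """Build a JWT with a placeholder signature (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "kid": "constructed"}) + "." + enc(claims) + ".AAAA"


# Constructed layout of a bound token; the issuer, times and uid are made up.
BOUND_TOKEN_EXAMPLE = make_test_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1657850000, "nbf": 1657850000, "exp": 1657853600,
    "sub": "system:serviceaccount:default:alex",
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "alex", "uid": "constructed-uid"}},
})


if __name__ == "__main__":
    for label, tok in [("post token", ALEX_TOKEN), ("bound token", BOUND_TOKEN_EXAMPLE)]:
        print(label, json.dumps(assess_sa_token(tok, now=1657851000), indent=2))
```

Run it as-is to see both reports; the "legacy long-lived token" warning on the post's token is the reason such tokens should be treated like static passwords and deleted (together with their Secret) when the user no longer needs access.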

5. Build a kubeconfig from the token and log in with kubectl to verify again
5.1 Extract the cluster CA certificate (ca.crt) from the token secret
[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath="{.data.ca\.crt}" | base64 -d > alex.crt

5.2 # Create the kubeconfig with the cluster information (CA embedded)

[root@master1 alex]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443  --kubeconfig=/root/role/user/alex/config --certificate-authority=alex.crt --embed-certs=true
Cluster "kubernetes" set.

5.3 # Add the user's credential (the token) to the kubeconfig

[root@master1 alex]# kubectl get secret alex-token-fbnsb -o jsonpath={.data.token} | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q


[root@master1 alex]#  kubectl config set-credentials alex   --kubeconfig=/root/role/user/alex/config  --token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q
User "alex" set.


5.4 Create the context

[root@master1 alex]# kubectl config set-context alex@kubernetes --cluster=kubernetes --user=alex --kubeconfig=/root/role/user/alex/config 
Context "alex@kubernetes" created.

# View the kubeconfig; kubectl config view redacts the CA data and the token

[root@master1 alex]# kubectl config view --kubeconfig=./config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: REDACTED


# View the generated config file (cat shows the embedded CA and the token in full)

[root@master1 alex]# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hNVEEwTkRReE0xb1hEVE15TURjd09EQTBORFF4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTUJxCit1RkJDZHBUSzY0cUN0bGdUaTNXVE9QWGR6Wmtydll2dTJ5NTgzeWV4MFI3cHNOdFZMVkN3ejYvVUFDNFNITkwKblpWcGlTV1c2TjkrOUtLMWlkRnhoenRXbVlFRFR0SFUvajlZTk9TZkowelFWSGxMQmwvOTVUSVlLK2dRbTdMYgpMTjFpUXJ6ODh4VFBCZ1A3MS96Qk5QMUlrUnZCcnQzOE5HZE16cTh1V2d4N1ZycnFEaXczNUJxa1BWRVNlaXU5CjliVGYvdUl4TmhhaUdYSCt2K2oxWUx0dk1QeU16eTJHcE5uc1ZwQXVEbXdUSHdCOWtBZnBNbC90WDBwbndOSVkKeHprLzNJZUZ5SFFsVEFGK1JtSTBPejZrRjA4TVdoWkp6ZDluWDd3Vy9QMUpUVVV5Ui9mcHBLdHlGazZZbmtMbAoxRUZXd3dzUnFPVk5xelc0ZEowQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCTnQ1SjhWSEdSRmRTRGZwT3J0aTFlZEN4amMKc29EUXhhU2NoU1gzYmhwY2kzVFd2V3ZkTk5wcVk3amNZa09oQno1QVlpbkFXTkZ5Q0ovR2RKM0p6T0twNzNUVQpGbVFHK1hucmlKY2VLQ3h0Ri8xRXlPVXM2bVhWK25OQm9iUUpxMnh3MkhqSEUxcStLTE5oYnFkK1NzMi94UzlXCmpYQ0NrTGY3NEF2SUhFSldUNHI5UkRBeTQvaEtnMkVvaEpkZFErVmJjYUZ0S3c3cEFGT25Wei9RWGs1OWVQWE8Kd2hNei9ZV1NNU3dLNHI1RkpkbmF3Z3E0c28rdXZvTFp4K1RRNmFhV0l4OVVmRkg3S20xbEFNUGJCbk1xVVhGYQpENkhEYjlORmxCZ3Irc1hBZHNoQm55YnhJc2cvQ2NrWmVuY2tEbkwwNkhLL2kxemd0Qm5VV0t5OVV6dz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: alex
  name: alex@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: alex
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFsZXgtdG9rZW4tZmJuc2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYWxleCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjNmNDEyZGFiLWE3ZTMtNGZmNy05ZDE0LTM2MmU2NmViYzg0MSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFsZXgifQ.LFlE4q5zr-5ddJ8q9E8sJngEeqhd9C3CI9Q4qN-NfsEyU1j76mpxS4SbiE-gTry11c8C3yTSu1rDHh6R131ibJvyvTUGKdBYArT2CVEv1SSha0ldd7RMysH8vUDBnN1_QtM5uZ9H_gNVI0K0BfPu0grlzz7Z1fKrFvr8GXaNXtpL5jbiNjzH3dzMrjNdBZv2sose5elLl0I9Gsm766ba1n3RX-YbQv-3yfKmCfqHgZ986Cmf_3zCXbz308_muw3V3w5tXpUwlzNUMwkN9L0vlcicSyXOye0e9UsRDbLpoL1oi0ExRjH252tVSRbcO4sY4CPmDiYIKTfvazyLVCng0Q


# Put the config on a client machine that has kubectl installed, at /root/.kube/config 

[root@24d33 .kube]# kubectl config use-context alex@kubernetes
Switched to context "alex@kubernetes".

# Verify the result

[root@24d33 .kube]# kubectl get pods,svc
NAME                             READY   STATUS    RESTARTS   AGE
pod/mytomcat-5f97c868bd-bghht    1/1     Running   0          2d4h
pod/mytomcat-5f97c868bd-xh5cz    1/1     Running   0          35h
pod/mytomcat2-6746bcc65b-hmxgb   1/1     Running   0          36h

NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/kubernetes    ClusterIP   10.96.0.1       <none>        443/TCP          3d14h
service/tomcat-svc    NodePort    10.96.234.126   <none>        8080:31801/TCP   2d4h
service/tomcat2-svc   NodePort    10.98.226.189   <none>        8080:31802/TCP   36h

Source: https://www.cnblogs.com/Chen-PY/p/16479951.html
