2022-10-31
# Kubernetes (1) - RBAC Authorization Management
> "After a default Kubernetes deployment, a kubeconfig is issued for an admin user bound to the cluster-admin role. How do you create a user with fewer privileges?"

## RBAC

RBAC[1] is role-based access control. Kubernetes performs authorization through the rbac.authorization.k8s.io API group, and the policy is configured by creating objects of four kinds:

- Role: a set of permission rules; always grants access within one Namespace.
- ClusterRole: also a set of permission rules, but cluster-scoped, so it can cover cluster-scoped resources such as Nodes.
- RoleBinding: grants the permissions defined in a Role to a user or a group of users, within the specified Namespace.
- ClusterRoleBinding: grants permissions cluster-wide.

## Creating a kubeconfig file for a user

### Install cfssl[2]

Download the cfssl and cfssljson tools:

```bash
wget -c https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64
wget -c https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64
# Make the binaries executable and put them on PATH so that the
# cfssl / cfssljson commands used below resolve.
chmod +x cfssl_1.5.0_linux_amd64 cfssljson_1.5.0_linux_amd64
mv cfssl_1.5.0_linux_amd64 /usr/local/bin/cfssl
mv cfssljson_1.5.0_linux_amd64 /usr/local/bin/cfssljson
```

### Create the user's configuration

Create a devuser.json file that defines the user name and related fields. Kubernetes takes the certificate's CN as the user name and each O as a group, so this certificate will authenticate as user devuser in group k8s:

```json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```

### Create the certificate configuration

Define the signing profile, including the validity period of issued certificates (saved here as ca-config.json):

```json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```

Note that 87600h is ten years, and the API server has no certificate revocation (CRL) support for client certificates: a leaked devuser key stays valid until the certificate expires. For a real user a much shorter expiry is prudent, and a pure client certificate only needs the client auth usage.

### Generate the user's key pair

By default the Kubernetes certificates live in /etc/kubernetes/pki/. Signing with the cluster CA writes devuser.pem (certificate), devuser-key.pem (private key) and devuser.csr into the current directory:

```bash
cd /etc/kubernetes/pki/
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.crt \
  -ca-key=/etc/kubernetes/pki/ca.key \
  -config=/root/ca-config.json \
  -profile=kubernetes \
  /root/devuser.json | cfssljson -bare devuser
```

### Create the kubeconfig file

Set the cluster parameters:

```bash
cd /root
kubectl config set-cluster local-cluster \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://10.xx.xx.164:6443 \
  --kubeconfig=devuser.kubeconfig
```

Set the client authentication parameters:

```bash
kubectl config set-credentials devuser \
  --client-certificate=/etc/kubernetes/pki/devuser.pem \
  --client-key=/etc/kubernetes/pki/devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig
```

## Bind the role

For example, restrict the user to the permissions of the built-in admin ClusterRole within a single namespace (here, default). This is run with the existing admin kubeconfig:

```bash
kubectl create rolebinding \
  devuser-admin-rolebinding \
  --clusterrole=admin \
  --user=devuser \
  --namespace=default
```

## Access the cluster with the new kubeconfig

On the current master, switch context with use-context. Set the context parameters; the --namespace flag sets the default namespace, so kubectl no longer needs -n to specify it:

```bash
kubectl config set-context devuser-admin@local-cluster \
  --cluster=local-cluster \
  --user=devuser \
  --kubeconfig=devuser.kubeconfig \
  --namespace=default
```

Set the default context:

```bash
kubectl config use-context \
  devuser-admin@local-cluster \
  --kubeconfig=devuser.kubeconfig
```

View the contexts (pass --kubeconfig, otherwise the default admin kubeconfig is listed instead):

```bash
kubectl config get-contexts --kubeconfig=devuser.kubeconfig
```

Other machines can copy this kubeconfig into ~/.kube/config and use it directly.

## References

[1] RBAC Authorization: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
[2] cfssl: https://github.com/cloudflare/cfssl
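The role binding step above grants the built-in admin ClusterRole, which still allows full write access inside the namespace. As an added example (not code from the original post), the shell script below renders a narrower read-only Role plus a RoleBinding for the same certificate user, shows how to confirm which user/group identity a signed certificate carries, and verifies the effective permissions with `kubectl auth can-i --as` from the admin kubeconfig. The role name, its resource list and the function names are assumptions for this example; `apply_and_verify` needs a reachable cluster, while `render_readonly_rbac` runs locally.

```shell
#!/bin/sh
# Added example, not from the original post: a namespaced read-only Role and
# RoleBinding for a certificate-authenticated user, plus permission checks.
set -eu

# Render a read-only Role and a matching RoleBinding for USER in NAMESPACE.
# Role name and resource list are assumptions chosen for this example.
render_readonly_rbac() {
  user="$1"
  namespace="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${user}-readonly
  namespace: ${namespace}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-readonly-binding
  namespace: ${namespace}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${user}-readonly
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Print the subject of a signed client certificate: Kubernetes uses CN as the
# user name and O as the group, so this shows exactly who the cert logs in as.
cert_identity() {
  openssl x509 -in "$1" -noout -subject
}

# Apply the manifests with the admin kubeconfig and check what the user can
# do by impersonation (requires a reachable cluster). Expected answers:
# yes (list pods in its namespace), no (delete pods), no (other namespace).
apply_and_verify() {
  user="$1"
  namespace="$2"
  render_readonly_rbac "$user" "$namespace" | kubectl apply -f -
  kubectl auth can-i list pods --as="$user" -n "$namespace"
  kubectl auth can-i delete pods --as="$user" -n "$namespace"
  kubectl auth can-i list pods --as="$user" -n kube-system
}

# Only talk to a cluster when invoked directly as: ./script.sh devuser default
if [ $# -eq 2 ]; then
  apply_and_verify "$1" "$2"
fi
```

Binding a Role created this way instead of the admin ClusterRole is the direct answer to the question the post opens with: the user keeps read access to the namespace's workloads but cannot create, change or delete anything, and `kubectl auth can-i --as` lets you confirm that from the admin side before handing over the kubeconfig.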