11. Fine-grained permission management in K8s: RBAC

Published: 2025-07-11

1. What permission management means

1.1 Analysis of common permission requirements

  • Permission to list Namespaces
  • Permission to view logs
  • Permission to execute commands
  • Permission to delete Pods
  • Permission to edit resources
  • Other permissions

1.2 The K8s service account: ServiceAccount

A ServiceAccount is a K8s resource used mainly for authentication and authorization; it lets an application or a user access other resources and services inside the cluster under a specific identity.

ServiceAccounts are mainly used in these scenarios:

  • Granting an application a defined set of permissions so that it can access resources in the cluster
  • Generating a restricted kubeconfig for different users
  • Generating a temporary or permanent token that can be used to log in to the K8s Dashboard

1.3 Role-based permission management in K8s: RBAC

RBAC (Role-Based Access Control) is an access-control mechanism based on roles, used to manage which K8s resources users and applications may access. With RBAC an administrator can control at a fine granularity which users or service accounts may perform which operations, which keeps the cluster secure and its resources properly used.

Note: RBAC can only grant permissions; it cannot deny them.

The RBAC authorization model consists of two kinds of components, Roles and Bindings:

  • Roles: define the permissions themselves
  • Bindings: attach those permissions to subjects such as users and groups

1.4 Kinds of Roles and Bindings

  • Role: namespace-level permissions; the rules apply only inside one namespace
  • ClusterRole: cluster-level permissions; the rules cover the whole cluster, and a ClusterRole can also be bound inside a single namespace
  • RoleBinding: binds the permissions of a Role or a ClusterRole to a user, group or service account within one namespace; after binding, the subject has those permissions only in that namespace
  • ClusterRoleBinding: binds a ClusterRole to a user, group or service account; after binding, the subject has those permissions across the whole cluster


2. The ServiceAccount

2.1 ServiceAccount CRUD operations

# Create a ServiceAccount:
[root@k8s-master01 ~]# kubectl create sa yunwei

# View the ServiceAccount:
[root@k8s-master01 ~]# kubectl get sa yunwei
NAME     SECRETS   AGE
yunwei   0         39s

# Create a token for a ServiceAccount:
[root@k8s-master01 ~]# kubectl create token yunwei
eyJhbGciOiJSUzI1NiIsImtpZC....

# Create a token with an explicit expiry time:
[root@k8s-master01 ~]# kubectl create token yunwei --duration=99999h
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFFSjE5cktFc1hr....

The token can be used to log in to the K8s Dashboard.


2.2 Storing a ServiceAccount token in a Secret

[root@k8s-master01 ~]# vim yunwei-token-secret.yaml
[root@k8s-master01 ~]# cat yunwei-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: yunwei-token-secret
  annotations:
   kubernetes.io/service-account.name: yunwei
type: kubernetes.io/service-account-token

# Create the Secret:
[root@k8s-master01 ~]# kubectl create -f yunwei-token-secret.yaml 

# View the generated token:
[root@k8s-master01 ~]# kubectl get secret yunwei-token-secret
NAME                  TYPE                                  DATA   AGE
yunwei-token-secret   kubernetes.io/service-account-token   3      80s
# View the details of the generated token:
[root@k8s-master01 ~]# kubectl describe secret yunwei-token-secret
Name:         yunwei-token-secret
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: yunwei
              kubernetes.io/service-account.uid: a42d2efd-fc1c-4cec-b825-184d67cd7494

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1107 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImFFSjE5cktFc1hrSk00QXB6MjFIWFZOc0ZnUVoxQTVPeWgycm1OdGszZTQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Inl1bndlaS10b2tlbi1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieXVud2VpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTQyZDJlZmQtZmMxYy00Y2VjLWI4MjUtMTg0ZDY3Y2Q3NDk0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6eXVud2VpIn0.xeLNEJwPDSv4w88kge5ADSbJ-ckMtyr6EOCGlBCQIls_WMQQ0417P__04rUAX69HTXkPy0X9XgXLAZKgPpbi962OODDJ-KKrGhnS2JWQVs1mKyBkB49oDKhpuiP9LwyWLbyFnRuDHUEbDTjKCpBO6jpPypxDwLXuy3CmOt1rXcSAg0qLgqkZ2u4rWwZP41KHXbQt92p9LLP5VuniFlvFQwaoOvzbfkWUTR0FIajCqohkCzNZB0zv4GHSFvHEas4k8BNnMmORY_h3Tu2r3_ClTL-xRnOsH2czJguXJBjZlsxL-r-ySJNG4k3mprMKABTYosM7GytBXDy5k8-EZMvXzw
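
The Secret-backed token shown above and the output of `kubectl create token` differ in one claim that matters for security: the Secret-backed token carries no `exp` claim and stays valid until the Secret is deleted, whereas a token from `kubectl create token` expires after its `--duration`. The following Python script is an added example written for this page (not part of the original post) that decodes the claims of a ServiceAccount token to show which account it belongs to and whether, and when, it expires. The two tokens it inspects are constructed locally with a dummy header and signature; their claim names follow those visible in `kubectl describe secret` above and the bound-token format, and the fixed clock value `NOW` is an assumption made so the output is deterministic.

```python
"""Inspect the claims inside a ServiceAccount token (added example, constructed input)."""
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _make_token(claims: dict) -> str:
    # Header and signature are placeholders; only the payload is inspected below.
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


# Claim set of a Secret-backed token (type kubernetes.io/service-account-token), with the
# claim names seen in `kubectl describe secret yunwei-token-secret`: there is no "exp".
LEGACY_SECRET_TOKEN = _make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "yunwei-token-secret",
    "kubernetes.io/serviceaccount/service-account.name": "yunwei",
    "sub": "system:serviceaccount:default:yunwei",
})

NOW = 1_752_192_000  # constructed fixed clock so the results are deterministic
# Claim set in the shape a bound token from `kubectl create token` has: it carries iat/exp.
BOUND_TOKEN = _make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:kube-users:project-a-develop",
    "iat": NOW,
    "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "kube-users", "serviceaccount": {"name": "project-a-develop"}},
})


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature. This is for looking at a
    token you already hold; the API server verifies the signature when it authorizes a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise which ServiceAccount a token belongs to and whether/when it expires."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    sub = claims["sub"]  # system:serviceaccount:<namespace>:<name>
    prefix, kind, namespace, name = sub.split(":", 3)
    if (prefix, kind) != ("system", "serviceaccount"):
        raise ValueError(f"not a ServiceAccount token: sub={sub}")
    exp = claims.get("exp")
    return {
        "namespace": namespace,
        "name": name,
        "expires": exp is not None,  # False: valid until the Secret is deleted
        "expired": exp is not None and exp <= now,
        "seconds_left": None if exp is None else exp - now,
        "legacy_secret_token": "kubernetes.io/serviceaccount/secret.name" in claims,
    }


if __name__ == "__main__":
    for t in (LEGACY_SECRET_TOKEN, BOUND_TOKEN):
        print(describe_token(t, now=NOW))
```

Running the script prints one summary per token; feeding `describe_token` the real token printed by `kubectl describe secret` above would report `expires: False`, which is why a long-lived Secret-backed token should be treated like a password and deleted once a kubeconfig no longer needs it.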

2.3 Generating a kubeconfig from a ServiceAccount

To generate a kubeconfig from a ServiceAccount you first need a token for it; the token stored in the Secret above can be used.

# Write the script
[root@k8s-master01 ~]# vim kubeconfig.sh 
[root@k8s-master01 ~]# cat kubeconfig.sh 
#!/bin/bash
serviceaccountName="yunwei"
secretName="yunwei-token-secret"

serverAddr=`kubectl cluster-info | grep --color=never \
  -Eo -m 1 "https://.*" | \
  sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"`
ca=$(kubectl get secret/$secretName -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret/$secretName -o jsonpath='{.data.token}' | base64 --decode)

cat <<EOF > ${serviceaccountName}-kubeconfig.yaml
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    server: ${serverAddr}
    certificate-authority-data: ${ca}
users:
- name: ${serviceaccountName}
  user:
    token: ${token}
contexts:
- name: ${serviceaccountName}-context
  context:
    cluster: default-cluster
    user: ${serviceaccountName}
    namespace: default
current-context: ${serviceaccountName}-context
EOF
# Generate the kubeconfig from the ServiceAccount
[root@k8s-master01 ~]# bash kubeconfig.sh 

[root@k8s-master01 ~]# cat yunwei-kubeconfig.yaml 
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    server: https://192.168.200.50:6443
    certificate-authority-data: ....
users:
- name: yunwei
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImFFSjE5cktFc1hrSk00QXB6MjFIWFZOc0ZnUVoxQTVPeWgycm1OdGszZTQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Inl1bndlaS10b2tlbi1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieXVud2VpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTQyZDJlZmQtZmMxYy00Y2VjLWI4MjUtMTg0ZDY3Y2Q3NDk0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6eXVud2VpIn0.xeLNEJwPDSv4w88kge5ADSbJ-ckMtyr6EOCGlBCQIls_WMQQ0417P__04rUAX69HTXkPy0X9XgXLAZKgPpbi962OODDJ-KKrGhnS2JWQVs1mKyBkB49oDKhpuiP9LwyWLbyFnRuDHUEbDTjKCpBO6jpPypxDwLXuy3CmOt1rXcSAg0qLgqkZ2u4rWwZP41KHXbQt92p9LLP5VuniFlvFQwaoOvzbfkWUTR0FIajCqohkCzNZB0zv4GHSFvHEas4k8BNnMmORY_h3Tu2r3_ClTL-xRnOsH2czJguXJBjZlsxL-r-ySJNG4k3mprMKABTYosM7GytBXDy5k8-EZMvXzw
contexts:
- name: yunwei-context
  context:
    cluster: default-cluster
    user: yunwei
    namespace: default
current-context: yunwei-context
# Test access to our resources with the generated kubeconfig (it fails)
[root@k8s-master01 ~]# kubectl get po --kubeconfig yunwei-kubeconfig.yaml 
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:yunwei" cannot list resource "pods" in API group "" in the namespace "default"

# Grant the SA read permission
[root@k8s-master01 ~]# kubectl create rolebinding yunwei-view --clusterrole=view --serviceaccount=default:yunwei

[root@k8s-master01 ~]# kubectl get rolebinding
NAME          ROLE               AGE
yunwei-view   ClusterRole/view   42s

# Access now works
[root@k8s-master01 ~]# kubectl get po --kubeconfig yunwei-kubeconfig.yaml 
NAME                       READY   STATUS    RESTARTS      AGE
counter-6c77464d64-2sb45   1/1     Running   2 (17d ago)   17d

3. Fine-grained permission configuration

3.1 Managing RBAC with kubectl

# Create a Role that can query Pods:
[root@k8s-master01 ~]# kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

# Specify a non-core API group:
[root@k8s-master01 ~]# kubectl create role foo --verb=get,list,watch --resource=replicasets.apps

# View the created Roles
[root@k8s-master01 ~]# kubectl get role
NAME         CREATED AT
foo          2025-06-27T09:11:17Z
pod-reader   2025-06-27T09:11:03Z
# Create a ClusterRole that can query Pods:
[root@k8s-master01 ~]# kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

# View the created ClusterRole
[root@k8s-master01 ~]# kubectl get clusterrole pod-reader
NAME         CREATED AT
pod-reader   2025-06-27T09:18:20Z


# Create a RoleBinding that binds pod-reader to the yunwei02 user in the default namespace:
[root@k8s-master01 ~]# kubectl create rolebinding yunwei02-pod-reader --clusterrole=pod-reader --serviceaccount=default:yunwei02

# View the created RoleBinding
[root@k8s-master01 ~]# kubectl get rolebinding
NAME                  ROLE                     AGE
....
yunwei02-pod-reader   ClusterRole/pod-reader   22s

# Check whether a given user has a given permission:
[root@k8s-master01 ~]# kubectl auth can-i get pods -n default --as=system:serviceaccount:default:yunwei02
yes

3.2 General permission management

  • kind: the resource type, Role or ClusterRole
  • rules: the concrete permission rules; a list, so several rules can be matched
    • apiGroups: the API group containing the resource, e.g. apps; an empty string means the core group
    • resources: the resources being authorized; a list, several allowed, e.g. pods, services, *
    • verbs: the operations that may be performed; a list, several allowed, e.g. create, delete, list, get, watch, update (subresources such as pods/log are addressed by naming them under resources)
    • resourceNames: restricts the rule to specific named objects; a list, several allowed, e.g. my-deployment

  • roleRef: the permissions to bind
    • kind: the source of the permissions, Role or ClusterRole
    • name: the name of the Role or ClusterRole
    • apiGroup: the API group name
  • subjects: the objects being bound; several can be configured
    • kind: the kind of subject, here User; it can also be Group or ServiceAccount
    • name: the name of the subject

[root@k8s-master01 ~]# vim clusterrole.yaml 
[root@k8s-master01 ~]# cat clusterrole.yaml 
apiVersion: rbac.authorization.k8s.io/v1    # A ClusterRole that can query namespaces
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - metrics.k8s.io
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1    # A ClusterRole that can delete Pods
kind: ClusterRole
metadata:
  name: pod-delete
rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/status
    verbs:
    - get
    - list
    - delete
---
apiVersion: rbac.authorization.k8s.io/v1    # A ClusterRole that can execute commands in Pods
kind: ClusterRole
metadata:
  name: pod-exec
rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/status
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - pods/exec
    verbs:
    - create
---
apiVersion: rbac.authorization.k8s.io/v1    # A ClusterRole that can view logs
kind: ClusterRole
metadata:
  name: pod-log
rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/log
    - pods/status
    verbs:
    - get
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1    # A ClusterRole that can edit specific resources
kind: ClusterRole
metadata:
  name: configmap-deployment-manager
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
# Create the ClusterRoles
[root@k8s-master01 ~]# kubectl create -f clusterrole.yaml 

# View the ClusterRoles
[root@k8s-master01 ~]# kubectl get clusterrole | egrep "namespace-readonly|pod-delete|pod-exec|pod-log|configmap-deployment-manager"
configmap-deployment-manager                            2025-06-27T16:26:19Z
namespace-readonly                                      2025-06-27T16:26:19Z
pod-delete                                              2025-06-27T16:26:19Z
pod-exec                                                2025-06-27T16:26:19Z
pod-log                                                 2025-06-27T16:26:19Z

3.3 Multi-user management in K8s

# Create a Namespace dedicated to holding user accounts:
[root@k8s-master01 ~]# kubectl create ns kube-users

# Grant every user in the kube-users namespace permission to view Namespaces:
[root@k8s-master01 ~]# kubectl create clusterrolebinding namespace-readonly --clusterrole=namespace-readonly --group=system:serviceaccounts:kube-users

# Create several users to simulate different scenarios:
[root@k8s-master01 ~]# kubectl create sa project-a-develop -n kube-users
[root@k8s-master01 ~]# kubectl create sa project-a-opselop -n kube-users

# Create Namespaces to simulate different environments:
[root@k8s-master01 ~]# kubectl create ns project-a-dev
[root@k8s-master01 ~]# kubectl create ns project-a-test
[root@k8s-master01 ~]# kubectl create ns project-a-prod

# Create a service in each environment:
[root@k8s-master01 ~]# kubectl create deploy redis --image=crpi-q1nb2n896zwtcdts.cn-beijing.personal.cr.aliyuncs.com/ywb01/redis:7.2.5 -n project-a-dev

[root@k8s-master01 ~]# kubectl create deploy redis --image=crpi-q1nb2n896zwtcdts.cn-beijing.personal.cr.aliyuncs.com/ywb01/redis:7.2.5 -n project-a-test

[root@k8s-master01 ~]# kubectl create deploy redis --image=crpi-q1nb2n896zwtcdts.cn-beijing.personal.cr.aliyuncs.com/ywb01/redis:7.2.5 -n project-a-prod

3.4 Authorization for different users

3.4.1 Allowing log viewing and command execution in the test environment

In non-production environments, developers and testers can be given permission to view logs and execute commands, which makes troubleshooting easier.

Grant the project-a-develop user permission to view logs and execute commands in the two namespaces project-a-dev and project-a-test:

[root@k8s-master01 ~]# kubectl create rolebinding develop-pod-log --clusterrole=pod-log --serviceaccount=kube-users:project-a-develop -n project-a-dev

[root@k8s-master01 ~]# kubectl create rolebinding develop-pod-exec --clusterrole=pod-exec --serviceaccount=kube-users:project-a-develop -n project-a-dev

[root@k8s-master01 ~]# kubectl create rolebinding develop-pod-log --clusterrole=pod-log --serviceaccount=kube-users:project-a-develop -n project-a-test

[root@k8s-master01 ~]# kubectl create rolebinding develop-pod-exec --clusterrole=pod-exec --serviceaccount=kube-users:project-a-develop -n project-a-test
# Create a token to test with:
[root@k8s-master01 ~]# kubectl create token project-a-develop -n kube-users
eyJhbGciOiJSUzI1NiIsImtpZCI6ImtiTm05eWxpaVR2WEFPM25hblMyX09SdXZndVZBN3lxWElwMjhvVjdudW8ifQ....

Then log in to the Kubernetes Dashboard to test the permissions.

At this point only the Pod section can be viewed.

Logs can be queried normally.

Commands can also be executed normally.

3.4.2 Allowing only log viewing in production

In production, other users are usually not allowed broad permissions; here they can be restricted to viewing logs only.

Before authorization:

# Grant developers permission to view logs in production only:
[root@k8s-master01 ~]# kubectl create rolebinding develop-pod-log --clusterrole=pod-log --serviceaccount=kube-users:project-a-develop -n project-a-prod

After authorization, logs can be viewed normally.

Commands, however, cannot be executed.

3.4.3 Allowing developers to modify some resources in non-production environments

Sometimes developers need to change an application's configuration to test a new feature or troubleshoot a fault. In that case they can be allowed to edit a subset of resources, for example ConfigMaps and Deployments.

[root@k8s-master01 ~]# kubectl create rolebinding develop-configmap-deployment-manager --clusterrole=configmap-deployment-manager --serviceaccount=kube-users:project-a-develop -n project-a-dev

3.4.4 Authorizing restricted administrators in a multi-tenant scenario

If the cluster is shared by several tenants and OPS users, each tenant or OPS user should have full permissions in their assigned namespaces. The built-in admin or edit ClusterRoles can be used directly for this:

For example, grant the project-a-ops user (the project-a-opselop ServiceAccount created above) permission to operate on all resources in the project-a-dev, project-a-test and project-a-prod namespaces:

[root@k8s-master01 ~]# kubectl create rolebinding ops-edit --clusterrole=edit --serviceaccount=kube-users:project-a-opselop -n project-a-dev

[root@k8s-master01 ~]# kubectl create rolebinding ops-edit --clusterrole=edit --serviceaccount=kube-users:project-a-opselop -n project-a-test

[root@k8s-master01 ~]# kubectl create rolebinding ops-edit --clusterrole=edit --serviceaccount=kube-users:project-a-opselop -n project-a-prod
# Logging in as project-a-ops (the project-a-opselop ServiceAccount) now allows operating on most resources in those namespaces
[root@k8s-master01 ~]# kubectl create token project-a-opselop -n kube-users
eyJhbGciOiJSUzI1NiIsImtpZCI6ImtiTm05eWxpaVR2WEFPM25hblMyX09SdXZndVZBN3lxWElwMjhvVjdudW8ifQ....
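
To see how the additive rules from 3.2 and the namespace-scoped bindings of 3.3 and 3.4 combine into the answers that `kubectl auth can-i` gives, here is an offline evaluator in Python. It is an added example written for this page, not code from the original post or from Kubernetes, and it contacts no cluster. The ClusterRole rules are transcribed from clusterrole.yaml and the bindings from the kubectl commands above; the implicit group membership of ServiceAccounts (system:serviceaccounts and system:serviceaccounts:<namespace>) and the `*/subresource` matching are standard Kubernetes RBAC behaviour, while the data layout and function names are this example's own. It goes slightly beyond the single checks the page shows by also answering whether a RoleBinding in one namespace has any effect in another, and by reporting which binding and role granted a request, which is what an auditor wants to know.

```python
"""Offline model of the RBAC decisions shown by `kubectl auth can-i` (added example)."""
from dataclasses import dataclass

# Rules transcribed from clusterrole.yaml (apiGroups "" is the core group).
CLUSTER_ROLES = {
    "namespace-readonly": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
    "pod-delete": [
        {"apiGroups": [""], "resources": ["pods", "pods/status"], "verbs": ["get", "list", "delete"]},
    ],
    "pod-exec": [
        {"apiGroups": [""], "resources": ["pods", "pods/status"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
    "pod-log": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/status"], "verbs": ["get", "list", "watch"]},
    ],
    "configmap-deployment-manager": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "create", "update", "patch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "create", "update", "patch"]},
    ],
}


@dataclass
class Binding:
    name: str
    role: str            # ClusterRole referenced by roleRef
    subjects: list       # ("ServiceAccount", "<ns>:<name>") or ("Group", "<group>")
    namespace: str = ""  # "" = ClusterRoleBinding, otherwise a RoleBinding in that namespace


# The bindings created with kubectl in sections 3.3 and 3.4 (transcribed from the page).
SA_DEV = ("ServiceAccount", "kube-users:project-a-develop")
BINDINGS = [
    Binding("namespace-readonly", "namespace-readonly", [("Group", "system:serviceaccounts:kube-users")]),
    Binding("develop-pod-log", "pod-log", [SA_DEV], "project-a-dev"),
    Binding("develop-pod-exec", "pod-exec", [SA_DEV], "project-a-dev"),
    Binding("develop-pod-log", "pod-log", [SA_DEV], "project-a-test"),
    Binding("develop-pod-exec", "pod-exec", [SA_DEV], "project-a-test"),
    Binding("develop-pod-log", "pod-log", [SA_DEV], "project-a-prod"),
    Binding("develop-configmap-deployment-manager", "configmap-deployment-manager", [SA_DEV], "project-a-dev"),
]


def subject_matches(subject, sa_namespace, sa_name):
    kind, name = subject
    if kind == "ServiceAccount":
        return name == f"{sa_namespace}:{sa_name}"
    if kind == "Group":
        # Every ServiceAccount is implicitly a member of these groups.
        return name in ("system:authenticated", "system:serviceaccounts", f"system:serviceaccounts:{sa_namespace}")
    return False


def rule_matches(rule, api_group, resource, verb, name=""):
    if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    # A rule resource matches exactly, as "*", or as "*/<subresource>".
    if not any(r == "*" or r == resource or (subresource and r == f"*/{subresource}") for r in rule["resources"]):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names  # list/watch carry no name, so they never match a resourceNames rule


def can_i(sa_namespace, sa_name, verb, api_group, resource, namespace="", name=""):
    """Return (allowed, grants). RBAC is purely additive: the request is allowed as soon as one
    binding reaches the subject and one rule of its role matches; nothing can deny it."""
    grants = []
    for b in BINDINGS:
        if b.namespace and b.namespace != namespace:  # a RoleBinding only covers its own namespace
            continue
        if not any(subject_matches(s, sa_namespace, sa_name) for s in b.subjects):
            continue
        for rule in CLUSTER_ROLES[b.role]:
            if rule_matches(rule, api_group, resource, verb, name):
                kind = "RoleBinding" if b.namespace else "ClusterRoleBinding"
                grants.append(f"{kind}/{b.name} -> ClusterRole/{b.role}")
                break
    return bool(grants), grants


if __name__ == "__main__":
    for req in [("create", "", "pods/exec", "project-a-dev"), ("create", "", "pods/exec", "project-a-prod"),
                ("delete", "", "pods", "project-a-dev"), ("list", "", "namespaces", "")]:
        ok, grants = can_i("kube-users", "project-a-develop", *req)
        print(req, "yes" if ok else "no", grants)
```

Note that `list namespaces` is a cluster-scoped request (empty namespace), so only the ClusterRoleBinding on the group can grant it; the same ClusterRole bound through a RoleBinding would not. Any answer the evaluator gives for the real cluster should still be confirmed with `kubectl auth can-i ... --as=system:serviceaccount:<ns>:<name>`, since the API server is the authority.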

3.4.5 Authorizing an application to access cluster resources

Sometimes a service deployed in the Kubernetes cluster needs to be authorized to access certain cluster resources, for example to read the status of Pods in the cluster. Grant the permissions to a ServiceAccount and have the Pod created with that ServiceAccount; the program inside the Pod then holds those permissions.

For example, to give a program the view permission, authorize it as follows.

# First create a ServiceAccount for the program:
[root@k8s-master01 ~]# kubectl create sa app-view -n project-a-dev

# Grant permissions to the ServiceAccount:
[root@k8s-master01 ~]# kubectl create rolebinding app-view --clusterrole=view --serviceaccount=project-a-dev:app-view -n project-a-dev
# Create a resource that uses the ServiceAccount:
[root@k8s-master01 ~]# kubectl create deploy app --image=crpi-q1nb2n896zwtcdts.cn-beijing.personal.cr.aliyuncs.com/ywb01/kubectl -n project-a-dev -- sleep 36000

# Add the configuration
[root@k8s-master01 ~]# kubectl edit deploy app -n project-a-dev
....
    spec:
      serviceAccountName: app-view
      containers:
....


[root@k8s-master01 ~]# kubectl get po -n project-a-dev
NAME                     READY   STATUS    RESTARTS   AGE
app-754479d4cc-lsh9f     1/1     Running   0          3m41s
redis-555d6889cd-dkc5j   1/1     Running   0          37m
# Log in to the container; it can now view all resources in that namespace:
[root@k8s-master01 ~]# kubectl exec -it app-754479d4cc-lsh9f -n project-a-dev -- bash
I have no name!@app-754479d4cc-lsh9f:/$ kubectl get po -n project-a-dev
NAME                     READY   STATUS    RESTARTS   AGE
app-754479d4cc-lsh9f     1/1     Running   0          4m56s
redis-555d6889cd-dkc5j   1/1     Running   0          38m

 
Other namespaces, which have not been granted, cannot be accessed:
I have no name!@app-754479d4cc-lsh9f:/$ kubectl get pod -n project-atest
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:project-a-dev:app-view" cannot list resource "pods" in API group "" in the namespace "project-atest"

# To access resources in other namespaces, create RoleBindings as needed.

This post is sourced from: https://edu.51cto.com/lecturer/11062970.html

