Kubernetes in Practice (29): Using Kubernetes RBAC to Give Different Users Different Permissions in Different Namespaces

1. Overview

After adopting k8s in production, most applications became highly available, which not only lowered maintenance cost but also simplified the deployment of many applications; at the same time it introduced a number of new problems. For example, developers may need to view the status of their own applications, their connection information and logs, run commands inside them, and so on.

With k8s the unit of a business application is the Pod rather than the server, so one can no longer simply log in to a server and work on it directly. Once applications are deployed on k8s, the official dashboard does support basic operations such as viewing logs and executing commands, but as an operator you do not want developers to operate on or even view Pods outside their own scope. This is where RBAC is used to configure the corresponding permissions.

This article covers two things:

    • Logging in to the Dashboard with a username and password
    • Configuring permissions for logged-in users so that they can only operate on Pods in their own Namespace and cannot enter other Namespaces they are not authorized for

 

2. Changing the Dashboard authentication method

To make it convenient for developers and operators to log in to the Dashboard, switch the Dashboard login method to username/password authentication (username/password and Token authentication can be enabled at the same time).

Use Ratel to change --authentication-mode in the kubernetes-dashboard deployment to basic; if Ratel is not installed, use kubectl edit instead. The deployment restarts automatically once the change is saved.

Then change the kube-apiserver configuration to add --basic-auth-file=/etc/kubernetes/basic_auth_file

basic_auth_file is the file that stores the accounts and passwords, in the following format:

xxx1_2019,xxx1,3,"system:authentication"
xxx2_2019,xxx2,4,"system:authentication"
xxx3_2019,xxx3,5,"system:authentication"
xxx4_2019,xxx4,6,"system:authentication"

The columns are, in order: password, username, user ID and user group. Since the logged-in users will be granted permissions below, the group is set to system:authentication; change it as needed.

 

3. Adding default permissions

First configure a ClusterRole that allows the system:authentication group to query the list of namespaces (to enter a given namespace, the user must be able to list the cluster's namespaces):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authentication

 

Create the read-only permission for resources inside a namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

 

Create the Pod exec permission:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create

 

Create the Pod delete permission:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete

 

Once the roles above are created, all that remains is to bind each user to the roles they need; this is how different users get different permissions in different namespaces.

If you are not familiar with RBAC, see https://www.cnblogs.com/dukuan/p/9948063.html

or chapter 2 of the book 《不再踩坑的Kubernetes实战指南》.

 

4. Configuring permissions

Example: suppose a user named java7 needs access to the resources in the default namespace and must be able to run commands in containers and view logs.

Before any permissions are added, the user cannot view any information:

 

 

Configure the permissions:

    Method 1: one-click configuration with Ratel. Select the cluster, the Namespace and the username, tick the permissions and click Create.

    After creation, log in again and the information in that Namespace is visible.

    View logs:

    Run commands:

    At the same time, the user cannot view resources in other namespaces.

    

    Method 2: configuration with yaml files

    When permissions are configured with Ratel, the corresponding RoleBindings are created in the target namespace, as follows:

[root@k8s-master01 ~]# kubectl get rolebinding
NAME                            AGE
gitlab                          112d
ratel-pod-delete-java7          11m
ratel-pod-exec-java7            11m
ratel-resource-readonly-java7   11m

    Their contents are as follows:

ource-readonly-java7 -o yaml
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-pod-delete-java7
    namespace: default
    resourceVersion: "35887290"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-delete-java7
    uid: 547f5d42-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-delete
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-pod-exec-java7
    namespace: default
    resourceVersion: "35887289"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-pod-exec-java7
    uid: 547c5768-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-pod-exec
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2019-12-03T07:34:24Z"
    name: ratel-resource-readonly-java7
    namespace: default
    resourceVersion: "35887288"
    selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-resource-readonly-java7
    uid: 5476577f-159f-11ea-b1b5-001e674e3dd6
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ratel-resource-readonly
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: java7
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

    Without Ratel installed, you can apply the yaml above directly in the target namespace to complete the permission configuration.

    The above only implements permission control for commonly used resources; other permissions are controlled in the same way.

    For installing Ratel, the Kubernetes multi-cluster resource management platform, see: https://github.com/dotbalo/ratel-doc
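The following is an added example, not part of the original post or of Ratel: a small shell helper that generates the three namespaced RoleBindings of Method 2 for any user and namespace, plus an impersonation check with kubectl auth can-i confirming that a RoleBinding to a ClusterRole grants access only inside the namespace the binding lives in. It assumes the three ClusterRoles from section 3 already exist; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the RoleBindings that
# Method 2 creates by hand and verifies the resulting access boundary.
# Assumes ClusterRoles ratel-resource-readonly, ratel-pod-exec and
# ratel-pod-delete from section 3 already exist in the cluster.

# rolebinding_manifest USER NAMESPACE CLUSTERROLE
# Prints one RoleBinding named <clusterrole>-<user>, scoped to NAMESPACE.
rolebinding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $3-$1
  namespace: $2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $3
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}

# grant_user USER NAMESPACE
# Prints read-only, exec and delete bindings as one multi-document stream.
grant_user() {
  for role in ratel-resource-readonly ratel-pod-exec ratel-pod-delete; do
    echo "---"
    rolebinding_manifest "$1" "$2" "$role"
  done
}

# verify_user USER NAMESPACE OTHER_NAMESPACE
# Impersonates USER (the caller needs impersonation rights) and checks that
# the grant holds in NAMESPACE but not in OTHER_NAMESPACE. Needs kubectl.
verify_user() {
  kubectl auth can-i get pods --as="$1" -n "$2"                        # expect yes
  kubectl auth can-i create pods --subresource=exec --as="$1" -n "$2"  # expect yes
  kubectl auth can-i delete pods --as="$1" -n "$2"                     # expect yes
  kubectl auth can-i get pods --as="$1" -n "$3"                        # expect no
}

# Usage (hypothetical values):
#   grant_user java7 default | kubectl apply -f -
#   verify_user java7 default kube-system
```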

 

 

 

Original source: https://www.cnblogs.com/dukuan/p/11976406.html
