背景
在kubernetes容器中使用kubectl客戶端獲取kubernetes集群中的資源信息或者是執(zhí)行一些腳本。
kubernetes中RBAC機(jī)制
1倒堕、創(chuàng)建subject service account資源:
kubectl create serviceaccount <service_account_name> -n namespace
比如:
kubectl create serviceaccount initdb -n kube-system
還可以通過yaml的方式創(chuàng)建service account:
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: example
查看創(chuàng)建好的service account蝶桶,可以看到會自動創(chuàng)建一個secret,secret,就是這個 ServiceAccount 對應(yīng)的珍手、用來跟 APIServer 進(jìn)行交互的授權(quán)文件,我們一般稱它為:Token辞做。Token 文件的內(nèi)容一般是證書或者密碼琳要,它以一個 Secret 對象的方式保存在 Etcd 當(dāng)中
apiVersion: v1
kind: ServiceAccount
metadata:
name: example
namespace: default
resourceVersion: "6234756"
selfLink: /api/v1/namespaces/default/serviceaccounts/example
uid: 34a93e41-83b5-4cab-ba95-6859a7e57da7
secrets:
- name: example-token-fplk6
可以查看secret的內(nèi)容,里面包含了證書:
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1ESXlOekE1TURBME5Wb1hEVE16TURJeU5EQTVNREEwTlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTzdLCjRoY2JaN2cvZWVLNXlSYU1JeVhOQitjSGdGOHhWL1prYm43NzlRNU9WeVB2ekxrbUJyclFHVG1CeG12eG1BczAKeVlRM1dlUVdBbHdxNHNJMHlraWJ3VzhEK1E0MXhsMm9mNmZhQWRpS0N4MzJJd2lEZytncThpM0plTERmZUd6bApFbU1kS3MxMFV1NGxvV2NJUGQ5RkNOMXVRbEpmK0MxTU5yYjVWazhpYTJhSzRsK2E0YVkwS0NIVHJrSVp0RXJPCjExalZyNTB6SExYTGc1VldGeDhUamE4c3ladllGdlFqd0JnakU3WGM2SmFoczhsUGovaGZMdy90T2Y2MHRYNEQKbmRCaittMUkvSnBPSENEQzkwdENnYWF3cVA1WlFBOVp0L3N4SnUzcGV0UjVZSTYvbzc3NjViVVJGUVNsVGlDcwovSnhpcUVRakpIZU5paStLRzljQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFPZGY2aSs2SUNPYXZ4M0FQc1hvdnVVQXFmRk8KYjhYS0RoK2lESE9xVGRIdlUzbEZxWHFxcWw2QVZrbkp3c1phWDVoSDFJZHpqNlk2QnJQZzI1QmR1dkR5eEMzTApHUDZxNVNjZTk4bHRrRnRFM28wTmZmb2R0bSsvL2dqS2ZnZXE3THBoUi9yQ2xWUTlXc1cxMTFQZHJ3VWU1NG1sCkdhM1I5WXBCcjdoOTh2VHpWYXA5OGtSY21kTGZ3dkF1N21JWVcvN2tPZEo5V01obEJtU3djQ3dOMVR4YzBzQlkKRk5SL1lQZ1JHcDMyQnlJMndZdnZIOGhDbFIvSlVWdGl1NlEvSDlnQWFueDRmSnpmbWt6dnVYMWxENm42SjA2YgpsckQ1amZ4dC9xOGRhUkxGVUNYMElRMjdMS1B0VmdJMzhNMkFUalRZMVpQamdoQUpNeTRDQ2FROGhxWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
namespace: ZGVmYXVsdA==
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkluWlRUVjlWUVhwUk5XMUliVk5JVXpSUVEyRmFWM0ZPZGtRMExYYzJMVzFoYmpSRmRGTlNXbmM0ZEVVaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVY0WVcxd2JHVXRkRzlyWlc0dFpuQnNhellpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWlhoaGJYQnNaU0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJak0wWVRrelpUUXhMVGd6WWpVdE5HTmhZaTFpWVRrMUxUWTROVGxoTjJVMU4yUmhOeUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21WNFlXMXdiR1VpZlEuTEJxaTdPMld4OVJRbGZQNUxWelBCX3c2alRTME5yNmJaX0V3MXZiOHhSOExKR0pBa09ScVdMeXNmcDdEa0MzV29BeGtCd01zRjQ2UmJ4c1YtZXVvR1hWQWUzSXMxV1lJa3NzNDc4YnJpaWtPVEVrdWp6bU9EeFFTelpIaVNXQW1BUHgwQkhCODE3VXQ5b2dOWDVJVi1HTWdqaDBYZTJjZGJuVm1DN0xnNTZiUjN0cW9wMWgxZmp5azlZVnNLdmFCV05PelFMVHR4eEoycXhQRTVjNE5reUpDTncxWGdUVnByU3d1bWhGNm5maXVmRFdrUlNWdERyb1dkbmllOXI4aEs5VDFpU2JTTWFSbm5uMVNVN3JLQ2d4bS1odVdxTHFxbnA4RXZiNmxFOTY4U1RwYTAtV2lRXy16TWNuNG1icjVJSjVQcWZyOEwzeUN3cjQ1X0cxZUVB
kind: Secret
metadata:
name: example-token-fplk6
namespace: default
resourceVersion: "6234755"
selfLink: /api/v1/namespaces/default/secrets/example-token-fplk6
uid: bde5d411-5e12-4b14-b977-2fad7afa0d23
type: kubernetes.io/service-account-token
secret 對象秤茅,被 Kubernetes 自動掛載到了容器的/var/run/secrets/kubernetes.io/serviceaccount 目錄下稚补,可以進(jìn)入到容器中看到掛在的內(nèi)容:
# kubectl exec -it nginx sh
# cd /var/run/secrets/kubernetes.io/serviceaccount
# ls
ca.crt namespace token
# cat namespace
default
容器里的應(yīng)用就會使用ca.crt
文件來訪問API Server。
2框喳、k8s內(nèi)置了好多clusterrole資源课幕,cluster role資源代表了被作用者service account擁有的操作集群中資源的權(quán)限比如get,list,delete,watch等。我們使用cluster-admin這個clusterrole來給予上面創(chuàng)建的service account資源權(quán)限五垮,特別說明cluster-admin這個clusterrole的權(quán)限比較大乍惊,具有操作集群中任何資源的權(quán)限,所以謹(jǐn)慎使用放仗。
kubectl create clusterrolebinding <cluster_role_binding_name> --clusterrole=cluster-admin --serviceaccount=<namespace-name>:<service_account_name>
比如:
kubectl create clusterrolebinding initdb --clusterrole=cluster-admin --serviceaccount=kube-system:initdb
3润绎、上面創(chuàng)建資源已經(jīng)就緒,接下來就是在pod中使用創(chuàng)建的service account诞挨,在模版中指定serviceAccountName
字段的值莉撇,此處我創(chuàng)建的是helm chart中的一個post-install-hook資源:
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-post-install-job
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Release.Name }}
labels:
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}
version: {{ .Chart.Version }}
spec:
serviceAccountName: initdb
restartPolicy: Never
containers:
- name: post-install-job
image: tkestack/kubectl:1.22.7
command: ["/bin/bash", "/opt/init.sh"]
volumeMounts:
- mountPath: "/opt/init.sh"
name: config-db
subPath: init.sh
volumes:
- name: config-db
configMap:
name: config-db