Last updated: this approach is not usable inside China (AWS China regions).
0x00 Goal
Yesterday's post, http://www.reibang.com/p/e9c769192746, was put together from my own Googling.
Today, following https://www.eksworkshop.com/beginner/091_iam-groups/intro/, let's walk through the official best practice.
- Goal of this post:
Give SREs a fast way to add and remove developer accounts, in the AWS China environment.
0x01 Create the IAM Role
export ACCOUNT_ID={12-digit-account-id}   # your 12-digit AWS China account ID
POLICY=$(echo -n '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws-cn:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':root"},"Action":"sts:AssumeRole","Condition":{}}]}')
aws iam create-role \
--role-name k8sDev \
--description "Kubernetes developer role (for AWS IAM Authenticator for Kubernetes)." \
--assume-role-policy-document "$POLICY" \
--output text \
--query 'Role.Arn'
# arn:aws-cn:iam::{12Number}:role/k8sDev
0x02 Create the IAM Group
aws iam create-group --group-name k8sDev
Attach a policy to this group that allows its members to assume the IAM Role:
DEV_GROUP_POLICY=$(echo -n '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeOrganizationAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws-cn:iam::'; echo -n "$ACCOUNT_ID"; echo -n ':role/k8sDev"
    }
  ]
}')
echo DEV_GROUP_POLICY=$DEV_GROUP_POLICY
aws iam put-group-policy \
--group-name k8sDev \
--policy-name k8sDev-policy \
--policy-document "$DEV_GROUP_POLICY"
Add the following policy manually as well (eks:DescribeCluster is the call `aws eks update-kubeconfig` makes to fetch the cluster endpoint and CA):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "arn:aws-cn:eks:*:{12Number}:cluster/*"
    }
  ]
}
0x03 Create the IAM User
Create the developer user dev-mm, add it to the group, and generate an access key:
aws iam create-user --user-name dev-mm
aws iam add-user-to-group --group-name k8sDev --user-name dev-mm
aws iam create-access-key --user-name dev-mm | tee ./dev-mm.json
Key point: whenever SRE onboards a new user later, only the three commands above need to be run.
0x04 Configure the EKS Role and RoleBinding
We want to confine developers to the namespace sit, which can be done like this:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: sit
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods", "configmaps", "services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-role-binding
  namespace: sit
subjects:
  - kind: User
    name: dev-user
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io
0x05 Map the IAM Role to the EKS user
This step binds the IAM Role to the Kubernetes user, which links all the pieces together: IAM user -> group -> role -> aws-auth mapping -> RBAC Role.
eksctl create iamidentitymapping \
--cluster eksworkshop-eksctl \
--arn arn:aws-cn:iam::${ACCOUNT_ID}:role/k8sDev \
--username dev-user
Alternatively, edit the aws-auth ConfigMap in the cluster directly:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # add this entry to the existing mapRoles list; keep the node-group role entries already there
    - rolearn: arn:aws-cn:iam::{12Number}:role/k8sDev
      username: dev-user
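Added example, not from the original post or the eksworkshop: a small Python helper that generates the three artifacts above (role trust policy, group policy, aws-auth mapRoles entry) from one account ID and partition, and checks that no ARN slipped in with the wrong partition, which is the usual reason the chain silently fails in AWS China. The account ID is a constructed sample.

```python
import json
import re

# Constructed sample value; replace with your own 12-digit account ID.
ACCOUNT_ID = "123456789012"


def role_arn(account_id, role_name="k8sDev", partition="aws-cn"):
    """ARN of the role developers assume. The partition is the only thing
    that differs between the global (aws) and China (aws-cn) regions."""
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def trust_policy(account_id, partition="aws-cn"):
    """Trust policy for the k8sDev role (same content as the page's POLICY,
    built with json.dumps instead of echo -n concatenation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }


def group_policy(account_id, role_name="k8sDev", partition="aws-cn"):
    """Inline policy for the k8sDev group: members may only assume k8sDev."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeOrganizationAccountRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn(account_id, role_name, partition),
        }],
    }


def map_roles_entry(account_id, role_name="k8sDev", k8s_user="dev-user",
                    partition="aws-cn"):
    """aws-auth mapRoles entry linking the IAM role to the Kubernetes user."""
    return (f"- rolearn: {role_arn(account_id, role_name, partition)}\n"
            f"  username: {k8s_user}\n")


def partition_mismatches(*documents):
    """Return every ARN whose partition differs from the first ARN seen,
    e.g. an arn:aws:... copied from the global workshop into an aws-cn setup."""
    text = " ".join(json.dumps(d) if isinstance(d, dict) else d for d in documents)
    arns = re.findall(r"arn:[a-z-]+:[^\s\"']*", text)
    if not arns:
        return []
    expected = arns[0].split(":")[1]
    return [a for a in arns if a.split(":")[1] != expected]
```

Feed `partition_mismatches()` the trust policy, the group policy and the mapRoles text before applying them; an empty list means every ARN agrees on the partition.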
0x06 Verification
Skipped ...