23. Kubernetes (k8s) notes: Authentication, Authorization and Admission Control (3) - RBAC access control

RBAC access control: User Accounts


Preface:
The previous parts introduced and created ServiceAccount and User Account authentication, but the final test showed that the User Account had no access permissions at all. This part introduces RBAC authorization and uses it to grant permissions to ServiceAccount and User Account identities.

What is RBAC?

RBAC is Role-Based Access Control. In RBAC, permissions are attached to roles, and users obtain those permissions by becoming members of the appropriate roles. This greatly simplifies permission management: the layers depend on each other, permissions are granted to roles and roles are granted to users, which keeps the permission design clear and easy to administer.

Roles
  Role: a role, namespace-scoped; grants access to resources in one specific namespace
  ClusterRole: a cluster role, cluster-scoped; grants access across all namespaces, and to cluster-scoped resources such as nodes

Role bindings
  RoleBinding: binds a role to a subject; the subject only receives the permissions of that Role inside the binding's namespace, and the effective scope is limited to that namespace;
  ClusterRoleBinding: binds a cluster role to a subject, letting the subject act as the specified ClusterRole; the subject receives cluster-level permissions with cluster-wide scope;
  
Subjects
  User: a user
  Group: a user group
  ServiceAccount: a service account

Binding relationships
Subject --> RoleBinding --> Role #the subject gets the Role's permissions within the namespace
Subject --> ClusterRoleBinding --> ClusterRole #the subject gets the ClusterRole's permissions cluster-wide
Subject --> RoleBinding --> ClusterRole #permission downgrade: the subject gets the ClusterRole's permissions only within the RoleBinding's namespace

  • Parameters in rules:
    1. apiGroups: list of API groups the rule covers, e.g. "" for the core group, "apps", "batch" (the group part of apiVersion: batch/v1, without the version)
    2. resources: list of resource objects the rule covers, e.g. pods, deployments, jobs
    3. resourceNames: restrict the rule to resources with these specific names
    4. verbs: list of operations permitted on the resource objects, e.g. get, list, watch, create, update, delete
  • RBAC uses the rbac.authorization.k8s.io API group to make authorization decisions, which lets administrators configure policy dynamically through the Kubernetes API. To enable RBAC, add the --authorization-mode=RBAC parameter to the apiserver. Clusters installed with kubeadm have RBAC enabled by default, which can be confirmed in the apiserver's static Pod manifest on the master node:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
 ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC   #RBAC (role-based access control) is enabled by default
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...
  • View the Role objects in the kube-system namespace
[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z

[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:   #the role's rules in detail
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps
  verbs:   #operations the role may perform
  - get
  • Role binding (RoleBinding)
[root@k8s-master ~]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
   roleRef  <Object> -required-
     RoleRef can reference a Role in the current namespace or a ClusterRole in
     the global namespace. If the RoleRef cannot be resolved, the Authorizer
     must return an error.

   subjects <[]Object>
     Subjects holds references to the objects the role applies to.

Example 1: create a Role and a RoleBinding, scoped to a namespace
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]  #an empty string means the core API group
  resources: ["pods","services","pods/log"]  #resources the rule covers
  verbs: ["get","list","watch"]  #permitted operations

[root@k8s-master authfiles]# cat tom-pods-reader.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom   #the user being bound
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader  #the Role created above
  apiGroup: rbac.authorization.k8s.io
  
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml 
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml 

[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m
  • Verify the permissions as user tom: pods and services
[root@k8s-master authfiles]# kubectl config get-contexts   --kubeconfig=/tmp/mykubeconfig  #show the current user and context
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom 

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d
  • Verify deployment and node permissions: nothing was granted, so access fails
[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get nodes  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
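To make the decisions seen in Example 1 reproducible without a cluster, here is a small Python model of RBAC evaluation, added as an example; it is not code from the original notes or from Kubernetes itself. It encodes the three binding relationships described above (RoleBinding to Role, ClusterRoleBinding to ClusterRole, and the downgraded RoleBinding to ClusterRole) and reproduces the session's results: tom can list pods in default but not deployments (wrong API group) or nodes (cluster scope). The pods-reader Role, its RoleBinding and the built-in cluster-admin binding mirror this post; the "admin" ClusterRole and the longhorn-system RoleBinding are constructed simplifications (the real admin role is aggregated and far larger), and the function names are this example's own.

```python
"""Minimal model of Kubernetes RBAC authorization (added example, not the post's code).
Objects are dicts shaped like the YAML in the notes; the "admin" ClusterRole is a
constructed, simplified stand-in for the real aggregated one."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str                    # "pods", "pods/log", "nodes", ...
    api_group: str = ""              # "" is the core API group
    namespace: Optional[str] = None  # None = cluster-scoped request (nodes, pv)
    name: Optional[str] = None       # set when one named object is addressed
    groups: Tuple[str, ...] = ()


def _match(values, wanted):
    """A rule list matches when it names the value or uses the "*" wildcard."""
    return "*" in values or wanted in values


def rule_allows(rule, req):
    """apiGroup, resource and verb must all match; a resourceNames restriction
    additionally requires the request to address one of those names."""
    if not (_match(rule.get("apiGroups", []), req.api_group)
            and _match(rule.get("resources", []), req.resource)
            and _match(rule.get("verbs", []), req.verb)):
        return False
    names = rule.get("resourceNames")
    return not names or req.name in names


def _subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # SA tokens authenticate as system:serviceaccount:<ns>:<name>
        return req.user == "system:serviceaccount:%s:%s" % (subject["namespace"], name)
    return False


def authorize(req, roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Deny by default; allow if any binding naming the subject refers to a matching rule."""
    # Subject --> ClusterRoleBinding --> ClusterRole: every namespace and cluster scope.
    for crb in cluster_role_bindings:
        if any(_subject_matches(s, req) for s in crb["subjects"]):
            role = cluster_roles.get(crb["roleRef"]["name"])
            if role and any(rule_allows(r, req) for r in role["rules"]):
                return True
    if req.namespace is None:  # no RoleBinding can ever satisfy a cluster-scoped request
        return False
    for rb in role_bindings:
        if rb["metadata"]["namespace"] != req.namespace:
            continue
        if not any(_subject_matches(s, req) for s in rb["subjects"]):
            continue
        ref = rb["roleRef"]
        if ref["kind"] == "Role":  # Subject --> RoleBinding --> Role
            role = roles.get((req.namespace, ref["name"]))
        else:                      # Subject --> RoleBinding --> ClusterRole: rules apply, scope stays the namespace
            role = cluster_roles.get(ref["name"])
        if role and any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False


# Constructed objects. The Role, its RoleBinding and the cluster-admin binding mirror the post;
# "admin" is simplified to a few namespaced resources (never nodes or persistentvolumes).
ROLES = {("default", "pods-reader"): {"rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "pods/log"], "verbs": ["get", "list", "watch"]}]}}
CLUSTER_ROLES = {
    "admin": {"rules": [{"apiGroups": ["", "apps"], "verbs": ["*"],
                         "resources": ["pods", "services", "configmaps", "deployments"]}]},
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}
ROLE_BINDINGS = [
    {"metadata": {"name": "tom-pods-reader", "namespace": "default"},   # Example 1
     "subjects": [{"kind": "User", "name": "tom"}], "roleRef": {"kind": "Role", "name": "pods-reader"}},
    {"metadata": {"name": "tom-admin", "namespace": "longhorn-system"}, # Example 4 (downgrade)
     "subjects": [{"kind": "User", "name": "tom"}], "roleRef": {"kind": "ClusterRole", "name": "admin"}},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},                             # built-in, bound to a group
     "subjects": [{"kind": "Group", "name": "system:masters"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]


def can(user, verb, resource, api_group="", namespace=None, groups=()):
    """Evaluate one request against the constructed objects above."""
    req = Request(user, verb, resource, api_group, namespace, None, tuple(groups))
    return authorize(req, ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)


if __name__ == "__main__":
    print(can("tom", "list", "pods", namespace="default"))                 # True
    print(can("tom", "list", "deployments", "apps", namespace="default"))  # False: apps group not in the Role
    print(can("tom", "list", "nodes"))                                     # False: cluster scope
    print(can("tom", "list", "pods", namespace="longhorn-system"))         # True: admin via RoleBinding
    print(can("tom", "list", "pods", namespace="kube-system"))             # False: scope limited to longhorn-system
    print(can("alice", "delete", "nodes", groups=["system:masters"]))      # True: group holds cluster-admin
```

The model keeps the two properties that the later examples rely on: a RoleBinding is checked only for requests in its own namespace, so it can never grant a cluster-scoped resource regardless of which ClusterRole it references, and a ClusterRoleBinding is checked first because it applies everywhere. On a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as=tom -n <namespace>`.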
Built-in administrator roles
  • Namespace administrator: admin

  • ClusterRole admin: namespace-scoped resources; all operations on the resources in every namespace (when bound with a ClusterRoleBinding), but not on cluster-scoped resources

  • Cluster administrator: cluster-admin

  • ClusterRole cluster-admin: cluster-level; all operations on every resource in the cluster

  • The RoleBinding created earlier only grants permissions in the default namespace

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
  • ClusterRole admin: permissions on the resources of all namespaces
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
  • Delete the existing binding and rebind to ClusterRole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m

[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted

[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted

[root@k8s-master authfiles]# kubectl get pod  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
Example 2: bind to admin and verify permissions; the scope is namespaced resources
[root@k8s-master authfiles]# kubectl create --help  
...
Available Commands:
  clusterrole         Create a ClusterRole.
  clusterrolebinding  Create a ClusterRoleBinding for a particular ClusterRole
  configmap           Create a configmap from a local file, directory or literal value
  cronjob             Create a cronjob with the specified name.
  deployment          Create a deployment with the specified name.
  job                 Create a job with the specified name.
  namespace           Create a namespace with the specified name
  poddisruptionbudget Create a pod disruption budget with the specified name.
  priorityclass       Create a priorityclass with the specified name.
  quota               Create a quota with the specified name.
  role                Create a role with single rule.
  rolebinding         Create a RoleBinding for a particular Role or ClusterRole
  secret              Create a secret using specified subcommand
  service             Create a service using specified subcommand.
  serviceaccount      Create a service account with the specified name
  • Permissions can be granted separately with --user, --group and --serviceaccount
[root@k8s-master authfiles]# kubectl create clusterrolebinding  --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:  
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
  • Create the binding and verify the permissions
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom  --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
......

[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h

[root@k8s-master authfiles]# kubectl get deployment   --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h

  • Nodes are cluster-scoped resources: no permission
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
Example 3: bind to cluster-admin and verify permissions; the scope includes cluster-level resources
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted

[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom  --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                   21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                   21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9
  • Note that cluster-admin is granted through the system:masters group: if a user certificate is created with the subject /CN=XX/O=system:masters, that user holds superuser permissions regardless of any other binding
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters   #granted by group: every member of system:masters has superuser permissions
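As an added example (not from the original notes), the following Python helper checks the system:masters caveat from the defender's side: it parses a certificate subject the way the apiserver maps it (CN becomes the username, each O becomes a group), lists every subject that holds ClusterRole cluster-admin together with its scope, and reports whether a given subject line would make the resulting certificate a cluster-wide superuser before the CSR is signed. The binding objects are constructed from the bindings seen in this post plus a hypothetical RoleBinding in a "ci" namespace; the function names are this example's own.

```python
"""Audit helper for the system:masters caveat (added example, not the post's code).
The apiserver takes a client certificate's CN as the username and each O as a
group; the built-in ClusterRoleBinding "cluster-admin" binds the group
system:masters, so any certificate with O=system:masters is a superuser."""

SUPERUSER_ROLE = "cluster-admin"


def identity_from_subject(subject):
    """Map an openssl-style subject such as '/CN=tom/O=system:masters' to (user, groups)."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        if "=" not in part:
            raise ValueError("malformed subject component: %r" % part)
        key, value = part.split("=", 1)
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject has no CN, so the apiserver would have no username")
    return user, groups


def cluster_admin_holders(cluster_role_bindings, role_bindings):
    """List (kind, name, scope) for every subject bound to ClusterRole cluster-admin.
    A RoleBinding that references cluster-admin only grants it inside its own
    namespace (the downgrade case), so its scope is that namespace, not "cluster"."""
    holders = []
    for crb in cluster_role_bindings:
        if crb["roleRef"]["name"] == SUPERUSER_ROLE:
            holders += [(s["kind"], s["name"], "cluster") for s in crb["subjects"]]
    for rb in role_bindings:
        ref = rb["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] == SUPERUSER_ROLE:
            holders += [(s["kind"], s["name"], rb["metadata"]["namespace"]) for s in rb["subjects"]]
    return holders


def subject_grants_cluster_admin(subject, cluster_role_bindings, role_bindings):
    """True if a certificate with this subject would be a cluster-wide superuser once signed,
    either through a User binding on its CN or a Group binding on one of its O values."""
    user, groups = identity_from_subject(subject)
    for kind, name, scope in cluster_admin_holders(cluster_role_bindings, role_bindings):
        if scope != "cluster":
            continue
        if (kind == "User" and name == user) or (kind == "Group" and name in groups):
            return True
    return False


# Constructed bindings: the built-in cluster-admin binding and the tom-cluste-admin
# binding from Example 3, plus a hypothetical RoleBinding in a "ci" namespace.
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "tom-cluste-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "tom"}]},
    {"metadata": {"name": "tom-admin"},      # admin, not cluster-admin: must not be reported
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "tom"}]},
]
ROLE_BINDINGS = [
    {"metadata": {"name": "ci-deployer", "namespace": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for holder in cluster_admin_holders(CLUSTER_ROLE_BINDINGS, ROLE_BINDINGS):
        print("cluster-admin held by %s %s (scope: %s)" % holder)
    for subj in ("/CN=bob/O=system:masters", "/CN=bob/O=dev", "/CN=tom/O=dev"):
        print(subj, "->", subject_grants_cluster_admin(subj, CLUSTER_ROLE_BINDINGS, ROLE_BINDINGS))
```

On a live cluster the same inventory comes from `kubectl get clusterrolebindings,rolebindings -A -o json`, which can be fed into cluster_admin_holders after extracting the items; the important point this reproduces is that a certificate's O values are invisible in any RBAC object, so membership in system:masters only shows up when you inspect the certificates you have signed.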
Example 4: RoleBinding to admin and verify permissions (permission downgrade)
  • As mentioned earlier
    User --> RoleBinding --> ClusterRole: permission downgrade;
    the user receives only the subset of the ClusterRole's permissions that applies inside the RoleBinding's namespace;

  • Delete the previous binding

[root@k8s-master authfiles]# kubectl delete  clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
  • Create a RoleBinding to the cluster role: permission downgrade, only the specified namespace is granted
[root@k8s-master authfiles]# kubectl create  rolebinding tom-admin --user=tom  -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
  • Test the permissions: the scope is only the longhorn-system namespace
[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph                 1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49                 1/1     Running   9          19d
...