一. Kubernetes的安全框架
? 訪問K8S集群的資源(API訪問)需要過三關:認證、鑒權彰触、準入控制
? 普通用戶若要安全訪問集群API Server,往往需要證書、Token
或者用戶名+密碼;Pod訪問荞雏,需要ServiceAccount
? K8S安全控制框架主要由下面3個階段進行控制,每一個階段都
支持插件方式,通過API Server配置來啟用插件凤优。
- Authentication
- Authorization
-
Admission Control
image.png
二. 傳輸安全過三關
傳輸安全過三關:認證悦陋,授權,準入控制
傳輸安全: 告別8080筑辨,迎接6443
1. 認證
三種客戶端身份認證:
? HTTPS 證書認證: 基于CA證書簽名的數(shù)字證書認證
? HTTP Token認證: 通過一個Token來識別用戶
? HTTP Base認證: 用戶名+密碼的方式認證
2. 授權
RBAC(Role-Based Access Control俺驶,基于角色的訪問控制):負責完成授權(Authorization)工作。
3. 準入控制
Adminssion Control實際上是一個準入控制器插件列表棍辕,發(fā)送到API Server的請求都需要經過這個列表中的每個準入控制器 插件的檢查暮现,檢查不通過,則拒絕請求楚昭。
1.11版本以上推薦使用的插件:
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds, ResourceQuota
三. RBAC核心概念
RBAC(Role-Based Access Control栖袋,基于角色的訪問控制),允許通過Kubernetes API動態(tài)配置策略抚太。
1. 角色(Role)
角色(Role):
(1). Role:授權特定命名空間的訪問權限
(2). ClusterRole:授權所有命名空間的訪問權限
2. 主體(subject)
主體(subject):
(1). User:用戶
(2). Group:用戶組
(3). ServiceAccount:服務賬號
3. 角色綁定(RoleBinding)
角色綁定(RoleBinding):
(1). RoleBinding:將角色綁定到主體(即subject)
(2). ClusterRoleBinding:將集群角色綁定到主體
四. RBAC授權普通用戶
RBAC授權普通用戶對命名空間訪問權限控制
需求:liuzhousheng用戶訪問進來塘幅,對ctnrs命名空間只有讀取pod的權限:
1. 創(chuàng)建ctnrs命名空間
# kubectl create ns ctnrs
# kubectl run nginx --image=nginx --replicas=3 -n ctnrs
2. 創(chuàng)建角色
創(chuàng)建只有讀取pod權限的角色pod-reader-role
# cat rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ctnrs
name: pod-reader-role
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
# kubectl create -f rbac-role.yaml
# kubectl get role -n ctnrs
NAME AGE
pod-reader-role 53s
3. 用戶主體角色綁定
創(chuàng)建rolebinding,主體角色綁定尿贫,這里的subjects主體對象是user, 名為liuzhousheng, 將其綁定到pod-reader-role角色晌块。
# cat rbac-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods-rolebinding
namespace: ctnrs
subjects:
- kind: User
name: liuzhousheng # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader-role # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
# kubectl create -f rbac-rolebinding.yaml
# kubectl get role,rolebinding -n ctnrs
NAME AGE
role.rbac.authorization.k8s.io/pod-reader-role 5m5s
NAME AGE
rolebinding.rbac.authorization.k8s.io/read-pods-rolebinding 87s
4. 創(chuàng)建認證證書
通過kube-apiserver 讀取pod 信息,得使用kube-apiserver 部署時的根證書頒發(fā)證書
# mkdir liuzhousheng && cd liuzhousheng
# cp /usr/local/src/k8s/kube-apiserver/{ca.pem,ca-key.pem,ca-config.json} ./
# cat rbac-user.sh
#!/bin/bash
cat > liuzhousheng-csr.json <<EOF
{
"CN": "liuzhousheng",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
###簽發(fā)一個客戶端證書,注意要指定根證書
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes liuzhousheng-csr.json | cfssljson -bare liuzhousheng
#-----------------------------------
##生成配置文件帅霜,使用配置文件連接集群
#配置集群匆背,這里的ca.pem為集群ca證書
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://10.40.6.175:6443 \
--kubeconfig=liuzhousheng-kubeconfig
#客戶端證書配置
kubectl config set-credentials liuzhousheng \
--client-key=liuzhousheng-key.pem \
--client-certificate=liuzhousheng.pem \
--embed-certs=true \
--kubeconfig=liuzhousheng-kubeconfig
#配置上下文
kubectl config set-context default \
--cluster=kubernetes \
--user=liuzhousheng \
--kubeconfig=liuzhousheng-kubeconfig
kubectl config use-context default --kubeconfig=liuzhousheng-kubeconfig
# bash rbac-user.sh
生成liuzhousheng-kubeconfig配置文件,使用此配置連接集群讀取資源
# kubectl --kubeconfig=liuzhousheng-kubeconfig get pod -n ctnrs
NAME READY STATUS RESTARTS AGE
nginx-dbddb74b8-dfj29 1/1 Running 0 74m
nginx-dbddb74b8-jqc7r 1/1 Running 0 74m
nginx-dbddb74b8-zlkvj 1/1 Running 0 74m
沒權限讀取service
# kubectl --kubeconfig=liuzhousheng-kubeconfig get svc -n ctnrs
Error from server (Forbidden): services is forbidden: User "liuzhousheng" cannot list resource "services" in API group "" in the namespace "ctnrs"
五. RBAC授權ServiceAccount
RBAC授權ServiceAccount訪問命名空間權限身冀,之前有部署過kubernetes UI钝尸,訪問地址:https://NodeIP:30899,使用token登錄搂根,獲取之前對token 值珍促。
# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.0.0.198 <none> 443:30899/TCP 25d
# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-tbszw kubernetes.io/service-account-token 3 25d
# kubectl describe secret dashboard-admin-token-tbszw -n kube-system
1. 創(chuàng)建ServiceAccount
創(chuàng)建 pod-reader-sa ServiceAccount。
# cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: pod-reader-sa
namespace: ctnrs
# kubectl create -f sa.yaml
# kubectl get sa -n ctnrs
NAME SECRETS AGE
pod-reader-sa 1 40s
2. 創(chuàng)建角色
創(chuàng)建只有讀取ctnrs命名空間pod權限的角色 pod-reader-role剩愧。
# cat rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ctnrs
name: pod-reader-role
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
# kubectl create -f rbac-role.yaml
# kubectl get role -n ctnrs
NAME AGE
pod-reader-role 53s
3. ServiceAccount主體角色綁定
將pod-reader-sa ServiceAccount主體綁定到角色pod-reader-role猪叙。
# cat sa-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: sa-read-pods-rolebinding
namespace: ctnrs
subjects:
- kind: ServiceAccount
name: pod-reader-sa #serviceaccount name
roleRef:
kind: Role
name: pod-reader-role #授權角色名
apiGroup: rbac.authorization.k8s.io
# kubectl create -f sa-rolebinding.yaml
# kubectl get sa -n ctnrs
NAME SECRETS AGE
pod-reader-sa 1 7m16s
查看pod-reader-sa ServiceAccount 的token值,使用此token登錄k8s UI, 只能查看ctnrs命名空間的Pod仁卷。
kubectl describe secret pod-reader-sa -n ctnrs
