docker中k8s认证及serviceaccount、RBAC的示例分析

这篇文章给大家分享的是有关docker中k8s认证及serviceaccount、RBAC的示例分析的内容。小编觉得挺实用的，因此分享给大家做个参考，一起跟随小编过来看看吧。

目前RBAC是k8s授权方式最常用的一种方式。

在k8s上，一个客户端向apiserver发起请求，需要如下信息：

1）username，uid，2) group,3) extra(额外信息)4) API5) request path,例如：http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/d6）HTTP request action，如get,post,put,delete,7）Http request action，如 get,list,create,udate,patch,watch,proxy,redirect,delete,deletecollection8） Rresource9）Subresource10）Namespace11）API group

K8s可以支持多版本并存。

其实，我们用kubectl向apiserver发起的命令，都是http方式的。

k8s验证分为useraccount和serviceaccount。

可以用代理：

[root@master ~]# kubectl proxy --port=8080[root@master ~]# curl [root@master ~]# kubectl get deploy -n kube-systemNAME      DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGEcoredns   2         2         2            2           20d[root@master ~]# curl http://127.0.0.1:8080/apis/apps/v1/namespaces/kube-system/deployments

[root@master ~]# kubectl get svcNAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGEkubernetes   ClusterIP   10.96.0.1               443/TCP             20d

[root@master ~]# kubectl describe svc kubernetesName:              kubernetesNamespace:         defaultLabels:            component=apiserver                   provider=kubernetesAnnotations:       Selector:          Type:              ClusterIPIP:                10.96.0.1Port:              https  443/TCPTargetPort:        6443/TCPEndpoints:         172.16.1.100:6443Session Affinity:  NoneEvents:            

上面我们看到10.96.0.1是kubernetes apiserver的地址，从而实现了集群外部通过10.96.0.1访问集群内部的pod，同时也实现了集群内部的pod访问集群外部的应用的功能。

只要访问apiserver，就必须实现认证。而认证信息是存储在pod中的。

[root@master ~]# kubectl explain pods.spec.serviceAccountName

[root@master manifests]# kubectl create  serviceaccount  mysa -o yaml --dry-run > mysa.yaml

[root@master manifests]# cat mysa.yaml apiVersion: v1kind: ServiceAccountmetadata:  creationTimestamp: null  name: mysa

上面我们可以看到，只要是kubectl create的，只要加上-o yaml，就可以导出清单文件，这样我们以后就不用从头到尾写清单文件了，而是只要生产一个，然后改改就行了，这个很不错。

另外kubectl get 也可以导出yaml格式的，如下：

[root@master manifests]# kubectl get pods myapp-1 -o yaml --exportapiVersion: v1kind: Podmetadata:  creationTimestamp: null  generateName: myapp-  labels:    app: myapp-pod    controller-revision-hash: myapp-8598dd746f    statefulset.kubernetes.io/pod-name: myapp-1  ownerReferences:  - apiVersion: apps/v1    blockOwnerDeletion: true    controller: true    kind: StatefulSet    name: myapp    uid: a98ebc48-c24f-11e8-bb35-005056a24ecb  selfLink: /api/v1/namespaces/default/pods/myapp-1spec:  containers:  - image: ikubernetes/myapp:v1    imagePullPolicy: IfNotPresent    name: myapp    ports:    - containerPort: 80      name: web      protocol: TCP    resources: {}    terminationMessagePath: /dev/termination-log    terminationMessagePolicy: File    volumeMounts:    - mountPath: /usr/share/nginx/html      name: myappdata    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount      name: default-token-5r85r      readOnly: true  dnsPolicy: ClusterFirst  hostname: myapp-1  nodeName: node2  priority: 0  restartPolicy: Always  schedulerName: default-scheduler  securityContext: {}  serviceAccount: default  serviceAccountName: default  subdomain: myapp-svc  terminationGracePeriodSeconds: 30  tolerations:  - effect: NoExecute    key: node.kubernetes.io/not-ready    operator: Exists    tolerationSeconds: 300  - effect: NoExecute    key: node.kubernetes.io/unreachable    operator: Exists    tolerationSeconds: 300  volumes:  - name: myappdata    persistentVolumeClaim:      claimName: myappdata-myapp-1  - name: default-token-5r85r    secret:      defaultMode: 420      secretName: default-token-5r85rstatus:  phase: Pending  qosClass: BestEffort

将上面的改改就成为我们新的配置清单了。

创建service account

[root@master manifests]# kubectl create serviceaccount adminserviceaccount/admin created

[root@master manifests]# kubectl get saNAME      SECRETS   AGEadmin     1         2sdefault   1         20d

[root@master manifests]# kubectl describe sa adminName:                adminNamespace:           defaultLabels:              Annotations:         Image pull secrets:  Mountable secrets:   admin-token-6jpc5Tokens:              admin-token-6jpc5Events:              

[root@master manifests]# kubectl get secretNAME                    TYPE                                  DATA      AGEadmin-token-6jpc5       kubernetes.io/service-account-token   3         57s

看到自动就会多一个token。

下面我们用配置清单把serviceaccount和pod绑定起来。

[root@master manifests]# cat  pod-sa-demo.yaml apiVersion: v1kind: Podmetadata:  name: pod-sa-demo  namespace: default  labels:    app: myapp    tier: frontend  annotations:    zhixin.com/created-by: "cluster admin"spec:  containers:  - name: myapp    image: ikubernetes/myapp:v1    ports:    - name: http      containerPort: 80  serviceAccountName: admin #这表示我们这个pod使用自定义的验证信息admin

[root@master manifests]# kubectl apply -f pod-sa-demo.yaml pod/pod-sa-demo created

创建useraccount

kubeconfig是客户端连接apiserver时使用的认证格式的配置文件。

[root@master manifests]# kubectl config view apiVersion: v1clusters:- cluster:    certificate-authority-data: REDACTED    server: https://172.16.1.100:6443  name: kubernetescontexts:- context: #context定义了哪个集群用哪个用户来访问。    cluster: kubernetes    user: kubernetes-admin  name: kubernetes-admin@kubernetescurrent-context: kubernetes-admin@kuberneteskind: Configpreferences: {}users:- name: kubernetes-admin  user:    client-certificate-data: REDACTED    client-key-data: REDACTED

证书存放位置：

[root@master manifests]# cd /etc/kubernetes/pki/[root@master pki]# lsapiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.keyapiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.keyapiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub

例子：

1、做一个私钥

[root@master pki]# cd /etc/kubernetes/pki[root@master pki]# (umask 077; openssl genrsa -out zhixin.key 2048)Generating RSA private key, 2048 bit long modulus...........+++...........+++e is 65537 (0x10001)

括号是子shell的意思。

2、基于私钥生成一个证书

CN就是用户的账户名字。

[root@master pki]# openssl req -new -key zhixin.key -out zhixin.csr -subj "/CN=zhixin"

-subj:替换或指定证书申请者的个人信息

3、签证书

[root@master pki]# openssl  x509 -req -in zhixin.csr -CA ca.crt  -CAkey ca.key  -CAcreateserial -out zhixin.crt -days 365Signature oksubject=/CN=zhixinGetting CA Private Key

-days：表示证书的过期时间

x509:生成x509格式证书

4、查看证书内容

[root@master pki]# openssl x509 -in zhixin.crt -text -nooutCertificate:    Data:        Version: 1 (0x0)        Serial Number:            ab:45:1b:b3:92:32:59:ae    Signature Algorithm: sha256WithRSAEncryption        Issuer: CN=kubernetes #证书签署人        Validity #有效期限            Not Before: Sep 28 08:01:20 2018 GMT            Not After : Sep 28 08:01:20 2019 GMT        Subject: CN=zhixin #一会用这个账户登录k8s        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                Public-Key: (2048 bit)                Modulus:                    00:bf:e5:b1:80:1a:a6:d1:24:ca:b8:75:a1:71:08:                    d2:ba:43:ee:53:a1:10:b5:7a:83:e7:8b:06:65:c7:                    8a:07:02:ca:cc:8f:5c:94:a9:7a:10:24:f6:41:a0:                    c6:fe:5f:21:59:21:e7:72:30:12:38:89:85:78:54:                    c1:15:c4:13:33:43:9c:94:c0:dc:99:e9:f0:44:7e:                    35:66:cd:e0:d9:0c:82:dc:b3:73:ee:ea:47:9e:5e:                    e5:bf:0b:45:fb:a3:cf:59:67:ae:13:31:9c:dc:b6:                    78:da:b2:7e:c0:7e:c2:30:c5:fd:ea:6f:94:fa:81:                    19:9f:71:9c:cf:60:07:5b:fa:0d:c0:6f:2c:b4:e0:                    42:d6:6d:d3:39:23:2b:f7:ad:cc:21:f8:df:89:ff:                    6e:45:59:1f:5d:db:aa:fa:07:ef:fc:b3:7e:3d:b1:                    dd:3e:be:5e:43:de:8f:e2:ea:aa:ec:6c:48:df:2f:                    2e:20:61:e3:5c:6a:37:3e:2b:32:e5:1a:ad:35:88:                    d6:d2:db:aa:26:5d:cb:67:0a:65:9e:d4:79:76:92:                    9a:41:fb:df:db:85:1a:ea:5e:ff:bb:7b:2f:01:10:                    9f:8e:9c:a1:fe:ae:ac:9d:43:02:40:01:f7:d6:da:                    bf:5a:99:ba:d0:bf:ea:53:1e:f5:51:06:9c:ac:6f:                    32:43                Exponent: 65537 (0x10001)    Signature Algorithm: sha256WithRSAEncryption         91:43:cd:36:ad:88:17:a1:81:9f:8f:ad:9b:c5:41:d7:de:aa:         6a:f0:3a:00:f2:d7:9b:0e:89:bc:51:73:cc:4f:10:85:13:70:         aa:d1:67:f8:f3:a1:6b:83:ff:99:76:7f:14:a5:b4:82:fb:1b:         fb:cf:d5:fc:b0:2f:ff:68:c4:b1:c0:ee:f9:6b:41:ea:0a:96:         2f:55:1d:d7:77:f8:70:a6:15:a4:b6:e7:6d:93:61:2e:ac:7a:         10:70:fa:f7:43:da:56:f2:d0:e9:6b:01:72:73:2d:65:ea:4d:         c4:3b:46:2d:1b:ad:f8:1f:eb:71:88:35:51:2a:dc:3a:36:fe:         63:bb:28:ee:d2:a0:d4:e0:14:95:10:96:20:2e:f3:75:12:eb:         05:8e:34:a1:dc:74:19:a5:76:0f:f2:bd:f3:56:aa:c9:40:51:         c7:bd:1f:1f:c1:ec:a5:98:c8:b8:1d:07:67:fa:1c:a0:a3:1f:         d3:ba:cb:09:52:9a:e7:59:39:ce:c8:ef:01:c2:4b:98:ff:05:         12:bf:69:36:0e:a6:a9:f6:40:34:28:36:0d:1b:76:31:b4:96:         6e:09:33:8e:d5:0a:96:77:dd:41:b3:29:db:d5:5e:fa:05:f7:         e7:90:5d:79:6d:a9:59:20:60:0f:fe:d5:b6:38:6c:1a:ee:51:         66:c3:9b:4b

5、把用户账户信息添加到k8s集群中

[root@master pki]# kubectl config set-credentials zhixin --client-certificate=zhixin.crt --client-key=zhixin.key --embed-certs=trueUser "zhixin" set.

embed-certs：表示把用户信息隐藏起来。

5、设置context上下文，指定zhixin用户访问k8s的哪个集群

[root@master pki]# kubectl config viewapiVersion: v1clusters:- cluster:    certificate-authority-data: REDACTED    server: https://172.16.1.100:6443  name: kubernetescontexts:- context:    cluster: kubernetes    user: kubernetes-admin  name: kubernetes-admin@kubernetescurrent-context: kubernetes-admin@kuberneteskind: Configpreferences: {}users:- name: kubernetes-admin  user:    client-certificate-data: REDACTED    client-key-data: REDACTED- name: zhixin  user:    client-certificate-data: REDACTED    client-key-data: REDACTED

[root@master pki]# kubectl config set-context zhixin@kubernetes --cluster=kubernetes --user=zhixinContext "zhixin@kubernetes" created.

[root@master pki]# kubectl config viewapiVersion: v1clusters:- cluster:    certificate-authority-data: REDACTED    server: https://172.16.1.100:6443  name: kubernetescontexts:- context:    cluster: kubernetes    user: kubernetes-admin  name: kubernetes-admin@kubernetes- context:    cluster: kubernetes    user: zhixin  name: zhixin@kubernetescurrent-context: kubernetes-admin@kuberneteskind: Configpreferences: {}users:- name: kubernetes-admin  user:    client-certificate-data: REDACTED    client-key-data: REDACTED- name: zhixin  user:    client-certificate-data: REDACTED    client-key-data: REDACTED

上面看到contexts里面有zhixin的名字了。

6、切换到zhixin用户登录k8s

[root@master pki]# kubectl config use-context zhixin@kubernetesSwitched to context "zhixin@kubernetes".

[root@master pki]# kubectl get podsNo resources found.Error from server (Forbidden): pods is forbidden: User "zhixin" cannot list pods in the namespace "default"

上面看到get pods时报错了，这是因为用户zhixin@kubernetes没有管理器权限。

7、切回k8s管理员

[root@master pki]# kubectl config use-context kubernetes-admin@kubernetesSwitched to context "kubernetes-admin@kubernetes".

8、设置新的k8s集群

[root@master ~]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://127.0.0.1:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=trueCluster "mycluster" set

.--kubeconfig：指定认证文件位置，不指定的话默认就在~/.kube/config

--embed-certs=true 表示证书信息被隐藏

大家看到，我们上面就创建了一个新的k8s集群叫mycluster。

[root@master ~]# kubectl config view --kubeconfig=/tmp/test.conf apiVersion: v1clusters:- cluster:    certificate-authority-data: REDACTED    server: https://127.0.0.1:6443  name: myclustercontexts: []current-context: ""kind: Configpreferences: {}users: []

RBAC（基于角色的访问控制）

rbac:role based ac，也就是我们把用户加入角色里面，这样用户就具有角色的权限了。

在k8s中，一切皆对象。

Object_URL: /apis///namespaces//[OJJECT_ID]

RBAC是通过rolebinding把user绑定到role上的。而role是基于namespace设定的，也就是这说这个user只能访问指定namespace下的pod资源。

而如果把user通过clusterrolebind绑定到clusterrole上后，那么这个user就突破了namespace的限制，而拥有了集群级别的权限，即这个用户可以访问这个集群下所有namespace下的pod了。

但是，我们也可以用rolebinding去把user绑定到clusterrole。在上图中，我们把user1通过rolebinding绑定到clusterrole上，但是我们知道rolebinding只限制在namespace中，所以user1也只限定在namespace中，而不是整个集群中。

[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods注意：想要授予所有权限可以用*来表示

[root@master ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  creationTimestamp: null  name: pods-readerrules:- apiGroups:  - ""  resources:  - pods  verbs:  - get  - list  - watch

[root@master ~]# kubectl get roleNAME          AGEpods-reader   7s

[root@master ~]# kubectl describe role pods-readerName:         pods-readerLabels:       Annotations:  PolicyRule:  Resources  Non-Resource URLs  Resource Names  Verbs  ---------  -----------------  --------------  -----  pods       []                 []              [get list watch]

[root@master ~]# kubectl create rolebinding zhixin-read-pods --role=pods-reader --user=zhixinrolebinding.rbac.authorization.k8s.io/zhixin-read-pods created

[root@master ~]# kubectl create rolebinding zhixin-read-pods --role=pods-reader --user=zhixin -o yaml --dry-runapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  creationTimestamp: null  name: zhixin-read-podsroleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: pods-readersubjects: #就是引用的用户- apiGroup: rbac.authorization.k8s.io  kind: User  name: zhixin

[root@master ~]# kubectl explain rolebinding

[root@master ~]# kubectl describe rolebinding zhixin-read-podsName:         zhixin-read-podsLabels:       Annotations:  Role:  Kind:  Role  Name:  pods-readerSubjects:  Kind  Name    Namespace  ----  ----    ---------  User  zhixin

[root@master ~]# kubectl config use-context zhixin@kubernetesSwitched to context "zhixin@kubernetes".

[root@master ~]# kubectl get podsNAME                             READY     STATUS             RESTARTS   AGEclient                           0/1       Error              0          18dfilebeat-ds-bn7wf                0/1       InvalidImageName   0          4dfilebeat-ds-vd287                0/1       InvalidImageName   0          3dliveness-httpget-pod             1/1       Running            7          11dmyapp-0                          1/1       Running            0          23h

上面我们看到先前我们建立的zhixin用户是没有get pods权限的，但是我这回把它加入了pods-reader role，也就拥有了pods-reader role的权限。

[root@master ~]# kubectl get pods -n kube-systemNo resources found.Error from server (Forbidden): pods is forbidden: User "zhixin" cannot list pods in the namespace "kube-system

但是，zhixin用户就没有访问kube-system权限，因为role就没有访问这个名称空间的权限，而只有访问default名称空间的权限。

rolebinding只对namespace有效。

我们再切换回到管理员。

[root@master ~]# kubectl config use-context kubernetes-admin@kubernetesSwitched to context "kubernetes-admin@kubernetes".

下面我们再定义一个clusterrole。

[root@master ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=podsclusterrole.rbac.authorization.k8s.io/cluster-reader created

[root@master ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-runapiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  creationTimestamp: null  name: cluster-readerrules:- apiGroups:  - ""  resources:  - pods  verbs:  - get  - list  - watch

[root@master ~]# kubectl explain clusterrole

[root@master ~]# kubectl get rolebindingNAME               AGEzhixin-read-pods   46m

[root@master ~]# kubectl delete rolebinding zhixin-read-podsrolebinding.rbac.authorization.k8s.io "zhixin-read-pods" deleted

下面我们测试把用户zhixin加入clusterrole里面：

[root@master ~]# kubectl create clusterrolebinding zhixin-read-all-pods --clusterrole=cluster-reader --user=zhixin clusterrolebinding.rbac.authorization.k8s.io/zhixin-read-all-pods created

[root@master ~]# kubectl get clusterrolebinding |grep readzhixin-read-all-pods                                   2m

[root@master ~]# kubectl describe clusterrolebinding zhixin-read-all-podsName:         zhixin-read-all-podsLabels:       Annotations:  Role:  Kind:  ClusterRole  Name:  cluster-readerSubjects:  Kind  Name    Namespace  ----  ----    ---------  User  zhixin

[root@master ~]# kubectl config use-context zhixin@kubernetesSwitched to context "zhixin@kubernetes".

[root@master ~]# kubectl get podsNAME                             READY     STATUS             RESTARTS   AGEclient                           0/1       Error              0          18dfilebeat-ds-bn7wf                0/1       InvalidImageName   0          4d

[root@master ~]# kubectl get pods -n kube-systemNAME                             READY     STATUS    RESTARTS   AGEcoredns-78fcdf6894-2l2cf         1/1       Running   17         21dcoredns-78fcdf6894-dkkfq         1/1       Running   16         21d

可见，我们把用户zhixin绑定到clusterrole后，这个 用户对所有的名称空间都有权限了。因为cluserrolebinding是针对集群的，而rolebinding是只针对namespace的。

下面我们再测试一个，把用户用rolebinding绑定到cluserrole里面，看是什么效果：

[root@master ~]# kubectl config use-context kubernetes-admin@kubernetesSwitched to context "kubernetes-admin@kubernetes".

[root@master ~]# kubectl  delete clusterrolebinding zhixin-read-all-podsclusterrolebinding.rbac.authorization.k8s.io "zhixin-read-all-pods" deleted

[root@master ~]# kubectl create rolebinding zhixin-read-pods --clusterrole=cluster-reader --user=zhixin rolebinding.rbac.authorization.k8s.io/zhixin-read-pods created

[root@master ~]# kubectl describe rolebinding zhixin-read-podsName:         zhixin-read-podsLabels:       Annotations:  Role:  Kind:  ClusterRole  Name:  cluster-readSubjects:  Kind  Name    Namespace  ----  ----    ---------  User  zhixin

[root@master ~]# kubectl config use-context zhixin@kubernetesSwitched to context "zhixin@kubernetes".

[root@master ~]# kubectl get podsNAME                             READY     STATUS             RESTARTS   AGEclient                           0/1       Error              0          18dfilebeat-ds-bn7wf                0/1       InvalidImageName   0          4dfilebeat-ds-vd287                0/1       InvalidImageName   0          3dliveness-httpget-pod             1/1       Running            7          11d

[root@master ~]# kubectl get pods -n kube-systemNo resources found.Error from server (Forbidden): pods is forbidden: User "zhixin" cannot list pods in the namespace "kube-system"

可以看出，clusterrole用rolebinding绑定后，会被降级到rolebinding所在的namespace里面。

[root@master ~]# kubectl get clusterrole admin -o yaml resources:  - pods  - pods/attach  - pods/exec  - pods/portforward  - pods/proxy  verbs:  - create  - delete  - deletecollection  - get  - list  - patch  - update  - watch

[root@master ~]# kubectl create rolebinding default-nameespace-admin --clusterrole=adin --user=zhixinrolebinding.rbac.authorization.k8s.io/default-nameespace-admin created

这样，我们就把zhixin设置为default名称空间的管理员，而不是其他名称空间的管理员。这就是用rolebinding绑定clusterrole的功能。

[root@master ~]# kubectl get clusterrolebinding cluster-admin -o yaml- apiGroup: rbac.authorization.k8s.io  kind: Group  name: system:masters

[root@master pki]# openssl x509 -in ./apiserver-kubelet-client.crt -text -noout        Subject: O=system:masters, CN=kube-apiserver-kubelet-client

看到system:masters组具有管理员权限

感谢各位的阅读！关于"docker中k8s认证及serviceaccount、RBAC的示例分析"这篇文章就分享到这里了，希望以上内容可以对大家有一定的帮助，让大家可以学到更多知识，如果觉得文章不错，可以把它分享出去让更多的人看到吧！