
Details of K8S Authentication, Authorization and admission Control (RBAC)

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report


The Kubernetes environment used in this article: https://blog.51cto.com/billy98/2350660

RBAC official document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Preface

RBAC (role-based access control) is a flexible and widely used access control mechanism that grants permissions to "roles" (Role) rather than directly to users, as traditional access control does. Put simply, permissions are bound to a Role, and users are then bound to the Role, so that a user holds exactly the permissions of the roles it is bound to.

In any system that offers resources or services to a limited set of users, authentication and authorization are two essential functions: authentication establishes who the caller is, authorization decides what that caller may do. Kubernetes implements both as plug-ins, with several plug-ins available for each. In addition, it supports admission control, which complements authorization with more fine-grained control over requests.

As the gateway of a Kubernetes cluster, the API Server is the only entry point for accessing and managing resource objects. Every component that needs to reach cluster resources, as well as the kubectl commands used so far, goes through this gateway.

RBAC uses the rbac.authorization.k8s.io API group to make authorization decisions, which lets administrators configure policy dynamically through the Kubernetes API. To enable RBAC, add the parameter --authorization-mode=RBAC to the apiserver (the flag takes a comma-separated list of authorizers, so RBAC is normally combined with others). In a cluster installed with kubeadm, RBAC is enabled by default; you can confirm this in the static Pod definition file of the apiserver on the Master node:

[root@node-01 ~]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
...
    - --authorization-mode=Node,RBAC
...

If the cluster was built from binaries, remember to restart the apiserver service after adding this parameter.

RBAC API resource objects
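The check above is easy to script so it can run as part of a control-plane review. The following is an added example, not code from the original article or from the Kubernetes project: it reads a kube-apiserver static Pod manifest, extracts the authorizer chain from --authorization-mode, and reports the two findings a reviewer cares about most (RBAC missing, or AlwaysAllow present). It assumes the kubeadm-style layout in which every apiserver flag is its own "- --flag=value" item under "command:"; a cluster that uses --authorization-config instead is not handled. The three sample manifests are constructed for this example.

```python
"""Check a kube-apiserver static Pod manifest for the --authorization-mode flag.

Added example, not code from the original article. It assumes the kubeadm-style
manifest layout in which every apiserver flag is its own "- --flag=value" item
under "command:". The sample manifests below are constructed for this example.
"""
import re
import sys
from typing import List

FLAG_RE = re.compile(r"^\s*-\s*--authorization-mode=(\S+)\s*$")

# kube-apiserver falls back to this when the flag is omitted entirely.
DEFAULT_MODES = ["AlwaysAllow"]

# Constructed sample: the shape kubeadm writes (RBAC enabled, preceded by Node).
KUBEADM_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.0.10
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
    image: registry.k8s.io/kube-apiserver:v1.28.0
    name: kube-apiserver
"""

# Constructed sample: a manually built cluster whose operator chose AlwaysAllow.
ALWAYS_ALLOW_MANIFEST = KUBEADM_MANIFEST.replace(
    "--authorization-mode=Node,RBAC", "--authorization-mode=AlwaysAllow")

# Constructed sample: the flag was never set, so the built-in default applies.
NO_FLAG_MANIFEST = KUBEADM_MANIFEST.replace(
    "    - --authorization-mode=Node,RBAC\n", "")


def authorization_modes(manifest_text: str) -> List[str]:
    """Return the authorizer chain, in the order the apiserver evaluates it."""
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            return [mode for mode in m.group(1).split(",") if mode]
    return list(DEFAULT_MODES)


def rbac_enabled(manifest_text: str) -> bool:
    return "RBAC" in authorization_modes(manifest_text)


def audit(manifest_text: str) -> List[str]:
    """Findings a reviewer would raise about the configured authorizer chain."""
    modes = authorization_modes(manifest_text)
    findings = []
    if "RBAC" not in modes:
        findings.append("RBAC is not in --authorization-mode; "
                        "Role/RoleBinding objects have no effect")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow is in the chain; any request that earlier "
                        "authorizers do not explicitly deny is allowed")
    return findings


if __name__ == "__main__":
    # On a real control-plane node run:
    #   python3 this_script.py /etc/kubernetes/manifests/kube-apiserver.yaml
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = KUBEADM_MANIFEST
    print("authorization chain:", authorization_modes(text))
    for finding in audit(text) or ["no findings"]:
        print(" -", finding)
```

Run it against the real manifest path on a control-plane node; without an argument it evaluates the constructed kubeadm sample and reports no findings.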

A fundamental property of Kubernetes is that all of its resource objects are modeled as API objects, which can be created, deleted, modified, queried and so on. Examples of such resources:

Pods
ConfigMaps
Deployments
Nodes
Secrets
Namespaces

The possible operations of these resource objects above are:

create
get
delete
list
update
edit
watch
exec

User accounts and user groups

Kubernetes does not store the user and group information that the authentication plug-in extracts from a client request; it exists only for that request and is used solely to check whether the caller is permitted to perform the requested operation.

There are usually three ways for clients to access API services: kubectl, client libraries, or requests directly using the REST interface.

Kubernetes divides the subjects that can make such requests into two categories: real "people" and the processes running in Pods. Their identities correspond to user accounts (User Account) and service accounts (Service Account), respectively.

User Account (user account): generally refers to accounts managed by a service outside Kubernetes, such as keys distributed by administrators, a user store like Keystone, or even a file listing user names and passwords. Kubernetes has no object that represents such user accounts, so they cannot be added to the cluster directly.

Service Account (service account): an account managed through the Kubernetes API, which provides an identity for the processes in a Pod when they access the Kubernetes API. A Service Account is bound to a specific namespace and is created either automatically by the API Server or on demand through API calls; the credentials it uses to reach the API Server are stored as a Secret. (Since Kubernetes 1.24 such a Secret token is no longer generated automatically for every Service Account; Pods instead receive a short-lived token through the TokenRequest API, projected into the container.)

Kubernetes has the following built-in groups for special purposes.

system:unauthenticated: the group of requests that no authentication plug-in could verify, that is, the group an unauthenticated user belongs to.
system:authenticated: the group every user joins automatically after successful authentication; it is used to refer to all authenticated user accounts at once.
system:serviceaccounts: all Service Account objects in the cluster.
system:serviceaccounts:
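To make the pieces above concrete (Role bound to permissions, subjects bound to the Role, and the username and groups a Service Account carries), here is an added example that is not code from the original article and not the apiserver's own authorizer. It is a reduced model of RBAC decision making: the username form system:serviceaccount:<namespace>:<name>, the system:* groups and the additive allow-only semantics follow the Kubernetes RBAC documentation, while the namespaces, account names and the pod-reader role are constructed for the example.

```python
"""Simplified model of RBAC subjects, roles and role bindings.

Added example, not code from the original article and not the apiserver's own
authorizer. Identity formats and group names follow the RBAC documentation;
namespaces, account names and roles below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class UserInfo:
    """What the authentication plug-in hands to the authorizer. Kubernetes does
    not store this; it exists only for the lifetime of the request."""
    name: str
    groups: FrozenSet[str]


def service_account_identity(namespace: str, name: str) -> UserInfo:
    """Identity derived from a service account token."""
    return UserInfo(
        name=f"system:serviceaccount:{namespace}:{name}",
        groups=frozenset({
            "system:serviceaccounts",               # every service account
            f"system:serviceaccounts:{namespace}",  # service accounts of this namespace
            "system:authenticated",                 # every authenticated principal
        }),
    )


def user_identity(name: str, groups: Set[str] = frozenset()) -> UserInfo:
    """Regular user; successful authentication adds system:authenticated."""
    return UserInfo(name=name, groups=frozenset(groups) | {"system:authenticated"})


@dataclass
class Rule:
    api_groups: Set[str]   # "" is the core API group (pods, secrets, ...)
    resources: Set[str]
    verbs: Set[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass
class Role:
    namespace: str
    name: str
    rules: List[Rule]


@dataclass
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # only meaningful for ServiceAccount

    def matches(self, user: UserInfo) -> bool:
        if self.kind == "User":
            return user.name == self.name
        if self.kind == "Group":
            return self.name in user.groups
        if self.kind == "ServiceAccount":
            return user.name == f"system:serviceaccount:{self.namespace}:{self.name}"
        return False


@dataclass
class RoleBinding:
    namespace: str
    role: Role
    subjects: List[Subject]


def allowed(bindings: List[RoleBinding], user: UserInfo, namespace: str,
            api_group: str, resource: str, verb: str) -> bool:
    """RBAC is additive (no deny rules): allow if some binding in the request's
    namespace names the user, directly or via a group, and the bound role has a
    rule matching the verb and resource."""
    for binding in bindings:
        if binding.namespace != namespace:
            continue
        if not any(s.matches(user) for s in binding.subjects):
            continue
        if any(r.matches(api_group, resource, verb) for r in binding.role.rules):
            return True
    return False


# Constructed scenario: read-only access to pods in "dev", bound to one
# service account and one human user.
POD_READER = Role("dev", "pod-reader", [Rule({""}, {"pods"}, {"get", "list", "watch"})])
BINDINGS = [RoleBinding("dev", POD_READER, [Subject("ServiceAccount", "ci", namespace="dev"),
                                            Subject("User", "alice")])]

# Over-broad variant: binding the built-in group system:serviceaccounts hands the
# role to every service account in the cluster, not just those in "dev".
BROAD_BINDINGS = BINDINGS + [RoleBinding("dev", POD_READER,
                                         [Subject("Group", "system:serviceaccounts")])]

if __name__ == "__main__":
    ci, stranger = service_account_identity("dev", "ci"), service_account_identity("prod", "batch")
    print(ci.name, sorted(ci.groups))
    print("ci lists pods in dev:", allowed(BINDINGS, ci, "dev", "", "pods", "list"))
    print("ci deletes pods in dev:", allowed(BINDINGS, ci, "dev", "", "pods", "delete"))
    print("prod/batch in dev (narrow):", allowed(BINDINGS, stranger, "dev", "", "pods", "list"))
    print("prod/batch in dev (broad):", allowed(BROAD_BINDINGS, stranger, "dev", "", "pods", "list"))
```

The last two lines of the demo show why group subjects deserve review: the narrow binding keeps a service account from another namespace out, while binding system:serviceaccounts lets any Pod in the cluster read pods in dev. On a live cluster the same questions are answered by kubectl auth can-i with --as=system:serviceaccount:dev:ci.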
