2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Very little material on the Internet covers how to authorize a User or a Group when binding a role. Everyone knows that a role binding can carry subjects of kind: User or kind: Group, but Kubernetes provides no API for creating User or Group resources, so how are these two subject kinds actually used? The following example illustrates it.
Prerequisite: kube-apiserver must run on its secure port, using mutual TLS client-certificate authentication in which client certificates are signed by the cluster's CA root certificate.
1. Create the Role first
The content of role-demo.yaml is as follows:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
```
2. Bind the Role to the subject that should receive its permissions
Edit rolebinding-demo.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: kubelet-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: app1
```
This grants the group app1 permission to view only the pods in the default namespace. The subject kind can also be User.
3. Create users and groups
Users and groups can now be created; the CA signing is done with openssl.
3.1 Create user jbeda, belonging to both groups app1 and app2
```sh
openssl genrsa -out jbeda.key 2048
openssl req -new -key jbeda.key -out jbeda.csr -subj "/CN=jbeda/O=app1/O=app2"
openssl x509 -req -in jbeda.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out jbeda.crt -days 365
```
Copy jbeda.key and jbeda.crt to the /etc/kubernetes/ssl/ directory.
- /CN=jbeda/O=app1/O=app2 creates the user jbeda and makes that user a member of the groups app1 and app2 (the API server takes the user name from CN and one group from each O).
- ca.crt and ca.key are the root certificate and key created for kube-apiserver; they are used to sign every client certificate. Creating them is not repeated here.
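As an added illustration (this code is not from the article and is not Kubernetes' own implementation), the Python below models the two mechanisms the article relies on: the client-certificate authenticator's mapping of CN to the user name and of each O to a group, and the RBAC evaluation of a Role plus RoleBinding. The Role and RoleBinding are the article's own objects written as Python dicts; the evaluator is a simplified reimplementation that handles only namespaced Roles and RoleBindings (no ClusterRole, no resourceNames), and it assumes the RoleBinding lives in the default namespace, which the article's YAML leaves implicit.

```python
"""Model of certificate subject -> RBAC subject -> authorization decision.

Added example, not the article's code. Assumptions: only namespaced Role and
RoleBinding objects are modelled; the RoleBinding is placed in namespace
default; the real authenticator's extra group system:authenticated is omitted.
"""

# Role "pods-reader" in namespace default, mirroring the article's YAML.
ROLE_PODS_READER = {
    "kind": "Role",
    "metadata": {"name": "pods-reader", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBinding "kubelet-read-pods" granting the Role to group app1.
# Assumption: namespace default (the article omits it; kubectl would use the current one).
ROLEBINDING_APP1 = {
    "kind": "RoleBinding",
    "metadata": {"name": "kubelet-read-pods", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pods-reader"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "app1"}],
}


def subject_from_cert_subject(subject):
    """Map an X.509 subject such as '/CN=jbeda/O=app1/O=app2' to (user, groups):
    CN becomes the user name, every O value becomes one group."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("certificate subject has no CN, so no user name can be derived")
    return user, groups


def _binding_matches(binding, user, groups):
    """True if any subject of the binding names this user or one of its groups."""
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == user:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


def _rule_allows(rule, api_group, resource, verb):
    """A rule allows a request only if apiGroup, resource and verb are each listed
    (or covered by the '*' wildcard). RBAC rules are purely additive."""
    def covered(wanted, listed):
        return "*" in listed or wanted in listed
    return (covered(api_group, rule["apiGroups"])
            and covered(resource, rule["resources"])
            and covered(verb, rule["verbs"]))


def is_allowed(user, groups, verb, resource, namespace, api_group="",
               roles=(ROLE_PODS_READER,), bindings=(ROLEBINDING_APP1,)):
    """Decide a namespaced request the way RBAC does: find RoleBindings in the
    request namespace whose subjects include the caller, resolve each to its
    Role in that namespace, and allow if any rule covers verb/resource.
    There is no deny rule, so the default answer is False."""
    roles_by_ns_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not _binding_matches(b, user, groups):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this model
        role = roles_by_ns_name.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(_rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


def check_cert_subject(cert_subject, verb, resource, namespace):
    """Go from the certificate subject string straight to the decision."""
    user, groups = subject_from_cert_subject(cert_subject)
    return is_allowed(user, groups, verb, resource, namespace)


if __name__ == "__main__":
    for req in [("list", "pods", "default"), ("list", "pods", "kube-system"), ("delete", "pods", "default")]:
        print(req, check_cert_subject("/CN=jbeda/O=app1/O=app2", *req))
```

The decisions this returns (jbeda may list pods in default, may not list them in kube-system, and may not delete them anywhere) are the same answers `kubectl auth can-i` gives against a cluster configured as in the article, which makes the model a convenient way to reason about a binding before applying it.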
3.2 Test permissions
Configure the client that calls the API with the new user's credentials. kubectl is used here, so edit ~/.kube/config:
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://10.8.8.27:6443
    certificate-authority: /etc/kubernetes/ssl/ca.crt
  name: local
users:
- name: jbeda
  user:
    client-certificate: /etc/kubernetes/ssl/jbeda.crt
    client-key: /etc/kubernetes/ssl/jbeda.key
contexts:
- context:
    cluster: local
    user: jbeda
  name: local
current-context: local
```
View the pods, then view the config that kubectl is currently using.
You can see that only pod information in the default namespace can be viewed.
RBAC can also be used with service account authentication; there is plenty of material on the Internet about that, so it is not covered here.