
How to understand K8S Authentication and RBAC in Rancher

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how Kubernetes authentication and RBAC work in Rancher. To help with that, this article explains both in detail; anyone who needs it can follow along, and hopefully come away with something useful.

Rancher Kubernetes provides RBAC (role-based access control), which lets administrators configure policies that allow or deny users and service accounts access to Kubernetes API resources.

To make clear how RBAC actually works, this article explains how authentication against the Kubernetes API takes place and how the RBAC authorization module then acts on the authenticated user.

Using Kubernetes authentication in Rancher

Rancher uses the webhook token authentication strategy to authenticate a user's bearer token. First, after authenticating to Rancher, the user downloads the kube config file, which includes the bearer token, from the Kubernetes > CLI tab. kubectl then presents this token to the Kubernetes API, which authenticates the user through the webhook remote authentication service:

When a user attempts to authenticate to the Kubernetes API with a bearer token, the authentication webhook contacts the Rancher Kubernetes authentication service and sends it a token review object containing the token. The Rancher Kubernetes authentication service replies with a review status that states whether the user is authenticated.

The review status carries user information such as the name, uid, and groups. The authorization module in the Kubernetes API later uses this information to determine the user's access level.

The following is an example of an authentication request sent by Kubernetes to the Rancher Kubernetes authentication service.

Authentication request:

The Rancher Kubernetes authentication service determines whether the user is authenticated and sends a response back to Kubernetes.

Authentication response:

As you can see, because the environment owner sent this request, the user is placed in the system:masters group, which has access to all resources in the Kubernetes cluster:

The cluster-admin cluster role, bound to that group, allows access to all Kubernetes resources in all API groups:
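The exchange described above, reconstructed as an added example that is not part of the original article or of Rancher's code: the token table and its users are constructed placeholders, and the real Rancher authentication service is replaced by an in-process function so the round trip can be run offline.

```python
"""Simulated Kubernetes webhook token authentication exchange (added example)."""

# Constructed stand-in for Rancher's token store; tokens and users are placeholders.
TOKEN_STORE = {
    "tok-owner-placeholder": {
        "username": "alice", "uid": "1a2b3c",
        "groups": ["system:masters", "github_org:example-org"],
    },
    "tok-member-placeholder": {
        "username": "bob", "uid": "4d5e6f",
        "groups": ["github_org:example-org"],
    },
}


def build_token_review(token: str) -> dict:
    """The object kube-apiserver POSTs to the webhook for an incoming bearer token.
    Older Rancher/Kubernetes versions used authentication.k8s.io/v1beta1."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token},
    }


def authenticate(review: dict) -> dict:
    """Stand-in for the Rancher authentication service: look the token up and
    fill in .status. On failure only authenticated=false is returned, so no
    user information is disclosed for an unknown token."""
    token = review.get("spec", {}).get("token", "")
    user = TOKEN_STORE.get(token)
    status = {"authenticated": user is not None}
    if user is not None:
        status["user"] = dict(user)
    return {"apiVersion": review["apiVersion"], "kind": "TokenReview", "status": status}


def resolve_user(token: str):
    """Full round trip as the apiserver sees it: returns the (username, groups)
    that the RBAC module will authorize against, or None when the token is
    rejected. The user block is only honoured when authenticated is true."""
    status = authenticate(build_token_review(token))["status"]
    if not status.get("authenticated"):
        return None
    user = status["user"]
    return user["username"], user["groups"]
```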

RBAC authorization module

An API request carries the requester's user name, the requested operation (verb), and information about the object the operation affects. Once a request to the Kubernetes API has been authenticated, it must still be authorized.

The RBAC authorization module defines four top-level objects that control authorization decisions for authenticated users:

Role

Cluster role

Role binding

Cluster role binding

Both roles and cluster roles describe a set of permissions on Kubernetes API resources. The only difference between them is scope: a role is defined within a namespace, while a cluster role is defined at the cluster scope.

Role bindings and cluster role bindings assign a defined role to users, groups, or service accounts. Permissions can be granted within a namespace by a role binding, or across the whole cluster by a cluster role binding. The next section discusses concrete examples.

How to enable the Kubernetes RBAC feature in Rancher

To enable the RBAC feature when Kubernetes is installed through Rancher, edit the default environment template or create a new one. Under the Kubernetes environment options you can enable RBAC; if the Kubernetes infrastructure service is already running, click Update to apply the changed configuration options to Kubernetes.

RBAC example

As described in the previous section, these examples assume that you have enabled the RBAC feature for Kubernetes and that you have enabled GitHub authentication for Rancher.

As mentioned earlier, the owner of the Kubernetes environment can access the entire Kubernetes API because the cluster administrator role is assigned to the environment owner by default. Administrator users have no access to any API resources by default.

If you have added GitHub users and groups as members of the Kubernetes environment, they will receive the following message when they try to access the Kubernetes API:

To grant the GitHub organization access across all Kubernetes clusters, create the following cluster role:

This role grants the list and get verbs on the services resource. At this point the cluster role is not yet associated with any user or group, so the next step is to create a cluster role binding:

The cluster role binding names the "github_org:" group of the GitHub organization. Note that when a role binding is applied to a group, each authentication type has its own special Rancher syntax for the group name. For more details, refer to the Rancher documentation:

Once the cluster role binding exists, any user who belongs to this GitHub organization can list services:
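To make the authorization decision concrete for both the RBAC object model described above and this section's cluster role and cluster role binding, here is an added example that is not Kubernetes or Rancher code: a minimal authorizer that evaluates Roles, ClusterRoles and their bindings the way the RBAC module does (deny by default, RoleBindings confined to their namespace). The GitHub organization group name, the namespaced pod-reader role and the user names are constructed placeholders.

```python
"""Minimal RBAC decision logic mirroring Kubernetes Role/ClusterRole evaluation (added example)."""

# ClusterRoles: the article's services viewer, and the default cluster-admin.
CLUSTER_ROLES = {
    "service-viewer": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# Namespaced Roles, keyed by (namespace, name); constructed for illustration.
ROLES = {("dev", "pod-reader"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
# Bindings. namespace None = ClusterRoleBinding; otherwise a RoleBinding that
# grants its role only inside that namespace. Group name is a placeholder.
BINDINGS = [
    {"namespace": None, "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [("Group", "system:masters")]},
    {"namespace": None, "roleRef": ("ClusterRole", "service-viewer"),
     "subjects": [("Group", "github_org:example-org")]},
    {"namespace": "dev", "roleRef": ("Role", "pod-reader"),
     "subjects": [("User", "bob")]},
]


def _rule_matches(rule, verb, api_group, resource):
    """A rule matches when each field lists the value or the wildcard '*'."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def _subject_matches(subjects, username, groups):
    return any((kind == "User" and name == username)
               or (kind == "Group" and name in groups) for kind, name in subjects)


def is_allowed(username, groups, verb, resource, namespace=None, api_group=""):
    """Deny by default: allow only if a binding for this subject references a role
    with a matching rule in the request's scope (namespace=None is cluster scope)."""
    for binding in BINDINGS:
        if not _subject_matches(binding["subjects"], username, groups):
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue  # a RoleBinding never grants outside its own namespace
        kind, name = binding["roleRef"]
        if kind == "ClusterRole":
            rules = CLUSTER_ROLES.get(name, [])
        else:
            rules = ROLES.get((binding["namespace"], name), [])
        if any(_rule_matches(r, verb, api_group, resource) for r in rules):
            return True
    return False
```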
