2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
To enable RBAC, start kube-apiserver with the --authorization-mode flag including RBAC (usually together with the Node authorizer, i.e. --authorization-mode=Node,RBAC). On clusters installed by kubeadm version 1.6 or later, RBAC is enabled by default. If the flag is absent altogether, kube-apiserver falls back to its built-in default of AlwaysAllow, which authorizes every authenticated request.
Check whether it is on by reading the apiserver's static pod manifest:
$ cat /etc/kubernetes/manifests/kube-apiserver.yaml
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.1.243
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
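The manual check above is easy to get wrong on a cluster with many control-plane nodes, so here is a small script, added as an example (it is not code from the original article or from Kubernetes), that scans a kube-apiserver static pod manifest for the --authorization-mode flag and reports the two findings that matter: RBAC missing from the chain, or AlwaysAllow present in it. It treats the manifest as plain text so it needs no YAML library; the sample manifest is constructed for illustration, with the same flags as the one shown above.

```python
"""Check which authorizers a kube-apiserver static pod manifest enables.

Added example: this is not code from the original article or from Kubernetes.
It scans the manifest as plain text (no YAML library needed) for the
--authorization-mode flag and reports the weak settings a reviewer looks for.
The sample manifest below is constructed for illustration.
"""
import re
from typing import List

# Constructed, trimmed sample of /etc/kubernetes/manifests/kube-apiserver.yaml.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.1.243
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
"""

FLAG = "--authorization-mode"
# kube-apiserver's built-in default when the flag is absent.
DEFAULT_MODES = ["AlwaysAllow"]


def _list_items(manifest: str) -> List[str]:
    """Return the text of every '- item' line (the command arguments live there)."""
    return [m.group(1).strip() for m in re.finditer(r"^\s*-\s+(.+?)\s*$", manifest, re.M)]


def authorization_modes(manifest: str) -> List[str]:
    """Authorizer chain kube-apiserver was started with, in flag order."""
    items = _list_items(manifest)
    for i, item in enumerate(items):
        if item.startswith(FLAG + "="):          # --authorization-mode=Node,RBAC
            return [m for m in item.split("=", 1)[1].split(",") if m]
        if item == FLAG and i + 1 < len(items):  # --authorization-mode / Node,RBAC
            return [m for m in items[i + 1].split(",") if m]
    return list(DEFAULT_MODES)


def rbac_findings(manifest: str) -> List[str]:
    """Human-readable problems with the authorizer chain; empty means OK."""
    modes = authorization_modes(manifest)
    findings = []
    if "RBAC" not in modes:
        findings.append("RBAC authorizer is not enabled")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow is enabled: every authenticated request is authorized")
    return findings


if __name__ == "__main__":
    print("modes:", authorization_modes(SAMPLE_MANIFEST))
    print("findings:", rbac_findings(SAMPLE_MANIFEST) or "none")
```

Run it against the real file with, for example, rbac_findings(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read()); an empty list means the chain contains RBAC and does not contain AlwaysAllow.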
A very basic feature of Kubernetes is that all of its resource objects support CRUD operations (Create, Read, Update, Delete, i.e. the add, delete, change and query operations we usually talk about). RBAC decides who may perform which of these operations on which resources; in RBAC rules the operations are spelled out as verbs such as get, list, watch, create, update, patch and delete.
The resource objects involved in RBAC are:
1. Rule: a rule is a set of operations (verbs) permitted on a set of resources belonging to particular API groups.
2. Role and ClusterRole: both contain the Rules above. The difference is scope: the rules in a Role apply only to a single namespace (the Role is itself a namespaced object), while a ClusterRole is cluster-scoped, so its rules are not constrained by a namespace and can also cover cluster-scoped resources such as nodes or namespaces themselves.
3. Subject: the identity that attempts the operation. Three kinds of subject exist:
User Account: managed by an external, independent service (client certificates, static tokens, OIDC and so on). There is no corresponding resource object inside the cluster, so users cannot be created or managed through the cluster API; a user is simply the name (plus groups) that the authenticator reports to the API server.
Group: associates multiple accounts. Some groups are assigned automatically, for example system:authenticated for every authenticated identity and system:masters, the group to which the default cluster-admin ClusterRoleBinding grants the cluster-admin ClusterRole (cluster-admin itself is a ClusterRole, not a group).
Service Account: an account managed through the Kubernetes API and associated with a namespace. It is intended for applications running inside the cluster, which authenticate to the API with the service account's token; in authorization decisions a service account appears as the user system:serviceaccount:<namespace>:<name>.
4. RoleBinding and ClusterRoleBinding
Simply put, a binding ties the declared Subject to a Role (it grants the role's permissions to that user, group or service account). The difference between the two is again scope: a RoleBinding only affects operations on resources in the binding's own namespace, while a ClusterRoleBinding affects all namespaces. Note that a RoleBinding may reference either a Role in the same namespace or a ClusterRole; in the latter case the ClusterRole's rules are granted only inside the binding's namespace, which is the usual way to reuse one role definition across several namespaces.
Create a User Account that can only access the kube-system namespace
1. Create a private key
$ openssl genrsa -out dongyali.key 2048
2. Create a certificate signing request
In the subject, CN is the user name Kubernetes will see and O is the group the user belongs to: the API server's client-certificate authenticator maps CN to the user name and each O to a group.
$ openssl req -new -key dongyali.key -out dongyali.csr -subj "/CN=dongyali/O=booster"
3. Sign the request to produce the final certificate, valid for 1000 days
Signing requires the cluster CA's ca.crt and ca.key. On a cluster installed by kubeadm they are in the /etc/kubernetes/pki/ directory. Be aware that Kubernetes does not check certificate revocation lists, so a certificate issued this way cannot be revoked; the user can only be disabled by removing its bindings or waiting for expiry, which is a reason to choose a much shorter validity than 1000 days in practice.
$ openssl x509 -req -in dongyali.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dongyali.crt -days 1000
$ ls
dongyali.crt  dongyali.csr  dongyali.key
4. Add user dongyali to the kubeconfig using the certificate and private key just created
$ kubectl config set-credentials dongyali --client-certificate=dongyali.crt --client-key=dongyali.key
Without --embed-certs=true the kubeconfig only stores the file paths, so keep the files where they are or add that flag to embed them.
5. Create a context for the user, defaulting to the kube-system namespace
$ kubectl config set-context dongyali-context --cluster=kubernetes --namespace=kube-system --user=dongyali
The namespace in the context is only a kubectl default; the actual restriction comes from the Role and RoleBinding created next.
6. Create a role for user dongyali
Create a role that allows the user to manipulate Deployments, Pods and ReplicaSets in kube-system:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dongyali-role
  namespace: kube-system
rules:
- apiGroups: ["", "extensions", "apps"]   # "" is the core API group, where pods live
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]   # ['*'] would also work
7. Create a role binding between user dongyali and the role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dongyali-rolebinding
  namespace: kube-system
subjects:
- kind: User
  name: dongyali
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dongyali-role
  apiGroup: rbac.authorization.k8s.io
The API server fills in rbac.authorization.k8s.io when apiGroup is left empty for a User subject or for roleRef, but writing it explicitly is clearer and matches the other bindings in this article.
8. Testing
$ kubectl get pods --context=dongyali-context
$ kubectl --context=dongyali-context get pods --namespace=default
Error from server (Forbidden): pods is forbidden: User "dongyali" cannot list pods in the namespace "default"
Create a ServiceAccount that can only access a single namespace
1. Create the ServiceAccount object
$ kubectl create sa dongyali-sa -n kube-system
2. Create a Role (read-only on pods, full control over deployments)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dongyali-sa-role
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
3. Create the RoleBinding object
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dongyali-sa-rolebinding
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: dongyali-sa
  namespace: kube-system
roleRef:
  kind: Role
  name: dongyali-sa-role
  apiGroup: rbac.authorization.k8s.io
A ServiceAccount subject needs its namespace because the identity it matches is the user system:serviceaccount:kube-system:dongyali-sa, which is what any pod running with serviceAccountName: dongyali-sa presents to the API server.
Create a ServiceAccount that can access all namespaces
This needs the two cluster-scoped objects, ClusterRole and ClusterRoleBinding.
1. Create a new ServiceAccount object
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dongyali-sa2
  namespace: kube-system
2. Create a ClusterRoleBinding object
Reuse the built-in cluster-admin ClusterRole instead of creating a new one. Use the v1 API: rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22 and is rejected by newer clusters.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dongyali-sa2-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: dongyali-sa2
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Be clear about what this grants: every pod that runs as dongyali-sa2, and anyone who can obtain its token (for example by reading secrets in kube-system or exec-ing into such a pod), has unrestricted control of the whole cluster. Prefer a purpose-built ClusterRole that lists only the verbs and resources the workload actually needs, and bind cluster-admin to a service account only when nothing narrower will do.
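To make the scoping rules from the overview concrete, and to check what the three sets of objects in this article (the dongyali Role and RoleBinding, the dongyali-sa Role and RoleBinding, and the cluster-admin ClusterRoleBinding for dongyali-sa2) actually grant, here is a small model of the RBAC decision written as an added example; it is not code from the original article or from Kubernetes. The manifests are transcribed as Python dicts with the same structure as the YAML, and the functions apply the matching rules described earlier: a binding must name the subject, a RoleBinding only counts inside its own namespace, a RoleBinding can only reference a Role in that namespace, and some rule of the referenced role must cover the verb, API group and resource. It reproduces the outcome of the test step above (allowed in kube-system, Forbidden in default) without a cluster; on a real cluster the equivalent check is kubectl auth can-i list pods --as=dongyali --as-group=booster -n kube-system.

```python
"""Minimal model of the Kubernetes RBAC decision for namespaced requests.

Added example, not code from the original article or from Kubernetes itself.
It encodes the Role/RoleBinding, Role/RoleBinding-for-a-ServiceAccount and
cluster-admin ClusterRoleBinding objects created in this article as Python
dicts (the same structure as the YAML) and applies the RBAC matching rules:
a binding must match the subject, a RoleBinding only counts in its own
namespace, and some rule of the referenced role must cover the verb, API
group and resource. Not modelled: resourceNames, nonResourceURLs,
subresources, aggregated ClusterRoles and the Node authorizer.
"""
from typing import Dict, List, Optional, Tuple

RULE_ALL = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
RW = ["get", "list", "watch", "create", "update", "patch", "delete"]

ROLES = [
    {"kind": "Role", "metadata": {"name": "dongyali-role", "namespace": "kube-system"},
     "rules": [{"apiGroups": ["", "extensions", "apps"],
                "resources": ["deployments", "replicasets", "pods"], "verbs": RW}]},
    {"kind": "Role", "metadata": {"name": "dongyali-sa-role", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": RW}]},
    # The built-in cluster-admin ClusterRole: every verb on everything.
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"}, "rules": [RULE_ALL]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "dongyali-rolebinding", "namespace": "kube-system"},
     "subjects": [{"kind": "User", "name": "dongyali"}],
     "roleRef": {"kind": "Role", "name": "dongyali-role"}},
    {"kind": "RoleBinding", "metadata": {"name": "dongyali-sa-rolebinding", "namespace": "kube-system"},
     "subjects": [{"kind": "ServiceAccount", "name": "dongyali-sa", "namespace": "kube-system"}],
     "roleRef": {"kind": "Role", "name": "dongyali-sa-role"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dongyali-sa2-clusterrolebinding"},
     "subjects": [{"kind": "ServiceAccount", "name": "dongyali-sa2", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]


def service_account_identity(namespace: str, name: str) -> Tuple[str, List[str]]:
    """User name and groups the API server derives from a ServiceAccount token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    return user, ["system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"]


def _subject_matches(subject: Dict, user: str, groups: List[str]) -> bool:
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":   # compared by its derived user name
        return service_account_identity(subject["namespace"], subject["name"])[0] == user
    return False


def _rule_allows(rule: Dict, verb: str, api_group: str, resource: str) -> bool:
    def covers(wanted: str, allowed: List[str]) -> bool:
        return "*" in allowed or wanted in allowed
    return covers(verb, rule["verbs"]) and covers(api_group, rule["apiGroups"]) \
        and covers(resource, rule["resources"])


def _referenced_role(binding: Dict) -> Optional[Dict]:
    ref, ns = binding["roleRef"], binding["metadata"].get("namespace")
    for role in ROLES:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        if role["kind"] == "Role" and role["metadata"]["namespace"] != ns:
            continue   # a RoleBinding can only point at a Role in its own namespace
        return role
    return None


def can(user: str, groups: List[str], verb: str, resource: str,
        namespace: str, api_group: str = "") -> bool:
    """True if some binding grants the verb on the resource in the namespace."""
    for binding in BINDINGS:
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue   # RoleBinding grants never leak into other namespaces
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        role = _referenced_role(binding)
        if role and any(_rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False   # no rule matched: the API server answers Forbidden


if __name__ == "__main__":
    sa, sa_groups = service_account_identity("kube-system", "dongyali-sa")
    print("dongyali list pods in kube-system:", can("dongyali", ["booster"], "list", "pods", "kube-system"))
    print("dongyali list pods in default:    ", can("dongyali", ["booster"], "list", "pods", "default"))
    print("dongyali-sa delete pods:          ", can(sa, sa_groups, "delete", "pods", "kube-system"))
```

The api_group argument is the group of the resource being requested: "" for core resources such as pods and secrets, "apps" for deployments. That is why dongyali-sa can delete deployments but not pods, even though both verbs appear in its Role: the delete verb is only in the rule for the apps group.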