1、SA (ServiceAccount)

A service account exists so that processes inside a Pod can call the Kubernetes API or other external services.
  • It is designed for processes in a Pod that call the Kubernetes API;
  • It is scoped to the namespace it lives in;
  • Every namespace automatically gets a default service account;
  • The Token controller watches for service account creation and creates a secret for each one;
Once the ServiceAccount admission controller is enabled, every Pod gets spec.serviceAccount set to default on creation (unless another ServiceAccount was specified); the controller verifies that the service account the Pod references exists and rejects the Pod otherwise; if the Pod specifies no ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod; and after each container starts, the service account's token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/
Creating an SA
# vim 01_k8s_pod_test.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: superopsmsb-sa
---
apiVersion: v1
kind: Pod
metadata:
  name: my-nginx-1
spec:
  containers:
  - image: nginx:1.23.0
    name: my-nginx
  serviceAccountName: superopsmsb-sa
# kubectl apply -f 01_k8s_pod_test.yml
# kubectl get sa
# kubectl get pods -o wide
# kubectl describe pod my-nginx-1
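The four admission steps described above, written out as a small simulation. This is an added example, not code from the post or from Kubernetes: the manifests are plain dicts standing in for the YAML in 01_k8s_pod_test.yml, the registry of existing ServiceAccounts and the imagePullSecret name are constructed, and the projected volume is modelled after what current kubelets mount (on Kubernetes 1.24 and later the token is a short-lived projected token rather than a long-lived Secret; the mount path is unchanged). It also shows the one knob a defender wants here: a Pod that never calls the API should set automountServiceAccountToken: false so no credential is mounted at all.

```python
"""Simulation of the ServiceAccount admission controller steps described in the post
(added example, not code from the post or from Kubernetes).  Manifests are plain dicts
standing in for the YAML in 01_k8s_pod_test.yml; the SA registry and the
imagePullSecret name are constructed for illustration."""
import copy

TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed stand-in for the ServiceAccounts present in the "default" namespace:
# the automatically created "default" SA and the one created in the post.
SERVICE_ACCOUNTS = {
    ("default", "default"): {"imagePullSecrets": []},
    ("default", "superopsmsb-sa"): {"imagePullSecrets": [{"name": "registry-cred"}]},
}


class AdmissionError(Exception):
    """Raised when the Pod must be rejected."""


def admit_pod(pod, service_accounts=SERVICE_ACCOUNTS):
    """Apply the four steps the post lists and return the mutated Pod (input untouched)."""
    pod = copy.deepcopy(pod)
    ns = pod["metadata"].get("namespace", "default")
    spec = pod["spec"]

    # 1. no serviceAccountName given -> use "default"
    sa_name = spec.setdefault("serviceAccountName", "default")

    # 2. the referenced SA must exist in the Pod's namespace, otherwise reject
    sa = service_accounts.get((ns, sa_name))
    if sa is None:
        raise AdmissionError(f'serviceaccount "{sa_name}" not found in namespace "{ns}"')

    # 3. a Pod without its own imagePullSecrets inherits the SA's
    if not spec.get("imagePullSecrets"):
        spec["imagePullSecrets"] = copy.deepcopy(sa["imagePullSecrets"])

    # 4. project token + ca.crt into every container, unless automount is disabled on
    #    the Pod (the least-privilege setting for workloads that never call the API)
    if spec.get("automountServiceAccountToken", True):
        spec.setdefault("volumes", []).append(
            {"name": "kube-api-access", "projected": {"sources": [
                {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
                {"configMap": {"name": "kube-root-ca.crt",
                               "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
            ]}})
        for container in spec["containers"]:
            container.setdefault("volumeMounts", []).append(
                {"name": "kube-api-access", "mountPath": TOKEN_MOUNT_PATH, "readOnly": True})
    return pod


def mounted_token_paths(pod):
    """Mount paths of the SA token volume in each container, for inspection."""
    return [m["mountPath"] for c in pod["spec"]["containers"]
            for m in c.get("volumeMounts", []) if m["name"] == "kube-api-access"]


# The Pod from 01_k8s_pod_test.yml, as a dict
MY_NGINX_1 = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "my-nginx-1"},
    "spec": {"containers": [{"image": "nginx:1.23.0", "name": "my-nginx"}],
             "serviceAccountName": "superopsmsb-sa"},
}

if __name__ == "__main__":
    admitted = admit_pod(MY_NGINX_1)
    print(admitted["spec"]["serviceAccountName"], admitted["spec"]["imagePullSecrets"])
    print(mounted_token_paths(admitted))
```

Running it on MY_NGINX_1 yields the SA name from the manifest, the inherited imagePullSecrets, and one mount at /var/run/secrets/kubernetes.io/serviceaccount; a Pod referencing a nonexistent SA raises AdmissionError, which is the rejection the post describes.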

2、UA (UserAccount)

Creating a UA
# vim test-csr.json
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:test",
      "OU": "system"
    }
  ]
}
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test
# cp test*.pem /etc/kubernetes/ssl/
## Create the cluster entry
# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig
## Create the user
# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig
## Create a context that ties the user to the cluster
# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig
# kubectl config current-context --kubeconfig=test.kubeconfig
# kubectl config view --kubeconfig=test.kubeconfig
## Set the default context
# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig
# kubectl --kubeconfig=test.kubeconfig get pods
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl --kubeconfig=kube.config get pods
NAME                READY   STATUS    RESTARTS   AGE
my-nginx-1          1/1     Running   0          4h26m
pod-cm1             1/1     Running   3          4d22h
pod-harbor          1/1     Running   2          26h
pod-mysql-secret1   1/1     Running   5          4d21h
pod-mysql-secret2   1/1     Running   2          4d21h

3、The kubeconfig file

  • Create the user that logs into the k8s cluster, from the certificate and key
  • Create the address of the k8s cluster to log into
  • Associate the user with the target k8s cluster, forming a cluster entry point (a context)
  • Set the default cluster entry point
kubeconfig precedence
  • The file given with --kubeconfig
  • The KUBECONFIG environment variable
  • /root/.kube/config
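What sections 2 and 3 produce, as an added example that is not code from the post or from kubectl: the identity the API server derives from the cfssl certificate (CN becomes the username and each O becomes a group, which is why the later bindings use --user=test), the kubeconfig structure the four kubectl config commands assemble with --embed-certs=true, a check for dangling context references, and the precedence order listed above. Subject strings, the server address and the PEM bytes are constructed placeholders; nothing here contacts a cluster.

```python
"""Added example, not code from the post or from kubectl: identity from the client
certificate, the kubeconfig the `kubectl config` commands write, and kubectl's
lookup order for that file.  All inputs are constructed placeholders."""
import base64


def identity_from_subject(subject):
    """Identity the API server's client-certificate authenticator derives from a cert:
    CN is the username, every O value is a group.  Subject is given as comma-separated
    RDNs, e.g. 'CN=test,O=system:test,OU=system'."""
    user, groups = None, []
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups


def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context):
    """Structure that set-cluster / set-credentials / set-context / use-context write with
    --embed-certs=true: PEM bytes go into the file base64-encoded instead of by path."""
    def b64(data):
        return base64.b64encode(data).decode()
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(cert_pem), "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def kubeconfig_problems(cfg):
    """Dangling references kubectl would trip over: a context naming an unknown cluster
    or user, or a current-context that is not defined."""
    clusters = {c["name"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    problems, names = [], set()
    for ctx in cfg.get("contexts", []):
        names.add(ctx["name"])
        if ctx["context"]["cluster"] not in clusters:
            problems.append(f'context {ctx["name"]}: unknown cluster {ctx["context"]["cluster"]}')
        if ctx["context"]["user"] not in users:
            problems.append(f'context {ctx["name"]}: unknown user {ctx["context"]["user"]}')
    if cfg.get("current-context") and cfg["current-context"] not in names:
        problems.append(f'current-context {cfg["current-context"]} is not defined')
    return problems


def kubeconfig_search_order(cli_flag=None, kubeconfig_env=None, home="/root"):
    """Files kubectl consults, in the precedence the post lists: --kubeconfig, then
    KUBECONFIG (a colon-separated list on Linux; kubectl merges the files), then
    $HOME/.kube/config."""
    if cli_flag:
        return [cli_flag]
    if kubeconfig_env:
        return [p for p in kubeconfig_env.split(":") if p]
    return [f"{home}/.kube/config"]


if __name__ == "__main__":
    print(identity_from_subject("CN=test,O=system:test,OU=system"))
    cfg = build_kubeconfig("kubernetes", "https://192.168.16.250:16443", b"<ca.pem>",
                           "test", b"<test.pem>", b"<test-key.pem>", "kubernetes")
    print(cfg["current-context"], kubeconfig_problems(cfg))
    print(kubeconfig_search_order(None, "/root/test.kubeconfig:/root/kube.config"))
```

The group "system:test" from the O field is what a Group subject in a RoleBinding would match; the post binds the User "test" (the CN) instead, and both forms are valid subjects.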

4、Creating a Role

A Role defines a set of permissions on resource objects
# kubectl create role myrole --verb=get,list --resource=pods --dry-run=client -o yaml > 02_k8s_secure_role.yaml
# vim 02_k8s_secure_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
rules:
- apiGroups:
  - ""
  - "apps"
  resources:
  - pods
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - delete
# kubectl apply -f 02_k8s_secure_role.yaml
# kubectl get role
NAME     CREATED AT
myrole   2023-11-30T02:34:21Z
# kubectl describe role myrole
Name:         myrole
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  deployments       []                 []              [get list delete]
  pods              []                 []              [get list delete]
  replicasets       []                 []              [get list delete]
  deployments.apps  []                 []              [get list delete]
  pods.apps         []                 []              [get list delete]
  replicasets.apps  []                 []              [get list delete]


5、Creating a RoleBinding

# kubectl create rolebinding test-myrole --role=myrole --user=test --dry-run=client -o yaml > 03_k8s_test-myrole.yaml
# kubectl apply -f 03_k8s_test-myrole.yaml
# kubectl describe rolebinding test-myrole
Name:         test-myrole
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  myrole
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  test
# kubectl get pods --kubeconfig=test.kubeconfig
NAME         READY   STATUS    RESTARTS   AGE
my-nginx-1   1/1     Running   1          25h
pod-cm1      1/1     Running   5          5d20h
# kubectl get deployment --kubeconfig=test.kubeconfig
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
# kubectl get svc --kubeconfig=test.kubeconfig
Error from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"

6、Creating a ClusterRole and a ClusterRoleBinding

# kubectl create clusterrole myclusterrole --verb=get,list,delete --resource=pods --dry-run=client -o yaml > 04_k8s_secure-clsterrole.yaml
# kubectl apply -f 04_k8s_secure-clsterrole.yaml
# kubectl create clusterrolebinding test-myclusterrole --clusterrole=myclusterrole --user=test
# kubectl edit clusterrolebinding test-myclusterrole
[root@k8s-master01 tools]# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-system
Error from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
# kubectl get pods --kubeconfig=test.kubeconfig -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-7cc8dd57d9-hvkz5   1/1     Running   55         6d23h
calico-node-c4dxg                          1/1     Running   7          6d22h
calico-node-srqch                          1/1     Running   8          6d22h
calico-node-tcdmv                          0/1     Running   7          6d22h
calico-node-tvjzj                          1/1     Running   7          6d22h
coredns-675db8b7cc-5fbjk                   1/1     Running   7          6d22h
Mixing Role and ClusterRole: grant the permissions of a ClusterRole, but confine them to one namespace by binding it with a RoleBinding
# kubectl create rolebinding test-myclusterrole --clusterrole=myclusterrole --user=test
Source: https://www.cnblogs.com/zbc230/p/17864665.html
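A minimal model of the RBAC authorizer, added here as an example that is not code from the post or from Kubernetes, to reproduce the allow/deny decisions seen in sections 4, 5 and 6: a Role bound by a RoleBinding (pods and deployments in default allowed, anything in kube-system or services forbidden), a ClusterRole bound by a ClusterRoleBinding (pods now listable in kube-system, deployments still not), and the mixed pattern of a ClusterRole bound by a namespaced RoleBinding (cluster-wide rules, one namespace). The Role and ClusterRole are transcribed from the YAML and kubectl commands above; subjects are simplified to plain user names, with no groups or service accounts.

```python
"""Minimal model of Kubernetes RBAC authorization (added example, not code from the
post or from Kubernetes).  Roles and bindings are dicts mirroring the YAML fields
the post uses; subjects are plain user names."""

# Transcribed from the YAML and kubectl commands in the post.
ROLES = [
    {"name": "myrole", "namespace": "default", "rules": [
        {"apiGroups": ["", "apps"],
         "resources": ["pods", "deployments", "replicasets"],
         "verbs": ["get", "list", "delete"]}]},
]
CLUSTER_ROLES = [
    {"name": "myclusterrole", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]}]},
]
# Section 5: RoleBinding test-myrole -> Role myrole, namespace default
RB_TEST_MYROLE = {"namespace": "default", "users": ["test"], "role": "myrole"}
# Section 6: ClusterRoleBinding test-myclusterrole -> ClusterRole myclusterrole
CRB_TEST_MYCLUSTERROLE = {"users": ["test"], "clusterRole": "myclusterrole"}
# Section 6, last command: RoleBinding in default that references the ClusterRole
RB_TEST_MYCLUSTERROLE = {"namespace": "default", "users": ["test"], "clusterRole": "myclusterrole"}


def rule_matches(rule, verb, api_group, resource):
    """A rule grants the request only if verb, apiGroup and resource all match."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def is_allowed(user, verb, api_group, resource, namespace,
               role_bindings=(), cluster_role_bindings=(),
               roles=ROLES, cluster_roles=CLUSTER_ROLES):
    """Default deny: allowed only when a binding naming the user brings in a matching rule.
    - ClusterRoleBindings contribute their ClusterRole's rules in every namespace.
    - RoleBindings contribute rules only for requests in their own namespace; a
      referenced Role must live there, and a referenced ClusterRole's rules are
      confined to that namespace (the mixed pattern at the end of section 6)."""
    role_index = {(r["namespace"], r["name"]): r for r in roles}
    cr_index = {r["name"]: r for r in cluster_roles}
    rules = []
    for crb in cluster_role_bindings:
        if user in crb["users"] and crb["clusterRole"] in cr_index:
            rules += cr_index[crb["clusterRole"]]["rules"]
    for rb in role_bindings:
        if rb["namespace"] != namespace or user not in rb["users"]:
            continue
        if "role" in rb:
            ref = role_index.get((namespace, rb["role"]))
        else:
            ref = cr_index.get(rb["clusterRole"])
        if ref is not None:  # a binding to a missing role grants nothing
            rules += ref["rules"]
    return any(rule_matches(r, verb, api_group, resource) for r in rules)


def explain(user, verb, api_group, resource, namespace, **bindings):
    """Render one decision in the style of kubectl's messages."""
    ok = is_allowed(user, verb, api_group, resource, namespace, **bindings)
    what = f'{verb} {resource}{"." + api_group if api_group else ""} in "{namespace}"'
    return f"{'allowed' if ok else 'Forbidden'}: {user} {what}"


if __name__ == "__main__":
    print("-- RoleBinding to Role (section 5)")
    for args in (("list", "", "pods", "default"), ("list", "apps", "deployments", "kube-system"),
                 ("list", "", "services", "default")):
        print(explain("test", *args, role_bindings=[RB_TEST_MYROLE]))
    print("-- plus ClusterRoleBinding (section 6)")
    for args in (("list", "", "pods", "kube-system"), ("list", "apps", "deployments", "kube-system")):
        print(explain("test", *args, role_bindings=[RB_TEST_MYROLE],
                      cluster_role_bindings=[CRB_TEST_MYCLUSTERROLE]))
    print("-- RoleBinding to ClusterRole: cluster-wide rules, one namespace")
    for ns in ("default", "kube-system"):
        print(explain("test", "list", "", "pods", ns, role_bindings=[RB_TEST_MYCLUSTERROLE]))
```

The model also makes visible why describe role myrole lists pods.apps and replicasets.apps: a rule's apiGroups and resources are crossed, so listing "" and "apps" together grants every named resource in both groups, even combinations that do not exist. Keeping one apiGroup per rule avoids granting more than intended.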