认证授权
1.创建namespace
student@ubuntu:~/helm/linux-amd64$kubectl create namespace development
namespace/development created
2.查看kubectl配置
student@ubuntu:~/helm/linux-amd64$kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
3.创建新用户student
student@ubuntu:~/security$openssl genrsa -out student.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..............+++
e is 65537 (0x10001)
student@ubuntu:~/security$openssl req -new -key student.key -out student.csr -subj "/CN=student/O=school"
student@ubuntu:~/security$ll
total 16
drwxrwxr-x 2 student student 4096 Dec 11 11:35 ./
drwxr-xr-x 18 student student 4096 Dec 11 11:25 ../
-rw-rw-r-- 1 student student 911 Dec 11 11:35 student.csr
-rw-rw-r-- 1 student student 1679 Dec 11 11:34 student.key
student@ubuntu:~/security$sudo openssl x509 -req -in student.csr \
> -CA /etc/kubernetes/pki/ca.crt \
> -CAkey /etc/kubernetes/pki/ca.key \
> -CAcreateserial \
> -out student.crt -days 45
[sudo] password for student:
Signature ok
subject=/CN=student/O=school
Getting CA Private Key
student@ubuntu:~/security$ll
total 20
drwxrwxr-x 2 student student 4096 Dec 11 11:37 ./
drwxr-xr-x 18 student student 4096 Dec 11 11:25 ../
-rw-r--r-- 1 root root 997 Dec 11 11:37 student.crt
-rw-rw-r-- 1 student student 911 Dec 11 11:35 student.csr
-rw-rw-r-- 1 student student 1679 Dec 11 11:34 student.key
student@ubuntu:~/security$kubectl config set-credentials student --client-certificate=./student.crt --client-key=./student.key
User "student" set.
student@ubuntu:~/security$kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.30.81.194:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: student
user:
client-certificate: /home/student/security/student.crt
client-key: /home/student/security/student.key
student@ubuntu:~/security$kubectl config set-context student \
> --cluster=kubernetes \
> --namespace=development \
> --user=student
Context "student" created.
student@ubuntu:~/security$kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.30.81.194:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
namespace: development
user: student
name: student
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: student
user:
client-certificate: /home/student/security/student.crt
client-key: /home/student/security/student.key
student@ubuntu:~/security$kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
student kubernetes student development
4.测试student用户
student@ubuntu:~/security$kubectl --context=student get pods
Error from server (Forbidden): pods is forbidden: User "student" cannot list resource "pods" in API group "" in the namespace "development"
5.给student赋予rbac权限
student@ubuntu:~/security$cat role-student.yaml
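# role-student.yaml — namespaced Role for the "student" user; it is attached to
# the user by rolebind.yaml. Block structure is indented as the file must be on
# disk (metadata/rules keys nested), and rbac.authorization.k8s.io/v1 is used:
# v1beta1 was removed from the API server in Kubernetes 1.22.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: student
rules:
  # RBAC expands a rule as the cross product apiGroups x resources, so listing
  # "", extensions and apps in one rule also yields entries such as pods.apps
  # and pods.extensions that match no real resource (visible in
  # `kubectl describe role`). They are harmless, but a separate rule per API
  # group ("" for pods; apps/extensions for deployments and replicasets) keeps
  # the grant readable and exactly as narrow as intended.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]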
student@ubuntu:~/security$kubectl create -f role-student.yaml
role.rbac.authorization.k8s.io/student created
student@ubuntu:~/security$cat rolebind.yaml
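# rolebind.yaml — grants the Role "student" to the user "student" inside the
# development namespace only (a RoleBinding never reaches other namespaces).
# apiGroup is written explicitly (rbac.authorization.k8s.io for User subjects
# and for roleRef) instead of being left empty and filled in by API-server
# defaulting; apiVersion v1 replaces v1beta1, removed in Kubernetes 1.22.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: student-role-binding
  namespace: development
subjects:
  # The User name is matched against the CN of the client certificate created
  # earlier (/CN=student/O=school); the O field is reported as group "school".
  # kube-apiserver does not consult a CRL/OCSP for client certificates, so the
  # validity chosen at signing time (-days 45) is the only expiry; keep it short
  # and keep student.key readable by its owner only (mode 0600).
  - kind: User
    name: student
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: student
  apiGroup: rbac.authorization.k8s.io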
student@ubuntu:~/security$kubectl create -f rolebind.yaml
rolebinding.rbac.authorization.k8s.io/student-role-binding created
6.再次测试student
student@ubuntu:~/security$kubectl --context=student get pods
No resources found.
7.添加资源
student@ubuntu:~/security$kubectl --context=student get jobs
Error from server (Forbidden): jobs.batch is forbidden: User "student" cannot list resource "jobs" in API group "batch" in the namespace "development"
student@ubuntu:~/security$kubectl -n development describe role student
Name: student
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
deployments [] [] [list get watch create update patch delete]
pods [] [] [list get watch create update patch delete]
replicasets [] [] [list get watch create update patch delete]
deployments.apps [] [] [list get watch create update patch delete]
pods.apps [] [] [list get watch create update patch delete]
replicasets.apps [] [] [list get watch create update patch delete]
deployments.extensions [] [] [list get watch create update patch delete]
pods.extensions [] [] [list get watch create update patch delete]
replicasets.extensions [] [] [list get watch create update patch delete]
student@ubuntu:~/security$cat role-student.yaml
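# role-student.yaml (second revision) — widened so that "student" can also work
# with Jobs, which live in the batch API group ("get jobs" was refused with
# "jobs.batch is forbidden ... in API group \"batch\"").
# NOTE(review): apiGroups ["*"] / resources ["*"] grants these verbs on every
# namespaced resource in the namespace — secrets, serviceaccounts, roles and
# rolebindings included (`kubectl describe role` shows it as `*.*`). That is far
# more than the lab needs; the least-privilege change is one extra rule,
# `- apiGroups: ["batch"]` / `resources: ["jobs"]` with the same verbs, next to
# the existing pods/deployments/replicasets rule.
# The Role already exists, so re-apply the edited file with `kubectl apply -f`
# (or `kubectl replace -f`); `kubectl create -f` fails with AlreadyExists.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: student
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]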
student@ubuntu:~/security$kubectl -n development describe role student
Name: student
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [list get watch create update patch delete]
student@ubuntu:~/security$kubectl --context=student get pods
No resources found.