0x02 RBAC Basics
Reference:
https://jimmysong.io/kubernetes-handbook/concepts/rbac.html
Reference:
https://www.qikqiak.com/post/use-rbac-in-k8s/
RBAC in K8s involves the following terms:
2.1 Entity
Defines the subject that performs operations on resources, e.g. User, Group, ServiceAccount.
2.2 Resource
Resource types in K8s, e.g. pod, service, secret, node.
2.3 Role & ClusterRole
Role: a role scoped to a specific namespace
ClusterRole: a role with cluster-wide scope
2.4 RoleBinding & ClusterRoleBinding
Associates a Role/ClusterRole with an Entity; this is what actually grants the authorization.
0x03 Binding
All of the following operations are performed as the existing cluster administrator.
Create the k8s user and bind the cluster user to the IAM account
# Edit the cluster user configuration in place
kubectl edit cm aws-auth -n kube-system
Add a mapUsers entry:
apiVersion: v1
data:
  mapUsers: |
    - userarn: arn:aws-cn:iam::{你的12位主账号}:user/eksadmin
      username: eksadmin
      groups:
        - system:masters
After saving and exiting, running kubectl get all
now reports insufficient permissions.
But that also shows the IAM account has been linked to the cluster account.
I originally assumed that adding the groups parameter would be enough for admin permissions, but in testing it was not, so continue with the steps below.
Key step
Bind cluster administrator permissions to the user
kubectl create clusterrolebinding eksadmin --clusterrole=cluster-admin --user=eksadmin
Run kubectl get all again
, and everything goes OK.
Task accomplished~.
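As an added example (not part of the original post), here is a small Python audit that takes a mapUsers block and the ClusterRoleBindings of a cluster and reports every mapped user who ends up with cluster-admin, either through the system:masters group in aws-auth (which the bootstrap ClusterRoleBinding named cluster-admin binds to the cluster-admin ClusterRole) or through an explicit binding like the one created above. The mapUsers block and the bindings below are constructed sample data, and the 12-digit account id is a placeholder.

```python
"""Audit which aws-auth users hold cluster-admin via the two paths the post uses:
the system:masters group in mapUsers, or an explicit ClusterRoleBinding."""

def parse_map_users(text):
    """Parse the mapUsers block of aws-auth (the indented list form shown above)."""
    users, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- userarn:"):
            cur = {"userarn": line.split(":", 1)[1].strip(), "groups": []}
            users.append(cur)
        elif line.startswith("username:") and cur:
            cur["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- ") and cur:  # a group list item
            cur["groups"].append(line[2:].strip())
    return users

def cluster_admins(map_users_text, bindings):
    """Return {k8s username: [reasons]} for every mapped user that holds cluster-admin."""
    members = {}  # k8s group -> usernames that aws-auth puts into it
    for u in parse_map_users(map_users_text):
        for g in u["groups"]:
            members.setdefault(g, []).append(u["username"])
    found = {}
    for b in bindings.get("items", []):
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["name"] != "cluster-admin":
            continue
        for s in b.get("subjects", []):
            # A User subject matches directly; a Group subject covers every mapped member
            names = [s["name"]] if s["kind"] == "User" else members.get(s["name"], [])
            for n in names:
                found.setdefault(n, []).append(
                    f"{s['kind']} {s['name']} in ClusterRoleBinding {b['metadata']['name']}")
    return found

# Constructed sample input: a mapUsers block and bindings shaped like `kubectl get clusterrolebindings -o json`
AWS_AUTH_MAP_USERS = """\
- userarn: arn:aws-cn:iam::111122223333:user/eksadmin
  username: eksadmin
  groups:
    - system:masters
- userarn: arn:aws-cn:iam::111122223333:user/dev-gg
  username: dev-gg
"""
BINDINGS = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "eksadmin"},
     "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "eksadmin"}]},
]}
```

Feed it the real data with `kubectl get cm aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'` and `kubectl get clusterrolebindings -o json` to list who holds cluster-admin in your own cluster.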
0x04 Namespace-scoped access
Goal:
Give the developer group full access to the sit namespace
4.1 Create the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sit-role
  namespace: sit
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "configmaps", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
4.2 Create a test user
aws iam create-user --user-name dev-gg
{
    "User": {
        "Path": "/",
        "UserName": "dev-gg",
        "UserId": "AI******5",
        "Arn": "arn:aws-cn:iam::{你的12位主账号}:user/dev-gg",
        "CreateDate": "2022-03-28T06:01:10+00:00"
    }
}
Record the generated ARN; it is needed later.
Create an access key/secret
aws iam create-access-key --user-name dev-gg
{
    "AccessKey": {
        "UserName": "dev-gg",
        "AccessKeyId": "***",
        "Status": "Active",
        "SecretAccessKey": "***",
        "CreateDate": "2022-03-28T06:04:50+00:00"
    }
}
Record the AccessKey and Secret.
Create the IAM policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "eks:DescribeCluster",
            "Resource": "arn:aws-cn:eks:*:{你的12位主账号}:cluster/*"
        }
    ]
}
Policy ARN: arn:aws-cn:iam::{12位主账号}:policy/eks_desc_cluster
Attach it to the test user
aws iam attach-user-policy --user-name dev-gg --policy-arn arn:aws-cn:iam::{12位主账号}:policy/eks_desc_cluster
4.3 Configure the account in the cluster
kubectl edit cm aws-auth -n kube-system
Add the user:
mapUsers: |
  - userarn: arn:aws-cn:iam::{12位账号}:user/dev-gg
    username: dev-gg
4.4 Bind the user to the role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-gg
  namespace: sit
subjects:
- kind: User
  name: dev-gg
  apiGroup: ""   # an empty apiGroup is defaulted to rbac.authorization.k8s.io for User subjects
roleRef:
  kind: Role
  name: sit-role
  apiGroup: ""   # likewise defaulted to rbac.authorization.k8s.io
4.5 Verify
Configure the login credentials
Put the access key/secret from step 4.2 into the user's home directory configuration
aws configure
AWS Access Key ID [None]: A***O
AWS Secret Access Key [None]: 0***p
Default region name [None]: cn-northwest-1
Default output format [None]: json
Pull the cluster configuration
aws eks update-kubeconfig --name aws-cn
Added new context arn:aws-cn:eks:cn-northwest-1:{12位账号}:cluster/aws-cn to /Users/dev-gg/.kube/config
Deploy & delete a test application
kubectl create deploy web --image=nginx -n sit
kubectl get po -n sit
NAME                  READY   STATUS              RESTARTS   AGE
web-96d5df5c8-t8n8z   0/1     ContainerCreating   0          16m
kubectl delete deploy web -n sit
deployment.apps "web" deleted
Good Job ~
4.6 Adding other permissions
If you run into a permission problem during use, for example:
kubectl get hpa -n sit
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "dev-gg" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "sit"