• (2022版)一套教程搞定k8s安装到实战 | RBAC


    视频来源:B站《(2022版)最新、最全、最详细的KubernetesK8s)教程,从K8s安装到实战一套搞定》

    一边学习一边整理老师的课程内容及试验笔记,并与大家分享,侵权即删,谢谢支持!

    附上汇总贴:(2022版)一套教程搞定k8s安装到实战 | 汇总_COCOgsta的博客-CSDN博客


    基于角色的访问控制,Role Based Access Control。它是一种根据企业内个人所承担的角色来管理资源访问的方法。下面 kube-apiserver 的启动参数中,--authorization-mode=Node,RBAC 就是开启 RBAC 授权模式的地方。

    1. [root@k8s-master-lb ~]# more /usr/lib/systemd/system/kube-apiserver.service
    2. [Unit]
    3. Description=Kubernetes API Server
    4. Documentation=https://github.com/kubernetes/kubernetes
    5. After=network.target
    6. [Service]
    7. ExecStart=/usr/local/bin/kube-apiserver \
    8. --v=2 \
    9. --logtostderr=true \
    10. --allow-privileged=true \
    11. --bind-address=0.0.0.0 \
    12. --secure-port=6443 \
    13. --insecure-port=0 \
    14. --advertise-address=192.168.1.107 \
    15. --service-cluster-ip-range=10.96.0.0/12 \
    16. --service-node-port-range=30000-32767 \
    17. --etcd-servers=https://192.168.1.107:2379,https://192.168.1.108:2379,https://192.168.1.109:2379 \
    18. --etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
    19. --etcd-certfile=/etc/etcd/ssl/etcd.pem \
    20. --etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
    21. --client-ca-file=/etc/kubernetes/pki/ca.pem \
    22. --tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
    23. --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
    24. --kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
    25. --kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
    26. --service-account-key-file=/etc/kubernetes/pki/sa.pub \
    27. --service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
    28. --service-account-issuer=https://kubernetes.default.svc.cluster.local \
    29. --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
    30. --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
    31. --authorization-mode=Node,RBAC \
    32. --enable-bootstrap-token-auth=true \
    33. --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
    34. --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
    35. --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
    36. --requestheader-allowed-names=aggregator \
    37. --requestheader-extra-headers-prefix=X-Remote-Group \
    38. --requestheader-username-headers=X-Remote-User
    39. # --token-auth-file=/etc/kubernetes/token.csv
    40. Restart=on-failure
    41. RestartSec=10s
    42. LimitNOFILE=65535
    43. [Install]
    44. WantedBy=multi-user.target
    45. [root@k8s-master-lb ~]#

    Jenkins使用基于角色的用户权限管理。

    RBAC:4种顶级资源,Role、ClusterRole、RoleBinding、ClusterRoleBinding。

    Role:角色,包含一组权限规则。规则只有允许、没有拒绝,多条规则(或多个角色)的权限是叠加的。Role 按 Namespace 隔离,只作用于所在命名空间内。

    1. [root@k8s-master-lb ~]# kubectl get role -n ingress-nginx ingress-nginx -oyaml
    2. apiVersion: rbac.authorization.k8s.io/v1
    3. kind: Role
    4. metadata:
    5. creationTimestamp: "2022-08-20T04:59:54Z"
    6. labels:
    7. app.kubernetes.io/component: controller
    8. app.kubernetes.io/instance: ingress-nginx
    9. app.kubernetes.io/managed-by: Helm
    10. app.kubernetes.io/name: ingress-nginx
    11. app.kubernetes.io/version: 0.40.2
    12. helm.sh/chart: ingress-nginx-3.6.0
    13. managedFields:
    14. - apiVersion: rbac.authorization.k8s.io/v1
    15. fieldsType: FieldsV1
    16. fieldsV1:
    17. f:metadata:
    18. f:labels:
    19. .: {}
    20. f:app.kubernetes.io/component: {}
    21. f:app.kubernetes.io/instance: {}
    22. f:app.kubernetes.io/managed-by: {}
    23. f:app.kubernetes.io/name: {}
    24. f:app.kubernetes.io/version: {}
    25. f:helm.sh/chart: {}
    26. f:rules: {}
    27. manager: Go-http-client
    28. operation: Update
    29. time: "2022-08-20T04:59:54Z"
    30. name: ingress-nginx
    31. namespace: ingress-nginx
    32. resourceVersion: "461437"
    33. uid: b46670cc-21ac-4e7d-88bb-0cb14d815baa
    34. rules:
    35. - apiGroups:
    36. - ""
    37. resources:
    38. - namespaces
    39. verbs:
    40. - get
    41. - apiGroups:
    42. - ""
    43. resources:
    44. - configmaps
    45. - pods
    46. - secrets
    47. - endpoints
    48. verbs:
    49. - get
    50. - list
    51. - watch
    52. - apiGroups:
    53. - ""
    54. resources:
    55. - services
    56. verbs:
    57. - get
    58. - list
    59. - update
    60. - watch
    61. - apiGroups:
    62. - extensions
    63. - networking.k8s.io
    64. resources:
    65. - ingresses
    66. verbs:
    67. - get
    68. - list
    69. - watch
    70. - apiGroups:
    71. - extensions
    72. - networking.k8s.io
    73. resources:
    74. - ingresses/status
    75. verbs:
    76. - update
    77. - apiGroups:
    78. - networking.k8s.io
    79. resources:
    80. - ingressclasses
    81. verbs:
    82. - get
    83. - list
    84. - watch
    85. - apiGroups:
    86. - ""
    87. resourceNames:
    88. - ingress-controller-leader-nginx
    89. resources:
    90. - configmaps
    91. verbs:
    92. - get
    93. - update
    94. - apiGroups:
    95. - ""
    96. resources:
    97. - configmaps
    98. verbs:
    99. - create
    100. - apiGroups:
    101. - ""
    102. resources:
    103. - endpoints
    104. verbs:
    105. - create
    106. - get
    107. - update
    108. - apiGroups:
    109. - ""
    110. resources:
    111. - events
    112. verbs:
    113. - create
    114. - patch
    115. [root@k8s-master-lb ~]#

    ClusterRole:与 Role 的区别在于作用范围——Role 只作用于命名空间内,而 ClusterRole 作用于整个集群。

    1. [root@k8s-master-lb ~]# kubectl get clusterrole view -oyaml
    2. aggregationRule:
    3. clusterRoleSelectors:
    4. - matchLabels:
    5. rbac.authorization.k8s.io/aggregate-to-view: "true"
    6. apiVersion: rbac.authorization.k8s.io/v1
    7. kind: ClusterRole
    8. metadata:
    9. annotations:
    10. rbac.authorization.kubernetes.io/autoupdate: "true"
    11. creationTimestamp: "2022-06-21T13:12:31Z"
    12. labels:
    13. kubernetes.io/bootstrapping: rbac-defaults
    14. rbac.authorization.k8s.io/aggregate-to-edit: "true"
    15. managedFields:
    16. - apiVersion: rbac.authorization.k8s.io/v1
    17. fieldsType: FieldsV1
    18. fieldsV1:
    19. f:aggregationRule:
    20. .: {}
    21. f:clusterRoleSelectors: {}
    22. f:metadata:
    23. f:annotations:
    24. .: {}
    25. f:rbac.authorization.kubernetes.io/autoupdate: {}
    26. f:labels:
    27. .: {}
    28. f:kubernetes.io/bootstrapping: {}
    29. f:rbac.authorization.k8s.io/aggregate-to-edit: {}
    30. manager: kube-apiserver
    31. operation: Update
    32. time: "2022-06-21T13:12:31Z"
    33. - apiVersion: rbac.authorization.k8s.io/v1
    34. fieldsType: FieldsV1
    35. fieldsV1:
    36. f:rules: {}
    37. manager: kube-controller-manager
    38. operation: Update
    39. time: "2022-06-21T13:16:31Z"
    40. name: view
    41. resourceVersion: "34722"
    42. uid: 709188e2-dc10-4fce-8c36-66caba981ed5
    43. rules:
    44. - apiGroups:
    45. - ""
    46. resources:
    47. - configmaps
    48. - endpoints
    49. - persistentvolumeclaims
    50. - persistentvolumeclaims/status
    51. - pods
    52. - replicationcontrollers
    53. - replicationcontrollers/scale
    54. - serviceaccounts
    55. - services
    56. - services/status
    57. verbs:
    58. - get
    59. - list
    60. - watch
    61. - apiGroups:
    62. - ""
    63. resources:
    64. - bindings
    65. - events
    66. - limitranges
    67. - namespaces/status
    68. - pods/log
    69. - pods/status
    70. - replicationcontrollers/status
    71. - resourcequotas
    72. - resourcequotas/status
    73. verbs:
    74. - get
    75. - list
    76. - watch
    77. - apiGroups:
    78. - ""
    79. resources:
    80. - namespaces
    81. verbs:
    82. - get
    83. - list
    84. - watch
    85. - apiGroups:
    86. - apps
    87. resources:
    88. - controllerrevisions
    89. - daemonsets
    90. - daemonsets/status
    91. - deployments
    92. - deployments/scale
    93. - deployments/status
    94. - replicasets
    95. - replicasets/scale
    96. - replicasets/status
    97. - statefulsets
    98. - statefulsets/scale
    99. - statefulsets/status
    100. verbs:
    101. - get
    102. - list
    103. - watch
    104. - apiGroups:
    105. - autoscaling
    106. resources:
    107. - horizontalpodautoscalers
    108. - horizontalpodautoscalers/status
    109. verbs:
    110. - get
    111. - list
    112. - watch
    113. - apiGroups:
    114. - batch
    115. resources:
    116. - cronjobs
    117. - cronjobs/status
    118. - jobs
    119. - jobs/status
    120. verbs:
    121. - get
    122. - list
    123. - watch
    124. - apiGroups:
    125. - extensions
    126. resources:
    127. - daemonsets
    128. - daemonsets/status
    129. - deployments
    130. - deployments/scale
    131. - deployments/status
    132. - ingresses
    133. - ingresses/status
    134. - networkpolicies
    135. - replicasets
    136. - replicasets/scale
    137. - replicasets/status
    138. - replicationcontrollers/scale
    139. verbs:
    140. - get
    141. - list
    142. - watch
    143. - apiGroups:
    144. - policy
    145. resources:
    146. - poddisruptionbudgets
    147. - poddisruptionbudgets/status
    148. verbs:
    149. - get
    150. - list
    151. - watch
    152. - apiGroups:
    153. - networking.k8s.io
    154. resources:
    155. - ingresses
    156. - ingresses/status
    157. - networkpolicies
    158. verbs:
    159. - get
    160. - list
    161. - watch
    162. - apiGroups:
    163. - metrics.k8s.io
    164. resources:
    165. - pods
    166. - nodes
    167. verbs:
    168. - get
    169. - list
    170. - watch
    171. [root@k8s-master-lb ~]#

    RoleBinding:作用于命名空间内,将 ClusterRole 或者 Role 绑定到 User、Group、ServiceAccount。即使绑定的是 ClusterRole,通过 RoleBinding 授予的权限也只限于该命名空间。

    1. [root@k8s-master-lb ~]# kubectl get rolebinding ingress-nginx -n ingress-nginx -oyaml
    2. apiVersion: rbac.authorization.k8s.io/v1
    3. kind: RoleBinding
    4. metadata:
    5. creationTimestamp: "2022-08-20T04:59:54Z"
    6. labels:
    7. app.kubernetes.io/component: controller
    8. app.kubernetes.io/instance: ingress-nginx
    9. app.kubernetes.io/managed-by: Helm
    10. app.kubernetes.io/name: ingress-nginx
    11. app.kubernetes.io/version: 0.40.2
    12. helm.sh/chart: ingress-nginx-3.6.0
    13. managedFields:
    14. - apiVersion: rbac.authorization.k8s.io/v1
    15. fieldsType: FieldsV1
    16. fieldsV1:
    17. f:metadata:
    18. f:labels:
    19. .: {}
    20. f:app.kubernetes.io/component: {}
    21. f:app.kubernetes.io/instance: {}
    22. f:app.kubernetes.io/managed-by: {}
    23. f:app.kubernetes.io/name: {}
    24. f:app.kubernetes.io/version: {}
    25. f:helm.sh/chart: {}
    26. f:roleRef:
    27. f:apiGroup: {}
    28. f:kind: {}
    29. f:name: {}
    30. f:subjects: {}
    31. manager: Go-http-client
    32. operation: Update
    33. time: "2022-08-20T04:59:54Z"
    34. name: ingress-nginx
    35. namespace: ingress-nginx
    36. resourceVersion: "461438"
    37. uid: 1633ad2d-b46b-4212-ab8d-1c19a7ec35ca
    38. roleRef:
    39. apiGroup: rbac.authorization.k8s.io
    40. kind: Role
    41. name: ingress-nginx
    42. subjects:
    43. - kind: ServiceAccount
    44. name: ingress-nginx
    45. namespace: ingress-nginx
    46. [root@k8s-master-lb ~]#

    ClusterRoleBinding:作用于整个集群。下面的示例把 cluster-admin 这个 ClusterRole 绑定给了 kube-system 下的 ServiceAccount admin-user,持有该 SA token 的任何主体都因此拥有整个集群的全部权限,相当于集群超级管理员。

    1. [root@k8s-master-lb ~]# kubectl get clusterrolebinding admin-user -oyaml
    2. apiVersion: rbac.authorization.k8s.io/v1
    3. kind: ClusterRoleBinding
    4. metadata:
    5. annotations:
    6. rbac.authorization.kubernetes.io/autoupdate: "true"
    7. creationTimestamp: "2022-06-22T06:25:56Z"
    8. managedFields:
    9. - apiVersion: rbac.authorization.k8s.io/v1
    10. fieldsType: FieldsV1
    11. fieldsV1:
    12. f:metadata:
    13. f:annotations:
    14. .: {}
    15. f:rbac.authorization.kubernetes.io/autoupdate: {}
    16. f:roleRef:
    17. f:apiGroup: {}
    18. f:kind: {}
    19. f:name: {}
    20. f:subjects: {}
    21. manager: kubectl-create
    22. operation: Update
    23. time: "2022-06-22T06:25:56Z"
    24. name: admin-user
    25. resourceVersion: "35909"
    26. uid: d4e47393-e698-4405-9bb1-823a6814f7dd
    27. roleRef:
    28. apiGroup: rbac.authorization.k8s.io
    29. kind: ClusterRole
    30. name: cluster-admin
    31. subjects:
    32. - kind: ServiceAccount
    33. name: admin-user
    34. namespace: kube-system
    35. [root@k8s-master-lb ~]#

    kind分类:ServiceAccount、User、Group。

    --basic-auth-file:静态用户名密码文件,格式为'password','username','group1,group2'。注意该参数在 Kubernetes 1.19 中已被移除,新版本的 kube-apiserver 不再支持;上面的启动参数里也没有使用它。

    参考文档:kubernetes.io/docs/refere…

    \

    基于用户名密码实现不同用户有不同的权限

    基于ServiceAccount实现不同的SA有不同的权限

  • 原文地址:https://blog.csdn.net/guolianggsta/article/details/126618805