
Granting a specific user access to a specific namespace in a K8S cluster

Software tips | Author: Zero、J | 1673 views | 0 comments

Original post: https://blog.csdn.net/zz_aiytag/article/details/106473106 (well written)

Purpose

Create a user myuser1 that can only operate on pods in the myns1 namespace and has no rights to anything else.

Note: the steps below switch kubectl contexts; remember to switch back once you are done.

Also, if you want a user who logs in over ssh to be able to run kubectl directly, copy the default k8s .kube/config into that user's config file, remove the admin context configuration from it, and set the default context to that user.
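The per-user kubeconfig described above, as an added example that is not code from the original post: it takes an admin-style kubeconfig (the shape kubeadm writes, after the set-credentials and set-context steps later in this post), keeps only the named context together with the cluster and user entries it references, and sets it as current-context, so the copy handed to myuser1 carries no admin client key. The kubeconfig contents are constructed and the *-data values are placeholders, not real certificates; the server address is an assumption.

```python
"""Derive a single-user kubeconfig from an admin kubeconfig.

Added example, not code from the original post. It keeps only the context,
cluster and user entries named by `context_name`, sets that context as
current-context, and reports any other user entries that still carry key
material. All data below is constructed; *-data values are placeholders.
"""
import copy
import json

# Constructed sample of ~/.kube/config after `kubectl config set-credentials
# myuser1 ... --embed-certs=true` and `kubectl config set-context
# myuser1@kubernetes ...`. Server address and cert blobs are placeholders.
ADMIN_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "kubernetes",
         "cluster": {"server": "https://192.0.2.10:6443",
                     "certificate-authority-data": "PLACEHOLDER_CA_B64"}},
    ],
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": "PLACEHOLDER_ADMIN_CERT_B64",
                  "client-key-data": "PLACEHOLDER_ADMIN_KEY_B64"}},
        {"name": "myuser1",
         "user": {"client-certificate-data": "PLACEHOLDER_MYUSER1_CERT_B64",
                  "client-key-data": "PLACEHOLDER_MYUSER1_KEY_B64"}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "myuser1@kubernetes",
         "context": {"cluster": "kubernetes", "user": "myuser1"}},
    ],
    "current-context": "kubernetes-admin@kubernetes",
}


def kubeconfig_for_context(config, context_name):
    """Return a new kubeconfig holding only `context_name` and what it references."""
    contexts = [c for c in config.get("contexts", []) if c["name"] == context_name]
    if not contexts:
        raise KeyError(f"context {context_name!r} not found")
    ctx = contexts[0]["context"]
    clusters = [c for c in config.get("clusters", []) if c["name"] == ctx["cluster"]]
    users = [u for u in config.get("users", []) if u["name"] == ctx["user"]]
    if not clusters or not users:
        raise KeyError(f"context {context_name!r} references a missing cluster or user")
    return {
        "apiVersion": config.get("apiVersion", "v1"),
        "kind": config.get("kind", "Config"),
        # deepcopy so later edits to the derived file never touch the admin copy
        "clusters": copy.deepcopy(clusters),
        "users": copy.deepcopy(users),
        "contexts": copy.deepcopy(contexts),
        "current-context": context_name,
    }


def leaked_credentials(config, allowed_user):
    """Names of user entries other than `allowed_user` that still carry a key or token."""
    secret_keys = ("client-key-data", "client-key", "token")
    return sorted(u["name"] for u in config.get("users", [])
                  if u["name"] != allowed_user
                  and any(k in u.get("user", {}) for k in secret_keys))


if __name__ == "__main__":
    user_cfg = kubeconfig_for_context(ADMIN_KUBECONFIG, "myuser1@kubernetes")
    # JSON is valid YAML, so this output can be saved as the user's .kube/config.
    print(json.dumps(user_cfg, indent=2))
    print("other credentials left in file:", leaked_credentials(user_cfg, "myuser1"))
```

Run it as-is to see the pruned config; the `leaked_credentials` check is the part worth keeping in any provisioning script, because a copied admin kubeconfig with only the current-context changed still hands the user the kubernetes-admin client key.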

Creating the user

Create a certificate for the new user. This can be done in any directory; here I work in /opt/mytest.

[root@manager mytest]# openssl genrsa -out myuser1.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
......................+++
e is 65537 (0x10001)
[root@manager mytest]# openssl req -new -key myuser1.key -out myuser1.csr -subj "/CN=myuser1"
[root@manager mytest]# openssl x509 -req -in myuser1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out myuser1.crt -days 365
Signature ok
subject=/CN=myuser1
Getting CA Private Key
[root@manager mytest]# openssl x509 -in myuser1.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:48:13:1e:63:1b:7e:5b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Jun  1 07:39:15 2020 GMT
            Not After : Jun  1 07:39:15 2021 GMT
        Subject: CN=myuser1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ......
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
        ......

Update the cluster configuration and the user context

[root@manager mytest]# kubectl config set-credentials myuser1 --client-certificate=/opt/mytest/myuser1.crt --client-key=/opt/mytest/myuser1.key --embed-certs=true
User "myuser1" set.
[root@manager mytest]# kubectl config set-context myuser1@kubernetes --cluster=kubernetes --user=myuser1
Context "myuser1@kubernetes" created.
[root@manager mytest]# kubectl config use-context myuser1@kubernetes
Switched to context "myuser1@kubernetes".

Without any permissions granted, pods, services and other resources cannot be read:

[root@manager mytest]# kubectl get pods,svc
Error from server (Forbidden): pods is forbidden: User "myuser1" cannot list resource "pods" in API group "" in the namespace "default"
Error from server (Forbidden): services is forbidden: User "myuser1" cannot list resource "services" in API group "" in the namespace "default"
[root@manager mytest]# kubectl get pods,svc -n myns1
Error from server (Forbidden): pods is forbidden: User "myuser1" cannot list resource "pods" in API group "" in the namespace "myns1"
Error from server (Forbidden): services is forbidden: User "myuser1" cannot list resource "services" in API group "" in the namespace "myns1"
[root@manager mytest]# kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "myuser1" cannot list resource "namespaces" in API group "" at the cluster scope

Granting permissions

Switch back to the admin identity (check which context is in use; the current context is recorded in ~/.kube/config):

[root@manager mytest]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@manager mytest]# kubectl get ns
NAME              STATUS   AGE
default           Active   6d1h
hdfstgm           Active   4d2h
kube-node-lease   Active   6d1h
kube-public       Active   6d1h
kube-system       Active   6d1h
myns1             Active   2d22h

Create the role, role.yaml

# vim role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: myns1
  name: myrole1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list","create","update","patch","delete"]

Create the role binding, rolebinding.yaml

# vim rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-rolebinding1
  namespace: myns1
subjects:
- kind: User
  name: myuser1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole1
  apiGroup: rbac.authorization.k8s.io

Create the objects

[root@manager mytest]# kubectl create -f role.yaml 
role.rbac.authorization.k8s.io/myrole1 created
[root@manager mytest]# kubectl create -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/my-rolebinding1 created

Switch user and verify

View the pods and services in the myns1 namespace:

[root@manager mytest]# kubectl config use-context myuser1@kubernetes
Switched to context "myuser1@kubernetes".
[root@manager mytest]# kubectl get pods,svc -n myns1
NAME                      READY   STATUS    RESTARTS   AGE
hadoop-datanode-6-mbqtn   1/1     Running   0          2d22h
hadoop-datanode-6-t7x5j   1/1     Running   0          2d22h
hadoop-datanode-6-wvwwp   1/1     Running   0          2d22h
hdfs-master-4-5stbn       1/1     Running   0          2d22h
Error from server (Forbidden): services is forbidden: User "myuser1" cannot list resource "services" in API group "" in the namespace "myns1"

Pods can now be viewed, but services have not been granted yet.
Edit role.yaml again and recreate the role.

# switch user
[root@manager mytest]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@manager mytest]# kubectl delete -f role.yaml
role.rbac.authorization.k8s.io "myrole1" deleted

Modify role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: myns1
  name: myrole1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list","create","update","patch","delete"]
- apiGroups: [""] 
  resources: ["services"]
  verbs: ["get","watch","list"]

Recreate the modified role

[root@manager mytest]# kubectl create -f role.yaml
role.rbac.authorization.k8s.io/myrole1 created
[root@manager mytest]# kubectl config use-context myuser1@kubernetes
Switched to context "myuser1@kubernetes".

Verify

[root@manager mytest]# kubectl get svc -n myns1
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                          AGE
hadoop-hdfs-master   NodePort   10.96.238.218   <none>        9000:32504/TCP,50070:32227/TCP   2d23h

Verify the command for entering a pod again

[root@manager ~]# kubectl exec -it hdfs-master-4-5stbn bash -n myns1
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
Error from server (Forbidden): pods "hdfs-master-4-5stbn" is forbidden: User "myuser1" cannot create resource "pods/exec" in API group "" in the namespace "myns1"

Delete the role, then modify role.yaml

rules:
- apiGroups: [""]
  resources: ["pods","pods/exec"]  # add pods/exec
  verbs: ["get","watch","list","create","update","patch","delete"]

Create the role again and run the command again; it now works normally.

[root@manager mytest]# kubectl exec -it hdfs-master-4-5stbn bash -n myns1
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
root@hdfs-master-4-5stbn:
root@hdfs-master-4-5stbn:~# hadoop fs -ls /
root@hdfs-master-4-5stbn:~# hadoop fs -mkdir /mytest
root@hdfs-master-4-5stbn:~# hadoop fs -ls /
Found 1 items
drwxr-xr-x   - root supergroup          0 2020-06-02 09:14 /mytest
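The three rounds of role.yaml above (pods only, then services, then pods/exec) each changed one decision the API server made. The following added example, which is not code from the post or from Kubernetes, is a small offline simulator of the RBAC subset the transcript exercises: a namespaced Role bound to a User by a RoleBinding, matched on API group, resource or subresource, and verb. It reproduces every Forbidden and allowed outcome shown above, including the cluster-scope refusal for `kubectl get ns`, so a role.yaml can be sanity-checked before it is applied. It also goes one step beyond the post: a ROLE_V3_MIN variant shows that `kubectl exec` only needs the `create` verb on pods/exec, so the post's final role, which grants every verb on pods/exec, can be narrowed. The live check against a real cluster is `kubectl auth can-i`.

```python
"""Offline simulator of how a namespaced Role + RoleBinding decides a request.

Added example, not code from the post or from Kubernetes itself. It models the
RBAC subset the transcript exercises (namespaced Role, User subject, resource
and subresource names, verbs) and reproduces each Forbidden / allowed outcome.
The real decision is made by the API server; `kubectl auth can-i` is the live
equivalent of `can()` below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str        # "pods", "pods/exec", "services", "namespaces", ...
    namespace: str = ""  # "" means the request is cluster-scoped
    api_group: str = ""  # "" is the core API group, as in the post's rules


@dataclass
class Role:
    name: str
    namespace: str
    rules: list  # dicts with "apiGroups", "resources", "verbs", like role.yaml


@dataclass
class RoleBinding:
    namespace: str
    role: str
    users: list


def rule_matches(rule, req):
    """A rule applies when group, resource and verb all match ('*' is a wildcard)."""
    groups, resources, verbs = rule["apiGroups"], rule["resources"], rule["verbs"]
    return (("*" in groups or req.api_group in groups)
            and ("*" in resources or req.resource in resources)
            and ("*" in verbs or req.verb in verbs))


def authorize(req, roles, bindings):
    """Return (allowed, reason); the reason mirrors kubectl's Forbidden wording."""
    if req.namespace:
        for b in bindings:
            if b.namespace != req.namespace or req.user not in b.users:
                continue
            role = next((r for r in roles
                         if r.name == b.role and r.namespace == b.namespace), None)
            if role and any(rule_matches(rule, req) for rule in role.rules):
                return True, f'allowed by Role "{role.name}" in "{role.namespace}"'
        scope = f'in the namespace "{req.namespace}"'
    else:
        # A Role/RoleBinding can never grant cluster-scoped resources such as
        # namespaces; that needs a ClusterRole bound with a ClusterRoleBinding.
        scope = "at the cluster scope"
    return False, (f'{req.resource} is forbidden: User "{req.user}" cannot {req.verb} '
                   f'resource "{req.resource}" in API group "{req.api_group}" {scope}')


# The three versions of role.yaml from the post, plus a narrower variant.
POD_VERBS = ["get", "watch", "list", "create", "update", "patch", "delete"]
SVC_RULE = {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]}
ROLE_V1 = Role("myrole1", "myns1", [
    {"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS}])
ROLE_V2 = Role("myrole1", "myns1", ROLE_V1.rules + [SVC_RULE])
ROLE_V3 = Role("myrole1", "myns1", [
    {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": POD_VERBS}, SVC_RULE])
# kubectl exec is a `create` on pods/exec (plus `get` on pods, already granted),
# so the post's V3, which gives pods/exec every verb, can be narrowed to this:
ROLE_V3_MIN = Role("myrole1", "myns1", ROLE_V1.rules + [
    SVC_RULE, {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}])
BINDING = RoleBinding("myns1", "myrole1", ["myuser1"])


def can(user, verb, resource, namespace, role=None):
    """True if the request is allowed under `role` bound via BINDING (no role = unbound)."""
    roles, bindings = ([role], [BINDING]) if role else ([], [])
    return authorize(Request(user, verb, resource, namespace), roles, bindings)[0]


if __name__ == "__main__":
    checks = [("list", "pods", "default"), ("list", "pods", "myns1"),
              ("list", "services", "myns1"), ("list", "namespaces", ""),
              ("create", "pods/exec", "myns1"), ("delete", "pods/exec", "myns1")]
    for label, role in [("no role", None), ("v1", ROLE_V1), ("v2", ROLE_V2),
                        ("v3", ROLE_V3), ("v3-min", ROLE_V3_MIN)]:
        for verb, res, ns in checks:
            ok, why = authorize(Request("myuser1", verb, res, ns),
                                [role] if role else [], [BINDING] if role else [])
            print(f"{label:7} {verb:6} {res:10} ns={ns or '-':8} {'yes' if ok else 'no':3} {why}")
```

Running the block prints one row per stage and request; the rows for `no role`, `v1`, `v2` and `v3` line up with the Forbidden messages and successful listings in the transcript, while `v3-min` shows the same exec success with only the `create` verb on pods/exec.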
