Security mechanisms:
1. The Kubernetes security framework
2. Transport security, authentication, authorization, admission control
3. Authorizing with RBAC

Every request for a resource in a K8S cluster has to pass three checks: authentication, authorization, and admission control.

An ordinary user who wants to access the cluster API Server securely usually needs a certificate, a Token, or a username + password; a Pod that accesses it needs a ServiceAccount.

The K8S security control framework enforces control in the following 3 stages. Each stage supports plugins, which are enabled through the API Server configuration.
1. Authentication
2. Authorization
3. Admission Control

Stage 1: transport security and authentication
Stage 2: authorization
Stage 3: admission control
Stage 4: authorizing with RBAC

Authorizing with RBAC:

Roles
  Role: grants access within one specific namespace
  ClusterRole: grants access across all namespaces
Role bindings
  RoleBinding: binds a role to a subject
  ClusterRoleBinding: binds a cluster role to a subject
Subjects
  User: a user
  Group: a group of users
  ServiceAccount: a service account

1. First create the role
2. Bind the role to a subject
3. Decide which authentication method identifies that user

[root@centos7 demo2]# kubectl create ns ctnrs
namespace/ctnrs created
[root@centos7 demo2]# kubectl run nginx --image=nginx -n ctnrs
[root@centos7 demo2]# kubectl get pods -n ctnrs
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6db489d4b7-7qpq7   1/1     Running   0          39s
[root@centos7 demo2]# cat rbac-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: ctnrs
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@centos7 demo2]# kubectl apply -f rbac-role.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@centos7 demo2]# kubectl get role -n ctnrs
NAME         AGE
pod-reader   26s
[root@centos7 demo2]# cat rbac-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: ctnrs
subjects:
- kind: User
  name: aliang # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@centos7 demo2]# kubectl apply -f rbac-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
[root@centos7 demo2]# kubectl get role -n ctnrs
NAME         AGE
pod-reader   3m4s
[root@centos7 demo2]# kubectl get rolebinding -n ctnrs
NAME        AGE
read-pods   3m25s

Authentication

Three kinds of client authentication:
HTTPS certificate authentication: a digital certificate signed by the CA certificate
HTTP Token authentication: a Token identifies the user
HTTP Basic authentication: username + password

The following is HTTPS certificate authentication:

[root@centos7 demo3]# ll
total 24
-rw-r--r-- 1 root root  294 Dec  9  2018 ca-config.json
-rw-r--r-- 1 root root 1001 Dec  9  2018 ca.csr
-rw-r--r-- 1 root root  263 Dec  9  2018 ca-csr.json
-rw-r--r-- 1 root root 1675 Dec  9  2018 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec  9  2018 ca.pem
-rw-r--r-- 1 root root  860 Jul  9 21:49 rabc-user.sh
[root@centos7 demo3]# cat rabc-user.sh
cat > aliang-csr.json <<EOF
{
  "CN": "aliang",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes aliang-csr.json | cfssljson -bare aliang

kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.0.11:6443 --kubeconfig=aliang-kubeconfig
kubectl config set-credentials aliang --client-key=aliang-key.pem --client-certificate=aliang.pem --embed-certs=true --kubeconfig=aliang-kubeconfig
kubectl config set-context default --cluster=kubernetes --user=aliang --kubeconfig=aliang-kubeconfig
kubectl config use-context default --kubeconfig=aliang-kubeconfig
[root@centos7 demo3]# bash rabc-user.sh
2020/07/09 21:54:44 [INFO] generate received request
2020/07/09 21:54:44 [INFO] received CSR
2020/07/09 21:54:44 [INFO] generating key: rsa-2048
2020/07/09 21:54:44 [INFO] encoded CSR
2020/07/09 21:54:44 [INFO] signed certificate with serial number 25230847140977846289360739941478317420645831912
2020/07/09 21:54:44 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites.
For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Cluster "kubernetes" set.
User "aliang" set.
Context "default" created.
Switched to context "default".
[root@centos7 demo3]# ll
total 48
-rw-r--r-- 1 root root  952 Jul  9 21:54 aliang.csr
-rw-r--r-- 1 root root  179 Jul  9 21:54 aliang-csr.json
-rw------- 1 root root 1679 Jul  9 21:54 aliang-key.pem
-rw------- 1 root root 6188 Jul  9 21:54 aliang-kubeconfig
-rw-r--r-- 1 root root 1346 Jul  9 21:54 aliang.pem
-rw-r--r-- 1 root root  294 Dec  9  2018 ca-config.json
-rw-r--r-- 1 root root 1001 Dec  9  2018 ca.csr
-rw-r--r-- 1 root root  263 Dec  9  2018 ca-csr.json
-rw-r--r-- 1 root root 1675 Dec  9  2018 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec  9  2018 ca.pem
-rw-r--r-- 1 root root  860 Jul  9 21:49 rabc-user.sh
[root@centos7 demo3]# kubectl get pods -n ctnrs
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6db489d4b7-7qpq7   1/1     Running   0          54m
[root@centos7 demo3]# kubectl --kubeconfig=aliang-kubeconfig get pods -n ctnrs
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6db489d4b7-7qpq7   1/1     Running   0          54m
[root@centos7 demo3]# kubectl --kubeconfig=aliang-kubeconfig get svc -n ctnrs
Error from server (Forbidden): services is forbidden: User "aliang" cannot list resource "services" in API group "" in the namespace "ctnrs"

The following uses a ServiceAccount to access a namespace; its token can also be used to log in to the K8S UI (dashboard).

[root@centos7 demo3]# cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: ctnrs
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-read-pods
  namespace: ctnrs
subjects:
- kind: ServiceAccount
  name: pod-reader
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[root@centos7 demo3]# kubectl get secret -n ctnrs
NAME                  TYPE                                  DATA   AGE
default-token-nt2cp   kubernetes.io/service-account-token   3      57m
[root@centos7 demo3]# kubectl apply -f sa.yaml
serviceaccount/pod-reader created
rolebinding.rbac.authorization.k8s.io/sa-read-pods created
[root@centos7 demo3]# kubectl get secret -n ctnrs
NAME                     TYPE                                  DATA   AGE
default-token-nt2cp      kubernetes.io/service-account-token   3      57m
pod-reader-token-rcgvd   kubernetes.io/service-account-token   3      4s
[root@centos7 demo3]# kubectl describe secret pod-reader-token-rcgvd -n ctnrs
Name:         pod-reader-token-rcgvd
Namespace:    ctnrs
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-reader
              kubernetes.io/service-account.uid: 57f087a2-6f3e-44e3-9615-f46c7f1121e3

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1359 bytes
namespace:  5 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkUwa0p0aC1TMDBoTU1OZ3Y2SWRWaVd5NGRYLTdSTlY3TUVHUXJsRV9NY2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjdG5ycyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwb2QtcmVhZGVyLXRva2VuLXJjZ3ZkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InBvZC1yZWFkZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1N2YwODdhMi02ZjNlLTQ0ZTMtOTYxNS1mNDZjN2YxMTIxZTMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y3RucnM6cG9kLXJlYWRlciJ9.ltqpH-WktEiitFrVkui7WkQx4f_B3cJEMpUQ3Q3du-nLej8rrk-FTMZUXpiXr0lDgJmKo6sf0aL0Vs3q8kX7TfuuWomToc2B4A5sUh5w-eGEQReghD01Z1wRANh3c3IhcCuRnMvvQIxHDzY83LGYwtdCVtMrxINYnuRCYqeDFJz9q0Q53hjBMx2m-rFprFkG3otTI4GeHNv14EQF8chJ8GD6NC1KA1mvZrU5ATFnh8_cgDB66EalbVKFYxEyGm5syg32LTaPT3aWZd4DO4Z0SWlWt_a8tfMHY2K1iDUrLNPTHjhX3NX8NuZQevZRP8Qcg1fpuIjSyjBP_yT_4sElbw
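The two checks the walkthrough above exercises, authentication and RBAC authorization, as an added example that is not code from the original post. It takes the subject from the ServiceAccount token printed by `kubectl describe secret` (decoding the claims only; the signature is not verified here, which the real API Server does against its service-account signing key) and then evaluates the pod-reader Role and the two RoleBindings from the post the way the RBAC authorizer does, reproducing why aliang can list pods in ctnrs but is Forbidden for services or for other namespaces. It generalises the post's single rule to `*` wildcards and to ClusterRoles/ClusterRoleBindings; the function names, the caller/request representation and the modelled semantics are this example's own assumptions, not Kubernetes code.

```python
"""Added example (not from the original post): a small model of the two checks
the post demonstrates, authentication (which subject is calling?) and RBAC
authorization (may that subject do this?). Admission control is not modelled.
The Role, the two RoleBindings and the ServiceAccount token are copied from the
post; every function and the caller/request representation are this example's own."""
import base64
import json

# Token printed by `kubectl describe secret pod-reader-token-rcgvd -n ctnrs`.
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkUwa0p0aC1TMDBoTU1OZ3Y2SWRWaVd5NGRYLTdSTlY3TUVHUXJsRV9NY2sifQ."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwi"
    "a3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjdG5ycyIs"
    "Imt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwb2QtcmVhZGVyLXRva2VuLXJjZ3ZkIiwi"
    "a3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InBvZC1yZWFkZXIi"
    "LCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1N2YwODdhMi02ZjNlLTQ0ZTMtOTYxNS1mNDZjN2YxMTIxZTMi"
    "LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6Y3RucnM6cG9kLXJlYWRlciJ9."
    "ltqpH-WktEiitFrVkui7WkQx4f_B3cJEMpUQ3Q3du-nLej8rrk-FTMZUXpiXr0lDgJmKo6sf0aL0Vs3q8kX7TfuuWomToc2B4A5sUh5w"
    "-eGEQReghD01Z1wRANh3c3IhcCuRnMvvQIxHDzY83LGYwtdCVtMrxINYnuRCYqeDFJz9q0Q53hjBMx2m-rFprFkG3otTI4GeHNv14EQF8chJ8GD6NC1KA1mvZrU5ATFnh8_cgDB66EalbVKFYxEyGm5syg32LTaPT3aWZd4DO4Z0SWlWt_a8tfMHY2K1iDUrLNPTHjhX3NX8NuZQevZRP8Qcg1fpuIjSyjBP_yT_4sElbw"
)

# The User subject that the aliang-kubeconfig client certificate (CN=aliang) yields.
USER_ALIANG = {"kind": "User", "name": "aliang"}

# Role pod-reader from rbac-role.yaml, keyed by (namespace, name).
ROLES = {
    ("ctnrs", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}
CLUSTER_ROLES = {}  # none are defined in the post; keyed by name

# RoleBindings read-pods (rbac-rolebinding.yaml) and sa-read-pods (sa.yaml).
# A ServiceAccount subject without a namespace defaults to the binding's namespace.
# A binding whose "namespace" is None would model a ClusterRoleBinding.
BINDINGS = [
    {"namespace": "ctnrs", "subjects": [{"kind": "User", "name": "aliang"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"namespace": "ctnrs", "subjects": [{"kind": "ServiceAccount", "name": "pod-reader"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]


def decode_unverified(token):
    """Split a JWT and decode header and claims WITHOUT checking the signature:
    enough to see what the token says, never enough to trust it."""
    header_b64, payload_b64, _signature_b64 = token.split(".")

    def b64url(segment):  # JWTs drop base64 padding; put it back before decoding
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

    return json.loads(b64url(header_b64)), json.loads(b64url(payload_b64))


def subject_from_token(token):
    """The 'sub' claim is the identity RBAC sees: system:serviceaccount:<ns>:<name>."""
    _header, claims = decode_unverified(token)
    _system, _kind, namespace, name = claims["sub"].split(":")
    return {"kind": "ServiceAccount", "namespace": namespace, "name": name}


def _matches(allowed, value):
    """RBAC list matching: an explicit entry or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def subject_matches(subject, caller, binding_namespace):
    if subject["kind"] != caller["kind"] or subject["name"] != caller["name"]:
        return False
    if subject["kind"] == "ServiceAccount":
        return subject.get("namespace", binding_namespace) == caller["namespace"]
    return True


def authorize(caller, verb, api_group, resource, namespace):
    """True when some binding naming the caller grants the verb on the resource
    in that namespace. A RoleBinding only grants inside its own namespace, which
    is why aliang can read pods in ctnrs and nowhere else."""
    for binding in BINDINGS:
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, caller, binding["namespace"]) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = CLUSTER_ROLES.get(ref["name"], [])
        else:
            rules = ROLES.get((binding["namespace"], ref["name"]), [])
        if any(rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False


if __name__ == "__main__":
    sa = subject_from_token(SA_TOKEN)
    print("token subject:", sa)
    requests = [(USER_ALIANG, "list", "pods", "ctnrs"), (USER_ALIANG, "list", "services", "ctnrs"),
                (USER_ALIANG, "list", "pods", "default"), (sa, "get", "pods", "ctnrs")]
    for who, verb, resource, ns in requests:
        verdict = "allowed" if authorize(who, verb, "", resource, ns) else "forbidden"
        print("%s %s %s in %s -> %s" % (who["name"], verb, resource, ns, verdict))
```

`kubectl get` issues a `list` request, so the second line of the output is the same Forbidden decision the post shows for `get svc`. Note that `decode_unverified` deliberately ignores the third segment: anyone holding this token string can read these claims, which is also why the token is a credential to be kept out of logs and pages.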
Original post: https://www.cnblogs.com/k8s-pod/p/13276624.html