K8s中的RBAC认证授权之基于HTTPS证书给User授权认证
概述本文主要介绍在K8s中如何使用证书给User进行授权认证。
在生产环境中,当你想给对应的人员分配不同的权限,则可以阅读这篇文章
阅读这篇文章之前,你应该有一些前置知识,应该知道K8s的授权认证
可以阅读这篇文章:一文搞懂K8s中的RBAC认证授权
实操
使用cfssl生成User的CA证书
cfssl可以阅读这篇文章:https://www.cnblogs.com/huangSir-devops/p/18876361
## 创建CA证书
# cat ca-config.json
{
"signing": {
"default": {
# 配置默认证书有效期为10年
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": ["signing", "key encipherment", "server auth", "client auth"]
}
}
}
}
# 创建CA证书请求
# cat ca-csr.json
{
# CN表示用户名称
"CN": "develop",
"hosts": [],
"key": {
# 加密算法
"algo": "rsa",
# 密钥长度
"size": 4096
},
"names": [
{
# 国家代码,CN代表是中国
"C": "CN",
# 省份
"ST": "Beijing",
# 城市或地区
"L": "Beijing",
# 这里O表示用户组
"O": "dev
# 组织单位(Organizational Unit),可以理解成公司部门
"OU": "ca"
}
]
}
# 创建证书存储目录
# mkdir -p develop
# 生成证书
# cfssl gencert \
-ca=/etc/kubernetes/pki/ca.crt \
-ca-key=/etc/kubernetes/pki/ca.key \
-config=ca-config.json \
-profile=kubernetes \
ca-csr.json| cfssljson -bare develop/develop
2025/06/07 13:52:37 generate received request
2025/06/07 13:52:37 received CSR
# 查看文件
# tree
.
├── ca-config.json
├── ca-csr.json
└── develop
├── develop-key.pem # 公钥
├── develop.csr
└── develop.pem# 私钥生成kubeconfig文件
创建集群入口
# 配置集群,集群可以设置多套,此处只配置了一套
# --certificate-authority
# 指定K8s的ca根证书文件路径
# --embed-certs
# 如果设置为true,表示将根证书文件的内容写入到配置文件中,
# 如果设置为false,则只是引用配置文件,将kubeconfig
# --server
# 指定APIServer的地址。
# --kubeconfig
# 指定kubeconfig的配置文件名称
# kubectl config set-cluster dev \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=https://apiserver.cluster.local:6443 \
--kubeconfig=develop.kubeconfig
# 检查kubeconfig的配置文件
# ll develop.kubeconfig
-rw------- 1 root root 5336 Jun4 11:27 develop.kubeconfig设置客户端认证,客户端将来需要携带证书让服务端验证
# kubectl config set-credentials develop \
--client-key=/root/cfssl/develop/develop-key.pem \
--client-certificate=/root/cfssl/develop/develop.pem \
--embed-certs=true \
--kubeconfig=develop.kubeconfig设置默认上下文,可以用于绑定多个客户端和服务端的对应关系。
# kubectl config set-context develop \
--cluster=dev \
--user=develop \
--kubeconfig=develop.kubeconfig测试使用生成的kubeconfig文件访问K8s集群资源
# 设置当前使用的上下文
# kubectl config use-context develop --kubeconfig=/root/cfssl/develop.kubeconfig
Switched to context "develop"
# 访问测试,这里显示无权限
# kubectl get po --kubeconfig=/root/cfssl/develop.kubeconfig
Error from server (Forbidden): pods is forbidden: User "develop" cannot list resource "pods" in API group "" in the namespace "default"为用户配置Role
上面的步骤,是认证没有问题了,但是对应的用户对集群没有权限操作
# cat role-default.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: custom-role
rules:
# 规则1:操作核心组和 apps 组的 pods、deployments,仅允许 get 和 list
- apiGroups: ["","apps"]
resources: ["pods","deployments"]
verbs: ["get", "list"]
# 规则2:操作核心组和 apps 组的 configmaps、secrets、daemonsets,仅允许 get 和 list
- apiGroups: ["","apps"]
resources: ["configmaps","secrets","daemonsets"]
verbs: ["get", "list"]
# 规则3:操作核心组的 secrets,允许 delete 和 create
- apiGroups: [""]
resources: ["secrets"]
verbs: ["delete","create"]
# kubectl apply -f role-default.yaml
# kubectl get role custom-role
NAME CREATED AT
custom-role 2025-06-07T06:34:52Z
# 查看详情
# kubectl describe role custom-role
Name: custom-role
Labels: <none>
Annotations:<none>
PolicyRule:
Resources Non-Resource URLsResource NamesVerbs
--------- ------------------------------------
secrets [] []
configmaps [] []
daemonsets [] []
deployments [] []
pods [] []
configmaps.apps [] []
daemonsets.apps [] []
deployments.apps[] []
pods.apps [] []
secrets.apps [] [] 使用RoleBinding关联Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
# RoleBinding 名称
name: develope-rolebinding
# 作用的命名空间
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
# 引用的角色类型(必须是 Role 或 ClusterRole)
kind: Role
# 引用的角色名称
name: custom-role
# 被授权的主体列表
subjects:
# 主体类型(User/ServiceAccount/Group)
- kind: User
# 主体名称,对应生成证书的CN字段
name: develop
#APIGroup 默认是 "rbac.authorization.k8s.io"。这意味着这些权限规则默认只适用于 #RBAC API 资源,例如 Role、RoleBinding、ClusterRole 和 ClusterRoleBinding。
apiGroup: "rbac.authorization.k8s.io"
# cat rolebinding-develop.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
# RoleBinding 名称
name: develope-rolebinding
# 作用的命名空间
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
# 引用的角色类型(必须是 Role 或 ClusterRole)
kind: Role
# 引用的角色名称
name: custom-role
# 被授权的主体列表
subjects:
# 主体类型(User/ServiceAccount/Group)
- kind: User
# 主体名称,对应生成证书的CN字段
name: develop
#APIGroup 默认是 "rbac.authorization.k8s.io"。这意味着这些权限规则默认只适用于 #RBAC API 资源,例如 Role、RoleBinding、ClusterRole 和 ClusterRoleBinding。
apiGroup: "rbac.authorization.k8s.io"
# 创建RoleBinding
# kubectl apply -f rolebinding-develop.yaml
# 查看RoleBinding
rolebinding.rbac.authorization.k8s.io/develope-rolebinding created
# kubectl get rolebinding
NAME ROLE AGE
develope-rolebinding Role/custom-role 11s
# 查看详情
# kubectl describe rolebinding develope-rolebinding
Name: develope-rolebinding
Labels: <none>
Annotations:<none>
Role:
Kind:Role
Name:custom-role
Subjects:
KindName Namespace
-------- ---------
Userdevelop再次使用User测试
查看Pod有权限
# kubectl get po --kubeconfig=/root/cfssl/develop.kubeconfig
NAME READY STATUS RESTARTS AGE
alertmanager-prometheus-kube-prometheus-alertmanager-0 2/2 Running 0 21h
nginx-pod 0/1 Pending 0 6d16h
prometheus-grafana-55cbbf54b7-lmhnd 3/3 Running 0 20h
prometheus-kube-prometheus-operator-847fd659bc-scp4w 1/1 Running 0 21h
prometheus-kube-state-metrics-5fb66759db-nb242 1/1 Running 0 21h
prometheus-prometheus-kube-prometheus-prometheus-0 2/2 Running 0 16h
prometheus-prometheus-node-exporter-89xt7 1/1 Running 0 21h
prometheus-prometheus-node-exporter-cn8s4 1/1 Running 0 21h
prometheus-prometheus-node-exporter-llqgx 1/1 Running 0 21h删除Pod无权限
# kubectl delete po nginx-pod --kubeconfig=/root/cfssl/develop.kubeconfig
Error from server (Forbidden): pods "nginx-pod" is forbidden: User "develop" cannot delete resource "pods" in API group "" in the namespace "default"删除Pod需要添加对应的权限
# 修改Role
# cat role-default.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: custom-role
rules:
- apiGroups: ["","apps"]
resources: ["pods","deployments"]
# 添加delete
verbs: ["get", "list","delete"]
- apiGroups: ["","apps"]
resources: ["configmaps","secrets","daemonsets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["delete","create"]
# 重新应用
# kubectl apply -f role-default.yaml
role.rbac.authorization.k8s.io/custom-role configured重新测试删除Pod
# kubectl delete po nginx-pod --kubeconfig=/root/cfssl/develop.kubeconfig
pod "nginx-pod" deleted # 这里显示正常
来源:程序园用户自行投稿发布,如果侵权,请联系站长删除
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]