11 KubeSphere: managing resources in multiple namespaces based on a SA
11.1 Create a ServiceAccount in the default namespace
After the ServiceAccount is created, a bound secret is created automatically; the token in that secret is what the kubeconfig file uses later.
$ kubectl create serviceaccount dev -n default
$ kubectl get serviceaccount -n default
$ kubectl get sa -n default
NAME      SECRETS   AGE
default   1         82d
dev       1         24m    # created successfully
11.2 Create a UserAccount
This step is done on the master node: the matching certificate is generated under /etc/kubernetes/pki/.
1. Create the certificate in the K8s PKI directory
# switch to the master1 node
$ ssh master1
$ cd /etc/kubernetes/pki/
$ openssl genrsa -out dev.key 2048
# the CN becomes the Kubernetes username; -days bounds how long this credential stays valid
$ openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
$ openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dev.crt -days 365
$ openssl x509 -in dev.crt -text -noout
2. Register the credential with K8s
$ kubectl config set-credentials dev --client-certificate=/etc/kubernetes/pki/dev.crt --client-key=/etc/kubernetes/pki/dev.key --embed-certs=true
$ kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev
3. Switch to the dev user
$ kubectl config use-context dev@kubernetes
4. Verify
# the dev user currently has no permissions
$ kubectl get pod
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"
We can see that the current dev user has no access permissions at all: the certificate authenticates it, but nothing has authorized it yet.
11.3 Role binding (authorization)
Authorization happens after authentication: the attributes of the requested resource are matched against all authorization policies, and the request is allowed or denied. There are six authorization modes (clusters enable RBAC by default):
- AlwaysAllow
- AlwaysDeny
- ABAC
- RBAC
- Webhook
- Node
Role and ClusterRole:
- Role: a collection of permissions that can only grant access within a single namespace
- ClusterRole: used cluster-wide
RoleBinding and ClusterRoleBinding:
- RoleBinding: grants the permissions defined in a Role to users or groups. It contains a list of subjects (users, groups, service accounts) and a reference to the Role
- RoleBinding: grants access within one namespace; ClusterRoleBinding: used cluster-wide
1. Switch to the admin user
# switch to the admin user
$ kubectl config use-context kubernetes-admin@kubernetes
2. Create a role binding in the default NS
# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default   # the NS the binding applies to
subjects:
- kind: User
  name: dev            # bind the dev user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin          # the role being bound
  apiGroup: rbac.authorization.k8s.io
3. Create a role binding in the lu-lest1 NS
# cat rolebinding-lu.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: lu-lest1   # the NS the binding applies to
subjects:
- kind: User
  name: dev             # bind the dev user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: admin           # the role being bound
  apiGroup: rbac.authorization.k8s.io
4. Create them
$ kubectl apply -f rolebinding.yaml
$ kubectl apply -f rolebinding-lu.yaml
11.4 Test
1. Switch to the dev SA
# switch to the master1 node
$ ssh master1
# switch to the dev user
$ kubectl config use-context dev@kubernetes
11.4.1 Viewing resources
1. View resources in other NSs
$ kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" at the cluster scope
$ kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "dev" cannot list resource "namespaces" in API group "" at the cluster scope
# Viewing resources in other NSs fails immediately; the server forbids it
2. View pods and svc
# view pods in the default namespace
$ kubectl get pod
NAME                                READY   STATUS    RESTARTS   AGE
busy-box-58894bf4fb-4rc72           1/1     Running   1098       38d
elastic-exporter-5bdfd4bb84-6jcbl   1/1     Running   0          38d
# view pods in the lu-lest1 namespace
$ kubectl get pod -n lu-lest1
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-59c9cb5ccb-gph9b       1/1     Running   0          13d
productpage-v1-558f57946b-wbg69   1/1     Running   0          13d
ratings-v1-75689cb4c9-tkwwh       1/1     Running   0          13d
reviews-v1-7b6f8b88b5-wxlvs       1/1     Running   0          13d
# view svc in the default NS
$ kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
es-svc       NodePort    10.96.196.145   <none>        9114:30114/TCP   38d
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          82d
# view svc in the lu-lest1 NS
$ kubectl get svc -n lu-lest1
NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.96.182.99    <none>        9080/TCP   13d
productpage   ClusterIP   10.96.26.40     <none>        9080/TCP   13d
ratings       ClusterIP   10.96.178.172   <none>        9080/TCP   13d
reviews       ClusterIP   10.96.215.214   <none>        9080/TCP   13d
# So in both default and lu-lest1 we can view pods and svc; the same holds for the other resources
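As an added example (not code from this page or from KubeSphere), the Python below models how the RBAC authorizer evaluates the two RoleBindings created in 11.3: the rules of the namespaced Role admin are constructed assumptions, while the bindings and the expected outcomes (allowed in default and lu-lest1, Forbidden at cluster scope) are the ones shown above.

```python
# Added example (not page/KubeSphere code): a toy model of how the Kubernetes
# RBAC authorizer walks RoleBindings, using the two bindings this page creates.

# Assumed (constructed) rules for the namespaced Role "admin" both bindings use.
ROLES = {
    "admin": [{"apiGroups": [""], "resources": ["pods", "services"],
               "verbs": ["get", "list", "watch", "create", "delete"]}],
}

# The two RoleBindings from rolebinding.yaml and rolebinding-lu.yaml.
ROLE_BINDINGS = [
    {"namespace": "default", "subjects": [{"kind": "User", "name": "dev"}],
     "roleRef": {"kind": "Role", "name": "admin"}},
    {"namespace": "lu-lest1", "subjects": [{"kind": "User", "name": "dev"}],
     "roleRef": {"kind": "Role", "name": "admin"}},
]

def rule_matches(rule, verb, resource, api_group):
    return (api_group in rule["apiGroups"] and resource in rule["resources"]
            and (verb in rule["verbs"] or "*" in rule["verbs"]))

def is_allowed(user, verb, resource, namespace=None, api_group=""):
    """True if a RoleBinding in `namespace` binds `user` to a Role whose rules
    match. namespace=None is a cluster-scoped request (get pod -A, get ns);
    a RoleBinding never applies there, only a ClusterRoleBinding could."""
    if namespace is None:
        return False
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in rb["subjects"]):
            continue
        if any(rule_matches(r, verb, resource, api_group)
               for r in ROLES.get(rb["roleRef"]["name"], [])):
            return True
    return False

def forbidden_message(user, verb, resource, namespace=None, api_group=""):
    """Reproduce the kubectl Forbidden text shown on this page."""
    scope = f'in the namespace "{namespace}"' if namespace else "at the cluster scope"
    return (f'Error from server (Forbidden): {resource} is forbidden: User "{user}" '
            f'cannot {verb} resource "{resource}" in API group "{api_group}" {scope}')

if __name__ == "__main__":
    for verb, res, ns in [("list", "pods", "default"), ("list", "pods", "lu-lest1"),
                          ("list", "pods", None), ("list", "namespaces", None)]:
        print("ALLOW" if is_allowed("dev", verb, res, ns)
              else forbidden_message("dev", verb, res, ns))
```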
11.4.2 Creating resources
11.4.2.1 Create a resource in the default NS
1. Write the pod
# vim test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: saapp
  labels:
    app: myapp
spec:
  containers:
  - name: nginx
    image: nginx:1.14-alpine
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
2. Create it
$ kubectl apply -f test.yaml
3. Verify
$ kubectl get pod
NAME    READY   STATUS    RESTARTS   AGE
saapp   1/1     Running   0          100s
# saapp pod created successfully
11.4.2.2 Create a resource in the lu-lest1 NS
1. Write the pod
# vim test-lu.yaml
apiVersion: v1
kind: Pod
metadata:
  name: saapp
  namespace: lu-lest1   # create the pod in the lu-lest1 NS
  labels:
    app: myapp
spec:
  containers:
  - name: nginx
    image: nginx:1.14-alpine
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
    resources:
      requests:
        cpu: "500m"
        memory: "512Mi"
      limits:
        cpu: "500m"
        memory: "512Mi"
2. Create it
$ kubectl apply -f test-lu.yaml
3. Verify
$ kubectl get pod -n lu-lest1
NAME    READY   STATUS    RESTARTS   AGE
saapp   1/1     Running   0          26s
# saapp pod created successfully
11.4.3 Deleting resources
11.4.3.1 Delete a resource in the default NS
1. Here I delete saapp
$ kubectl delete pod saapp
2. Confirm it is gone
$ kubectl get pod | gre
NAME                                READY   STATUS    RESTARTS   AGE
busy-box-58894bf4fb-4rc72           1/1     Running   1098       38d
elastic-exporter-5bdfd4bb84-6jcbl   1/1     Running   0          38d
11.4.3.2 Delete a resource in the lu-lest1 NS
1. Delete the pod
$ kubectl delete pod saapp -n lu-lest1
# delete saapp in the lu-lest1 NS
2. It has been deleted
$ kubectl get pod -n lu-lest1
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-59c9cb5ccb-gph9b       1/1     Running   0          13d
productpage-v1-558f57946b-wbg69   1/1     Running   0          13d
ratings-v1-75689cb4c9-tkwwh       1/1     Running   0          13d
In this way, role bindings let us restrict the same SA to resources in specific NSs, namespace by namespace.