网站首页 > 技术文章 正文
应用场景
- A.dashboard赋权,授权对应的用户资源
- B.针对不同用户访问不同的资源
- C.实现访问多级集群使用kubectl config 命令切换集群上下问实现
知识要点
1.k8s的用户介绍
2.k8s角色
3.kubeconfig介绍
4 实现
介绍
K8S中有两种用户
- k8s内部服务之间访问的账号ServiceAccount (管理程序之间的访问)
- k8s外部用户访问集群的账号User (管理操作人的访问)
User&ServiceAccount的区别:
1 User是人来使用而ServiceAccount是为某个资源/程序/服务使用的
2 K8S用户的创建管理都无需与K8S API交互,K8S所能认知的只有一个用户名。ServiceAccount是由K8S管理创建
3 User独立在K8S之外并且需要在全局唯一,而ServiceAccount作为K8S内部的某种资源,是存在于某个命名空间之中的,在不同命名空间中的同名ServiceAccount被认为是不同的资源
a k8s的用户创建
root@dev-damon-node1:~/k8s-user# openssl genrsa -out wadequ.key 2048
root@dev-damon-node1:~/k8s-user# ls
wadequ.keyb 创建证书签名请求
root@dev-damon-node1:~/k8s-user# openssl req -new -key wadequ.key -out wadequ.csr -subj "/CN=wadequ/O=MGM"
root@dev-damon-node1:~/k8s-user# ls
wadequ.csr wadequ.keyc 集群证书签署
- -CA和-CAkey参数为集群CA证书所在位置,
- -days参数指定此证书的过期时间,这里为365天
root@dev-damon-node1:~/k8s-user# openssl x509 -req -in wadequ.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wadequ.crt -days 3650
Certificate request self-signature ok
subject=CN = wadequ, O = MGM
root@dev-damon-node1:~/k8s-user# ls
wadequ.crt wadequ.csr wadequ.key到此 用户创建完成
k8s的角色管理
k8s是基于RBAC(Role-Based Access Control)角色实现访问控制,
官网参考资料:
https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/
主要涉及4个Kind
- Role
- ClusterRole
- RoleBinding
- ClusterRoleBinding
Role & ClusterRole(Role 只能访问所属名字空间的资源,ClusterRole可以访问所以名字空间的资源)
Role 或 ClusterRole 中包含一组代表相关权限的规则
Role是用来在某个名字空间内设置访问权限。所以创建 Role 时必须指定该 Role 所属的名字空间。
ClusterRole 则是一个集群作用域的资源。
基于角色的的创建(针对namespace的方法)
a 创建sa
root@dev-damon-node1:~# cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: damontest
namespace: damon-zkb 创建role
apiVersion: v1
kind: ServiceAccount
metadata:
name: damontest
namespace: damon-zk
root@dev-damon-node1:~# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: damon-zk
name: damon-test
rules:
- apiGroups: [""] # "" 空字符串,表示核心 API 群
resources: ["pods","pods/log"]
verbs: ["get", "watch", "list"]
- apiGroups: ["extensions","apps"] # "" 空字符串,表示核心 API 群
resources: ["deployments"]
verbs: ["get", "watch", "list","create","update","patch","delete"]c 创建rolebinding
root@dev-damon-node1:~# cat rolebind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: damon-test
namespace: damon-zk
subjects:
- kind: ServiceAccount //这里使用sa的账号 可切换为User类型的账号(上面创建的账号)
name: damontest
namespace: damon-zk
roleRef:
kind: Role
name: damon-test
apiGroup: rbac.authorization.k8s.io基于集群角色创建
创建clusterrole
apiVersion: rbac.authorization.k8s.io/v1
# 指定类型为ClusterRole
kind: ClusterRole
metadata:
# "namespace" 被忽略,因为 ClusterRoles 不受名字空间限制
name: manger-cluster-role
rules:
- apiGroups: ["","apps"] "" 标明 core API 组
#resources指定此角色可以访问操作那些资源 *代表所有 这里配置只能操作secrets
resources: ["secrets"]
#verbs指资源的具体操作的类型例如 create get delete list update edit watch exec *代表所有
verbs: ["get", "watch", "list"]
创建clusterrolebinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dashboard-clusterrolebinding
subjects:
- kind: User
name: "wadequ" //openssl 创建的用户
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: manger-cluster-role
apiGroup: rbac.authorization.k8s.io至此创建完成
kubeconfig文件介绍
主要组成部分
- clusters (集群)
- users(用户)
- context(上下文)
命令
root@dev-damon-node1:~# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.41.17.2:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTEDkubectl config --help
set-context 指定当前上下文
current-context 查看当前的上下文
get-contexts 查看指定上下文信息
use-context 使用上下文
rename-context 重命名上下文
delete-context 删除指定上下文
delete-cluster 删除集群
set-cluster 创建集群
get-clusters 查询集群
set-credentials 配置用户信息
view 查看kubeconfig 配置文件内容root@dev-damon-node1:~# kubectl config current-context
kubernetes-admin@kubernetes
创建集群配置集群访问证书
kubectl config set-cluster k8s-test-cluster --server=https://192.168.0.160:6443 --embed-certs --certificate-authority=/medcrab/data/ca.crt
创建用户
kubectl config set-credentials jim --client-certificate=/medcrab/data/jim.crt --client-key=/medcrab/data/jim.key
创建上下文
kubectl config set-context jim@k8s-test-cluster --cluster=k8s-test-cluster --namespace=team2 --user=jim
指定上下文开始使用
kubectl get pods --context=jim@k8s-test-cluster
实战演示 创建wadequ的账户访问集群
//1.创建集群配置集群访问证书
kubectl config set-cluster k8s-damon-wadequ --server=https://10.41.17.2:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt
root@dev-damon-node1:~/k8s-user# openssl genrsa -out wadequ.key 2048
root@dev-damon-node1:~/k8s-user# ls
wadequ.key
root@dev-damon-node1:~/k8s-user# openssl req -new -key wadequ.key -out wadequ.csr -subj "/CN=wadequ/O=MGM"
root@dev-damon-node1:~/k8s-user# ls
wadequ.csr wadequ.key
root@dev-damon-node1:~/k8s-user# openssl x509 -req -in wadequ.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wadequ.crt -days 3650
Certificate request self-signature ok
subject=CN = wadequ, O = MGM
root@dev-damon-node1:~/k8s-user# ls
wadequ.crt wadequ.csr wadequ.key
//上面提示信息为 未对用户镜像相关权限授权
root@dev-damon-node1:~/k8s-user# cat damo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: damon-mysql
name: devops-role
rules:
- apiGroups: ["","apps","batch","autoscaling"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: devops-role-binding
namespace: damon-mysql
subjects:
- kind: User
name: wadequ
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: devops-role
apiGroup: rbac.authorization.k8s.io
//验证xinxi
root@dev-damon-node1:~/k8s-user# kubectl get role -n damon-mysql
NAME CREATED AT
devops-role 2023-12-27T07:54:23Z
root@dev-damon-node1:~/k8s-user# kubectl get rolebinding -n damon-mysql
NAME ROLE AGE
devops-role-binding Role/devops-role 67s
//2.创建集群上下文相关信息
root@dev-damon-node1:~/k8s-user# kubectl config set-credentials wadequ --client-certificate=./wadequ.crt --client-key=./wadequ.key
User "wadequ" set.
root@dev-damon-node1:~/k8s-user# kubectl config set-context wadequ@k8s-damon-wadequ --cluster=k8s-damon-wadequ --namespace=damon-mysql --user=wadequ
Context "wadequ@k8s-damon-wadequ" created.
//3 验证访问
root@dev-damon-node1:~/k8s-user# kubectl get pod --context=wadequ@k8s-damon-wadequ
NAME READY STATUS RESTARTS AGE
mysql-primary-0 1/1 Terminating 3 152d
mysql-secondary-0 1/1 Terminating 4 152d
//4查看变化信息context
root@dev-damon-node1:~/k8s-user# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.41.17.2:6443
name: k8s-damon-wadequ
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.41.17.2:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: k8s-damon-wadequ
namespace: damon-mysql
user: wadequ
name: wadequ@k8s-damon-wadequ
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: wadequ
user:
client-certificate: /root/k8s-user/wadequ.crt
client-key: /root/k8s-user/wadequ.key验证以及切换上下文
//切换上下文
root@dev-damon-node1:~/k8s-user# kubectl config use-context wadequ@k8s-damon-wadequ
Switched to context "wadequ@k8s-damon-wadequ".
//查看当前上下文
root@dev-damon-node1:~/k8s-user# kubectl config current-context
wadequ@k8s-damon-wadequ
//验证权限pod
root@dev-damon-node1:~/k8s-user# kubectl get pod
NAME READY STATUS RESTARTS AGE
mysql-primary-0 1/1 Terminating 3 152d
mysql-secondary-0 1/1 Terminating 4 152d
root@dev-damon-node1:~/k8s-user# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysql-primary-0 1/1 Terminating 3 152d 172.16.201.141 dev-damon-node2 <none> <none>
mysql-secondary-0 1/1 Terminating 4 152d 172.16.201.152猜你喜欢
- 2024-10-12 Kong 优雅实现微服务网关鉴权,登录场景落地实战篇
- 2024-10-12 k8s安装与使用入门(k8s安装步骤)
- 2024-10-12 应用无损上下线(应用无损上下线怎么关闭)
- 2024-10-12 另一个Kubernetes(k8s)指南(kubernetesk8s怎么使用)
- 2024-10-12 Kubernetes 安全专家(CKS)必过心得
- 2024-10-12 深入理解K8S网络原理上(k8s网络解决方案)
- 2024-10-12 一次客户需求引发的K8S网络探究(基于客户需求)
- 2024-10-12 今天讲讲k8s的pod控制器及无状态和有状态
- 2024-10-12 k8s如何滚动升级应用(k8s升级组件方法)
- 2024-10-12 k8s基础知识之service类型(k8s的service类型)
- 02-21走进git时代, 你该怎么玩?_gits
- 02-21GitHub是什么?它可不仅仅是云中的Git版本控制器
- 02-21Git常用操作总结_git基本用法
- 02-21为什么互联网巨头使用Git而放弃SVN?(含核心命令与原理)
- 02-21Git 高级用法,喜欢就拿去用_git基本用法
- 02-21Git常用命令和Git团队使用规范指南
- 02-21总结几个常用的Git命令的使用方法
- 02-21Git工作原理和常用指令_git原理详解
- 最近发表
- 标签列表
-
- cmd/c (57)
- c++中::是什么意思 (57)
- sqlset (59)
- ps可以打开pdf格式吗 (58)
- phprequire_once (61)
- localstorage.removeitem (74)
- routermode (59)
- vector线程安全吗 (70)
- & (66)
- java (73)
- org.redisson (64)
- log.warn (60)
- cannotinstantiatethetype (62)
- js数组插入 (83)
- resttemplateokhttp (59)
- gormwherein (64)
- linux删除一个文件夹 (65)
- mac安装java (72)
- reader.onload (61)
- outofmemoryerror是什么意思 (64)
- flask文件上传 (63)
- eacces (67)
- 查看mysql是否启动 (70)
- java是值传递还是引用传递 (58)
- 无效的列索引 (74)