RBAC 访问控制 Users Accounts

前言:
前面已经对ServiceAccount、Users Account认证进行了介绍与创建,但最后的测试发现是Users Account并没有访问权限,本节介绍RBAC授权 对ServiceAccount、Users Account认证进行授权

RBAC是什么？

RBAC 是基于角色的访问控制（Role-Based Access Control ）在 RBAC 中，权限与角色相关联，用户通过成为适当角色的成员而得到这些角色的权限。这就极大地简化了权限的管理。这样管理都是层级相互依赖的，权限赋予给角色，而把角色又赋予用户，这样的权限设计很清楚，管理起来很方便。

角色
　　Role：角色,名称空间级别;授权特定命名空间的访问权限
　　ClusterRole：集群角色,全局级别;授权所有命名空间的访问权限

角色绑定
　　RoleBinding：将角色绑定到主体（即subject）,意味着，用户仅得到了特定名称空间下的Role的权限，作用范围也限于该名称空间;
　　ClusterRoleBinding：将集群角色绑定到主体,让用户扮演指定的集群角色;意味着，用户得到了是集群级别的权限，作用范围也是集群级别;
　　
主体（subject）
　　User：用户
　　Group：用户组
　　ServiceAccount：服务账号

绑定对应关系
主体(Subject) --> RoleBinding --> Role #主体获得名称空间下的Role的权限
主体(Subject) --> ClusterRoleBinding --> clusterRoles #主体获得集群级别clusterRoles的权限
主体(Subject) --> Rolebindig -->ClusterRole #权限降级 主体获得名称空间下的clusterRoles的权限

• rules中的参数说明：
  1、apiGroups：支持的API组列表，例如："apiVersion: batch/v1"等
  2、resources：支持的资源对象列表，例如pods、deplayments、jobs等
  3、resourceNames: 指定resource的名称
  3、verbs：对资源对象的操作方法列表。

• RBAC使用rbac.authorization.k8s.io API Group 来实现授权决策，允许管理员通过 Kubernetes API 动态配置策略，要启用RBAC，需要在 apiserver 中添加参数--authorization-mode=RBAC，如果使用的kubeadm安装的集群，都默认开启了RBAC，可以通过查看 Master 节点上 apiserver 的静态Pod定义文件：

[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
 ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC   #默认支持BRAC 基于角色的访问控制
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...

• 查看 kube-system名称空间下的role角色详情

[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z

[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:   #角色规则详细信息
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps
  verbs:   #能执行的操作
  - get

• role角色绑定
• RoleBinding 角色绑定

[root@k8s-master ~]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
   roleRef  <Object> -required-
     RoleRef can reference a Role in the current namespace or a ClusterRole in
     the global namespace. If the RoleRef cannot be resolved, the Authorizer
     must return an error.

   subjects <[]Object>
     Subjects holds references to the objects the role applies to.

示例1: 创建role角色绑定 作用域为名称空间

[root@k8s-master authfiles]# cat pods-reader-rbac.yaml 
kind : Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]  #空表示默认群组
  resources: ["pods","services","pods/log"]  #对象资源
  verbs: ["get","list","watch"]  #权限

[root@k8s-master authfiles]# cat tom-pods-reader.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom   #绑定的用户名
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader  #绑定之前的角色
  apiGroup: rbac.authorization.k8s.io
  
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml 
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml 

[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m

• 使用tom用户验证权限 pod、svc

[root@k8s-master authfiles]# kubectl config get-contexts   --kubeconfig=/tmp/mykubeconfig  #查看当前用户
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom 

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d

• 验证deployment、nodes权限 没有授权访问失败

[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get nodes  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

内建管理员admin

• 名称空间管理员admin

• clusterrole admin 名称空间级别资源 拥有所有名称空间下的资源 所有操作权限

• 集群管理员 cluster-admin

• clusterrole cluster-admin 集群级别资源 拥有集群所有空的资源 所有操作权限

• 之前绑定的rolebinding只对默认名称空间有一定的权限

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"

• clusterrole admin 对所有名称空间下的资源权限

[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml

• 删除绑定,重新绑定到clusterrole admin

[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m

[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted

[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted

[root@k8s-master authfiles]# kubectl get pod  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

示例2: 绑定admin 并验证权限,作用域为名称空间

[root@k8s-master authfiles]# kubectl create --help  
...
Available Commands:
  clusterrole         Create a ClusterRole.
  clusterrolebinding  Create a ClusterRoleBinding for a particular ClusterRole
  configmap           Create a configmap from a local file, directory or literal value
  cronjob             Create a cronjob with the specified name.
  deployment          Create a deployment with the specified name.
  job                 Create a job with the specified name.
  namespace           Create a namespace with the specified name
  poddisruptionbudget Create a pod disruption budget with the specified name.
  priorityclass       Create a priorityclass with the specified name.
  quota               Create a quota with the specified name.
  role                Create a role with single rule.
  rolebinding         Create a RoleBinding for a particular Role or ClusterRole
  secret              Create a secret using specified subcommand
  service             Create a service using specified subcommand.
  serviceaccount      Create a service account with the specified name

• 可以分别对--user、--group、--serviceaccount进行授权

[root@k8s-master authfiles]# kubectl create clusterrolebinding  --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:  
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]

• 绑定并进行权限验证

[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom  --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
......

[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h

[root@k8s-master authfiles]# kubectl get deployment   --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h

• node是集群级别资源 无权限

[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope

示例3: 绑定cluster-admin 并验证权限 作用域为集群级别资源

[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted

[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom  --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                   21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                   21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9

• 需要注意的是 cluster-admin 是通过system:masters组方式进行授权,如果我们在创建用户证书时,/CN=XX/O=system:masters;那么这个用户就拥有超级管理员的权限

[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters   #通过组授权所有system:masters都拥有超级管理员权限

示例4: rolebinding 绑定admin 并验证权限 权限降级

• 前面有提到
  User --> Rolebindig -->ClusterRole:权限降级，
  ClusterRole，用户得到的权限仅是ClusterRole的权限在Rolebinding所属的名称空间上的一个子集;

• 删除之前绑定

[root@k8s-master authfiles]# kubectl delete  clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted

• 创建角色绑定集群角色 权限降级 只对指定名称空间有权限

[root@k8s-master authfiles]# kubectl create  rolebinding tom-admin --user=tom  -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created

• 测试权限 作用域尽为longhorn-system名称空间

[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph                 1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49                 1/1     Running   9          19d
...