【k8s 访问控制--认证与鉴权】

作者：Gausst松鼠会 | 2024-05-16 12:42:20

踩

【k8s 访问控制--认证与鉴权】

1、身份认证与权限

前面我们在操作k8s的所有请求都是通过https的方式进行请求，通过REST协议操作我们的k8s接口，所以在k8s中有一套认证和鉴权的资源。

Kubenetes中提供了良好的多租户认证管理机制，如RBAC、ServiceAccount还有各种策路等。
通过该文件可以看到已经配置了RBAC访问控制
/usr/lib/systemd/system/kube-apiserver.service

2、认证

所有kubernetes集群有两类用户：由Kubernetes管理的ServiceAccounts（服务账户）和（Users Accounts）普通账户。

普通账户是假定被外部或独立服务管理的，由管理员分配key，用户像使用Keystone或google账号一样，被存储在包含usernames和passwords的list的文件里。
需要注意：在Kubernetes中不能通过API调用将普通用户添加到集群中。
- 普通帐户是针对（人）用户的，服务账户针对Pod进程。
- 普通帐户是全局性。在集群所有namespaces中，名称具有唯一性。
- 通常，集群的普通帐户可以与企业数据库同步，新的普通帐户创建需要特殊权限。服务账户创建目的是更轻量化，允许集群用户为特定任务创建服务账户。
- 普通帐户和服务账户的审核注意事项不同。
- 对于复杂系统的配置包，可以包括对该系统的各种组件的服务账户的定义。

2.1 服务账户的控制器（Service Account Adminssion Controller）

通过Admission Controller插件来实现对pod修改，它是apiserver的一部分，创建或更新pod时会同步进行修改pod,当插件处于激活状态（在大多数发行版中都默认情况）创建或修改pod时，会按以下操作执行：

1.如果pod没有设置ServiceAccount,则将ServiceAccount设置为default。
2.如果pod引用的ServiceAccount存在，否则将会拒绝请求。
3.如果pod不包含任何ImagePullSecrets,则将ServiceAccount的ImagePullSecrets会添加到pod中。
4.为包含API访问的Token的pod添加了一个volume。
5.把volumeSource添动加到安装在pod的每个容器中，挂载/var/run/secrets/kubernetes.io/serviceaccount。

2.2 服务账户的控制器（Token Controller）

API的访问是基于token的认证，创建对应的service account 都会关联到对应的token，这个是由Token Controller来进行管理的。Pod去访问API的时候是需要证明具有相对应的权限的。

2.3 服务账户的控制器（Service Account Controller）

Service Account Controller在namespaces里管理ServiceAccount，并确保每个有效的namespaces中都存在一个名为"default"的ServiceAcount。

2.4 拓展命令

[root@k8s-master ~]# kubectl get sa
NAME      SECRETS   AGE
default   0         9d
[root@k8s-master ~]# kubectl get serviceaccounts
NAME      SECRETS   AGE
default   0         9d

[root@k8s-master ~]# kubectl get serviceaccounts   --all-namespaces
NAMESPACE         NAME                                 SECRETS   AGE
default           default                              0         9d
ingress-nginx     default                              0         3d19h
ingress-nginx     ingress-nginx                        0         3d17h
kube-flannel      default                              0         9d
kube-flannel      flannel                              0         9d
kube-node-lease   default                              0         9d
kube-public       default                              0         9d
kube-system       attachdetach-controller              0         9d
kube-system       bootstrap-signer                     0         9d
kube-system       certificate-controller               0         9d
kube-system       clusterrole-aggregation-controller   0         9d
kube-system       coredns                              0         9d
kube-system       cronjob-controller                   0         9d
kube-system       daemon-set-controller                0         9d
kube-system       default                              0         9d
kube-system       deployment-controller                0         9d
kube-system       disruption-controller                0         9d
kube-system       endpoint-controller                  0         9d
kube-system       endpointslice-controller             0         9d
kube-system       endpointslicemirroring-controller    0         9d
kube-system       ephemeral-volume-controller          0         9d
kube-system       expand-controller                    0         9d
kube-system       generic-garbage-collector            0         9d
kube-system       horizontal-pod-autoscaler            0         9d
kube-system       job-controller                       0         9d
kube-system       kube-proxy                           0         9d
kube-system       metrics-server                       0         4d15h
kube-system       namespace-controller                 0         9d
kube-system       nfs-client-provisioner               0         40h
kube-system       node-controller                      0         9d
kube-system       persistent-volume-binder             0         9d
kube-system       pod-garbage-collector                0         9d
kube-system       pv-protection-controller             0         9d
kube-system       pvc-protection-controller            0         9d
kube-system       replicaset-controller                0         9d
kube-system       replication-controller               0         9d
kube-system       resourcequota-controller             0         9d
kube-system       root-ca-cert-publisher               0         9d
kube-system       service-account-controller           0         9d
kube-system       service-controller                   0         9d
kube-system       statefulset-controller               0         9d
kube-system       token-cleaner                        0         9d
kube-system       ttl-after-finished-controller        0         9d
kube-system       ttl-controller                       0         9d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

3、鉴权

3.1 Role 普通角色

代表一个角色，会包含一组权限，没有拒绝规则，只是附加允许。它是Namespaces级别的资源，只能作用与Namespace之内，不可以跨命名空间使用。

查看已有的角色信息
kubectl get role -n ingress-nginx nginx-ingress-role -o yaml

[root@k8s-master ~]# kubectl get role  -n ingress-nginx ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role   # 角色
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  creationTimestamp: "2024-02-25T11:35:57Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
    helm.sh/chart: ingress-nginx-4.9.1
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "482050"
  uid: a0df64a1-2e1b-4daf-b777-c7afcc23669c


rules:    # 规则，可以根据角色对一些资源做什么操作
- apiGroups:  # api分组
  - ""
  resources: # 资源
  - namespaces   # 增对命名空间
  verbs:   # 动作
  - get    # 获取命名空间的信息
- apiGroups:  
  - ""
  resources:
  - configmaps   
  - pods
  - secrets
  - endpoints
  verbs:
  - get     
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
[root@k8s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

3.2 ClusterRole 兄弟角色

功能与Role一样，区别是资源类型为集群类型，而Role只在Namespace。

查看某个集群角色的信息
kubectl get clusterrole view -oyaml

[root@k8s-master ~]# kubectl get clusterrole
NAME                                                                   CREATED AT
admin                                                                  2024-02-19T14:04:43Z
cluster-admin                                                          2024-02-19T14:04:43Z
edit                                                                   2024-02-19T14:04:43Z
flannel                                                                2024-02-19T15:33:13Z
ingress-nginx                                                          2024-02-25T11:35:57Z
kubeadm:get-nodes                                                      2024-02-19T14:04:44Z
nfs-client-provisioner-runner                                          2024-02-27T12:25:28Z
system:aggregate-to-admin                                              2024-02-19T14:04:43Z
system:aggregate-to-edit                                               2024-02-19T14:04:43Z
system:aggregate-to-view                                               2024-02-19T14:04:43Z
system:aggregated-metrics-reader                                       2024-02-24T13:26:02Z
system:auth-delegator                                                  2024-02-19T14:04:43Z
system:basic-user                                                      2024-02-19T14:04:43Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2024-02-19T14:04:43Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2024-02-19T14:04:43Z
system:certificates.k8s.io:kube-apiserver-client-approver              2024-02-19T14:04:43Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2024-02-19T14:04:43Z
system:certificates.k8s.io:kubelet-serving-approver                    2024-02-19T14:04:43Z
system:certificates.k8s.io:legacy-unknown-approver                     2024-02-19T14:04:43Z
system:controller:attachdetach-controller                              2024-02-19T14:04:43Z
system:controller:certificate-controller                               2024-02-19T14:04:43Z
system:controller:clusterrole-aggregation-controller                   2024-02-19T14:04:43Z
system:controller:cronjob-controller                                   2024-02-19T14:04:43Z
system:controller:daemon-set-controller                                2024-02-19T14:04:43Z
system:controller:deployment-controller                                2024-02-19T14:04:43Z
system:controller:disruption-controller                                2024-02-19T14:04:43Z
system:controller:endpoint-controller                                  2024-02-19T14:04:43Z
system:controller:endpointslice-controller                             2024-02-19T14:04:43Z
system:controller:endpointslicemirroring-controller                    2024-02-19T14:04:43Z
system:controller:ephemeral-volume-controller                          2024-02-19T14:04:43Z
system:controller:expand-controller                                    2024-02-19T14:04:43Z
system:controller:generic-garbage-collector                            2024-02-19T14:04:43Z
system:controller:horizontal-pod-autoscaler                            2024-02-19T14:04:43Z
system:controller:job-controller                                       2024-02-19T14:04:43Z
system:controller:namespace-controller                                 2024-02-19T14:04:43Z
system:controller:node-controller                                      2024-02-19T14:04:43Z
system:controller:persistent-volume-binder                             2024-02-19T14:04:43Z
system:controller:pod-garbage-collector                                2024-02-19T14:04:43Z
system:controller:pv-protection-controller                             2024-02-19T14:04:43Z
system:controller:pvc-protection-controller                            2024-02-19T14:04:43Z
system:controller:replicaset-controller                                2024-02-19T14:04:43Z
system:controller:replication-controller                               2024-02-19T14:04:43Z
system:controller:resourcequota-controller                             2024-02-19T14:04:43Z
system:controller:root-ca-cert-publisher                               2024-02-19T14:04:43Z
system:controller:route-controller                                     2024-02-19T14:04:43Z
system:controller:service-account-controller                           2024-02-19T14:04:43Z
system:controller:service-controller                                   2024-02-19T14:04:43Z
system:controller:statefulset-controller                               2024-02-19T14:04:43Z
system:controller:ttl-after-finished-controller                        2024-02-19T14:04:43Z
system:controller:ttl-controller                                       2024-02-19T14:04:43Z
system:coredns                                                         2024-02-19T14:04:45Z
system:discovery                                                       2024-02-19T14:04:43Z
system:heapster                                                        2024-02-19T14:04:43Z
system:kube-aggregator                                                 2024-02-19T14:04:43Z
system:kube-controller-manager                                         2024-02-19T14:04:43Z
system:kube-dns                                                        2024-02-19T14:04:43Z
system:kube-scheduler                                                  2024-02-19T14:04:43Z
system:kubelet-api-admin                                               2024-02-19T14:04:43Z
system:metrics-server                                                  2024-02-24T13:26:02Z
system:monitoring                                                      2024-02-19T14:04:43Z
system:node                                                            2024-02-19T14:04:43Z
system:node-bootstrapper                                               2024-02-19T14:04:43Z
system:node-problem-detector                                           2024-02-19T14:04:43Z
system:node-proxier                                                    2024-02-19T14:04:43Z
system:persistent-volume-provisioner                                   2024-02-19T14:04:43Z
system:public-info-viewer                                              2024-02-19T14:04:43Z
system:service-account-issuer-discovery                                2024-02-19T14:04:43Z
system:volume-scheduler                                                2024-02-19T14:04:43Z
view                                                                   2024-02-19T14:04:43Z
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

[root@k8s-master ~]# kubectl get clusterrole ingress-nginx -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  creationTimestamp: "2024-02-25T11:35:57Z"
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.6
    helm.sh/chart: ingress-nginx-4.9.1
  name: ingress-nginx
  resourceVersion: "482047"
  uid: 8f7e381f-75a3-4d6e-90f0-13e6ce14e1ae
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

3.3 RoleBinding 命名空间级别角色权限绑定

Role或ClusterRole只是用于制定权限集合，具体作用与什么对象上，需要使用RoleBinding来进行绑定。
作用于Namespace内，可以将Role或ClusterRole绑定到User、Group、Service Account上.

查看rolebinding信息
kubectl get rolebinding --all-namespaces
查看指定rolebinding的配置信息
kubectl get rolebinding <role_binding_name> --all-namespaces
-oyaml

[root@k8s-master ~]#  kubectl get rolebinding --all-namespaces
NAMESPACE       NAME                                                ROLE                                                  AGE
default         leader-locking-nfs-client-provisioner               Role/leader-locking-nfs-client-provisioner            41h
ingress-nginx   ingress-nginx                                       Role/ingress-nginx                                    3d17h
kube-public     kubeadm:bootstrap-signer-clusterinfo                Role/kubeadm:bootstrap-signer-clusterinfo             9d
kube-public     system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               9d
kube-system     kube-proxy                                          Role/kube-proxy                                       9d
kube-system     kubeadm:kubelet-config                              Role/kubeadm:kubelet-config                           9d
kube-system     kubeadm:nodes-kubeadm-config                        Role/kubeadm:nodes-kubeadm-config                     9d
kube-system     metrics-server-auth-reader                          Role/extension-apiserver-authentication-reader        4d16h
kube-system     system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        9d
kube-system     system::leader-locking-kube-controller-manager      Role/system::leader-locking-kube-controller-manager   9d
kube-system     system::leader-locking-kube-scheduler               Role/system::leader-locking-kube-scheduler            9d
kube-system     system:controller:bootstrap-signer                  Role/system:controller:bootstrap-signer               9d
kube-system     system:controller:cloud-provider                    Role/system:controller:cloud-provider                 9d
kube-system     system:controller:token-cleaner                     Role/system:controller:token-cleaner                  9d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

3.4 ClusterRoleBinding 集群角色权限的绑定

查看ClusterRoleBinding信息
kubectl get clusterrolebinding
查看指定ClusterRoleBinding的配置信息
kubectl get clusterrolebinding <clusterrole_binding_name> -o yaml

[root@k8s-master ~]#  kubectl get clusterrolebinding
NAME                                                   ROLE                                                                               AGE
cluster-admin                                          ClusterRole/cluster-admin                                                          9d
flannel                                                ClusterRole/flannel                                                                9d
ingress-nginx                                          ClusterRole/ingress-nginx                                                          3d18h
kubeadm:get-nodes                                      ClusterRole/kubeadm:get-nodes                                                      9d
kubeadm:kubelet-bootstrap                              ClusterRole/system:node-bootstrapper                                               9d
kubeadm:node-autoapprove-bootstrap                     ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient       9d
kubeadm:node-autoapprove-certificate-rotation          ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   9d
kubeadm:node-proxier                                   ClusterRole/system:node-proxier                                                    9d
metrics-server:system:auth-delegator                   ClusterRole/system:auth-delegator                                                  4d16h
run-nfs-client-provisioner                             ClusterRole/nfs-client-provisioner-runner                                          41h
system:basic-user                                      ClusterRole/system:basic-user                                                      9d
system:controller:attachdetach-controller              ClusterRole/system:controller:attachdetach-controller                              9d
system:controller:certificate-controller               ClusterRole/system:controller:certificate-controller                               9d
system:controller:clusterrole-aggregation-controller   ClusterRole/system:controller:clusterrole-aggregation-controller                   9d
system:controller:cronjob-controller                   ClusterRole/system:controller:cronjob-controller                                   9d
system:controller:daemon-set-controller                ClusterRole/system:controller:daemon-set-controller                                9d
system:controller:deployment-controller                ClusterRole/system:controller:deployment-controller                                9d
system:controller:disruption-controller                ClusterRole/system:controller:disruption-controller                                9d
system:controller:endpoint-controller                  ClusterRole/system:controller:endpoint-controller                                  9d
system:controller:endpointslice-controller             ClusterRole/system:controller:endpointslice-controller                             9d
system:controller:endpointslicemirroring-controller    ClusterRole/system:controller:endpointslicemirroring-controller                    9d
system:controller:ephemeral-volume-controller          ClusterRole/system:controller:ephemeral-volume-controller                          9d
system:controller:expand-controller                    ClusterRole/system:controller:expand-controller                                    9d
system:controller:generic-garbage-collector            ClusterRole/system:controller:generic-garbage-collector                            9d
system:controller:horizontal-pod-autoscaler            ClusterRole/system:controller:horizontal-pod-autoscaler                            9d
system:controller:job-controller                       ClusterRole/system:controller:job-controller                                       9d
system:controller:namespace-controller                 ClusterRole/system:controller:namespace-controller                                 9d
system:controller:node-controller                      ClusterRole/system:controller:node-controller                                      9d
system:controller:persistent-volume-binder             ClusterRole/system:controller:persistent-volume-binder                             9d
system:controller:pod-garbage-collector                ClusterRole/system:controller:pod-garbage-collector                                9d
system:controller:pv-protection-controller             ClusterRole/system:controller:pv-protection-controller                             9d
system:controller:pvc-protection-controller            ClusterRole/system:controller:pvc-protection-controller                            9d
system:controller:replicaset-controller                ClusterRole/system:controller:replicaset-controller                                9d
system:controller:replication-controller               ClusterRole/system:controller:replication-controller                               9d
system:controller:resourcequota-controller             ClusterRole/system:controller:resourcequota-controller                             9d
system:controller:root-ca-cert-publisher               ClusterRole/system:controller:root-ca-cert-publisher                               9d
system:controller:route-controller                     ClusterRole/system:controller:route-controller                                     9d
system:controller:service-account-controller           ClusterRole/system:controller:service-account-controller                           9d
system:controller:service-controller                   ClusterRole/system:controller:service-controller                                   9d
system:controller:statefulset-controller               ClusterRole/system:controller:statefulset-controller                               9d
system:controller:ttl-after-finished-controller        ClusterRole/system:controller:ttl-after-finished-controller                        9d
system:controller:ttl-controller                       ClusterRole/system:controller:ttl-controller                                       9d
system:coredns                                         ClusterRole/system:coredns                                                         9d
system:discovery                                       ClusterRole/system:discovery                                                       9d
system:kube-controller-manager                         ClusterRole/system:kube-controller-manager                                         9d
system:kube-dns                                        ClusterRole/system:kube-dns                                                        9d
system:kube-scheduler                                  ClusterRole/system:kube-scheduler                                                  9d
system:metrics-server                                  ClusterRole/system:metrics-server                                                  4d16h
system:monitoring                                      ClusterRole/system:monitoring                                                      9d
system:node                                            ClusterRole/system:node                                                            9d
system:node-proxier                                    ClusterRole/system:node-proxier                                                    9d
system:public-info-viewer                              ClusterRole/system:public-info-viewer                                              9d
system:service-account-issuer-discovery                ClusterRole/system:service-account-issuer-discovery                                9d
system:volume-scheduler                                ClusterRole/system:volume-scheduler                                                9d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

在这里插入图片描述

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/Gausst松鼠会/article/detail/578784