配置k8s集群context-rbac实践

说明

在openshift环境中，可以通过oc project {project_name}命令来切换project，那么在k8s中式如何切换namespace的呢？（ocp的project即相当于k8s中的ns）

实例

创建ns

#创建dev 和 prod ns

kubectl create ns dev

kubectl create ns prod

查看默认上下文用于访问api的信息

#通过kubectl config view或者cat ~/.kube/config 查看默认上下文使用的cluster和user

kc config view

apiVersion: v1

clusters:

- cluster:

    certificate-authority-data: REDACTED

    server: https://172.31.2.130:6443

  name: kubernetes

contexts:

- context:

    cluster: kubernetes  //默认上下文使用的cluster

    user: kubernetes-admin //默认上下文使用的user

  name: kubernetes-admin@kubernetes

current-context: ctx-prod

kind: Config

preferences: {}

users:

- name: kubernetes-admin

  user:

    client-certificate-data: REDACTED

    client-key-data: REDACTED

新增上下文

#定义Context

kubectl config set-context ctx-dev --namespace=dev --cluster=kubernetes --user=kubernetes-admin

kubectl config set-context ctx-prod --namespace=prod --cluster=kubernetes --user=kubernetes-admin

切换上下文

kubectl config use-context ctc-prod
#此时部署应用默认就会到prod ns中

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

上述配置之后可以实现切换ns（类似oc project xxx），但是都是使用的kubernetes-admin这个user，这个用户具有cluster-admin的权限

以下配置实现在prod这个ns中只允许对资源deployment、pod的list等操作，而不允许delete操作

参考链接：https://blog.csdn.net/hy9418/article/details/80268418

创建私钥文件

#使用openssl创建名为view.key的私钥文件

openssl genrsa -out view.key

创建证书签名请求文件

#使用上述的私钥文件创建csr文件

openssl req -new -key view.key -out view.csr -subj "/CN=view/O=mypwd"

生成证书文件

#利用k8s集群证书文件（/etc/kubernetes/pki/下），生成证书view.crt

openssl x509 -req -in view.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out view.crt -days

配置k8s context

#编辑~/.kube/config文件，新增user，name为view，其中client-certificate-data和client-key-data的值如下

client-certificate-data=`cat view.crt | base64 --wrap=`

client-key-data=`cat view.key | base64 --wrap=`

#在prod这个context中指定user为view
- context:
    cluster: kubernetes
    namespace: prod
    user: view
  name: prod

由于未赋权限，报如下错误

[root@node1 manifests]# kc config use-context prod

Switched to context "prod".

[root@node1 manifests]# kc get pod

No resources found.

Error from server (Forbidden): pods is forbidden: User "view" cannot list pods in the namespace "prod"

权限赋值

#新建view_rbac.yaml文件，其中定义了Role对象和RoleBindind对象

kind: Role

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

  name: prod_user_role

  namespace: prod

rules:

# ""表示core这个apiGroups, pod就是在core

  - apiGroups: ["", "extensions", "apps"]

    resources:

      - pods

    verbs:

      - list

---

kind: RoleBinding

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

  name: prod_user_rolebinding

  namespace: prod

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: Role

  name: prod_user_role

subjects:

- kind: User

  name: view

  namespace: prod

#通过kubectl create -f view_rbac.yaml，注：需要切回具有cluster-admin权限的context才能执行create动作

verbs 字段的全集：verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

验证

#切换到prod context

kc config use-context prod

#kc get pod，命令正常获取pod

NAME                            READY     STATUS    RESTARTS   AGE

my--game-789f4fb6b5-6nl8n   /       Running             12d

my--game-789f4fb6b5-j59hq   /       Running             12d

my--game-789f4fb6b5-xx2vb   /       Running             12d

kc delete pod my--game-789f4fb6b5-6nl8n

Error from server (Forbidden): pods "my-2048-game-789f4fb6b5-6nl8n" is forbidden: User "view" cannot delete pods in the namespace "prod"

kc get deployment

No resources found.

Error from server (Forbidden): deployments.extensions is forbidden: User "view" cannot list deployments.extensions in the namespace "prod"