This is the 17th day of my participation in Gwen Challenge

User authority system

The user permission system in K8S uses THE RBAC mode. RBAC is role-based AC.

We can have a user play a role, and this role has permissions, and this user has permissions, so in RBAC, user authorization is authorizing a role.

User: A user can have a role. Roles: Roles can have certain permissions. Object permission: A group of operations that can be imposed on an object, called a permission.Copy the code
  • The user types
The Human User:# user accountPod Service Account:# Service account

Copy the code
  • The role type
- Role, roleBinding - ClusterRole, ClusterRoleBindingCopy the code
  • Authorization type
- The user goes via roleBindingbindRule, roleBinding can only be in the current namespace - go via clusterRoleBindingbindClausterrole, clusterRoleBinding will apply to all namespaces - via roleBindingbindClausterrole clusterRole permissions are restricted to the current namespace because roleBinding is only in the current namespaceCopy the code
  • Benefits of using roleBinding to bind clusterRole
If you have many namespaces, if you use roleBinding to bind roles, then you need to define roles in each namespace. If you use Rolebinding to bind a ClausterRole, since clusterRole has permissions on all namespaces, Rolebinding can only bind to the current namespace, eliminating the need to create a role for each namespace.Copy the code

14.1 Permission List

kubectl get clusterrole admin -o yaml

Copy the code

14.2 create a Role

  • Command Line definition
kubectl create role pods-reader --verb=get,list,watch --resource=pods

Copy the code
  • Use a list definition
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reder
  namespace: default
rules:
- apiGroups:                           Which API groups to operate on resources
  - ""
  resources:                           Which resources are authorized
  - pods
  verbs:                               What operations are authorized to do
  - get
  - list
  - watch

Copy the code

14.3 create rolebinding

  • Created using the RoleBinding object, the user is bound to the role
kubectl create rolebinding kaliarch-read-pods --role=pods-reader --user=kaliarch

Copy the code
  • Use a list definition
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kaliarch-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kaliarch

Copy the code
  • Switch user and environment contexts
$ kubectl config use-context kaliarch@kubernetes

Copy the code
  • Test whether the user has the GET permission
kubectl get pods

Copy the code

14.4 create clusterrole

  • Command Line definition
kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods

Copy the code
  • Use a list definition
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Copy the code
  • There are many clusterRoles built into the system. For details, see Kubectl GET ClusterRole
NAME                                                                   AGE
admin                                                                  5d16h
cluster-admin                                                          5d16h
cluster-reader                                                         4m32s
edit                                                                   5d16h
flannel                                                                5d6h
system:aggregate-to-admin                                              5d16h
system:aggregate-to-edit                                               5d16h
system:aggregate-to-view                                               5d16h
system:auth-delegator                                                  5d16h
system:aws-cloud-provider                                              5d16h
system:basic-user                                                      5d16h
system:certificates.k8s.io:certificatesigningrequests:nodeclient       5d16h
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   5d16h
system:controller:attachdetach-controller                              5d16h
system:controller:certificate-controller                               5d16h
system:controller:clusterrole-aggregation-controller                   5d16h
system:controller:cronjob-controller                                   5d16h
system:controller:daemon-set-controller                                5d16h

Copy the code

14.5 create clusterrolebinding

  • Command Line definition
kubectl create clusterrolebinding kaliarch-read-all-pods --clusterrole=cluster-reader --user=kaliarch

Copy the code
  • Listing definition
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kaliarch-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kaliarch
Copy the code
  • Switch user and environment contexts
$ kubectl config use-context kaliarch@kubernetes
Copy the code
  • Test whether the user has the GET permission
$ kubectl get pods -n kube-system
$ kubectl config use-context kubernetes-admin@kubernetes
Copy the code

14.6 rolebinding clusterrole

If you bind a ClusterRole with a RoleBinding, since clusterRoles have permissions for all namespaces and roleBinding can only bind to the current namespace, you eliminate the need to create a new role for each namespace.

  • Command definition
$ kubectl create rolebinding kaliarch-cluster-reader --clusterrole=cluster-reader --user=kaliarch
Copy the code
  • Listing definition
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kaliarch-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kaliarch
Copy the code
  • Switch user and environment contexts
$ kubectl config use-context kaliarch@kubernetes
Copy the code
  • Cluster-reader is restricted to the current namespace because roleBinding is used
$ kubectl get pods -n kube-system
$ kubectl config use-context kubernetes-admin@kubernetes
Copy the code

14.7 RBAC authorization

During bind authorization, the user principals that can be bound are user and group

  • Use the RoleBinding and ClusterRoleBinding bindings
Bind to user: Only the user has the rights of role or ClusterRole. Bind to group: All users in the group have the rights of Role or ClusterRoleCopy the code
  • When a user is added to a group, the account is automatically integrated with the permissions of the group
Create private key
(umask 077; openssl genrsa -out kaliarch.key 2048)

O is the group, CN is the account, this account is used by K8S to identify the identity, authorization also needs to authorize this account
openssl req -new -key kaliarch.key -out kaliarch.csr -subj "O=system:masters/CN=kaliarch/"

Use the CA to sign the certificate and it is valid for 1800 days
openssl x509 -req -in kaliarch.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out kaliarch.crt -days 1800

# check the certificate
openssl x509 -in kaliarch.crt -text -noout
Copy the code

other

Send your notes to: github.com/redhatxl/aw… Welcome one button three links