K8s中的RBAC认证授权之基于HTTPS证书给User授权认证
<h2 id="概述">概述</h2><p>本文主要介绍在K8s中如何使用证书给User进行授权认证。</p>
<p>在生产环境中,当你想给对应的人员分配不同的权限,则可以阅读这篇文章</p>
<p>阅读这篇文章之前,你应该有一些前置知识,应该知道K8s的授权认证</p>
<blockquote>
<p>可以阅读这篇文章:一文搞懂K8s中的RBAC认证授权</p>
</blockquote>
<h2 id="实操">实操</h2>
<h3 id="使用cfssl生成user的ca证书">使用cfssl生成User的CA证书</h3>
<blockquote>
<p>cfssl可以阅读这篇文章:https://www.cnblogs.com/huangSir-devops/p/18876361</p>
</blockquote>
<pre><code>## 创建CA证书
# cat ca-config.json
{
"signing": {
"default": {
# 配置默认证书有效期为10年
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": ["signing", "key encipherment", "server auth", "client auth"]
}
}
}
}
# 创建CA证书请求
# cat ca-csr.json
{
# CN表示用户名称
"CN": "develop",
"hosts": [],
"key": {
# 加密算法
"algo": "rsa",
# 密钥长度
"size": 4096
},
"names": [
{
# 国家代码,CN代表是中国
"C": "CN",
# 省份
"ST": "Beijing",
# 城市或地区
"L": "Beijing",
# 这里O表示用户组
"O": "dev
# 组织单位(Organizational Unit),可以理解成公司部门
"OU": "ca"
}
]
}
# 创建证书存储目录
# mkdir -p develop
# 生成证书
# cfssl gencert \
-ca=/etc/kubernetes/pki/ca.crt \
-ca-key=/etc/kubernetes/pki/ca.key \
-config=ca-config.json \
-profile=kubernetes \
ca-csr.json| cfssljson -bare develop/develop
2025/06/07 13:52:37 generate received request
2025/06/07 13:52:37 received CSR
# 查看文件
# tree
.
├── ca-config.json
├── ca-csr.json
└── develop
├── develop-key.pem # 公钥
├── develop.csr
└── develop.pem# 私钥
</code></pre>
<h3 id="生成kubeconfig文件">生成kubeconfig文件</h3>
<p>创建集群入口</p>
<pre><code># 配置集群,集群可以设置多套,此处只配置了一套
# --certificate-authority
# 指定K8s的ca根证书文件路径
# --embed-certs
# 如果设置为true,表示将根证书文件的内容写入到配置文件中,
# 如果设置为false,则只是引用配置文件,将kubeconfig
# --server
# 指定APIServer的地址。
# --kubeconfig
# 指定kubeconfig的配置文件名称
# kubectl config set-cluster dev \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=https://apiserver.cluster.local:6443 \
--kubeconfig=develop.kubeconfig
# 检查kubeconfig的配置文件
# ll develop.kubeconfig
-rw------- 1 root root 5336 Jun4 11:27 develop.kubeconfig
</code></pre>
<p>设置客户端认证,客户端将来需要携带证书让服务端验证</p>
<pre><code># kubectl config set-credentials develop \
--client-key=/root/cfssl/develop/develop-key.pem \
--client-certificate=/root/cfssl/develop/develop.pem \
--embed-certs=true \
--kubeconfig=develop.kubeconfig
</code></pre>
<p>设置默认上下文,可以用于绑定多个客户端和服务端的对应关系。</p>
<pre><code># kubectl config set-context develop \
--cluster=dev \
--user=develop \
--kubeconfig=develop.kubeconfig
</code></pre>
<h3 id="测试使用生成的kubeconfig文件访问k8s集群资源">测试使用生成的kubeconfig文件访问K8s集群资源</h3>
<pre><code># 设置当前使用的上下文
# kubectl config use-context develop --kubeconfig=/root/cfssl/develop.kubeconfig
Switched to context "develop"
# 访问测试,这里显示无权限
# kubectl get po --kubeconfig=/root/cfssl/develop.kubeconfig
Error from server (Forbidden): pods is forbidden: User "develop" cannot list resource "pods" in API group "" in the namespace "default"
</code></pre>
<h3 id="为用户配置role">为用户配置Role</h3>
<p>上面的步骤,是认证没有问题了,但是对应的用户对集群没有权限操作</p>
<pre><code># cat role-default.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: custom-role
rules:
# 规则1:操作核心组和 apps 组的 pods、deployments,仅允许 get 和 list
- apiGroups: ["","apps"]
resources: ["pods","deployments"]
verbs: ["get", "list"]
# 规则2:操作核心组和 apps 组的 configmaps、secrets、daemonsets,仅允许 get 和 list
- apiGroups: ["","apps"]
resources: ["configmaps","secrets","daemonsets"]
verbs: ["get", "list"]
# 规则3:操作核心组的 secrets,允许 delete 和 create
- apiGroups: [""]
resources: ["secrets"]
verbs: ["delete","create"]
# kubectl apply -f role-default.yaml
# kubectl get role custom-role
NAME CREATED AT
custom-role 2025-06-07T06:34:52Z
# 查看详情
# kubectl describe role custom-role
Name: custom-role
Labels: <none>
Annotations:<none>
PolicyRule:
Resources Non-Resource URLsResource NamesVerbs
--------- ------------------------------------
secrets [] []
configmaps [] []
daemonsets [] []
deployments [] []
pods [] []
configmaps.apps [] []
daemonsets.apps [] []
deployments.apps[] []
pods.apps [] []
secrets.apps [] []
</code></pre>
<h3 id="使用rolebinding关联role">使用RoleBinding关联Role</h3>
<pre><code>apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
# RoleBinding 名称
name: develope-rolebinding
# 作用的命名空间
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
# 引用的角色类型(必须是 Role 或 ClusterRole)
kind: Role
# 引用的角色名称
name: custom-role
# 被授权的主体列表
subjects:
# 主体类型(User/ServiceAccount/Group)
- kind: User
# 主体名称,对应生成证书的CN字段
name: develop
#APIGroup 默认是 "rbac.authorization.k8s.io"。这意味着这些权限规则默认只适用于 #RBAC API 资源,例如 Role、RoleBinding、ClusterRole 和 ClusterRoleBinding。
apiGroup: "rbac.authorization.k8s.io"
# cat rolebinding-develop.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
# RoleBinding 名称
name: develope-rolebinding
# 作用的命名空间
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
# 引用的角色类型(必须是 Role 或 ClusterRole)
kind: Role
# 引用的角色名称
name: custom-role
# 被授权的主体列表
subjects:
# 主体类型(User/ServiceAccount/Group)
- kind: User
# 主体名称,对应生成证书的CN字段
name: develop
#APIGroup 默认是 "rbac.authorization.k8s.io"。这意味着这些权限规则默认只适用于 #RBAC API 资源,例如 Role、RoleBinding、ClusterRole 和 ClusterRoleBinding。
apiGroup: "rbac.authorization.k8s.io"
# 创建RoleBinding
# kubectl apply -f rolebinding-develop.yaml
# 查看RoleBinding
rolebinding.rbac.authorization.k8s.io/develope-rolebinding created
# kubectl get rolebinding
NAME ROLE AGE
develope-rolebinding Role/custom-role 11s
# 查看详情
# kubectl describe rolebinding develope-rolebinding
Name: develope-rolebinding
Labels: <none>
Annotations:<none>
Role:
Kind:Role
Name:custom-role
Subjects:
KindName Namespace
-------- ---------
Userdevelop
</code></pre>
<h3 id="再次使用user测试">再次使用User测试</h3>
<p>查看Pod有权限</p>
<pre><code># kubectl get po --kubeconfig=/root/cfssl/develop.kubeconfig
NAME READY STATUS RESTARTS AGE
alertmanager-prometheus-kube-prometheus-alertmanager-0 2/2 Running 0 21h
nginx-pod 0/1 Pending 0 6d16h
prometheus-grafana-55cbbf54b7-lmhnd 3/3 Running 0 20h
prometheus-kube-prometheus-operator-847fd659bc-scp4w 1/1 Running 0 21h
prometheus-kube-state-metrics-5fb66759db-nb242 1/1 Running 0 21h
prometheus-prometheus-kube-prometheus-prometheus-0 2/2 Running 0 16h
prometheus-prometheus-node-exporter-89xt7 1/1 Running 0 21h
prometheus-prometheus-node-exporter-cn8s4 1/1 Running 0 21h
prometheus-prometheus-node-exporter-llqgx 1/1 Running 0 21h
</code></pre>
<p>删除Pod无权限</p>
<pre><code># kubectl delete po nginx-pod --kubeconfig=/root/cfssl/develop.kubeconfig
Error from server (Forbidden): pods "nginx-pod" is forbidden: User "develop" cannot delete resource "pods" in API group "" in the namespace "default"
</code></pre>
<p>删除Pod需要添加对应的权限</p>
<pre><code># 修改Role
# cat role-default.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: custom-role
rules:
- apiGroups: ["","apps"]
resources: ["pods","deployments"]
# 添加delete
verbs: ["get", "list","delete"]
- apiGroups: ["","apps"]
resources: ["configmaps","secrets","daemonsets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["delete","create"]
# 重新应用
# kubectl apply -f role-default.yaml
role.rbac.authorization.k8s.io/custom-role configured
</code></pre>
<p>重新测试删除Pod</p>
<pre><code># kubectl delete po nginx-pod --kubeconfig=/root/cfssl/develop.kubeconfig
pod "nginx-pod" deleted # 这里显示正常
</code></pre>
</div>
<div id="MySignature" role="contentinfo">
<p>本文来自博客园,作者:huangSir-devops,转载请注明原文链接:https://www.cnblogs.com/huangSir-devops/p/18916651,微信Vac6666666,欢迎交流</p><br><br>
来源:https://www.cnblogs.com/huangSir-devops/p/18916651
頁:
[1]