Kubernetes 安全框架
K8S安全控制框架主要由下面3个阶段进行控制,每一个阶段都支持插件方式,通过API Server配置来启用插件。
001 Authentication(鉴权)
002 Authorization(授权)
003 Admission Control(准入控制)
客户端要想访问K8s集群API Server,一般需要证书、Token或者用户名+密码;如果Pod访问,需要ServiceAccount
1637718831958.png
鉴权(Authentication)
三种客户端身份认证:
001 HTTPS 证书认证:基于CA证书签名的数字证书认证
002 HTTP Token认证:通过一个Token来识别用户
003 HTTP Base认证:用户名+密码的方式认证
授权(Authentication)
RBAC(Role-Based Access Control,基于角色的访问控制):负责完成授权(Authorization)工作。
RBAC根据API请求属性,决定允许还是拒绝。
比较常见的授权维度:
001 user:用户名
002 group:用户分组
003 资源,例如pod、deployment
004 资源操作方法:get,list,create,update,patch,watch,delete
005 命名空间
006 API组
准入控制(Admission Control)
001 Adminssion Control实际上是一个准入控制器插件列表
002 发送到API Server的请求都需要经过这个列表中的每个准入控制器插件的检查
003 检查不通过,则拒绝请求
基于角色的权限访问控制:RBAC
RBAC(Role-Based Access Control,基于角色的访问控制),允许通过Kubernetes API动态配置策略。
角色
001 Role:授权特定命名空间的访问权限
002 ClusterRole:授权所有命名空间的访问权限
角色绑定
001 RoleBinding:将角色绑定到主体(即subject)
002 ClusterRoleBinding:将集群角色绑定到主体
主体(subject)
001 User:用户
002 Group:用户组
003 ServiceAccount:服务账号
1637719365848.png
案例:为指定用户授权访问不同命名空间权限
用K8S CA签发客户端证书
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
cat > aliang-csr.json <<EOF
{
"CN": "aliang",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes aliang-csr.json | cfssljson -bare aliang
---------------------------------------------------------------------------
[root@k8smaster rbac]# ./cert.sh
生成kubeconfig授权文件
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=https://192.168.153.21:6443 \
--kubeconfig=aliang.kubeconfig
# 设置客户端认证
kubectl config set-credentials aliang \
--client-key=aliang-key.pem \
--client-certificate=aliang.pem \
--embed-certs=true \
--kubeconfig=aliang.kubeconfig
# 设置默认上下文
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=aliang \
--kubeconfig=aliang.kubeconfig
# 设置当前使用配置
kubectl config use-context kubernetes --kubeconfig=aliang.kubeconfig
-------------------------------------------------------------------------------
创建RBAC权限策略
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: ["","apps"]
resources: ["pods","deployments","services"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: aliang
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
---------------------------------------------------------------------------
apiGroups: ["","app"]
""为核心组,可以操作pod、service...
app组可以操作deployment...
#绑定
subjects:
- kind: User
name: aliang
roleRef:
kind: Role
name: pod-reader
aliang-csr.json:
-- 用户 : "CN": "aliang",
-- 组: "O": "k8s",
[root@k8smaster rbac]# kubectl apply -f rbac.yaml
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
验证
[root@k8smaster rbac]# kubectl get pods,deployment,svc --kubeconfig=aliang.kubeconfig
#将aliang.kubeconfig拷贝到node上
[root@k8smaster rbac]# scp -r aliang.kubeconfig root@192.168.153.22:/root/
#node上执行
[root@k8snode1 ~]# kubectl get pods --kubeconfig=aliang.kubeconfig
#将文件移动到指定目录,查询时可以不指定配置文件
[root@k8snode1 ~]# mv aliang.kubeconfig .kube/config
[root@k8snode1 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nfs-client-provisioner-5f98b5cdfb-rm7dd 1/1 Running 1 3h54m
statefulpod-0 1/1 Running 1 3h49m
statefulpod-1 1/1 Running 1 3h49m
statefulpod-2 1/1 Running 1 3h48m
网友评论