
LFS258-LAB-Security

作者: xiao_b4b1 | 来源:发表于2018-12-11 11:54 被阅读0次

认证授权

1.创建namespace

student@ubuntu:~/helm/linux-amd64$kubectl create namespace development
namespace/development created

2.查看kubectl配置

student@ubuntu:~/helm/linux-amd64$kubectl config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   

3.创建新用户student（生成的 student.key 是该用户的身份凭据，应收紧为仅本人可读；下面的目录列表显示它对同组和其他用户均可读）

student@ubuntu:~/security$openssl genrsa -out student.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..............+++
e is 65537 (0x10001)
student@ubuntu:~/security$openssl req -new -key student.key  -out student.csr -subj "/CN=student/O=school"
student@ubuntu:~/security$ll
total 16
drwxrwxr-x  2 student student 4096 Dec 11 11:35 ./
drwxr-xr-x 18 student student 4096 Dec 11 11:25 ../
-rw-rw-r--  1 student student  911 Dec 11 11:35 student.csr
-rw-rw-r--  1 student student 1679 Dec 11 11:34 student.key

student@ubuntu:~/security$sudo openssl x509 -req -in student.csr \
> -CA /etc/kubernetes/pki/ca.crt \
> -CAkey /etc/kubernetes/pki/ca.key \
> -CAcreateserial \
> -out student.crt -days 45
[sudo] password for student: 
Signature ok
subject=/CN=student/O=school
Getting CA Private Key
student@ubuntu:~/security$ll
total 20
drwxrwxr-x  2 student student 4096 Dec 11 11:37 ./
drwxr-xr-x 18 student student 4096 Dec 11 11:25 ../
-rw-r--r--  1 root    root     997 Dec 11 11:37 student.crt
-rw-rw-r--  1 student student  911 Dec 11 11:35 student.csr
-rw-rw-r--  1 student student 1679 Dec 11 11:34 student.key

student@ubuntu:~/security$kubectl config set-credentials student --client-certificate=./student.crt --client-key=./student.key 
User "student" set.

student@ubuntu:~/security$kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.30.81.194:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: student
  user:
    client-certificate: /home/student/security/student.crt
    client-key: /home/student/security/student.key

student@ubuntu:~/security$kubectl config set-context student \
> --cluster=kubernetes \
> --namespace=development \
> --user=student
Context "student" created.

student@ubuntu:~/security$kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.30.81.194:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    --namespace=development
    --user=student
  name: student
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: student
  user:
    client-certificate: /home/student/security/student.crt
    client-key: /home/student/security/student.key

student@ubuntu:~/security$kubectl config get-contexts 
CURRENT   NAME                          CLUSTER                                           AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes                                        kubernetes-admin   
          student                       kubernetes--namespace=development--user=student                      

4.测试student用户

student@ubuntu:~/security$kubectl --context=student get pods
Error from server (Forbidden): pods is forbidden: User "student" cannot list resource "pods" in API group "" in the namespace "development"

5.给student赋予rbac权限

student@ubuntu:~/security$cat role-student.yaml 
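# Role for the "student" user: namespaced access to workload objects only.
# A Role (as opposed to a ClusterRole) applies solely to the namespace
# named in metadata, so nothing here reaches other namespaces.
kind: Role
# rbac.authorization.k8s.io/v1 has been served since Kubernetes 1.8 (so it
# works on the cluster in this lab as well); the v1beta1 version used in the
# original transcript was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: student
rules:
# "" is the core API group (pods); "extensions" and "apps" hold deployments
# and replicasets. Every group is paired with every resource, which is why
# "kubectl describe role" also lists entries such as pods.apps.
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  # Neither "batch" nor "jobs" is listed, so "kubectl get jobs" is still denied.
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]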
student@ubuntu:~/security$kubectl create -f role-student.yaml 
role.rbac.authorization.k8s.io/student created


student@ubuntu:~/security$cat rolebind.yaml 
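# Binds the "student" Role to the user authenticated by student.crt.
kind: RoleBinding
# v1 is the GA RBAC API (served since Kubernetes 1.8); v1beta1 was removed
# in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: student-role-binding
  namespace: development
subjects:
# The user name is the CN of the client certificate ("/CN=student"); the
# certificate's O field ("school") is presented to the API server as a group.
- kind: User
  name: student
  # The API server defaults an empty apiGroup to this value for User and
  # Group subjects; writing it explicitly makes the intent visible.
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # Must name a Role in this namespace (or a ClusterRole); the RBAC group is
  # the only valid apiGroup for a roleRef.
  kind: Role
  name: student
  apiGroup: rbac.authorization.k8s.io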
student@ubuntu:~/security$kubectl create -f rolebind.yaml 
rolebinding.rbac.authorization.k8s.io/student-role-binding created

6.再次测试student

student@ubuntu:~/security$kubectl --context=student get pods
No resources found.

7.为 Role 添加更多资源

student@ubuntu:~/security$kubectl --context=student get jobs
Error from server (Forbidden): jobs.batch is forbidden: User "student" cannot list resource "jobs" in API group "batch" in the namespace "development"

student@ubuntu:~/security$kubectl -n development describe role student 
Name:         student
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [list get watch create update patch delete]
  pods                    []                 []              [list get watch create update patch delete]
  replicasets             []                 []              [list get watch create update patch delete]
  deployments.apps        []                 []              [list get watch create update patch delete]
  pods.apps               []                 []              [list get watch create update patch delete]
  replicasets.apps        []                 []              [list get watch create update patch delete]
  deployments.extensions  []                 []              [list get watch create update patch delete]
  pods.extensions         []                 []              [list get watch create update patch delete]
  replicasets.extensions  []                 []              [list get watch create update patch delete]



student@ubuntu:~/security$cat role-student.yaml 
# Second revision of the Role: wildcards replace the explicit resource list.
kind: Role
# v1beta1 RBAC was removed in Kubernetes 1.22; current clusters require
# rbac.authorization.k8s.io/v1 for this manifest.
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: development
  name: student
rules:
# "*" in both fields grants the listed verbs on every resource of every API
# group inside the development namespace (shown as "*.*" by
# "kubectl describe role"), including secrets — far more than the jobs the
# previous test asked for. A Role is still namespace-scoped, but the
# least-privilege change is to add "batch" to apiGroups and "jobs" to
# resources instead of using wildcards.
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]

student@ubuntu:~/security$kubectl -n development describe role student 
Name:         student
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [list get watch create update patch delete]

student@ubuntu:~/security$kubectl --context=student get pods
No resources found.
