最近在看 K8s 的安全这一块,涉及的有认证,授权及证书一块,Tony Bai 的文章和官方文档可以作为一个起步,要深入的话就是相关源码了。
认证/授权
RBAC
通过定义角色(role)和使用角色绑定(role binding)赋予用户或者服务用户以角色,实现管理资源的访问权限,
角色有两类:Role 和 ClusterRole,相应的角色绑定也有两类:RoleBinding 和 ClusterRoleBinding,区别在于作用在一个或者多个 namespace。
可以使用 kubectl 创建。
详情参阅官方文档:Using RBAC Authorization
Role-Based Access Control (“RBAC”) uses the “rbac.authorization.k8s.io” API group to drive authorization decisions, allowing admins to dynamically configure policies through the Kubernetes API.
As of 1.8, RBAC mode is stable and backed by the rbac.authorization.k8s.io/v1 API.
To enable RBAC, start the apiserver with --authorization-mode=RBAC.
User Account & Service Account
User accounts are for humans. Service accounts are for processes, which run in pods.
网友评论