The Kubernetes (K8s) security control framework is made up of the following three stages. Each stage supports plugins, which are enabled through the API Server configuration.
1. Authentication
2. Authorization
3. Admission Control
A client (kubectl, curl, etc.) that wants to reach the K8s cluster's API Server generally needs a certificate, a token, or a username and password. A Pod that accesses the API Server needs a ServiceAccount.
Authentication
Three kinds of client identity authentication:
HTTPS certificate authentication: digital certificates signed by the cluster CA
HTTP Token authentication: the user is identified by a token
HTTP Basic authentication: username + password
Authorization
RBAC (Role-Based Access Control) performs the authorization work. RBAC decides whether to allow or deny a request based on the attributes of the API request.
Common authorization dimensions:
- user: the user name
- group: the user's groups
- resource, for example pod or deployment
- verb on the resource: get, list, create, update, patch, watch, delete
- namespace
- API group
Role-based access control: RBAC
RBAC (Role-Based Access Control) lets access policies be configured dynamically through the Kubernetes API.
Roles
- Role: grants access within one specific namespace
- ClusterRole: grants access across all namespaces
Role bindings
- RoleBinding: binds a Role to a subject
- ClusterRoleBinding: binds a ClusterRole to a subject
Subjects
- User: a user
- Group: a user group
- ServiceAccount: a service account
Related post: Kubernetes RBAC: granting a specified user access to different namespaces (k8s dashboard user authorization), CSDN blog
Method 1: client access
Certificates
1) CA root certificate
[root@k8s-node02 ~]# grep certificate-auth ~/.kube/config | cut -d " " -f 6 |base64 -d>ca.pem
2) Client certificate
[root@k8s-node02 ~]# grep client-cert ~/.kube/config | cut -d " " -f 6 | base64 -d>client-cert.cert
3) Client key
[root@k8s-node02 ~]# grep client-key-data ~/.kube/config | cut -d " " -f 6 |base64 -d>client-key.key
4) Then access the cluster:
[root@k8s-node02 ~]# curl -k --cert ./client-cert.cert --key ./client-key.key https://rancher.jettech.cn
5) Access the metrics endpoint of a node's kubelet:
[root@k8s-node02 ~]# netstat -atunpl | grep kubelet
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      4014/kubelet
tcp        0      0 127.0.0.1:42873         0.0.0.0:*               LISTEN      4014/kubelet
tcp        0      0 127.0.0.1:36198         127.0.0.1:6443          ESTABLISHED 4014/kubelet
tcp        0      0 127.0.0.1:36179         127.0.0.1:6443          ESTABLISHED 4014/kubelet
tcp        0      0 127.0.0.1:36206         127.0.0.1:6443          ESTABLISHED 4014/kubelet
tcp        0      0 127.0.0.1:36202         127.0.0.1:6443          ESTABLISHED 4014/kubelet
tcp        0      0 127.0.0.1:36204         127.0.0.1:6443          ESTABLISHED 4014/kubelet
tcp6       0      0 :::10250                :::*                    LISTEN      4014/kubelet
tcp6       0      0 172.16.10.59:10250      10.42.14.65:56272       ESTABLISHED 4014/kubelet
[root@k8s-node02 ~]# curl -k --cert ./client-cert.cert --key ./client-key.key https://localhost:10250/metrics
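As an added example (not from the original post), the same credential extraction done in Python: it selects the three fields by key name instead of by column, writes the files owner-only, and builds a curl command that verifies the server with --cacert rather than disabling verification with -k. The kubeconfig text is constructed; the server URL is the one from the curl command above.

```python
import base64, os, tempfile
b64 = lambda raw: base64.b64encode(raw).decode()
# Constructed kubeconfig (not the page's real file) with dummy PEM contents in the
# three base64 fields that the grep/cut commands above pull out.
SAMPLE_KUBECONFIG = f"""clusters:
- cluster:
    certificate-authority-data: {b64(b'CONSTRUCTED-CA')}
    server: https://rancher.jettech.cn
  name: sample
users:
- name: sample-user
  user:
    client-certificate-data: {b64(b'CONSTRUCTED-CERT')}
    client-key-data: {b64(b'CONSTRUCTED-KEY')}
"""
# kubeconfig key -> output file name, as used by the curl commands above
FIELDS = {"certificate-authority-data": "ca.pem",
          "client-certificate-data": "client-cert.cert", "client-key-data": "client-key.key"}

def extract_credentials(kubeconfig_text):
    """Pick fields by key name rather than column position, unlike `cut -f 6`."""
    found = {}
    for line in kubeconfig_text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key in FIELDS:
            found[FIELDS[key]] = base64.b64decode(value.strip())
    missing = sorted(set(FIELDS.values()) - set(found))
    if missing:  # e.g. a kubeconfig that references files instead of inline data
        raise ValueError(f"no inline data for: {missing}")
    return found

def write_credentials(creds, directory):
    """Create each file owner-only (0600) from the start: the key is a cluster login."""
    paths = {}
    for name, data in creds.items():
        paths[name] = path = os.path.join(directory, name)
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)  # also tighten a pre-existing file
    return paths

def curl_argv(paths, url):
    """Verify the server against the extracted CA instead of passing -k."""
    return ["curl", "--cacert", paths["ca.pem"], "--cert", paths["client-cert.cert"],
            "--key", paths["client-key.key"], url]

def demo():
    """Run the flow into a throwaway directory; return curl argv and the key's mode."""
    paths = write_credentials(extract_credentials(SAMPLE_KUBECONFIG), tempfile.mkdtemp())
    return curl_argv(paths, "https://rancher.jettech.cn"), os.stat(paths["client-key.key"]).st_mode & 0o777
```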
Method 2: Pod access
Creating K8s users. Users come in two kinds: normal users and ServiceAccount users.
UserAccount: external users
ServiceAccount: users for resources inside the cluster that access the API directly
1. Creating a ServiceAccount user:
1.1) Create a namespace
[root@k8s-node02 ~]# kubectl create namespace wubo
1.2) Create the ServiceAccount; a Secret resource is created automatically
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wubo-service-account
  namespace: wubo
View the ServiceAccount:
[root@k8s-node02 ~]# kubectl get sa -n wubo wubo-service-account -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2024-01-22T04:35:54Z"
  name: wubo-service-account
  namespace: wubo
  resourceVersion: "14544"
  uid: 3db644bc-2f2a-4183-a0f2-c8178d288bde
secrets:
- name: wubo-service-account-token-2vxk4
View the Secret:
[root@k8s-node02 ~]# kubectl get secrets -n wubo wubo-service-account-token-2vxk4 -o yaml
apiVersion: v1
data:
  ca.crt: <base64 CA certificate omitted>
  namespace: d3Vibw==
  token: <base64 service-account token omitted>
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: wubo-service-account
    kubernetes.io/service-account.uid: 3db644bc-2f2a-4183-a0f2-c8178d288bde
  creationTimestamp: "2024-01-22T04:35:54Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:namespace: {}
        f:token: {}
      f:metadata:
        f:annotations:
          .: {}
          f:kubernetes.io/service-account.name: {}
          f:kubernetes.io/service-account.uid: {}
      f:type: {}
    manager: kube-controller-manager
    operation: Update
    time: "2024-01-22T04:35:54Z"
  name: wubo-service-account-token-2vxk4
  namespace: wubo
  resourceVersion: "14543"
  uid: 70ae3e2a-1b91-498d-9bc8-56c8522d42b1
type: kubernetes.io/service-account-token
Now the token and ca.crt can be retrieved. token:
[root@k8s-node02 ~]# kubectl get secret -n wubo wubo-service-account-token-2vxk4 -o jsonpath={.data.token} | base64 -d
namespace:
[root@k8s-node02 ~]# kubectl get secret -n wubo wubo-service-account-token-2vxk4 -o jsonpath={.data.namespace} |base64 -d
ca.crt:
[root@k8s-node02 ~]# kubectl get secret -n wubo wubo-service-account-token-2vxk4 -o jsonpath={.data.ca\.crt} |base64 -d
1.3) Create the cluster-wide permissions. A ClusterRole is global and not namespace-scoped.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: wubo-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  #- ["pods","pods/log","pods/exec", "pods/attach", "pods/status","services","nodes/metrics","nodes/stats","nodes/proxy",]
  verbs:
  #- ["get", "watch", "list", "create", "update", "patch", "delete","exec"]
  - '*'
1.4) Create the binding between the user and the cluster role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wubo-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: wubo-cluster-role
subjects:
- kind: ServiceAccount
  name: wubo-service-account
  namespace: wubo
The complete file:
[root@k8s-node02 ~]# cat auth.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: wubo-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  #- ["pods","pods/log","pods/exec", "pods/attach", "pods/status","services","nodes/metrics","nodes/stats","nodes/proxy",]
  verbs:
  #- ["get", "watch", "list", "create", "update", "patch", "delete","exec"]
  - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wubo-service-account
  namespace: wubo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wubo-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: wubo-cluster-role
subjects:
- kind: ServiceAccount
  name: wubo-service-account
  namespace: wubo
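To make the RBAC semantics concrete, here is an added Python model (not part of the original post, and not Kubernetes' own code) of how the authorizer matches a request against rules and bindings. It is loaded with the wide-open rule from the ClusterRole above, the narrower alternative left commented out in that YAML, and a hypothetical RoleBinding in namespace wubo; it shows that the '*' rule lets the service account read and delete Secrets in every namespace, that neither rule set reaches resources outside the core API group, and that a RoleBinding stops at its namespace boundary.

```python
WILDCARD = "*"

# Constructed from the ClusterRole above: its active rule ('*' on every core-group
# resource and verb) and the narrower alternative left commented out in the YAML.
WIDE_OPEN_RULES = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]
NARROW_RULES = [{"apiGroups": [""],
                 "resources": ["pods", "pods/log", "pods/exec", "pods/attach", "pods/status",
                               "services", "nodes/metrics", "nodes/stats", "nodes/proxy"],
                 "verbs": ["get", "watch", "list", "create", "update", "patch", "delete"]}]

# The page's ClusterRoleBinding, plus a hypothetical RoleBinding that grants the
# narrow rules only inside namespace "wubo". Subjects are (kind, namespace, name).
SA = ("ServiceAccount", "wubo", "wubo-service-account")
BINDINGS = [
    {"kind": "ClusterRoleBinding", "subjects": [SA], "rules": WIDE_OPEN_RULES},
    {"kind": "RoleBinding", "namespace": "wubo", "subjects": [SA], "rules": NARROW_RULES},
]

def rule_matches(rule, verb, group, resource, subresource="", name=""):
    """Match one PolicyRule the way the API server's RBAC authorizer does."""
    groups = rule.get("apiGroups", [])
    if WILDCARD not in groups and group not in groups:
        return False
    resources = rule.get("resources", [])
    combined = f"{resource}/{subresource}" if subresource else resource
    # "pods" never covers "pods/log"; only "*", "pods/log" or "*/log" do.
    if (WILDCARD not in resources and combined not in resources
            and not (subresource and f"*/{subresource}" in resources)):
        return False
    verbs = rule.get("verbs", [])
    if WILDCARD not in verbs and verb not in verbs:
        return False
    names = rule.get("resourceNames", [])  # empty list means "any name"
    return not names or name in names

def effective_rules(bindings, subject, namespace):
    """ClusterRoleBindings reach every namespace; RoleBindings only their own."""
    return [rule for b in bindings
            if subject in b["subjects"]
            and (b["kind"] == "ClusterRoleBinding" or b.get("namespace") == namespace)
            for rule in b["rules"]]

def allowed(bindings, subject, namespace, verb, group, resource, sub="", name=""):
    """RBAC is allow-only: one matching rule grants, and nothing ever denies."""
    return any(rule_matches(r, verb, group, resource, sub, name)
               for r in effective_rules(bindings, subject, namespace))
```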