1. Overview of the cluster security mechanism
1.1 The three steps of accessing k8s: 1. Authentication 2. Authorization 3. Admission control. Every request goes through the apiserver, which coordinates everything, much like a gatekeeper. Access requires a certificate, a token, or a username and password. A pod that needs to access the API uses a ServiceAccount.
1.2 Authentication
Transport security: port 8080 is not exposed externally and is only reachable from inside; external access uses port 6443. Authentication verifies the client's identity. Three methods are common: 1. HTTPS certificate authentication, based on CA certificates. 2. HTTP token authentication, identifying the user by a token. 3. HTTP basic authentication (username and password), which is rarely used; the first two are more secure.
1.3 Authorization
Authorization is done with RBAC, i.e. access control based on roles.
1.4 Admission control
This is a list of admission controllers: a request passes if the list admits its contents, otherwise it is rejected.
2. RBAC (role-based access control)
2.1 Roles
Role: specific operations within one particular namespace. ClusterRole: access permissions across all namespaces.
[root@master ~]# kubectl get ns # list namespaces
[root@master ~]# kubectl create ns role
namespace/role created
[root@master ~]# kubectl get ns
NAME STATUS AGE
default Active 63d
kube-node-lease Active 63d
kube-public Active 63d
kube-system Active 63d
role Active 3s
[root@master ~]# kubectl delete ns role
namespace "role" deleted
2.2 Role bindings
RoleBinding: binds a Role to a subject. ClusterRoleBinding: binds a ClusterRole to a subject.
2.3 Subjects
User: a user. Group: a group of users. ServiceAccount: a service account, used by pods to access the API.
3. Implementing authorization with RBAC
3.1 Generate the certificate files
# Download and install the cfssl certificate tooling
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
# Generate the self-signed CA certificate
[root@master mary]# cat ca-config.json
{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
[root@master mary]# cat ca-csr.json
{
  "CN": "kubernetes",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System"}]
}
[root@master mary]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca - # generate the self-signed CA
2022/05/13 13:47:19 [INFO] generating a new CA key and certificate from CSR
2022/05/13 13:47:19 [INFO] generate received request
2022/05/13 13:47:19 [INFO] received CSR
2022/05/13 13:47:19 [INFO] generating key: rsa-2048
2022/05/13 13:47:19 [INFO] encoded CSR
2022/05/13 13:47:19 [INFO] signed certificate with serial number 533587145625742162082018478504710590695605538243
[root@master mary]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem mary-csr.json rabc-user.sh
3.2 Create a namespace and a pod in it
[root@master ~]# kubectl create ns roledemo
namespace/roledemo created
[root@master ~]# kubectl get ns
NAME STATUS AGE
roledemo Active 3s
[root@master ~]# kubectl run nginx --image=nginx -n roledemo
pod/nginx created
[root@master ~]# kubectl get pod -n roledemo
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 36s
3.3 Create the Role
[root@master Roledemo]# vim rbac-role.yaml
[root@master Roledemo]# cat rbac-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: roledemo
  name: pod-reader
rules:
- apiGroups: [""] # API group; "" is the core group
  resources: ["pods"] # resources
  verbs: ["get", "watch", "list"] # verbs the role permits
[root@master Roledemo]# kubectl apply -f rbac-role.yaml
role.rbac.authorization.k8s.io/pod-reader created
[root@master Roledemo]# kubectl get role -n roledemo
NAME CREATED AT
pod-reader 2022-05-13T04:13:46Z
3.4 Create the RoleBinding
[root@master Roledemo]# vim rbac-rolebinding.yaml
[root@master Roledemo]# cat rbac-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: roledemo
subjects:
- kind: User
  name: mary # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
[root@master Roledemo]# kubectl apply -f rbac-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/read-pods created
[root@master Roledemo]# kubectl get role,rolebinding -n roledemo # list the role and the role binding
NAME CREATED AT
role.rbac.authorization.k8s.io/pod-reader 2022-05-13T04:13:46Z

NAME ROLE AGE
rolebinding.rbac.authorization.k8s.io/read-pods Role/pod-reader 25s
3.5 Identify the user with a certificate
[root@master ~]# mkdir mary # acts as the user's folder
[root@master ~]# cd mary/ # the directory needs all the CA files
[root@master mary]# cat mary-csr.json
{
  "CN": "mary",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing"}]
}
[root@master mary]# vim rabc-user.sh ## the RBAC user setup script
[root@master mary]# cat rabc-user.sh
cat > mary-csr.json <<EOF
{
  "CN": "mary",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing"}]
}
EOF
# Issue mary's client certificate, signed by the CA created above
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes mary-csr.json | cfssljson -bare mary
# Build a kubeconfig that trusts the CA and authenticates as mary
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://192.168.172.128:6443 \
  --kubeconfig=mary-kubeconfig
kubectl config set-credentials mary \
  --client-key=mary-key.pem \
  --client-certificate=mary.pem \
  --embed-certs=true \
  --kubeconfig=mary-kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=mary \
  --kubeconfig=mary-kubeconfig
kubectl config use-context default --kubeconfig=mary-kubeconfig
## Run it
[root@master mary]# bash rabc-user.sh
2022/05/13 13:53:26 [INFO] generate received request
2022/05/13 13:53:26 [INFO] received CSR
2022/05/13 13:53:26 [INFO] generating key: rsa-2048
2022/05/13 13:53:26 [INFO] encoded CSR
2022/05/13 13:53:26 [INFO] signed certificate with serial number 697056282839922252602077574108282807182420364565
2022/05/13 13:53:26 [WARNING] This certificate lacks a hosts field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 (Information Requirements).
Cluster "kubernetes" set.
User "mary" set.
Context "default" created.
Switched to context "default".
[root@master mary]# ls ## the mary-kubeconfig file has been generated
ca-config.json ca-csr.json ca.pem mary-csr.json mary-kubeconfig rabc-user.sh
ca.csr ca-key.pem mary.csr mary-key.pem mary.pem
[root@master mary]# cat mary-kubeconfig ## it contains the certificate contents
3.6 Test
# Only the permission to view pods was granted, so listing svc should show nothing (this result is wrong). # The error is probably because only a folder was used to simulate the user; a real user is needed.
[root@master mary]# kubectl get pod -n roledemo
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 140m
[root@master mary]# kubectl create service clusterip test --clusterip=None -n roledemo # create an svc to test with
[root@master mary]# kubectl get svc -n roledemo # but this result is not right
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
test ClusterIP None <none> <none> 25m
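Added example (not code from the original post): a small Python model of the rule matching the apiserver's RBAC authorizer applies to the Role and RoleBinding from sections 3.3 and 3.4; the dicts mirror rbac-role.yaml and rbac-rolebinding.yaml, and the function names are my own. Evaluated as mary, "get services" in roledemo is denied; the commands in 3.6 were run without --kubeconfig mary-kubeconfig, so they used the default kubeconfig rather than mary's credentials.

```python
# Added example: minimal model of RBAC rule matching for the Role/RoleBinding
# defined in the post. Real decisions are made inside kube-apiserver; this only
# reproduces the matching logic so the expected answers can be checked offline.

# Mirrors rbac-role.yaml: Role "pod-reader" in namespace "roledemo".
ROLES = {
    ("roledemo", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}
# Mirrors rbac-rolebinding.yaml: RoleBinding "read-pods" binding User mary.
ROLEBINDINGS = [
    {
        "namespace": "roledemo",
        "subjects": [{"kind": "User", "name": "mary"}],
        "roleRef": {"kind": "Role", "name": "pod-reader"},
    },
]

def rule_matches(rule, verb, api_group, resource):
    """A rule grants a request only when verb, API group and resource all match ('*' is a wildcard)."""
    def allows(values, wanted):
        return "*" in values or wanted in values
    return (allows(rule["verbs"], verb)
            and allows(rule["apiGroups"], api_group)
            and allows(rule["resources"], resource))

def subject_matches(subject, user):
    # Subject names are case sensitive, as the YAML comment in the post notes.
    return subject["kind"] == "User" and subject["name"] == user

def can_i(user, verb, resource, namespace, api_group=""):
    """True if a RoleBinding in `namespace` binds `user` to a Role whose rules allow the request."""
    for binding in ROLEBINDINGS:
        # A RoleBinding only grants permissions inside its own namespace.
        if binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        rules = ROLES.get((namespace, ref["name"]), []) if ref["kind"] == "Role" else []
        if any(rule_matches(r, verb, api_group, resource) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access

if __name__ == "__main__":
    for req in [("get", "pods", "roledemo"), ("get", "services", "roledemo"),
                ("get", "pods", "default"), ("delete", "pods", "roledemo")]:
        print("mary", *req, "->", "yes" if can_i("mary", *req) else "no")
```

The equivalent check against a live cluster is `kubectl auth can-i get svc -n roledemo --kubeconfig mary-kubeconfig`, which should answer "no".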