
(2022 Edition) One Course Covers k8s from Installation to Practice | RBAC

Video source: the Bilibili course《(2022版)最新、最全、最详细的Kubernetes(K8s)教程,从K8s安装到实战一套搞定》

I am organizing the teacher's course content and my lab notes as I learn and sharing them here; if this infringes any rights it will be removed. Thanks for your support!

Summary post: (2022 Edition) One Course Covers k8s from Installation to Practice | Index (COCOgsta's blog, CSDN)


Role Based Access Control (RBAC) is a method of managing access to resources based on the roles of individuals within an organization. Kubernetes turns it on through the API server's --authorization-mode flag; in the kube-apiserver unit file of this cluster, shown below, it is set to --authorization-mode=Node,RBAC.

[root@k8s-master-lb ~]# more /usr/lib/systemd/system/kube-apiserver.service 
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart=/usr/local/bin/kube-apiserver \
      --v=2 \
      --logtostderr=true \
      --allow-privileged=true \
      --bind-address=0.0.0.0 \
      --secure-port=6443 \
      --insecure-port=0 \
      --advertise-address=192.168.1.107 \
      --service-cluster-ip-range=10.96.0.0/12 \
      --service-node-port-range=30000-32767 \
      --etcd-servers=https://192.168.1.107:2379,https://192.168.1.108:2379,https://192.168.1.109:2379 \
      --etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
      --etcd-certfile=/etc/etcd/ssl/etcd.pem \
      --etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
      --client-ca-file=/etc/kubernetes/pki/ca.pem \
      --tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
      --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
      --service-account-key-file=/etc/kubernetes/pki/sa.pub \
      --service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
      --service-account-issuer=https://kubernetes.default.svc.cluster.local \
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
      --authorization-mode=Node,RBAC \
      --enable-bootstrap-token-auth=true \
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
      --requestheader-allowed-names=aggregator \
      --requestheader-extra-headers-prefix=X-Remote-Group \
      --requestheader-username-headers=X-Remote-User
      # --token-auth-file=/etc/kubernetes/token.csv

Restart=on-failure
RestartSec=10s
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
[root@k8s-master-lb ~]# 

Jenkins also uses role-based user permission management.

RBAC has four top-level resources: Role, ClusterRole, RoleBinding and ClusterRoleBinding.

Role: a role, containing a set of permission rules. There are no deny rules; rules can only add permissions. A Role is namespace-isolated and only takes effect within its own namespace.

[root@k8s-master-lb ~]# kubectl get role -n ingress-nginx ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-08-20T04:59:54Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
      f:rules: {}
    manager: Go-http-client
    operation: Update
    time: "2022-08-20T04:59:54Z"
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "461437"
  uid: b46670cc-21ac-4e7d-88bb-0cb14d815baa
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader-nginx
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
[root@k8s-master-lb ~]# 

ClusterRole: the difference from a Role is scope. A Role only applies within a namespace, whereas a ClusterRole applies to the whole cluster. The built-in view ClusterRole below is an aggregated role: its aggregationRule selects ClusterRoles labelled rbac.authorization.k8s.io/aggregate-to-view=true, and the controller manager assembles their rules into it (note the kube-controller-manager entry under managedFields for f:rules).

[root@k8s-master-lb ~]# kubectl get clusterrole view -oyaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-06-21T13:12:31Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:aggregationRule:
        .: {}
        f:clusterRoleSelectors: {}
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
        f:labels:
          .: {}
          f:kubernetes.io/bootstrapping: {}
          f:rbac.authorization.k8s.io/aggregate-to-edit: {}
    manager: kube-apiserver
    operation: Update
    time: "2022-06-21T13:12:31Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kube-controller-manager
    operation: Update
    time: "2022-06-21T13:16:31Z"
  name: view
  resourceVersion: "34722"
  uid: 709188e2-dc10-4fce-8c36-66caba981ed5
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
[root@k8s-master-lb ~]# 

RoleBinding: applies within a namespace; binds a ClusterRole or a Role to a User, Group or ServiceAccount.

[root@k8s-master-lb ~]# kubectl get rolebinding ingress-nginx -n ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-08-20T04:59:54Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Go-http-client
    operation: Update
    time: "2022-08-20T04:59:54Z"
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "461438"
  uid: 1633ad2d-b46b-4212-ab8d-1c19a7ec35ca
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
[root@k8s-master-lb ~]# 

ClusterRoleBinding: applies to the whole cluster. The example below binds the built-in cluster-admin ClusterRole to the admin-user ServiceAccount in kube-system, so anyone holding that ServiceAccount's token has full access to every resource in the cluster.

[root@k8s-master-lb ~]# kubectl get clusterrolebinding admin-user -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-06-22T06:25:56Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kubectl-create
    operation: Update
    time: "2022-06-22T06:25:56Z"
  name: admin-user
  resourceVersion: "35909"
  uid: d4e47393-e698-4405-9bb1-823a6814f7dd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
[root@k8s-master-lb ~]# 

Subject kinds: ServiceAccount, User, Group.
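
The following is an added example, not code from the course or from Kubernetes itself: an offline model of how the API server decides an RBAC request, covering the four resource kinds described above. It demonstrates the two properties the notes state, that rules are purely additive (there is no deny rule, so an unmatched request is simply refused) and that a RoleBinding only grants inside its own namespace even when it references a ClusterRole, while a ClusterRoleBinding grants everywhere. The sample role, bindings and ServiceAccount names are constructed from the dumps on this page; the `can_i` helper is a hypothetical stand-in for `kubectl auth can-i ... --as=<user>`.

```python
"""Offline model of Kubernetes RBAC evaluation (added example, not the course's code)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str                        # a ServiceAccount appears as system:serviceaccount:<ns>:<name>
    groups: FrozenSet[str]
    verb: str                        # get, list, watch, create, update, patch, delete ...
    api_group: str                   # "" is the core API group
    resource: str
    namespace: Optional[str] = None  # None = cluster-scoped request (e.g. nodes)
    name: str = ""                   # empty for list, watch and create


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        def allows(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        if not (allows(self.api_groups, req.api_group)
                and allows(self.resources, req.resource)
                and allows(self.verbs, req.verb)):
            return False
        # resourceNames narrows the rule to named objects; a request without a
        # name (list, watch, create) therefore never matches such a rule.
        return not self.resource_names or req.name in self.resource_names


@dataclass
class Role:
    """A Role when namespace is set, a ClusterRole when it is None."""
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None


@dataclass
class Binding:
    """A RoleBinding when namespace is set, a ClusterRoleBinding when it is None."""
    role_ref: Role
    subjects: List[Tuple[str, str, Optional[str]]]  # (kind, name, namespace for ServiceAccount)
    namespace: Optional[str] = None

    def covers(self, req: Request) -> bool:
        for kind, name, ns in self.subjects:
            if kind == "User" and name == req.user:
                return True
            if kind == "Group" and name in req.groups:
                return True
            if kind == "ServiceAccount" and req.user == f"system:serviceaccount:{ns}:{name}":
                return True
        return False


def authorize(bindings: List[Binding], req: Request) -> bool:
    """True iff some binding covering the subject references a role with a matching rule."""
    for b in bindings:
        if not b.covers(req):
            continue
        # A RoleBinding grants only within its own namespace, whatever kind of role
        # it references; a ClusterRoleBinding (namespace None) grants everywhere.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(rule.matches(req) for rule in b.role_ref.rules):
            return True
    return False  # nothing matched: RBAC has no deny rules, the absence of a grant is the denial


# Constructed from the dumps on this page: a subset of the ingress-nginx Role's rules
# and the built-in cluster-admin ClusterRole, which allows everything.
INGRESS_ROLE = Role("ingress-nginx", namespace="ingress-nginx", rules=[
    Rule([""], ["configmaps", "pods", "secrets", "endpoints"], ["get", "list", "watch"]),
    Rule([""], ["configmaps"], ["get", "update"], resource_names=["ingress-controller-leader-nginx"]),
    Rule(["extensions", "networking.k8s.io"], ["ingresses/status"], ["update"]),
])
CLUSTER_ADMIN = Role("cluster-admin", rules=[Rule(["*"], ["*"], ["*"])])

BINDINGS = [
    Binding(INGRESS_ROLE, [("ServiceAccount", "ingress-nginx", "ingress-nginx")], namespace="ingress-nginx"),
    Binding(CLUSTER_ADMIN, [("ServiceAccount", "admin-user", "kube-system")]),
]
INGRESS_SA = "system:serviceaccount:ingress-nginx:ingress-nginx"
ADMIN_SA = "system:serviceaccount:kube-system:admin-user"


def can_i(user: str, verb: str, resource: str, namespace: Optional[str] = None,
          name: str = "", api_group: str = "") -> bool:
    """Hypothetical offline counterpart of `kubectl auth can-i <verb> <resource> --as=<user>`."""
    groups = frozenset({"system:authenticated"})
    return authorize(BINDINGS, Request(user, groups, verb, api_group, resource, namespace, name))


if __name__ == "__main__":
    print(can_i(INGRESS_SA, "get", "secrets", "ingress-nginx"))   # True
    print(can_i(INGRESS_SA, "get", "secrets", "default"))         # False: RoleBinding is namespace-scoped
    print(can_i(INGRESS_SA, "delete", "pods", "ingress-nginx"))   # False: no rule grants it
    print(can_i(ADMIN_SA, "delete", "nodes"))                     # True: cluster-admin via ClusterRoleBinding
```

On a real cluster the same questions are answered with `kubectl auth can-i get secrets -n ingress-nginx --as=system:serviceaccount:ingress-nginx:ingress-nginx`; running that for the admin-user ServiceAccount against any resource returns yes, which is why a cluster-admin binding to a ServiceAccount deserves regular review.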

--basic-auth-file: the format is 'password','username','group1,group2'. Note that this flag was deprecated in Kubernetes 1.16 and removed in 1.19; on current versions, users that are not ServiceAccounts are authenticated with client certificates, OIDC, or a static token file (the commented-out --token-auth-file in the unit file above).

Reference documentation: kubernetes.io/docs/refere…


Giving different users different permissions based on username and password

Giving different ServiceAccounts different permissions
