一. Kubernetes的安全框架
• 访问K8S集群的资源(API访问)需要过三关:认证、鉴权、准入控制
• 普通用户若要安全访问集群API Server,往往需要证书、Token
或者用户名+密码;Pod访问,需要ServiceAccount
• K8S安全控制框架主要由下面3个阶段进行控制,每一个阶段都
支持插件方式,通过API Server配置来启用插件。
- Authentication
- Authorization
-
Admission Control
image.png
二. 传输安全过三关
传输安全过三关:认证,授权,准入控制
传输安全: 告别8080,迎接6443
1. 认证
三种客户端身份认证:
• HTTPS 证书认证: 基于CA证书签名的数字证书认证
• HTTP Token认证: 通过一个Token来识别用户
• HTTP Base认证: 用户名+密码的方式认证
2. 授权
RBAC(Role-Based Access Control,基于角色的访问控制):负责完成授权(Authorization)工作。
3. 准入控制
Adminssion Control实际上是一个准入控制器插件列表,发送到API Server的请求都需要经过这个列表中的每个准入控制器 插件的检查,检查不通过,则拒绝请求。
1.11版本以上推荐使用的插件:
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds, ResourceQuota
三. RBAC核心概念
RBAC(Role-Based Access Control,基于角色的访问控制),允许通过Kubernetes API动态配置策略。
1. 角色(Role)
角色(Role):
(1). Role:授权特定命名空间的访问权限
(2). ClusterRole:授权所有命名空间的访问权限
2. 主体(subject)
主体(subject):
(1). User:用户
(2). Group:用户组
(3). ServiceAccount:服务账号
3. 角色绑定(RoleBinding)
角色绑定(RoleBinding):
(1). RoleBinding:将角色绑定到主体(即subject)
(2). ClusterRoleBinding:将集群角色绑定到主体
四. RBAC授权普通用户
RBAC授权普通用户对命名空间访问权限控制
需求:liuzhousheng用户访问进来,对ctnrs命名空间只有读取pod的权限:
1. 创建ctnrs命名空间
# kubectl create ns ctnrs
# kubectl run nginx --image=nginx --replicas=3 -n ctnrs
2. 创建角色
创建只有读取pod权限的角色pod-reader-role
# cat rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ctnrs
name: pod-reader-role
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
# kubectl create -f rbac-role.yaml
# kubectl get role -n ctnrs
NAME AGE
pod-reader-role 53s
3. 用户主体角色绑定
创建rolebinding,主体角色绑定,这里的subjects主体对象是user, 名为liuzhousheng, 将其绑定到pod-reader-role角色。
# cat rbac-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods-rolebinding
namespace: ctnrs
subjects:
- kind: User
name: liuzhousheng # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader-role # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
# kubectl create -f rbac-rolebinding.yaml
# kubectl get role,rolebinding -n ctnrs
NAME AGE
role.rbac.authorization.k8s.io/pod-reader-role 5m5s
NAME AGE
rolebinding.rbac.authorization.k8s.io/read-pods-rolebinding 87s
4. 创建认证证书
通过kube-apiserver 读取pod 信息,得使用kube-apiserver 部署时的根证书颁发证书
# mkdir liuzhousheng && cd liuzhousheng
# cp /usr/local/src/k8s/kube-apiserver/{ca.pem,ca-key.pem,ca-config.json} ./
# cat rbac-user.sh
#!/bin/bash
cat > liuzhousheng-csr.json <<EOF
{
"CN": "liuzhousheng",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
###签发一个客户端证书,注意要指定根证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes liuzhousheng-csr.json | cfssljson -bare liuzhousheng
#-----------------------------------
##生成配置文件,使用配置文件连接集群
#配置集群,这里的ca.pem为集群ca证书
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://10.40.6.175:6443 \
--kubeconfig=liuzhousheng-kubeconfig
#客户端证书配置
kubectl config set-credentials liuzhousheng \
--client-key=liuzhousheng-key.pem \
--client-certificate=liuzhousheng.pem \
--embed-certs=true \
--kubeconfig=liuzhousheng-kubeconfig
#配置上下文
kubectl config set-context default \
--cluster=kubernetes \
--user=liuzhousheng \
--kubeconfig=liuzhousheng-kubeconfig
kubectl config use-context default --kubeconfig=liuzhousheng-kubeconfig
# bash rbac-user.sh
生成liuzhousheng-kubeconfig配置文件,使用此配置连接集群读取资源
# kubectl --kubeconfig=liuzhousheng-kubeconfig get pod -n ctnrs
NAME READY STATUS RESTARTS AGE
nginx-dbddb74b8-dfj29 1/1 Running 0 74m
nginx-dbddb74b8-jqc7r 1/1 Running 0 74m
nginx-dbddb74b8-zlkvj 1/1 Running 0 74m
没权限读取service
# kubectl --kubeconfig=liuzhousheng-kubeconfig get svc -n ctnrs
Error from server (Forbidden): services is forbidden: User "liuzhousheng" cannot list resource "services" in API group "" in the namespace "ctnrs"
五. RBAC授权ServiceAccount
RBAC授权ServiceAccount访问命名空间权限,之前有部署过kubernetes UI,访问地址:https://NodeIP:30899,使用token登录,获取之前对token 值。
# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.0.0.198 <none> 443:30899/TCP 25d
# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-tbszw kubernetes.io/service-account-token 3 25d
# kubectl describe secret dashboard-admin-token-tbszw -n kube-system
1. 创建ServiceAccount
创建 pod-reader-sa ServiceAccount。
# cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: pod-reader-sa
namespace: ctnrs
# kubectl create -f sa.yaml
# kubectl get sa -n ctnrs
NAME SECRETS AGE
pod-reader-sa 1 40s
2. 创建角色
创建只有读取ctnrs命名空间pod权限的角色 pod-reader-role。
# cat rbac-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ctnrs
name: pod-reader-role
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
# kubectl create -f rbac-role.yaml
# kubectl get role -n ctnrs
NAME AGE
pod-reader-role 53s
3. ServiceAccount主体角色绑定
将pod-reader-sa ServiceAccount主体绑定到角色pod-reader-role。
# cat sa-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: sa-read-pods-rolebinding
namespace: ctnrs
subjects:
- kind: ServiceAccount
name: pod-reader-sa #serviceaccount name
roleRef:
kind: Role
name: pod-reader-role #授权角色名
apiGroup: rbac.authorization.k8s.io
# kubectl create -f sa-rolebinding.yaml
# kubectl get sa -n ctnrs
NAME SECRETS AGE
pod-reader-sa 1 7m16s
查看pod-reader-sa ServiceAccount 的token值,使用此token登录k8s UI, 只能查看ctnrs命名空间的Pod。
kubectl describe secret pod-reader-sa -n ctnrs
