RBAC: Role-Based Access Control
This article gives only a brief introduction to the RBAC resources in Kubernetes; for the exact parameters and detailed usage, see the official documentation: Using RBAC Authorization
1. Enabling RBAC on the cluster
Edit the kube-apiserver.yaml file on the master (the API server runs as a static pod) so that RBAC is listed in the authorization modes:
$ kube-apiserver --authorization-mode=Example,RBAC --<other options> --<other options>
Example:
[root@10 ~]# cd /etc/kubernetes/manifests/
[root@10 manifests]# ls
etcd.yaml kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml
[root@10 manifests]# cat kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.0
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS12
    - --runtime-config=apps/v1beta1=true
    - --authentication-token-webhook-config-file=/etc/kubernetes/pki/webhook_config
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
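A quick way to audit the setting above without opening the manifest by hand is to pull the --flag=value entries out of the static pod's command list and check the authorization modes. The script below is an added example, not part of the original article: it parses a constructed manifest excerpt (same shape as the one shown, not copied from a real cluster), confirms RBAC is present, flags AlwaysAllow (the kube-apiserver default when the flag is absent, which permits every authenticated request), and checks that the NodeRestriction admission plugin accompanies the Node authorizer as the official docs recommend.

```python
import re
from typing import Dict, List

# Constructed excerpt of a kube-apiserver static pod manifest (not from a real cluster).
MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.0
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
"""

# Matches list items of the form "- --flag=value" inside the command list.
FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)=(.*)$")


def parse_apiserver_flags(manifest: str) -> Dict[str, str]:
    """Collect the --flag=value entries of the kube-apiserver command list."""
    flags: Dict[str, str] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip()
    return flags


def csv_values(flags: Dict[str, str], name: str, default: str = "") -> List[str]:
    """Split a comma-separated flag value into its items, in the order given."""
    return [v.strip() for v in flags.get(name, default).split(",") if v.strip()]


def authorization_modes(flags: Dict[str, str]) -> List[str]:
    # kube-apiserver falls back to AlwaysAllow when --authorization-mode is not set.
    return csv_values(flags, "authorization-mode", default="AlwaysAllow")


def audit_authorization(flags: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: List[str] = []
    modes = authorization_modes(flags)
    plugins = csv_values(flags, "enable-admission-plugins")
    if "RBAC" not in modes:
        findings.append("RBAC is not enabled in --authorization-mode")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow is present: every authenticated request is permitted")
    if "Node" in modes and "NodeRestriction" not in plugins:
        findings.append("Node authorizer is on but the NodeRestriction admission plugin is not enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_apiserver_flags(MANIFEST)
    print("modes:", authorization_modes(parsed))
    for finding in audit_authorization(parsed) or ["no findings"]:
        print("-", finding)
```

Run it against the real file with `parse_apiserver_flags(open("/etc/kubernetes/manifests/kube-apiserver.yaml").read())`; the modes are evaluated in the order listed, which is why the list itself, not just membership, is returned.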
2. Overview of the RBAC resources
RBAC has four kinds of resources:
2.1 Role
A namespace-scoped role that defines which Kubernetes resources (apiGroups, resources) the role may access and in what way (verbs)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
2.2 ClusterRole
A cluster-scoped role (it has no namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
2.3 RoleBinding
A namespace-scoped binding that grants a role to one user or a group of users (subjects)
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
2.4 ClusterRoleBinding
A cluster-scoped binding, whose roleRef must be a ClusterRole. Note that the manifest below is the official documentation's example of a RoleBinding that references a ClusterRole: as its comments say, the ClusterRole's permissions are then granted only within the binding's namespace. A real ClusterRoleBinding has kind: ClusterRoleBinding, carries no namespace, and grants the ClusterRole's permissions across the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  #
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
There are three kinds of subjects in a RoleBinding/ClusterRoleBinding:
- User
Created outside the cluster and not managed by Kubernetes; usually an x509 client certificate (the username is given in the -subj "/CN=username" argument of the command that generates the CSR from the private key)
Used by services outside the cluster to access the API server
- ServiceAccount
Created inside the cluster; a namespace-scoped Kubernetes resource
Used by pods inside the cluster to access the API server
- Group
I haven't looked into this; interested readers can research it themselves...
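To make the scoping rules of sections 2.1 to 2.4 and the subject matching of this list concrete, here is an added example (not code from the article or from Kubernetes itself): a small Python model of the RBAC authorizer's decision. It loads the pod-reader Role, the secret-reader ClusterRole and the read-pods / read-secrets RoleBindings shown above, adds two constructed items (a ServiceAccount subject named builder in the default namespace, and a ClusterRoleBinding for a made-up group secret-auditors), and answers "may this identity perform this verb on this resource in this namespace?". It shows the two facts that matter most in practice: a RoleBinding confines even a ClusterRole to the binding's namespace, and only a ClusterRoleBinding grants cluster-wide. A service account is matched through the username system:serviceaccount:<namespace>:<name> it authenticates as; a Group subject matches the groups carried by the authenticated identity (for x509 client certificates, the O fields of the subject). Subresources, resourceNames, nonResourceURLs and aggregated ClusterRoles are left out for brevity.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group; "*" matches anything
    resources: List[str]
    verbs: List[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        def hit(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class RoleLike:
    """A Role (namespace set) or a ClusterRole (namespace None)."""
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None


@dataclass
class Subject:
    kind: str                        # "User", "Group" or "ServiceAccount"
    name: str
    namespace: Optional[str] = None  # ServiceAccount only

    def username(self) -> Optional[str]:
        # A service account authenticates as system:serviceaccount:<ns>:<name>
        if self.kind == "ServiceAccount":
            return f"system:serviceaccount:{self.namespace}:{self.name}"
        return self.name if self.kind == "User" else None


@dataclass
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    name: str
    subjects: List[Subject]
    role_ref: RoleLike
    namespace: Optional[str] = None

    def __post_init__(self) -> None:
        # The API server rejects these combinations; mirror that here.
        if self.namespace is None and self.role_ref.namespace is not None:
            raise ValueError(f"{self.name}: a ClusterRoleBinding may only reference a ClusterRole")
        if self.role_ref.namespace is not None and self.role_ref.namespace != self.namespace:
            raise ValueError(f"{self.name}: a RoleBinding may only reference a Role in its own namespace")


@dataclass
class Request:
    user: str
    groups: List[str]
    verb: str
    resource: str
    namespace: Optional[str]         # None for cluster-scoped resources
    api_group: str = ""


def subject_matches(subject: Subject, req: Request) -> bool:
    if subject.kind == "Group":
        return subject.name in req.groups
    return subject.username() == req.user


def binding_applies(binding: Binding, req: Request) -> bool:
    # A RoleBinding grants only inside its own namespace, even when its roleRef
    # is a ClusterRole; a ClusterRoleBinding applies in every namespace.
    if binding.namespace is not None and binding.namespace != req.namespace:
        return False
    return any(subject_matches(s, req) for s in binding.subjects)


def authorize(bindings: List[Binding], req: Request) -> bool:
    """Allow if any applicable binding carries a matching rule; RBAC has no deny rules."""
    return any(rule.matches(req.api_group, req.resource, req.verb)
               for b in bindings if binding_applies(b, req)
               for rule in b.role_ref.rules)


# Objects from the manifests above, plus the constructed builder ServiceAccount
# and the constructed secret-auditors group bound cluster-wide.
POD_READER = RoleLike("pod-reader", [Rule([""], ["pods"], ["get", "watch", "list"])], namespace="default")
SECRET_READER = RoleLike("secret-reader", [Rule([""], ["secrets"], ["get", "watch", "list"])])

BINDINGS = [
    Binding("read-pods", [Subject("User", "jane"), Subject("ServiceAccount", "builder", "default")],
            POD_READER, namespace="default"),
    Binding("read-secrets", [Subject("User", "dave")], SECRET_READER, namespace="development"),
    Binding("audit-secrets", [Subject("Group", "secret-auditors")], SECRET_READER),  # ClusterRoleBinding
]


def can(user: str, verb: str, resource: str, namespace: Optional[str], groups=()) -> bool:
    return authorize(BINDINGS, Request(user, list(groups), verb, resource, namespace))


if __name__ == "__main__":
    print("jane get pods/default:", can("jane", "get", "pods", "default"))
    print("dave get secrets/default:", can("dave", "get", "secrets", "default"))
    print("auditor get secrets/kube-system:", can("alice", "get", "secrets", "kube-system", ["secret-auditors"]))
```

The same questions can be put to a live cluster with `kubectl auth can-i get secrets --namespace development --as dave`; the model above is only meant to make the namespace scoping visible at a glance.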