配置k8s集群context-rbac实践

说明

在openshift环境中，可以通过oc project {project_name}命令来切换project，那么在k8s中式如何切换namespace的呢？（ocp的project即相当于k8s中的ns）

实例

创建ns

#创建dev 和 prod ns
kubectl create ns dev
kubectl create ns prod

查看默认上下文用于访问api的信息

#通过kubectl config view或者cat ~/.kube/config 查看默认上下文使用的cluster和user
kc config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.31.2.130:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes  //默认上下文使用的cluster
    user: kubernetes-admin //默认上下文使用的user
  name: kubernetes-admin@kubernetes
current-context: ctx-prod
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

新增上下文

#定义Context
kubectl config set-context ctx-dev --namespace=dev --cluster=kubernetes --user=kubernetes-admin
kubectl config set-context ctx-prod --namespace=prod --cluster=kubernetes --user=kubernetes-admin

切换上下文

kubectl config use-context ctc-prod
#此时部署应用默认就会到prod ns中

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

上述配置之后可以实现切换ns（类似oc project xxx），但是都是使用的kubernetes-admin这个user，这个用户具有cluster-admin的权限

以下配置实现在prod这个ns中只允许对资源deployment、pod的list等操作，而不允许delete操作

参考链接：https://blog.csdn.net/hy9418/article/details/80268418

创建私钥文件

#使用openssl创建名为view.key的私钥文件
openssl genrsa -out view.key 

创建证书签名请求文件

#使用上述的私钥文件创建csr文件
openssl req -new -key view.key -out view.csr -subj "/CN=view/O=mypwd"

生成证书文件

#利用k8s集群证书文件（/etc/kubernetes/pki/下），生成证书view.crt
openssl x509 -req -in view.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out view.crt -days 

配置k8s context

#编辑~/.kube/config文件，新增user，name为view，其中client-certificate-data和client-key-data的值如下

client-certificate-data=`cat view.crt | base64 --wrap=`

client-key-data=`cat view.key | base64 --wrap=`

#在prod这个context中指定user为view
- context:
    cluster: kubernetes
    namespace: prod
    user: view
  name: prod

由于未赋权限，报如下错误

[root@node1 manifests]# kc config use-context prod
Switched to context "prod".
[root@node1 manifests]# kc get pod
No resources found.
Error from server (Forbidden): pods is forbidden: User "view" cannot list pods in the namespace "prod"

权限赋值

#新建view_rbac.yaml文件，其中定义了Role对象和RoleBindind对象
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: prod_user_role
  namespace: prod
rules:
# ""表示core这个apiGroups, pod就是在core
  - apiGroups: ["", "extensions", "apps"]
    resources:
      - pods
    verbs:
      - list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: prod_user_rolebinding
  namespace: prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prod_user_role
subjects:
- kind: User
  name: view
  namespace: prod

#通过kubectl create -f view_rbac.yaml，注：需要切回具有cluster-admin权限的context才能执行create动作

verbs 字段的全集：verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

验证

#切换到prod context
kc config use-context prod

#kc get pod，命令正常获取pod
NAME                            READY     STATUS    RESTARTS   AGE
my--game-789f4fb6b5-6nl8n   /       Running             12d
my--game-789f4fb6b5-j59hq   /       Running             12d
my--game-789f4fb6b5-xx2vb   /       Running             12d

kc delete pod my--game-789f4fb6b5-6nl8n
Error from server (Forbidden): pods "my-2048-game-789f4fb6b5-6nl8n" is forbidden: User "view" cannot delete pods in the namespace "prod"

kc get deployment
No resources found.
Error from server (Forbidden): deployments.extensions is forbidden: User "view" cannot list deployments.extensions in the namespace "prod"