k8s安全管理认证

1、SA

Service account是为了方便Pod里面的进程调用Kubernetes API或其他外部服务而设计的。

• 是为Pod中的进程调用Kubernetes API而设计；

• 仅局限它所在的namespace；

• 每个namespace都会自动创建一个default service account；

• Token controller检测service account的创建，并为它们创建secret；

开启ServiceAccount Admission Controller后，每个Pod在创建后都会自动设置spec.serviceAccount为default（除非指定了其他ServiceAccout）；验证Pod引用的service account已经存在，否则拒绝创建；如果Pod没有指定ImagePullSecrets，则把service account的ImagePullSecrets加到Pod中；每个container启动后都会挂载该service account的token和ca.crt到/var/run/secrets/kubernetes.io/serviceaccount/

创建SA用户

   

    

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    
    
# vim 01_k8s_pod_test.ymlapiVersion: v1kind: ServiceAccountmetadata:  name: superopsmsb-sa---apiVersion: v1kind: Podmetadata:  name: my-nginx-1spec:  containers:  - image: nginx:1.23.0    name: my-nginx  serviceAccountName: superopsmsb-sa
# kubectl apply -f 01_k8s_pod_test.yml # kubectl get sa# kubectl get pods -o wide# kubectl describe pod my-nginx-1
   

2、UA

创建UA

   

    

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    
    
# vim test-csr.json  {  "CN": "test",  "hosts": [],  "key": {    "algo": "rsa",    "size": 2048  },  "names": [    {      "C": "CN",      "ST": "Beijing",      "L": "Beijing",      "O": "system:test",                   "OU": "system"    }  ]}

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test      # cp test*.pem /etc/kubernetes/ssl/## 创建集群# kubectl config set-cluster kubernetes --certificate-authority=ca.pem  --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig## 创建用户# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig
## 创建上下文，用户和集群关联# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig# kubectl config current-context --kubeconfig=test.kubeconfig# kubectl config view --kubeconfig=test.kubeconfig
## 设置使用默认的上下文# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig
# kubectl --kubeconfig=test.kubeconfig get podsError from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"      # kubectl --kubeconfig=kube.config get podsNAME                READY   STATUS    RESTARTS   AGEmy-nginx-1          1/1     Running   0          4h26mpod-cm1             1/1     Running   3          4d22hpod-harbor          1/1     Running   2          26hpod-mysql-secret1   1/1     Running   5          4d21hpod-mysql-secret2   1/1     Running   2          4d21h

   

3、config文件

• 创建登录k8s集群的用户，基于证书和密钥信息创建用户

• 创建登录k8s集群的地址

• 将登录用户和目标k8s集群关联在一起，形成k8s集群入口

• 设定默认的k8s集群入口

config文件优先级

• --kubeconfig 指定文件

• 设置系统环境 KUBECONFIG

• /root/.kube/config

4、role创建

资源对象的权限集合定义

   

    

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    
    
# kubectl create role myrole --verb=get,list --resource=pods --dry-run=client -o yaml > 02_k8s_secure_role.yaml# vim 02_k8s_secure_role.yaml apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: myrolerules:- apiGroups:  - ""  - "apps"  resources:  - pods  - deployments  - replicasets  verbs:  - get  - list  - delete
# kubectl apply -f 02_k8s_secure_role.yaml 
# kubectl get roleNAME     CREATED ATmyrole   2023-11-30T02:34:21Z# kubectl describe role myroleName:         myroleLabels:       <none>Annotations:  <none>PolicyRule:  Resources         Non-Resource URLs  Resource Names  Verbs  ---------         -----------------  --------------  -----  deployments       []                 []              [get list delete]  pods              []                 []              [get list delete]  replicasets       []                 []              [get list delete]  deployments.apps  []                 []              [get list delete]  pods.apps         []                 []              [get list delete]  replicasets.apps  []                 []              [get list delete]
   

5、rolebinding创建

   

    

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    
    
# kubectl create rolebinding test-myrole --role=myrole --user=test --dry-run=client -o yaml > 03_k8s_test-myrole.yaml# kubectl apply -f 03_k8s_test-myrole.yaml # kubectl describe rolebinding test-myroleName:         test-myroleLabels:       <none>Annotations:  <none>Role:  Kind:  Role  Name:  myroleSubjects:  Kind  Name  Namespace  ----  ----  ---------  User  test  

# kubectl get pods --kubeconfig=test.kubeconfigNAME                READY   STATUS    RESTARTS   AGEmy-nginx-1          1/1     Running   1          25hpod-cm1             1/1     Running   5          5d20h
# kubectl get deployment --kubeconfig=test.kubeconfig
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-systemError from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"# kubectl get svc --kubeconfig=test.kubeconfigError from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"
   

6、clusterrole和clusterrolebinding创建

   

    

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    
    
# kubectl create clusterrole myclusterrole --verb=get,list,delete --resource=pods --dry-run=client -o yaml > 04_k8s_secure-clsterrole.yaml# kubectl apply -f 04_k8s_secure-clsterrole.yaml 
# kubectl create clusterrolebinding test-myclusterrole --clusterrole=myclusterrole --user=test
# kubectl edit clusterrolebinding test-myclusterrole
[root@k8s-master01 tools]# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-systemError from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"# kubectl get pods --kubeconfig=test.kubeconfig -n kube-systemNAME                                       READY   STATUS    RESTARTS   AGEcalico-kube-controllers-7cc8dd57d9-hvkz5   1/1     Running   55         6d23hcalico-node-c4dxg                          1/1     Running   7          6d22hcalico-node-srqch                          1/1     Running   8          6d22hcalico-node-tcdmv                          0/1     Running   7          6d22hcalico-node-tvjzj                          1/1     Running   7          6d22hcoredns-675db8b7cc-5fbjk                   1/1     Running   7          6d22h
   

role和clusterrole混合使用，赋予clusterrole权限，但又限制命名空间权限

# kubectl create rolebinding test-myclusterrole --clusterrole=myclusterrole --user=test

接：https://www.cnblogs.com/zbc230/p/17864665.html

（版权归原作者所有，侵删）