
k8s: accessing resources with a Service Account + RBAC #45

Open
lqshow opened this issue Sep 8, 2018 · 0 comments
lqshow commented Sep 8, 2018

Workflow

  1. Create a ServiceAccount in the target namespace and locate its Secret
  2. Read the Secret and extract the token
  3. Put the token into a kubeconfig
  4. Restrict what it may do with RBAC
  5. Access the cluster with kubectl

Service Account

Create the namespace

kubectl create ns dev

Create the service account

kubectl -n dev create sa lqshow

Get the name of the ServiceAccount's token Secret

SECRET=$(kubectl -n dev get secrets | grep ^lqshow | cut -f1 -d ' ')

Extract ca.crt from the Secret

# base64 -D is the macOS flag; GNU coreutils base64 spells it -d
kubectl -n dev get secret $SECRET -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt

Extract the token from the Secret

USER_TOKEN=$(kubectl -n dev get secret $SECRET -o json | jq -r '.data["token"]' | base64 -D)

Kubectl config set-cluster

Sets a cluster entry in the kubeconfig file.

options

key                      desc
--server                 the server field of the cluster entry in the kubeconfig file
--certificate-authority  path to the certificate-authority for the cluster entry in the kubeconfig file
--embed-certs            whether to embed the certificate/key material itself in the kubeconfig file (here the CA given by --certificate-authority) instead of referencing it by path

Get the current context

CURRENT_CONTEXT=$(kubectl config current-context)

Get the cluster name

CLUSTER_NAME=$(kubectl config get-contexts $CURRENT_CONTEXT | awk '{print $3}' | tail -n 1)

Get the API server address

KUBE_APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$CLUSTER_NAME\")].cluster.server}")

Write a cluster entry named cluster-staging into dev.kubeconfig in the current directory

kubectl config set-cluster cluster-staging \
    --certificate-authority=./ca.crt \
    --embed-certs=true \
    --server=${KUBE_APISERVER} \
    --kubeconfig=dev.kubeconfig

Set the user credentials

kubectl config set-credentials lqshow \
    --token=$USER_TOKEN \
    --kubeconfig=dev.kubeconfig

Bind the user to the cluster in a context

kubectl config set-context lqshow-staging \
    --cluster=cluster-staging \
    --user=lqshow \
    --kubeconfig=dev.kubeconfig

Switch to the new context

kubectl config use-context lqshow-staging \
    --kubeconfig=dev.kubeconfig

Role

Create a Role definition (saved as dev-user-role.yml)

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-user-pod
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "update", "create", "delete"]

kubectl create -f dev-user-role.yml

RoleBinding

Create a RoleBinding definition

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-pod-rolebinding
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-pod
subjects:
- kind: ServiceAccount
  name: lqshow
  namespace: dev

Or bind the role directly from the command line

kubectl create rolebinding dev-pod-rolebinding \
    --role=dev-user-pod \
    --serviceaccount=dev:lqshow
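As an added example that is not part of the original issue, the Python below does in code what the Secret-extraction and `kubectl config` steps above do, and, before the RoleBinding step, checks that the token being embedded really belongs to the ServiceAccount dev:lqshow that the binding names. The Secret JSON, CA certificate and token are constructed stand-ins, the server URL is a placeholder, and the script assumes a cluster that still auto-creates a token Secret for the ServiceAccount, as this walkthrough does.

```python
import base64
import json

# Constructed sample of what `kubectl get secret <sa-token> -o json` returns
# (values under .data are base64); the cert and token are made up.
_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
_CLAIMS = {"iss": "kubernetes/serviceaccount",
           "kubernetes.io/serviceaccount/namespace": "dev",
           "kubernetes.io/serviceaccount/service-account.name": "lqshow",
           "sub": "system:serviceaccount:dev:lqshow"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Unsigned stand-in for the token in the Secret (signature part is a placeholder).
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(_CLAIMS).encode()), "sig"])
SAMPLE_SECRET = {"data": {k: base64.b64encode(v).decode() for k, v in {
    "ca.crt": _CA_PEM, "namespace": b"dev", "token": SAMPLE_TOKEN.encode()}.items()}}

def decode_secret(secret: dict) -> tuple:
    """Same as the jq | base64 step above: return (ca_pem, token, namespace)."""
    d = {k: base64.b64decode(v) for k, v in secret["data"].items()}
    return d["ca.crt"], d["token"].decode(), d["namespace"].decode()

def token_claims(token: str) -> dict:
    """Read the JWT payload without verifying it. The API server checks the
    signature; this only shows which account the token claims to be."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches(token: str, namespace: str, sa_name: str) -> bool:
    """Confirm the token belongs to the ServiceAccount the RoleBinding names."""
    return token_claims(token).get("sub") == f"system:serviceaccount:{namespace}:{sa_name}"

def build_kubeconfig(server: str, ca_pem: bytes, token: str,
                     cluster="cluster-staging", user="lqshow",
                     context="lqshow-staging") -> dict:
    """The file set-cluster / set-credentials / set-context / use-context produce.
    JSON is valid YAML, so kubectl --kubeconfig loads json.dump() of this."""
    return {"apiVersion": "v1", "kind": "Config",
            "clusters": [{"name": cluster, "cluster": {"server": server,
                # --embed-certs=true: the CA goes inline, base64-encoded
                "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
            "users": [{"name": user, "user": {"token": token}}],
            "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
            "current-context": context}
```

Legacy token Secrets like the one read here carry no exp claim, so the resulting dev.kubeconfig is a long-lived credential and should be protected accordingly.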

References

lqshow added the k8s label Sep 8, 2018