一 kubernetes API 访问控制
Authentication(认证)
-
认证方式现共有8种,可以启用一种或多种认证方式,只要有一种认证方式通过,就不再进行其它方式的认证。通常启用X509 Client Certs和Service Accout Tokens两种认证方式。
-
Kubernetes集群有两类用户:由Kubernetes管理的Service Accounts (服务账户)和(Users Accounts) 普通账户。k8s中账号的概念不是我们理解的账号,它并不真的存在,它只是形式上存在。
Authorization(授权)
- 必须经过认证阶段,才到授权请求,根据所有授权策略匹配请求资源属性,决定允许或拒绝请求。授权方式现共有6种,AlwaysDeny、AlwaysAllow、ABAC、RBAC、Webhook、Node。默认集群强制开启RBAC。
Admission Control(准入控制)
- 用于拦截请求的一种方式,运行在认证、授权之后,是权限认证链上的最后一环,对请求API资源对象进行修改和校验。
1.1 UserAccount与ServiceAccount
-
用户账户是针对人而言的。 服务账户是针对运行在 pod 中的进程而言的。
-
用户账户是全局性的。 其名称在集群各 namespace 中都是全局唯一的,未来的用户资源不会做 namespace 隔离, 服务账户是 namespace 隔离的。
-
集群的用户账户可能会从企业数据库进行同步,其创建需要特殊权限,并且涉及到复杂的业务流程。 服务账户创建的目的是为了更轻量,允许集群用户为了具体的任务创建服务账户 ( 即权限最小化原则 )。
1.1.1 ServiceAccount
-
服务账户控制器(Service account controller)
-
服务账户管理器管理各命名空间下的服务账户
-
每个活跃的命名空间下存在一个名为 “default” 的服务账户
-
-
服务账户准入控制器(Service account admission controller)
-
相似pod中 ServiceAccount默认设为 default。
-
保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
-
如果pod不包含ImagePullSecrets设置那么ServiceAccount中的ImagePullSecrets 被添加到pod中
-
将挂载于 /var/run/secrets/kubernetes.io/serviceaccount 的 volumeSource 添加到 pod 下的每个容器中
-
将一个包含用于 API 访问的 token 的 volume 添加到 pod 中
-
1.1.2 ServiceAccount示例:
建立名字为admin的ServiceAccount
[root@master ~]# kubectl create sa ch
serviceaccount/ch created
[root@master ~]# kubectl describe sa ch
Name: ch
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
建立secrets
[root@master ~]# kubectl create secret docker-registry docker-login --docker-username admin --docker-password 123 --docker-server reg.ch.org --docker-email 123@ch.org
secret/docker-login created
[root@master ~]# kubectl describe secrets docker-login
Name: docker-login
Namespace: default
Labels: <none>
Annotations: <none>Type: kubernetes.io/dockerconfigjsonData
====
.dockerconfigjson: 105 bytes
将secrets注入到sa中
[root@master ~]# kubectl edit sa ch
apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
- name: docker-login
metadata:creationTimestamp: "2025-08-24T14:08:48Z"name: chnamespace: defaultresourceVersion: "331848"uid: 75a67b01-1be8-4e05-ab4f-584173ceace5[root@master ~]# kubectl describe sa ch
Name: ch
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: docker-login
Mountable secrets: <none>
Tokens: <none>
Events: <none>
建立私有仓库并且利用pod访问私有仓库
[root@master auth]# kubectl apply -f test1.yml
pod/testpod created
[root@master auth]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
testpod 0/1 ImagePullBackOff 0 10s 10.244.166.183 node1 <none> <none>
[root@master auth]# kubectl describe pod testpodWarning Failed 19s (x2 over 20s) kubelet Error: ImagePullBackOffNormal Pulling 4s (x2 over 21s) kubelet Pulling image "reg.ch.org/private/myapp:v1"Warning Failed 4s (x2 over 21s) kubelet Failed to pull image "reg.ch.org/private/myapp:v1": Error response from daemon: unknown: artifact private/myapp:v1 not foundWarning Failed 4s (x2 over 21s) kubelet Error: ErrImagePull
[root@master auth]#[!WARNING]
在创建pod时会镜像下载会受阻,因为docker私有仓库下载镜像需要认证
pod绑定sa
[root@master auth]# vim test1.yml
apiVersion: v1
kind: Pod
metadata:name: testpod
spec:serviceAccountName: chcontainers:- image: reg.ch.org/private/nginx:latestname: testpod[root@master auth]# kubectl apply -f example1.yml
pod/testpod created
[root@master auth]# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 2s
二 认证(在k8s中建立认证用户)
2.1 创建UserAccount
#建立证书
[root@master auth]# cd /etc/kubernetes/pki/
[root@master pki]# openssl genrsa -out ch.key 2048[root@master pki]# openssl req -new -key ch.key -out ch.csr -subj "/CN=ch"
[root@master pki]# openssl x509 -req -in ch.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ch.crt -days 365
Certificate request self-signature ok[root@master pki]# openssl x509 -in ch.crt -text -noout
Certificate:Data:Version: 1 (0x0)Serial Number:77:50:b8:37:d5:96:2c:36:85:95:b4:3a:13:10:ae:45:54:b0:4c:fbSignature Algorithm: sha256WithRSAEncryptionIssuer: CN = kubernetesValidityNot Before: Aug 19 07:49:14 2025 GMTNot After : Aug 19 07:49:14 2026 GMTSubject: CN = chSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:d8:5e:e3:a1:aa:15:38:5b:ff:c6:8b:d0:a4:0e:0b:3d:09:8b:95:ab:76:cb:72:8d:71:00:39:a7:af:75:f4:ac:e6:9a:3c:1b:54:e4:77:a6:b6:a6:a3:86:25:ae:3d:d1:27:9b:fc:32:f5:c2:22:89:b8:b5:ed:45:80:99:30:ef:35:70:2a:cd:75:60:ce:c5:3b:35:93:c6:85:0d:94:a2:85:9e:f4:2d:b8:30:fc:b4:89:d1:4d:5a:87:5e:66:84:2f:19:04:e4:e5:fe:b3:45:c3:35:af:f2:0c:1b:6f:17:1c:60:4b:71:ae:49:d9:42:ae:9f:c9:02:38:07:ee:39:72:46:b8:75:cb:b4:c0:76:8e:7b:3d:f9:a9:9b:d7:b2:36:ba:cf:8c:b8:02:9c:84:43:22:0b:d0:ed:7e:79:e5:9f:59:66:ce:8e:1d:1c:bb:a4:fe:58:81:6b:4b:77:81:03:9f:42:e9:86:35:cd:95:16:a2:f3:4b:74:15:c7:57:5b:5f:92:9a:9f:6b:61:05:98:0c:c1:69:4a:7c:78:fa:92:47:2c:47:bf:38:61:d7:7b:e8:41:05:c8:f3:34:c9:0a:0b:29:af:c6:ec:a0:ce:0f:b7:d6:e7:63:b3:05:1d:af:a3:0e:c0:58:58:03:e4:19:09:bd:f5:76:a9:0f:51Exponent: 65537 (0x10001)Signature Algorithm: sha256WithRSAEncryptionSignature Value:57:2f:4f:56:74:43:d1:b7:39:7a:de:c9:f2:f8:2a:e2:b9:61:28:0b:66:94:bb:a8:90:d3:43:98:fb:b9:6d:8b:eb:9c:5f:45:8b:ff:fa:1a:4a:c7:3a:a4:59:ed:26:31:ce:50:f6:67:2b:f5:5e:f1:00:fa:bf:64:38:20:88:aa:c3:5d:9e:00:85:5e:96:da:c1:fb:cc:ee:9e:4a:b6:58:5a:e3:4b:46:ec:e4:60:80:be:f5:fe:03:2c:70:14:59:a5:b1:7d:39:27:59:1b:67:62:05:f5:fe:05:be:cd:4c:da:d8:5f:96:71:f9:bf:3f:4a:c7:19:04:8e:48:04:d3:54:db:00:ea:0d:57:a2:39:88:7c:30:60:68:56:2c:e0:4b:8c:67:9d:68:7e:24:6b:86:d3:b4:58:0b:a1:66:5f:2a:ee:a8:02:ad:ce:ab:00:bc:c3:b9:fa:14:91:68:e0:7e:00:ff:5a:f9:2b:16:0c:86:19:68:65:ca:23:87:0c:92:08:98:19:c5:8e:3b:07:13:94:2c:5f:8a:4f:c9:14:10:e3:77:44:84:63:5b:32:7c:99:5e:d7:70:74:a6:e3:24:09:f4:cc:ea:61:53:26:7b:be:1e:d8:a9:f3:be:67:3d:1f:ec:bf:5d:3d:2f:85:3b:14:c0:21:19:20:d2:38#建立k8s中的用户
[root@master pki]# kubectl config set-credentials ch --client-certificate /etc/kubernetes/pki/ch.crt --client-key /etc/kubernetes/pki/ch.key --embed-certs=true
User "ch" set.[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:certificate-authority-data: DATA+OMITTEDserver: https://192.168.1.100:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: chname: ch@kubernetes
- context:cluster: kubernetesuser: kubernetes-adminname: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: chuser:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED
- name: kubernetes-adminuser:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED#为用户创建集群的安全上下文
[root@master pki]# kubectl config set-context ch@kubernetes --cluster kubernetes --user ch
Context "ch@kubernetes" created.#切换用户,用户在集群中只有用户身份没有授权
[root@master ~]# kubectl config use-context ch@kubernetes
Switched to context "ch@kubernetes".
[root@master ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "ch" cannot list resource "pods" in API group "" in the namespace "default"#切换回集群管理
[root@master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".#如果需要删除用户
[root@master pki]# kubectl config delete-user ch
deleted user ch from /etc/kubernetes/admin.conf
2.2 RBAC(Role Based Access Control)
2.2.1 基于角色访问控制授权:
-
允许管理员通过Kubernetes API动态配置授权策略。RBAC就是用户通过角色与权限进行关联。
-
RBAC只有授权,没有拒绝授权,所以只需要定义允许该用户做什么即可
-
RBAC的三个基本概念
-
Subject:被作用者,它表示k8s中的三类主体, user, group, serviceAccount
-
Role:角色,它其实是一组规则,定义了一组对 Kubernetes API 对象的操作权限。
-
RoleBinding:定义了“被作用者”和“角色”的绑定关系
-
-
RBAC包括四种类型:Role、ClusterRole、RoleBinding、ClusterRoleBinding
-
Role 和 ClusterRole
-
Role是一系列的权限的集合,Role只能授予单个namespace 中资源的访问权限。
-
ClusterRole 跟 Role 类似,但是可以在集群中全局使用。
-
Kubernetes 还提供了四个预先定义好的 ClusterRole 来供用户直接使用
-
cluster-amdin、admin、edit、view
-
2.2.2 role授权实施
#生成role的yaml文件
[root@master role]# kubectl create role myrole --dry-run=client --verb=get --resource pods --resource=services -o yaml > myrole.yml#更改文件内容
[root@master role]# cat myrole.yml
aapiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:name: myrole
rules:
- apiGroups:- ""resources:- pods- servicesverbs:- get- watch- list- create- update- path- delete#创建role
[root@master role]# kubectl apply -f myrole.yml
role.rbac.authorization.k8s.io/myrole created
[root@master role]# kubectl describe role myrole
Name: myrole
Labels: <none>
Annotations: <none>
PolicyRule:Resources Non-Resource URLs Resource Names Verbs--------- ----------------- -------------- -----pods [] [] [get watch list create update path delete]services [] [] [get watch list create update path delete]
#建立角色绑定
[root@master role]# kubectl create rolebinding ch --role myrole --namespace default --user ch --dry-run=client -o yaml > rolebinding-myrole.yml[root@master role]# vim rolebinding-ch.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: chnamespace: default #角色绑定必须指定namespace
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: myrole
subjects:- apiGroup: rbac.authorization.k8s.iokind: Username: ch[root@master role]# kubectl apply -f rolebinding-ch.yml
rolebinding.rbac.authorization.k8s.io/ch created
[root@master role]# kubectl get rolebindings.rbac.authorization.k8s.io ch
NAME ROLE AGE
ch Role/myrole 6s
#切换用户测试授权
[root@master role]# kubectl config use-context ch@kubernetes
Switched to context "ch@kubernetes".
[root@master role]# kubectl get pod
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 19m[root@master role]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
test1 ClusterIP 10.96.146.141 <none> 80/TCP 6h1m[root@master role]# kubectl get namespaces #只针对pod和svc进行了授权,所以namespaces依然不能操作
Error from server (Forbidden): namespaces is forbidden: User "ch" cannot list resource "namespaces" in API group "" at the cluster scope#切换回管理员
[root@master role]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
2.2.3 clusterrole授权实施
#建立集群角色
[root@master rbac]# kubectl create clusterrole myclusterrole --resource=deployment --verb get --dry-run=client -o yaml > myclusterrole.yml
[root@master rbac]# vim myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: myclusterrole
rules:- apiGroups:- ""resources:- pods- servicesverbs:- get- list- watch- create- update- path- delete
- apiGroups:- appsresources:- deploymentsverbs:- get- list- watch- create- update- path- delete[root@master rbac]# kubectl describe clusterrole myclusterrole
Name: myclusterrole
Labels: <none>
Annotations: <none>
PolicyRule:Resources Non-Resource URLs Resource Names Verbs--------- ----------------- -------------- -----deployments.apps [] [] [get list watch create update path delete]pods.apps [] [] [get list watch create update path delete]#建立集群角色绑定
[root@master rbac]# kubectl create clusterrolebinding clusterrolebind-myclusterrole --clusterrole myclusterrole --user ch --dry-run=client -o yaml > clusterrolebind-myclusterrole.yml
[root@master rbac]# vim clusterrolebind-myclusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: clusterrolebind-myclusterrole
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: myclusterrole
subjects:- apiGroup: rbac.authorization.k8s.iokind: Username: ch[root@master rbac]# kubectl describe clusterrolebindings.rbac.authorization.k8s.io clusterrolebind-myclusterrole
Name: clusterrolebind-myclusterrole
Labels: <none>
Annotations: <none>
Role:Kind: ClusterRoleName: myclusterrole
Subjects:Kind Name Namespace---- ---- ---------User ch
#测试:
[root@master role]# kubectl config use-context ch@kubernetes
Switched to context "ch@kubernetes".
[root@master role]# kubectl get pods
NAME READY STATUS RESTARTS AGE
testpod 1/1 Running 0 29m
[root@master role]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
test1 ClusterIP 10.96.146.141 <none> 80/TCP 6h11m
[root@master role]# kubectl get deployments.apps
No resources found in default namespace.
[root@master role]# kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "ch" cannot list resource "namespaces" in API group "" at the cluster scope
2.2.4 服务账户的自动化
服务账户准入控制器(Service account admission controller)
-
如果该 pod 没有 ServiceAccount 设置,将其 ServiceAccount 设为 default。
-
保证 pod 所关联的 ServiceAccount 存在,否则拒绝该 pod。
-
如果 pod 不包含 ImagePullSecrets 设置,那么 将 ServiceAccount 中的 ImagePullSecrets 信息添加到 pod 中。
:『AI已开始重塑劳动力市场,美国年轻科技从业者首当其冲』)
 --- TCP/IP网络结构(运输层))
Java 对象创建的完整过程)
JSON数据类型在酒店管理系统搜索—仙盟创梦IDE)
)
)
