CKS Study Notes - 2. Cluster Hardening
2022-07-04 21:12:34
路瑞强
CKS Study Notes: RBAC
RBAC consists of four kinds of objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
A Role or a ClusterRole defines a set of permissions, for example reading pods, editing pods, or both.
A Role is defined inside a single namespace, whereas a ClusterRole is not restricted to a namespace.
A ClusterRole has several uses:
defining permissions on namespaced resources and granting them within one namespace;
defining permissions on namespaced resources and granting them across all namespaces;
defining permissions on cluster-scoped resources.
As a rule of thumb, use a Role when defining a role inside a namespace and a ClusterRole when defining a role at the cluster level.
Role example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
ClusterRole example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
In Kubernetes a Role or ClusterRole has no effect until it is associated with users; that association is made with a RoleBinding or a ClusterRoleBinding.
A RoleBinding grants a role to a user or a group of users within one namespace.
A ClusterRoleBinding grants a role to users across the whole cluster.
A RoleBinding can reference any Role in the same namespace, or a ClusterRole; in the latter case the ClusterRole's permissions apply only within the RoleBinding's namespace.
A ClusterRoleBinding binds a ClusterRole across all namespaces of the cluster.
Example of a RoleBinding that binds a Role:
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Example of a RoleBinding that binds a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  #
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRoleBinding example:
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
Role examples (only the rules field is shown):
Allow reading the pods resource
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Pod
  # objects is "pods"
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Allow reading and writing Deployments in the apps API group
rules:
- apiGroups: ["apps"]
  #
  # at the HTTP level, the name of the resource for accessing Deployment
  # objects is "deployments"
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allow reading pods, and reading and writing jobs in the batch API group
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Pod
  # objects is "pods"
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  #
  # at the HTTP level, the name of the resource for accessing Job
  # objects is "jobs"
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allow reading only the ConfigMap named my-config
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing ConfigMap
  # objects is "configmaps"
  resources: ["configmaps"]
  resourceNames: ["my-config"]
  verbs: ["get"]
Allow reading the nodes resource
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Node
  # objects is "nodes"
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
Allow GET and POST to the non-resource URL /healthz and everything under it
rules:
- nonResourceURLs: ["/healthz", "/healthz/*"] # '*' in a nonResourceURL is a suffix glob match
  verbs: ["get", "post"]
RoleBinding examples (only the subjects field is shown):
The user named alice@example.com
subjects:
- kind: User
  name: "alice@example.com"
  apiGroup: rbac.authorization.k8s.io
The group named frontend-admins
subjects:
- kind: Group
  name: "frontend-admins"
  apiGroup: rbac.authorization.k8s.io
The default service account in the kube-system namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
All service accounts in the qa namespace
subjects:
- kind: Group
  name: system:serviceaccounts:qa
  apiGroup: rbac.authorization.k8s.io
All service accounts in every namespace
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
All authenticated users
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
All unauthenticated users
subjects:
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
All users
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
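To make the scoping rules concrete, here is an added Python evaluator (my own study code, not from these notes or from Kubernetes itself) that reproduces how the authorizer matches a request against the rules, subjects and bindings shown above: a RoleBinding to a ClusterRole only grants inside the binding's namespace, a ClusterRoleBinding grants everywhere, and a rule with resourceNames never allows a list. All Roles, bindings and users in it are constructed inline from the YAML examples.

```python
# Added study example, not from the original notes: a toy evaluator that mirrors how the
# Kubernetes RBAC authorizer matches a request against the objects shown above.
# All Roles, bindings and users below are constructed inline; the real check is kubectl auth can-i.

def rule_matches(rule, req):
    """A rule allows a request when apiGroup, resource, (resourceName) and verb all match."""
    if req["apiGroup"] not in rule["apiGroups"] or req["resource"] not in rule["resources"]:
        return False
    if "resourceNames" in rule and req.get("name") not in rule["resourceNames"]:
        return False  # list/watch requests carry no name, so a named rule never allows them
    return req["verb"] in rule["verbs"]

def subject_matches(subject, user):
    if subject["kind"] == "User":
        return subject["name"] == user["name"]
    if subject["kind"] == "Group":
        return subject["name"] in user["groups"]
    if subject["kind"] == "ServiceAccount":  # a SA token authenticates as this user name
        return user["name"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False

def allowed(roles, bindings, user, req):
    """Permissions are purely additive: the first binding whose subject, scope and rules match wins."""
    for b in bindings:
        if not any(subject_matches(s, user) for s in b["subjects"]):
            continue
        # A RoleBinding only grants inside its own namespace, even when roleRef is a ClusterRole;
        # a ClusterRoleBinding grants the ClusterRole in every namespace.
        if b["kind"] == "RoleBinding" and req["namespace"] != b["namespace"]:
            continue
        rules = roles[(b["roleRef"]["kind"], b["roleRef"]["name"])]  # keyed by name only (toy)
        if any(rule_matches(r, req) for r in rules):
            return True
    return False

# Constructed objects taken from the YAML examples in these notes
ROLES = {
    ("Role", "pod-reader"): [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", "secret-reader"): [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default", "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "namespace": "development", "subjects": [{"kind": "User", "name": "dave"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "ClusterRoleBinding", "subjects": [{"kind": "Group", "name": "manager"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]
```

On a real cluster the authoritative answer comes from the API server, e.g. kubectl auth can-i get secrets -n development --as dave.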