
Authentication and Authorization

  • Authentication - AuthN
    • Client Certificates
    • Bearer Token
    • HTTP Basic Auth
    • OpenID Connect
    • Webhook Token
  • Authorization - AuthZ
    • RBAC - Role-Based Access Control
      • Role & ClusterRole - define a set of permissions
      • RoleBinding & ClusterRoleBinding - grant a role to specific users or groups
    • ABAC - Attribute-Based Access Control
    • Webhook
    • Node
  • Built-in
    • ClusterRoles
      • cluster-admin - all permissions, cluster-wide
      • admin - permission to manage most resources in a namespace, but not resource quotas or binding operations on the namespace itself
      • edit - can modify most resources in a namespace, but cannot manage permissions.
      • view - read-only access; cannot modify any resource.
      • system:aggregate-to-admin
      • system:aggregate-to-edit
      • system:aggregate-to-view
      • system:aggregate-to-*
        • not assigned directly to users
        • rbac.authorization.k8s.io/aggregate-to-admin: "true"
  • system:
    • system:serviceaccount:
    • system:node:
    • system:masters
  • References
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ['*']

Authentication

  • Supported modules
    • Client Certificates - v1.19
      • requires the API server to have a CA; it is always started with --client-ca-file=SOMEFILE
      • openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
    • Password
    • Plain Tokens
      • requires the API server to be configured with --token-auth-file=SOMEFILE.csv
        • CSV token,user,uid,"group1,group2,group3"
      • Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
    • Bootstrap Tokens - v1.18+
      • Authorization: Bearer 781292.db7bc3a58fc5f07e
    • Service Account
      • kubectl create serviceaccount jenkins
    • OIDC - requires API server configuration
      1. kubectl config set-credentials --auth-provider=oidc
      2. kubectl --token=
  • Multiple methods can be enabled; they are tried in order until one succeeds
  • Failure returns 401
  • Users are split into Kubernetes-managed service accounts and normal users
  • dex can act as an auth broker
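Added example (not part of the original notes): a small model of the API server's authenticator chain, using the static token file layout from the list above (token,user,uid,"group1,group2,group3") and the Authorization: Bearer header. It shows why an unknown token does not stop the chain and why the end result of an exhausted chain is 401. The token file contents, users and tokens are constructed sample data, not real credentials.

```python
# Added example: a model of the API server's authenticator chain with a
# static token file module. Tokens, users and groups below are constructed.
import csv
import io
from typing import Callable, Dict, List, Optional, Tuple

Identity = Dict[str, object]
Authenticator = Callable[[Dict[str, str]], Optional[Identity]]

# Constructed contents of a --token-auth-file CSV. The 4th column is optional
# and, when present, is a quoted comma-separated list of groups.
TOKEN_FILE = (
    '31ada4fd-adec-460c-809a-9e56ceb75269,alice,u-1001,"dev,infra"\n'
    'deadbeef-0000-1111-2222-333333333333,bob,u-1002\n'
)


def load_token_file(text: str) -> Dict[str, Identity]:
    """Parse the CSV into {token: {"user", "uid", "groups"}}."""
    users: Dict[str, Identity] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or malformed line
        token, user, uid = row[0].strip(), row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[token] = {"user": user, "uid": uid, "groups": groups}
    return users


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def token_file_authenticator(users: Dict[str, Identity]) -> Authenticator:
    """Build the module that checks a bearer token against the token file."""
    def authenticate(headers: Dict[str, str]) -> Optional[Identity]:
        token = bearer_token(headers)
        if token is None:
            return None          # not a bearer request; let the next module try
        return users.get(token)  # unknown token: None, so the chain continues
    return authenticate


def authenticate_request(headers: Dict[str, str],
                         chain: List[Authenticator]) -> Tuple[int, Optional[Identity]]:
    """Try each module in order; the first identity wins, otherwise 401."""
    for module in chain:
        identity = module(headers)
        if identity is not None:
            return 200, identity
    return 401, None


if __name__ == "__main__":
    chain = [token_file_authenticator(load_token_file(TOKEN_FILE))]
    print(authenticate_request(
        {"Authorization": "Bearer 31ada4fd-adec-460c-809a-9e56ceb75269"}, chain))
    print(authenticate_request({"Authorization": "Bearer not-a-token"}, chain))
```

The chain is a plain list, so the order of modules is explicit; a static token file is the simplest module to reason about, which is also why it is only suitable for test clusters (tokens are long-lived and can only be rotated by restarting the API server).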

X509 Client Certs

# List CSR
kubectl get csr
# Approve/Deny CSR
kubectl certificate approve myuser
kubectl certificate deny myuser

# CSR
kubectl get csr/myuser -o yaml

kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 -d > myuser.crt

# RB
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser

# kubeconfig
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true
kubectl config set-context myuser --cluster=kubernetes --user=myuser
kubectl config use-context myuser
# username: wener groups: infra, dev
openssl req -new -key wener.pem -out wener-csr.pem -subj "/CN=wener/O=infra/O=dev"

Create a CSR

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <csr-base64> # cat myuser.csr | base64 | tr -d "\n" or {{file john.csr | b64enc}}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400 # one day
  usages:
  - client auth

Permissions needed to work with CSRs

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-creator # create
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-approver # approve
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resources:
  - signers
  resourceNames:
  - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain
  verbs:
  - approve

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-signer # allowed to sign CSRs
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/status
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resources:
  - signers
  resourceNames:
  - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain
  verbs:
  - sign
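Added example (not part of the original notes): a simplified model of the two steps the X509 and RBAC sections describe, mapping a client-cert subject (CN = username, each O = a group) to an identity and then evaluating RBAC rules for it. The rules of csr-approver are taken from the YAML above and the developer Role mirrors the kubectl create role command earlier; the bindings, the "default" namespace and the identities are constructed. It shows the subresource and resourceNames matching that make csr-approver narrower than it looks: a rule on certificatesigningrequests/approval does not cover certificatesigningrequests/status, and the signers rule only covers the named signer. Aggregation, nonResourceURLs and the Node authorizer are out of scope.

```python
# Added example: cert subject -> identity -> RBAC decision. Bindings and
# identities are constructed; rule matching follows RBAC semantics.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_cert_subject(subj: str) -> Tuple[Optional[str], List[str]]:
    """'/CN=wener/O=infra/O=dev' -> ('wener', ['infra', 'dev'])."""
    user, groups = None, []
    for part in filter(None, subj.split("/")):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups


@dataclass
class Request:
    user: Optional[str]
    groups: List[str]
    verb: str
    resource: str
    api_group: str = ""     # "" is the core group
    subresource: str = ""
    name: str = ""
    namespace: str = ""     # "" for cluster-scoped resources


# csr-approver rules as in the notes; 'developer' as created by
# 'kubectl create role developer --verb=... --resource=pods'.
ROLES: Dict[str, List[dict]] = {
    "csr-approver": [
        {"apiGroups": ["certificates.k8s.io"], "resources": ["certificatesigningrequests"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["certificates.k8s.io"], "resources": ["certificatesigningrequests/approval"],
         "verbs": ["update"]},
        {"apiGroups": ["certificates.k8s.io"], "resources": ["signers"],
         "resourceNames": ["example.com/my-signer-name"], "verbs": ["approve"]},
    ],
    "developer": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "get", "list", "update", "delete"]},
    ],
}

# Constructed bindings: a RoleBinding only applies in its namespace,
# a ClusterRoleBinding applies everywhere.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default", "roleRef": "developer",
     "subjects": [("User", "myuser")]},
    {"kind": "ClusterRoleBinding", "roleRef": "csr-approver",
     "subjects": [("Group", "infra")]},
]


def rule_matches(rule: dict, req: Request) -> bool:
    """'*' is a wildcard; 'foo' does not cover 'foo/bar', but 'foo/bar' and
    '*/bar' do; a non-empty resourceNames list narrows the rule by name."""
    if "*" not in rule["verbs"] and req.verb not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and req.api_group not in rule["apiGroups"]:
        return False
    requested = req.resource + ("/" + req.subresource if req.subresource else "")
    if not any(r == "*" or r == requested
               or (req.subresource and r == "*/" + req.subresource)
               for r in rule["resources"]):
        return False
    names = rule.get("resourceNames", [])
    return not names or req.name in names


def subject_matches(binding: dict, req: Request) -> bool:
    return any((kind == "User" and name == req.user)
               or (kind == "Group" and name in req.groups)
               for kind, name in binding["subjects"])


def authorize(req: Request) -> bool:
    """True if any applicable binding grants a matching rule; otherwise 403."""
    for binding in BINDINGS:
        if not subject_matches(binding, req):
            continue
        if binding["kind"] == "RoleBinding" and binding["namespace"] != req.namespace:
            continue
        if any(rule_matches(rule, req) for rule in ROLES[binding["roleRef"]]):
            return True
    return False


def can(subject: str, verb: str, resource: str, **attrs) -> bool:
    """Authorize a request using the identity derived from a cert subject."""
    user, groups = parse_cert_subject(subject)
    return authorize(Request(user=user, groups=groups, verb=verb, resource=resource, **attrs))
```

The same checks can be made against a real cluster with kubectl auth can-i, e.g. kubectl auth can-i update certificatesigningrequests/approval --as wener --as-group infra.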

Signer names

  • kubernetes.io/kube-apiserver-client
  • kubernetes.io/kube-apiserver-client-kubelet
  • kubernetes.io/kubelet-serving
  • kubernetes.io/legacy-unknown

Authorization

  • A request carries the requester's username, the action, and the object it affects
  • Failure returns 403
  • Supported modules
    • ABAC
    • RBAC
    • Webhook

Policy

{
  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
  "kind": "Policy",
  "spec": {
    "user": "bob",
    "namespace": "projectCaribou",
    "resource": "pods",
    "readonly": true
  }
}

Access review

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "projectCaribou",
      "verb": "get",
      "group": "unicorn.example.org",
      "resource": "pods"
    }
  }
}
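Added example (not part of the original notes): a minimal evaluator for the ABAC policy file format shown above, driven by a SubjectAccessReview-style spec like the one just shown. It follows the ABAC authorizer's matching semantics: "*" matches anything, an omitted apiGroup matches only the core group, readonly policies allow only get/list/watch, and nonResourcePath rules apply to non-resource requests. Bob's policy is the one from the notes; the other policies and every identity are constructed. The spec.user and spec.groups fields are real SubjectAccessReview fields that the snippet above leaves out; the reviewer here needs them to know whom it is reviewing. Run against the review above, it shows that Bob's policy does not cover pods in the unicorn.example.org group, because the policy has no apiGroup and so matches the core group only.

```python
# Added example: an ABAC policy evaluator answering SubjectAccessReview-style
# questions. Bob's policy is from the notes; other policies are constructed.
from typing import List

READ_ONLY_VERBS = {"get", "list", "watch"}

# In the real policy file each policy is one JSON object per line; here the
# "spec" parts are inlined as dicts.
POLICIES: List[dict] = [
    # from the notes: Bob may only read pods in projectCaribou (core group)
    {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": True},
    # constructed: members of "admins" may do anything, in every API group
    {"group": "admins", "namespace": "*", "resource": "*", "apiGroup": "*"},
    # constructed: anyone may read the /healthz non-resource path
    {"user": "*", "nonResourcePath": "/healthz", "readonly": True},
]


def subject_matches(policy: dict, user: str, groups: List[str]) -> bool:
    """A policy naming neither user nor group matches nobody; '*' matches all."""
    matched = False
    if policy.get("user"):
        matched = policy["user"] == "*" or policy["user"] == user
        if not matched:
            return False
    if policy.get("group"):
        matched = policy["group"] == "*" or policy["group"] in groups
        if not matched:
            return False
    return matched


def policy_matches(policy: dict, user: str, groups: List[str], spec: dict) -> bool:
    if not subject_matches(policy, user, groups):
        return False
    readonly = policy.get("readonly", False)
    if "resourceAttributes" in spec:
        attrs = spec["resourceAttributes"]
        if readonly and attrs.get("verb", "") not in READ_ONLY_VERBS:
            return False
        # policy field -> SubjectAccessReview attribute; "" in the policy
        # only matches "" in the request (the core API group, no namespace)
        for field, key in (("resource", "resource"), ("namespace", "namespace"),
                           ("apiGroup", "group")):
            want = policy.get(field, "")
            if want != "*" and want != attrs.get(key, ""):
                return False
        return True
    attrs = spec.get("nonResourceAttributes", {})
    if readonly and attrs.get("verb", "") not in READ_ONLY_VERBS:
        return False
    want, path = policy.get("nonResourcePath", ""), attrs.get("path", "")
    return want == "*" or want == path or (
        want.endswith("*") and path.startswith(want[:-1]))


def subject_access_review(policies: List[dict], spec: dict) -> dict:
    """Evaluate a SubjectAccessReview spec ({user, groups, resourceAttributes |
    nonResourceAttributes}) and return the .status-style answer."""
    user, groups = spec.get("user", ""), spec.get("groups", [])
    return {"allowed": any(policy_matches(p, user, groups, spec) for p in policies)}


if __name__ == "__main__":
    review = {"user": "bob", "resourceAttributes": {
        "namespace": "projectCaribou", "verb": "get",
        "group": "unicorn.example.org", "resource": "pods"}}
    print(subject_access_review(POLICIES, review))  # {'allowed': False}
```

The policy file is read once at API server start, so a change to it needs a restart; that, together with the line-oriented format, is the usual reason RBAC is preferred over ABAC.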

Admission Control

  • Used to mutate or reject requests
  • Applies when objects are created, modified, deleted, or connected to (proxy)
  • Does not affect reads
  • Multiple admission controllers are evaluated in order
  • If any one rejects, the request is rejected immediately
  • Can set complex fields