Skip to main content

认证授权

Tips#

Authentication#

  • 支持模块
    • Client Certificates - v1.19
      • 需要 API Server 有 CA - 都会有 --client-ca-file=SOMEFILE
      • openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
    • Password
    • Plain Tokens
      • 需要 API Server 配置 --token-auth-file=SOMEFILE.csv
        • CSV token,user,uid,"group1,group2,group3"
      • Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
    • Bootstrap Tokens - v1.18+
      • Authorization: Bearer 781292.db7bc3a58fc5f07e
    • Service Account
      • kubectl create serviceaccount jenkins
    • OIDC - 需要配置 API Server
      1. kubectl config set-credentials --auth-provider=oidc
      2. kubectl --token=
  • 支持多种方式,按顺序尝试,直到成功
  • 错误返回 401
  • 用户分为 Kubernetes 管理的服务账号 和 一般用户
  • dex 可以作为 auth broker

X509 Client Certs#

# List CSRkubectl get csr# Approve/Deny CSRkubectl certificate approve myuserkubectl certificate deny myuser
# CSRkubectl get csr/myuser -o yaml
kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt
# RBkubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=podskubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
# kubeconfigkubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=truekubectl config set-context myuser --cluster=kubernetes --user=myuserkubectl config use-context myuser
# username: wener groups: infra, devopenssl req -new -key wener.pem -out wener-csr.pem -subj "/CN=wener/O=infra/O=dev"

创建 CSR

apiVersion: certificates.k8s.io/v1kind: CertificateSigningRequestmetadata:  name: myuserspec:  request: <csr-base64> # cat myuser.csr | base64 | tr -d "\n" 或 {{file john.csr | b64enc}}  signerName: kubernetes.io/kube-apiserver-client  expirationSeconds: 86400 # one day  usages:    - client auth

操作 CSR 需要的权限

apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: csr-creator # 创建rules:  - apiGroups:      - certificates.k8s.io    resources:      - certificatesigningrequests    verbs:      - create      - get      - list      - watch---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: csr-approver # 同意rules:  - apiGroups:      - certificates.k8s.io    resources:      - certificatesigningrequests    verbs:      - get      - list      - watch  - apiGroups:      - certificates.k8s.io    resources:      - certificatesigningrequests/approval    verbs:      - update  - apiGroups:      - certificates.k8s.io    resources:      - signers    resourceNames:      - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain    verbs:      - approve
---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: csr-signer # 允许对 CSR 签名rules:  - apiGroups:      - certificates.k8s.io    resources:      - certificatesigningrequests    verbs:      - get      - list      - watch  - apiGroups:      - certificates.k8s.io    resources:      - certificatesigningrequests/status    verbs:      - update  - apiGroups:      - certificates.k8s.io    resources:      - signers    resourceNames:      - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain    verbs:      - sign

signer#

  • kubernetes.io/kube-apiserver-client
  • kubernetes.io/kube-apiserver-client-kubelet
  • kubernetes.io/kubelet-serving
  • kubernetes.io/legacy-unknown

Authorization#

  • 请求包含请求者的用户名、动作、影响对象
  • 错误返回 403
  • 支持模块
    • ABAC
    • RBAC
    • Webhook

策略

{  "apiVersion": "abac.authorization.kubernetes.io/v1beta1",  "kind": "Policy",  "spec": {    "user": "bob",    "namespace": "projectCaribou",    "resource": "pods",    "readonly": true  }}

请求审核

{  "apiVersion": "authorization.k8s.io/v1beta1",  "kind": "SubjectAccessReview",  "spec": {    "resourceAttributes": {      "namespace": "projectCaribou",      "verb": "get",      "group": "unicorn.example.org",      "resource": "pods"    }  }}

Admission Control#

  • 用于修改或驳回请求
  • 用于 create, modify, delete, connect (proxy) 对象时
  • 不影响读取
  • 多个访问控制按顺序判断
  • 有一个驳回则马上驳回
  • 可设置复杂的字段