Kubernetes RBAC (Role-Based Access Control)

Role-based access control

How does kubectl authenticate to the apiserver? If you are not authenticating with a serviceAccount token, the credentials have to be kept in a configuration file. Every component of a k8s cluster other than the apiserver itself (the controller-manager, for example) has to connect to the apiserver and be authenticated by it, so all of them count as apiserver clients, and kubectl is one of them. So that each component can connect to the correct cluster and present the correct account, certificate, private key and other authentication information, that information is saved in a file. This configuration file is called a kubeconfig: it is the client-side configuration, in the format the apiserver's authentication expects, that an apiserver client uses to connect. kubectl is such a client and has its own kubeconfig. You can print it with the kubectl config view command, and you will see that it is itself a standard k8s resource object.

kubectl config view


You can see that this configuration file is not limited to one k8s cluster. If you have several clusters and only one host acting as the client, a single kubectl can control all of them: the file first provides a list of clusters, so there can be several; for each cluster we may use several accounts (or admin for all of them), so several users are defined in advance; and then contexts are defined. A context pairs a user with a cluster, and so states which account is used to access which cluster.

Let's make a certificate and private key for another account that authenticates to the k8s apiserver, and see how it is generated.

  • First create a private key and use it to obtain a signed certificate. The user name and the certificate's subject must be identical, because the certificate holder's name, the subject (CN) of the certificate, is what the apiserver uses as the user account name.
  • First, we make the private key
cd /etc/kubernetes/pki/
ls
(umask 077; openssl genrsa -out wohaoshuai.key 2048)
ls


Next, we generate a certificate signing request from this private key (the CN is your user account name); it will be signed by our ca.crt

openssl req -new -key wohaoshuai.key -out wohaoshuai.csr -subj "/CN=wohaoshuai"


Once the request is ready, sign it with the cluster CA to obtain the certificate

openssl x509 -req -in wohaoshuai.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wohaoshuai.crt -days 365


Certificate lifetime is a known problem with clusters deployed by kubeadm: the certificates are valid for 1000 days, or three years, and it is troublesome once they expire.

Now the certificate is available, signed by our own CA. You can also inspect the certificate's contents


openssl x509 -in wohaoshuai.crt -text -noout


Next, we add this user account's credentials to the kubeconfig so they can be used to authenticate to the k8s cluster. Because the certificate was issued by that same cluster's CA, the apiserver will accept the certificate we created.

Next we create the user entry

  • wohaoshuai (the identifier of the user)
  • --embed-certs=true (embed the certificate and key contents in the kubeconfig instead of referencing the file paths)
kubectl config set-credentials wohaoshuai --client-certificate=/etc/kubernetes/pki/wohaoshuai.crt --client-key=/etc/kubernetes/pki/wohaoshuai.key --embed-certs=true


View the configuration

kubectl config view


Set a context so that wohaoshuai can also access the kubernetes cluster

kubectl config set-context wohaoshuai@kubernetes --cluster=kubernetes --user=wohaoshuai


View the configuration again

kubectl config view


Now switch to the wohaoshuai account; this account has no administrator rights

kubectl config use-context wohaoshuai@kubernetes


Try an operation (you can see that the account has no permission)

kubectl get pods


One step has been left out so far: setting up the cluster entry. Whether we generate a new configuration file or define a new cluster in the current one, the method is fairly simple. First specify the cluster name, then the CA certificate of the cluster. We need that CA certificate to verify the serving certificate the cluster's apiserver presents: without it there is no way to trust the server certificate, and only once it is set can the apiserver's authentication handshake complete. So the essentials are the cluster name, the access address of the cluster service, and the cluster's CA certificate, that is, the certificate of the authority that issued the apiserver's serving certificate, which is ca.crt in the current pki path. The simplest form is therefore: specify the server, specify the CA certificate, and embed it (--embed-certs=true).

First switch back to the default kubernetes-admin user


kubectl config set-cluster --help

Sets a cluster entry in kubeconfig.

Specifying a name that already exists will merge new fields on top of existing values for those fields.

Examples:
# Set only the server field on the e2e cluster entry without touching other values.
kubectl config set-cluster e2e --server=https://1.2.3.4

# Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt

# Disable cert checking for the dev cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true

Options:
--embed-certs=false: embed-certs for the cluster entry in kubeconfig

Usage:
kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

cd /etc/kubernetes/pki/ && ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-client.crt sa.key wohaoshuai.crt wohaoshuai.key
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.key sa.pub wohaoshuai.csr

Execute the command

kubectl config use-context kubernetes-admin@kubernetes


Now we set up a cluster entry in a new configuration file rather than the default one (so far everything has been saved to the default file). By default, kubectl loads its configuration from the config file in the .kube directory of the current user's home directory. To keep it somewhere else, use the --kubeconfig option.

kubectl config set-cluster mycluster --kubeconfig=/tmp/test.config --server="https://192.168.10.10:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
kubectl config view --kubeconfig=/tmp/test.config
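Putting the whole procedure together, here is an added example (not the post's own code) that mints the user certificate, checks that it chains to the cluster CA and carries the expected CN before it is used, and writes a standalone kubeconfig equivalent to the set-cluster / set-credentials / set-context steps with --embed-certs=true. It goes beyond the post in two places: an optional group is placed in the certificate's O field, which the apiserver maps to RBAC groups, and the CA is a constructed stand-in so the script runs offline; it assumes openssl and base64 are installed.

```shell
# Added example (not the post's code): mint a client cert for a kubeconfig user,
# verify it, then write a self-contained kubeconfig with embedded certs. Needs
# openssl and base64. The CA is constructed here so this runs offline; on a
# kubeadm cluster use /etc/kubernetes/pki/ca.crt and ca.key instead.
set -eu
WORK=${WORK:-$(mktemp -d)}
make_ca() {  # constructed stand-in for the cluster CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Same three steps as the post: key -> CSR whose CN is the user name -> CA-signed
# cert. An optional group goes into O=, which the apiserver maps to RBAC groups.
make_user_cert() {  # $1 = user name, $2 = group (optional)
  subj="/CN=$1"; [ -n "${2:-}" ] && subj="/O=$2$subj"
  (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/$1.key" -subj "$subj" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# The apiserver takes the user name from CN: check chain and subject before use.
cert_user() {  # prints the CN of the user's certificate
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p'
}
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
# What set-cluster/set-credentials/set-context --embed-certs=true produce: the
# files' base64 goes inline, so the kubeconfig works without the pki directory.
write_kubeconfig() {  # $1 = user, $2 = cluster, $3 = server URL, $4 = output path
  b64() { base64 "$1" | tr -d '\n'; }
  cat > "$4" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $2
  cluster:
    server: $3
    certificate-authority-data: $(b64 "$WORK/ca.crt")
users:
- name: $1
  user:
    client-certificate-data: $(b64 "$WORK/$1.crt")
    client-key-data: $(b64 "$WORK/$1.key")
contexts:
- name: $1@$2
  context: {cluster: $2, user: $1}
current-context: $1@$2
EOF
}
```

Run it as `make_ca; make_user_cert wohaoshuai; write_kubeconfig wohaoshuai kubernetes https://192.168.10.10:6443 /tmp/test.config` and inspect the result with `kubectl config view --kubeconfig=/tmp/test.config`.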


