kubernetes(k8s) note authentication, authorization and access control access control

admission control

1, What is K8S access control
After the resource is created and authenticated, Kube apiserver intercepts the data before writing it to etcd, and then changes the resource and determines its correctness.

LimitRange,ResourceQuota

Objective: to control the resource usage in a specific namespace, and finally realize the fair use and cost control of the cluster

  1. LimitRange: add default computing resource requirements and computing resource limits for Pod; And storage resource requirements and storage resource constraints;
    Supports restrictions at the container and Pod levels respectively;
    For example, specify the minimum and maximum amount of CPU and memory for each pod in the namespace
  2. ResourceQuota: limit the number of resources, limit the total amount of calculated resources, and limit the total amount of stored resources;
    For example, under the specified namespace, only the number of pods and SVCS can be created, and the minimum and maximum amount of all Pod CPUs and memory
  • The functions to be realized are as follows:
    Limit the consumption of computing resources of Pod in running state
    Limit the number of persistent storage volumes to control access to storage
    Limit the number of load balancers to control costs
    Prevent misuse of network ports
    Provide the default computing resource Requests to facilitate the system to make more optimized scheduling
  • The restrictions provided by a LimitRange object can:
    Implement minimum and maximum resource usage limits for each Pod or Container in a namespace.
    Implement the minimum and maximum storage space that each PersistentVolumeClaim can apply for in a namespace.
    Implement the control of the ratio of the request value and the limit value of a resource in a namespace.
    Set the default request / limit value for computing resources in a namespace, and automatically inject it into multiple containers at run time.

2, Enable LimitRang
Support for LimitRange is enabled by default since kubernetes version 1.10.
LimitRange support is also enabled by default in many Kubernetes distributions.
The name of LimitRange must be a legal DNS subdomain name.

3, Overview of limits
The administrator creates a LimitRange object in a namespace.
Users create resources such as Pod, Container and PersistentVolumeClaim in the namespace.
The LimitRange admission controller sets default and limit values for all pods and containers that do not have calculation resource requirements set, and tracks their usage to ensure that the minimum and maximum resource usage and usage ratio values in any LimitRange object existing in the namespace are not exceeded.
If the creation or update of resources (Pod, Container, PersistentVolumeClaim) violates the LimitRange constraint, the request to the API server will fail and return the HTTP status code 403 FORBIDDEN and a message describing which constraint is violated.
If the LimitRange in the namespace enables restrictions on cpu and memory, the user must specify the required and limited usage of these values. Otherwise, the system will reject the creation of Pod.
The verification of LimitRange is only carried out in the Pod admission stage, and the running Pod is not verified

Example 1: create a LimitRange admission control policy

  • Limit Pod, container, PVC and other resources
[root@k8s-master authfiles]# cat limitrange-demo.yaml 
apiVersion: v1
kind: LimitRange
metadata:
  name: core-resource-limits
  namespace: dev  #Namespace level resources take effect for the entire namespace
spec:
  limits:
  - type: Pod  #Limit Pod
    max:
      cpu: "4"  #The maximum CPU can not exceed 4 cores
      memory: "4Gi"  #Memory cannot exceed 4G
    min:
      cpu: "500m"  #The minimum CPU shall not be less than 500m
      memory: "16Mi"  #Memory cannot be less than 16M
  - type: Container  #Restrictions on containers
    max:
      cpu: "4"
      memory: "1Gi"
    min:
      cpu: "100m"
      memory: "4Mi"
    default:  #Upper threshold  #If there are no requests or limits in the container, the additional default value will be used
      cpu: "2"
      memory: "512Mi"
    defaultRequest:  #Lower threshold
      cpu: "500m" 
      memory: "64Mi"
    maxLimitRequestRatio:  #The upper threshold / lower threshold of the maximum limit request ratio can also be limited by multiples
      cpu: "4"
  - type: PersistentVolumeClaim  #Limit PV
    max:
      storage: "10Gi"
    min:
      storage: "1Gi"
    default:
      storage: "5Gi"
    defaultRequest:
      storage: "1Gi"
    maxLimitRequestRatio:  #Multiple can also be used as a limit without lower threshold
      storage: "5"
  • Create LimitRange policy
[root@k8s-master authfiles]# kubectl apply -f limitrange-demo.yaml 
limitrange/core-resource-limits created
[root@k8s-master authfiles]# kubectl get limitrange -n dev
NAME                   CREATED AT
core-resource-limits   2021-08-25T02:29:04Z
[root@k8s-master authfiles]# kubectl get pod -n dev
NAME                              READY   STATUS    RESTARTS   AGE
deployment-demo-fb544c5d8-4jvgh   1/1     Running   0          16h
deployment-demo-fb544c5d8-7fq8f   1/1     Running   0          16h
deployment-demo-fb544c5d8-hdsz4   1/1     Running   0          16h
deployment-demo-fb544c5d8-qq7mp   1/1     Running   0          16h

[root@k8s-master authfiles]# kubectl describe  limitrange core-resource-limits -n dev
Name:                  core-resource-limits
Namespace:             dev
Type                   Resource  Min   Max   Default Request  Default Limit  Max Limit/Request Ratio
----                   --------  ---   ---   ---------------  -------------  -----------------------
Pod                    cpu       500m  4     -                -              -
Pod                    memory    16Mi  4Gi   -                -              -
Container              memory    4Mi   1Gi   64Mi             512Mi          -
Container              cpu       100m  4     500m             2              4
PersistentVolumeClaim  storage   1Gi   10Gi  1Gi              5Gi            5
  • Verify that the test strategy is in effect
[root@k8s-master authfiles]# kubectl run testpod-$RANDOM --image="ikubernetes/demoapp:v1.0" -n dev
pod/testpod created

[root@k8s-master authfiles]# kubectl get pod -n dev
NAME            READY   STATUS              RESTARTS   AGE
testpod-1017    1/1     Running             0          93s

[root@k8s-master authfiles]# kubectl get pods testpod -n dev -o yaml
...
spec:
  containers:
  - image: kubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    name: testpod
    resources:  #Default value
      limits:
        cpu: "2"   #Maximum 2 cores
        memory: 512Mi
      requests:
        cpu: 500m #Minimum 500m
        memory: 64Mi
  • Failed to create Pod less than memory limit
[root@k8s-master authfiles]# kubectl run testpod-$RANDOM  --image="ikubernetes/demoapp:v1.0" -n dev  --limits='cpu=2,memory=1Gi' --requests='cpu=1,memory=8Mi'
Error from server (Forbidden): pods "testpod-10340" is forbidden: minimum memory usage per Pod is 16Mi, but request is 8388608

ResourceQuota

  • The ResourceQuota resource limits the computational resource requirements and the total amount of computational resource limits for all Pod objects in a non terminating state in the namespace.
  • CPU or requests.cpu: the total amount of requests related to CPU resources;
  • Memory or requests.memory: the total amount of requests related to memory resources;
  • Limits.cpu: total amount limit of CPU resource related restrictions;
  • limits.memory: total limit of memory resource related limits;
  • The concurcebuota resource also supports the quota for the total demand and limit of PVC storage resources in the local namespace. It can be defined from three categories: all PVC in the namespace, PVC belonging to a specific storage class and PVC based on local temporary storage.
  • requests.storage: total amount limit of all PVC storage requirements; Space constraints;
  • persistentvolumeclaims: total PVC quota that can be created; Quantity limit;
  • < storage class name >. Storageclass. Storage. K8s. IO / requests. Storage: the total amount limit of all PVC storage requirements available on a specific storage class;
  • < storage class name >. Storageclass. Storage. K8s. IO / persistentvolumeclaims: the total amount of PVC available on a specific storage class;
  • requests.ephemeral-storage: the total number of requests for local temporary storage resources that can be used by all pods;
  • limits.ephemeral-storage: the total limits of local temporary storage resources available to all pods.

Example 2: create a ResourceQuota admission control policy

[root@k8s-master authfiles]# cat resourcequota-demo.yaml 
apiVersion: v1
kind: ResourceQuota
metadata:
  name: resourcequota-demo
  namespace: dev
spec:
  hard :
    pods: "5"  #Total Pod
    count/services: "5"  #Total svc
    count/configmaps: "5"
    count/secrets: "5"
    count/cronjobs.batch: "2"
    requests.cpu: "2"  #Total threshold under cpu
    requests.memory: "4Gi"
    limits.cpu: "4"  #Total threshold on cpu
    limits.memory: "8Gi"
    count/deployments.apps: "2"
    count/statefulsets.apps: "2"
    persistentvolumeclaims: "6"
    requests.storage: "20Gi"
    longhorn.storageclass.storage.k8s.io/requests.storage: "20Gi"
    longhorn.storageclass.storage.k8s.io/persistentvolumeclaims: "6"

[root@k8s-master authfiles]# kubectl apply -f resourcequota-demo.yaml 
resourcequota/resourcequota-demo created
[root@k8s-master authfiles]# kubectl get ResourceQuota -n dev
NAME                 AGE   REQUEST                                                                                                                                                                                                                                                                                                                                                                                                    LIMIT
resourcequota-demo   33s   count/configmaps: 0/5, count/cronjobs.batch: 0/2, count/deployments.apps: 0/2, count/secrets: 3/5, count/services: 0/5, count/statefulsets.apps: 0/2, longhorn.storageclass.storage.k8s.io/persistentvolumeclaims: 0/6, longhorn.storageclass.storage.k8s.io/requests.storage: 0/20Gi, persistentvolumeclaims: 0/6, pods: 1/5, requests.cpu: 500m/2, requests.memory: 64Mi/4Gi, requests.storage: 0/20Gi   limits.cpu: 2/4, limits.memory: 512Mi/8Gi
  • Create a Pod that does not meet the standard to verify whether the test strategy is effective
[root@k8s-master authfiles]# kubectl describe resourcequota resourcequota-demo -n dev
Name:                                                        resourcequota-demo
Namespace:                                                   dev
Resource                                                     Used   Hard
--------                                                     ----   ----
count/configmaps                                             0      5
count/cronjobs.batch                                         0      2
count/deployments.apps                                       0      2
count/secrets                                                3      5
count/services                                               0      5
count/statefulsets.apps                                      0      2
limits.cpu                                                   2      4
limits.memory                                                512Mi  8Gi
longhorn.storageclass.storage.k8s.io/persistentvolumeclaims  0      6
longhorn.storageclass.storage.k8s.io/requests.storage        0      20Gi
persistentvolumeclaims                                       0      6
pods                                                         1      5
requests.cpu                                                 500m   2
requests.memory                                              64Mi   4Gi
requests.storage                                             0      20Gi


[root@k8s-master authfiles]# kubectl run testpod-$RANDOM --image="ikubernetes/demoapp:v1.0" -n dev
pod/testpod-10678 created

[root@k8s-master authfiles]# kubectl describe resourcequota resourcequota-demo -n dev
Name:                                                        resourcequota-demo
Namespace:                                                   dev
Resource                                                     Used   Hard
--------                                                     ----   ----
count/configmaps                                             0      5
count/cronjobs.batch                                         0      2
count/deployments.apps                                       0      2
count/secrets                                                3      5
count/services                                               0      5
count/statefulsets.apps                                      0      2
limits.cpu                                                   4      4   #Quota has been used up. Cannot create Pod at
limits.memory                                                1Gi    8Gi
longhorn.storageclass.storage.k8s.io/persistentvolumeclaims  0      6
longhorn.storageclass.storage.k8s.io/requests.storage        0      20Gi
persistentvolumeclaims                                       0      6
pods                                                         2      5
requests.cpu                                                 1      2
requests.memory                                              128Mi  4Gi
requests.storage                                             0      20Gi

[root@k8s-master authfiles]# kubectl run testpod-$RANDOM --image="ikubernetes/demoapp:v1.0" -n dev 
Error from server (Forbidden): pods "testpod-30200" is forbidden: exceeded quota: resourcequota-demo, requested: limits.cpu=2, used: limits.cpu=4, limited: limits.cpu=4
#Error reporting policy has taken effect

Tags: Operation & Maintenance Kubernetes Container

Posted on Fri, 03 Dec 2021 18:52:24 -0500 by PHPycho