kubernetes(k8s) note authentication, authorization and admission control RBAC access control

RBAC access control Users Accounts

preface:

ServiceAccount and Users Account authentication have been introduced and created earlier, but the final test found that Users Account does not have access rights. This section describes RBAC authorization for ServiceAccount and Users Account authentication

  • What is RBAC?
    RBAC is Role-Based Access Control. In RBAC, permissions are associated with roles. Users get the permissions of these roles by becoming members of appropriate roles. This greatly simplifies the management of permissions. In this way, the management is hierarchical and interdependent. Permissions are given to roles and roles are given to users. This permission design is very clear and easy to manage.
  • role
    Role: role, namespace level; Grant access to a specific namespace
    ClusterRole: cluster role, global level; Grant access to all namespaces
  • Role binding
    Role binding: binding roles to principals (i.e. subject s), which means that users only get the permissions of roles under a specific namespace, and the scope of action is limited to that namespace;
    ClusterRoleBinding: bind the cluster role to the principal and let the user play the specified cluster role; This means that the user is granted cluster level permissions, and the scope of action is also cluster level;
      
  • subject
    User: user
    Group: user group
    ServiceAccount: service account
  • Binding correspondence
    Subject -- > rolebinding -- > the Role # principal obtains the permission of the Role under the namespace
    Subject -- > clusterrolebinding -- > clusterRoles # principal obtains cluster level clusterRoles permission
    Subject -- > rolebindig -- > clusterrole # permission demote the principal to obtain the permission of clusterRoles under the namespace
  • Parameter description in rules:
    1. apiGroups: list of supported API groups, such as "apiVersion: batch/v1"
    2. resources: list of supported resource objects, such as pods, displays, jobs, etc
    3. resourceNames: Specifies the name of the resource
    3. verbs: list of operation methods on resource objects.

  • RBAC uses rbac.authorization.k8s.io API Group to implement authorization decisions, allowing administrators to dynamically configure policies through Kubernetes API. To enable RBAC, you need to add the parameter -- authorization mode = RBAC in apiserver. If the clusters installed with kubedm are all enabled by default, you can view the static Pod definition file of apiserver on the Master node:
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
 ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC   #BRAC role-based access control is supported by default
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
...
  • View role details under Kube system namespace
[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z

[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:   #Role rule details
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps
  verbs:   #Actions that can be performed
  - get
  • role binding
  • RoleBinding role binding
[root@k8s-master ~]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
   roleRef    <Object> -required-
     RoleRef can reference a Role in the current namespace or a ClusterRole in
     the global namespace. If the RoleRef cannot be resolved, the Authorizer
     must return an error.

   subjects    <[]Object>
     Subjects holds references to the objects the role applies to.

Example 1: create role binding scope as namespace

[root@k8s-master authfiles]# cat pods-reader-rbac.yaml 
kind : Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]  #Empty indicates the default group
  resources: ["pods","services","pods/log"]  #Object resource
  verbs: ["get","list","watch"]  #jurisdiction

[root@k8s-master authfiles]# cat tom-pods-reader.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom   #Bound user name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader  #Roles before binding
  apiGroup: rbac.authorization.k8s.io
  
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml 
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml 

[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m
  • Use the tom user to verify the permissions pod and svc
[root@k8s-master authfiles]# kubectl config get-contexts   --kubeconfig=/tmp/mykubeconfig  #View current user
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom 

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d
  • Failed to verify that the deployment and nodes permissions are not authorized
[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get nodes  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

Built in administrator admin

  • Namespace administrator admin
  • clusterrole admin namespace level resources have all operation permissions for resources under all namespaces
  • Cluster Administrator cluster admin
  • Clusterrole cluster admin cluster level resources have all operation permissions for all empty resources in the cluster
  • The previously bound rolebinding only has certain permissions on the default namespace
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
  • clusterrole admin has permissions on resources under all namespaces
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
  • Delete the binding and rebind to clusterrole admin
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m

[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted

[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted

[root@k8s-master authfiles]# kubectl get pod  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

Example 2: bind admin and verify permissions. The scope is namespace

[root@k8s-master authfiles]# kubectl create --help  
...
Available Commands:
  clusterrole         Create a ClusterRole.
  clusterrolebinding  Create a ClusterRoleBinding for a particular ClusterRole
  configmap           Create a configmap from a local file, directory or literal value
  cronjob             Create a cronjob with the specified name.
  deployment          Create a deployment with the specified name.
  job                 Create a job with the specified name.
  namespace           Create a namespace with the specified name
  poddisruptionbudget Create a pod disruption budget with the specified name.
  priorityclass       Create a priorityclass with the specified name.
  quota               Create a quota with the specified name.
  role                Create a role with single rule.
  rolebinding         Create a RoleBinding for a particular Role or ClusterRole
  secret              Create a secret using specified subcommand
  service             Create a service using specified subcommand.
  serviceaccount      Create a service account with the specified name
  • You can authorize -- user, -- group, -- serviceaccount respectively
[root@k8s-master authfiles]# kubectl create clusterrolebinding  --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:  
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
  • Bind and verify permissions
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom  --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
......

[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h

[root@k8s-master authfiles]# kubectl get deployment   --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h
  • node is a cluster level resource without permission
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope

Example 3: bind cluster admin and verify that the permission scope is cluster level resources

[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted

[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom  --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv  --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                   21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                   21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node  --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9
  • It should be noted that cluster admin is authorized through the system:masters group. If we create a user certificate, / CN=XX/O=system:masters; Then this user has the authority of super administrator
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters   #Authorize all system:masters to have super administrator privileges through the group

Example 4: rolebinding binding admin permission degradation

  • As mentioned earlier
    User -- > rolebindig -- > clusterrole: permission degradation,
    ClusterRole: the permissions obtained by the user are only a subset of the permissions of ClusterRole in the namespace to which Rolebinding belongs;
  • Delete previous binding
[root@k8s-master authfiles]# kubectl delete  clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
  • Create a role binding cluster. Role permission degradation only has permission for the specified namespace
[root@k8s-master authfiles]# kubectl create  rolebinding tom-admin --user=tom  -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
  • The scope of test permission should be Longhorn system namespace
[root@k8s-master authfiles]# kubectl get pod -n kube-system  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"

[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

[root@k8s-master authfiles]# kubectl get deployment  --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"

[root@k8s-master authfiles]# kubectl get pod -n longhorn-system  --kubeconfig=/tmp/mykubeconfig
NAME                                        READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g               1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p               1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg               1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh            1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687            1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4            1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w                 1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph                 1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49                 1/1     Running   9          19d
...

Tags: Operation & Maintenance Kubernetes Container

Posted on Fri, 03 Dec 2021 19:22:23 -0500 by nodehopper