RBAC access control for User accounts and ServiceAccounts
preface:
ServiceAccount and User account authentication were introduced and set up earlier, but the final test showed that the User account had no access rights: the apiserver accepted the credential, but nothing authorized that identity to do anything. This section describes RBAC authorization for ServiceAccount and User account identities.
- What is RBAC?
RBAC is Role-Based Access Control. In RBAC, permissions are attached to roles, and users obtain those permissions by being bound to the appropriate roles. This greatly simplifies permission management: permissions are granted to roles and roles are granted to users, so the design is hierarchical, easy to read and easy to audit.
- Role
Role: namespace-scoped; grants access to resources inside one specific namespace.
ClusterRole: cluster-scoped; can grant access to namespaced resources across all namespaces, to cluster-scoped resources such as nodes and persistentvolumes, and to non-resource URLs (for example /healthz). Which of these a subject actually receives depends on the kind of binding used (see below).
- Role binding
RoleBinding: binds a role to principals (subjects). The subject obtains the role's permissions only within the namespace the RoleBinding lives in; the scope of action is limited to that namespace.
ClusterRoleBinding: binds a ClusterRole to principals. The subject is granted the ClusterRole's permissions at cluster level, so the scope of action is the whole cluster (all namespaces plus cluster-scoped resources).
- subject
User: user
Group: user group
ServiceAccount: service account
- Binding correspondence
Subject --> RoleBinding --> Role            # the principal obtains the Role's permissions within the binding's namespace
Subject --> ClusterRoleBinding --> ClusterRole   # the principal obtains the ClusterRole's permissions at cluster level
Subject --> RoleBinding --> ClusterRole     # permission demotion: the principal obtains the ClusterRole's permissions, but only within the binding's namespace
A ClusterRoleBinding cannot reference a Role, and a RoleBinding can only reference a Role in its own namespace (or any ClusterRole).
- Parameters in rules:
1. apiGroups: list of API groups the rule covers. The core group is written as "" (pods, services, configmaps); deployments live in "apps" and jobs in "batch", i.e. the part of apiVersion before the "/" (apiVersion: batch/v1 -> apiGroup "batch")
2. resources: list of resource types, such as pods, deployments, jobs; a subresource is named separately, e.g. pods/log
3. resourceNames: restricts the rule to objects with the given names (as the kube-proxy Role below does for its configmap)
4. verbs: list of operations allowed on the resources (get, list, watch, create, update, patch, delete, deletecollection, or "*" for all)
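To make the three binding chains and the rule parameters concrete, here is a small Python model of the RBAC lookup, added to this section as an example; it is not code from the original post and not the apiserver's own implementation. It replays this page's objects: the pods-reader Role and tom's RoleBinding from Example 1, the RoleBinding to ClusterRole admin in longhorn-system from Example 4, and the built-in cluster-admin binding to the system:masters group. The admin ClusterRole is reduced to a constructed subset of its real rules, and the user "alice" is a made-up holder of a system:masters certificate.

```python
from dataclasses import dataclass, field

CORE = ""  # the core API group (pods, services, nodes, ...) is spelled as the empty string


def rule_allows(rule, api_group, resource, name, verb):
    """A PolicyRule matches only when apiGroups, resources, resourceNames and verbs all match."""
    def hit(values, want):
        return "*" in values or want in values          # "*" matches anything
    if not hit(rule.get("apiGroups", []), api_group):
        return False
    if not hit(rule.get("resources", []), resource):    # subresources (pods/log) are listed explicitly
        return False
    names = rule.get("resourceNames")
    if names and name not in names:                     # resourceNames pins the rule to named objects
        return False
    return hit(rule.get("verbs", []), verb)


def subject_matches(subject, username, groups):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == username
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":   # a SA authenticates as system:serviceaccount:<namespace>:<name>
        return username == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


@dataclass
class Cluster:
    roles: dict = field(default_factory=dict)           # (namespace, name) -> rules
    cluster_roles: dict = field(default_factory=dict)   # name -> rules
    role_bindings: list = field(default_factory=list)   # each carries its namespace
    cluster_role_bindings: list = field(default_factory=list)


def can(cluster, username, groups, verb, resource, api_group=CORE, namespace=None, name=""):
    """Emulate the RBAC authorizer: any binding whose subject matches and whose role holds a
    matching rule allows the request; otherwise the apiserver answers Forbidden."""
    # Subject --> ClusterRoleBinding --> ClusterRole: valid at cluster scope and in every namespace
    for b in cluster.cluster_role_bindings:
        if b["roleRef"]["kind"] != "ClusterRole":
            continue                                    # a ClusterRoleBinding cannot reference a Role
        if any(subject_matches(s, username, groups) for s in b.get("subjects", [])):
            rules = cluster.cluster_roles.get(b["roleRef"]["name"], [])
            if any(rule_allows(r, api_group, resource, name, verb) for r in rules):
                return True
    if namespace is None:
        return False  # cluster-scoped resources (nodes, persistentvolumes) are never reachable via a RoleBinding
    # Subject --> RoleBinding --> Role, or --> ClusterRole (demoted to the binding's namespace)
    for b in cluster.role_bindings:
        if b["namespace"] != namespace:
            continue
        if not any(subject_matches(s, username, groups) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":
            rules = cluster.cluster_roles.get(ref["name"], [])
        else:                                           # a Role must live in the binding's own namespace
            rules = cluster.roles.get((namespace, ref["name"]), [])
        if any(rule_allows(r, api_group, resource, name, verb) for r in rules):
            return True
    return False


def page_scenario():
    """Example 1 (Role pods-reader + RoleBinding in default) and Example 4 (RoleBinding in
    longhorn-system to ClusterRole admin) combined, plus the built-in cluster-admin binding."""
    c = Cluster()
    c.cluster_roles["admin"] = [    # constructed subset of the built-in admin ClusterRole
        {"apiGroups": [CORE], "resources": ["pods", "pods/log", "services", "configmaps"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ]
    c.cluster_roles["cluster-admin"] = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    c.cluster_role_bindings.append({"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                                    "subjects": [{"kind": "Group", "name": "system:masters"}]})
    c.roles[("default", "pods-reader")] = [
        {"apiGroups": [CORE], "resources": ["pods", "services", "pods/log"], "verbs": ["get", "list", "watch"]}]
    c.role_bindings.append({"namespace": "default", "roleRef": {"kind": "Role", "name": "pods-reader"},
                            "subjects": [{"kind": "User", "name": "tom"}]})
    c.role_bindings.append({"namespace": "longhorn-system", "roleRef": {"kind": "ClusterRole", "name": "admin"},
                            "subjects": [{"kind": "User", "name": "tom"}]})
    return c


if __name__ == "__main__":
    c = page_scenario()
    for label, ok in [
        ("tom list pods in default", can(c, "tom", [], "list", "pods", namespace="default")),
        ("tom list deployments in default", can(c, "tom", [], "list", "deployments", "apps", "default")),
        ("tom list nodes at cluster scope", can(c, "tom", [], "list", "nodes")),
        ("tom list deployments in longhorn-system", can(c, "tom", [], "list", "deployments", "apps", "longhorn-system")),
        ("tom list pods in kube-system", can(c, "tom", [], "list", "pods", namespace="kube-system")),
        ("O=system:masters cert list nodes", can(c, "alice", ["system:masters"], "list", "nodes")),
    ]:
        print("allowed  " if ok else "Forbidden", label)
```

The model makes explicit what the Forbidden messages later on this page only hint at: a RoleBinding is consulted only for requests in its own namespace, so it can never grant nodes or persistentvolumes no matter which ClusterRole it references, while a ClusterRoleBinding is consulted for every request, which is why binding ClusterRole admin cluster-wide opens every namespace at once. On a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=tom`.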
- RBAC uses the rbac.authorization.k8s.io API group to make authorization decisions, which lets administrators configure policy dynamically through the Kubernetes API. To enable RBAC, kube-apiserver must be started with --authorization-mode=RBAC (usually combined as Node,RBAC). Clusters installed with kubeadm have it enabled by default; this can be checked in the static Pod definition of the apiserver on the master node:
```
[root@k8s-master usercerts]# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.4.170
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC    # RBAC role-based access control is enabled by default
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    ...
```
- View the roles in the kube-system namespace
```
[root@k8s-master ~]# kubectl get role -n kube-system
NAME                                             CREATED AT
extension-apiserver-authentication-reader        2021-06-28T17:43:31Z
kube-proxy                                       2021-06-28T17:43:33Z
kubeadm:kubelet-config-1.19                      2021-06-28T17:43:31Z
kubeadm:nodes-kubeadm-config                     2021-06-28T17:43:31Z
system::leader-locking-kube-controller-manager   2021-06-28T17:43:31Z
system::leader-locking-kube-scheduler            2021-06-28T17:43:31Z
system:controller:bootstrap-signer               2021-06-28T17:43:31Z
system:controller:cloud-provider                 2021-06-28T17:43:31Z
system:controller:token-cleaner                  2021-06-28T17:43:31Z
[root@k8s-master ~]# kubectl get role kube-proxy -n kube-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-28T17:43:33Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kubeadm
    operation: Update
    time: "2021-06-28T17:43:33Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "195"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/kube-proxy
  uid: a5404b1f-90f0-447f-b104-86fcbdd388e0
rules:                    # Role rule details
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy            # only the configmap named kube-proxy, not every configmap
  resources:
  - configmaps
  verbs:                  # actions that can be performed
  - get
```
- Role binding
- RoleBinding
```
[root@k8s-master ~]# kubectl explain rolebinding
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1
...
   roleRef      <Object> -required-
     RoleRef can reference a Role in the current namespace or a ClusterRole in
     the global namespace. If the RoleRef cannot be resolved, the Authorizer
     must return an error.

   subjects     <[]Object>
     Subjects holds references to the objects the role applies to.
```
Example 1: create a Role and a RoleBinding whose scope is a single namespace
```
[root@k8s-master authfiles]# cat pods-reader-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""]                            # "" is the core API group
  resources: ["pods","services","pods/log"]  # resources; pods/log is a subresource and must be listed explicitly
  verbs: ["get","list","watch"]              # allowed verbs (read-only)
[root@k8s-master authfiles]# cat tom-pods-reader.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tom-pods-reader
  namespace: default
subjects:
- kind: User
  name: tom                                  # user name to bind, i.e. the CN of tom's client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pods-reader                          # the Role created above
  apiGroup: rbac.authorization.k8s.io
[root@k8s-master authfiles]# kubectl apply -f pods-reader-rbac.yaml
[root@k8s-master authfiles]# kubectl apply -f tom-pods-reader.yaml
[root@k8s-master authfiles]# kubectl get role
NAME          CREATED AT
pods-reader   2021-08-24T07:33:54Z
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   15m
```
- Use the tom user to verify the pod and svc permissions
```
[root@k8s-master authfiles]# kubectl config get-contexts --kubeconfig=/tmp/mykubeconfig   # view the current user
CURRENT   NAME             CLUSTER      AUTHINFO   NAMESPACE
*         tom@kubernetes   kubernetes   tom
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-bnnw6   1/1     Running   0          7m8s
[root@k8s-master authfiles]# kubectl get svc --kubeconfig=/tmp/mykubeconfig
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
demoapp       ClusterIP   10.97.26.1     <none>        80/TCP     10d
demoapp-svc   ClusterIP   10.99.170.77   <none>        80/TCP     10d
demodb        ClusterIP   None           <none>        9907/TCP   5d22h
kubernetes    ClusterIP   10.96.0.1      <none>        443/TCP    10d
```
- Verification fails for deployments and nodes, which the Role does not authorize: deployments live in the apps API group, which pods-reader does not list, and nodes are cluster-scoped, which a RoleBinding can never grant
```
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
```
Built-in administrator roles
- Namespace administrator: admin
- The ClusterRole admin grants read/write access to most namespaced resources. Bound with a ClusterRoleBinding it applies in every namespace; bound with a RoleBinding it applies only in that namespace. It does not cover cluster-scoped resources such as nodes or persistentvolumes.
- Cluster administrator: cluster-admin
- The ClusterRole cluster-admin grants every operation on every resource in the cluster, namespaced and cluster-scoped alike (its rule is apiGroups: ["*"], resources: ["*"], verbs: ["*"]). Bound with a RoleBinding it gives full control of that one namespace only.
- The RoleBinding created earlier only grants certain permissions in the default namespace
```
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "longhorn-system"
```
- The ClusterRole admin covers resources in every namespace
```
[root@k8s-master authfiles]# kubectl get clusterrole admin
NAME    CREATED AT
admin   2021-06-28T17:43:30Z
[root@k8s-master authfiles]# kubectl get clusterrole admin -o yaml
```
- Delete the Role and RoleBinding (tom immediately loses access) before rebinding tom to the ClusterRole admin
```
[root@k8s-master authfiles]# kubectl get rolebinding
NAME              ROLE               AGE
tom-pods-reader   Role/pods-reader   35m
[root@k8s-master authfiles]# kubectl delete Role/pods-reader
role.rbac.authorization.k8s.io "pods-reader" deleted
[root@k8s-master authfiles]# kubectl delete rolebinding/tom-pods-reader
rolebinding.rbac.authorization.k8s.io "tom-pods-reader" deleted
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
```
Example 2: bind the ClusterRole admin with a ClusterRoleBinding and verify the permissions; the scope is namespaced resources in every namespace
```
[root@k8s-master authfiles]# kubectl create --help
...
Available Commands:
  clusterrole          Create a ClusterRole.
  clusterrolebinding   Create a ClusterRoleBinding for a particular ClusterRole
  configmap            Create a configmap from a local file, directory or literal value
  cronjob              Create a cronjob with the specified name.
  deployment           Create a deployment with the specified name.
  job                  Create a job with the specified name.
  namespace            Create a namespace with the specified name
  poddisruptionbudget  Create a pod disruption budget with the specified name.
  priorityclass        Create a priorityclass with the specified name.
  quota                Create a quota with the specified name.
  role                 Create a role with single rule.
  rolebinding          Create a RoleBinding for a particular Role or ClusterRole
  secret               Create a secret using specified subcommand
  service              Create a service using specified subcommand.
  serviceaccount       Create a service account with the specified name
```
- The subject can be given as --user, --group or --serviceaccount respectively
```
[root@k8s-master authfiles]# kubectl create clusterrolebinding --help
Create a ClusterRoleBinding for a particular ClusterRole.
....
Usage:
  kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
```
- Bind and verify the permissions
```
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-admin --user=tom --clusterrole=admin
clusterrolebinding.rbac.authorization.k8s.io/tom-admin created
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME                               READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g      1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p      1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg      1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh   1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687   1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4   1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w        1/1     Running   8          19d
......
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-f9fd979d6-l9zck              1/1     Running   16         56d
coredns-f9fd979d6-s8fp5              1/1     Running   15         56d
etcd-k8s-master                      1/1     Running   12         56d
kube-apiserver-k8s-master            1/1     Running   16         56d
kube-controller-manager-k8s-master   1/1     Running   39         56d
kube-flannel-ds-6sppx                1/1     Running   1          6d22h
kube-flannel-ds-j5g9s                1/1     Running   3          6d22h
kube-flannel-ds-nfz77                1/1     Running   1          6d22h
kube-flannel-ds-sqhq2                1/1     Running   1          6d22h
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
centos-deployment   1/1     1            1           6d22h
```
- node (like persistentvolume) is a cluster-scoped resource, which the ClusterRole admin does not cover
```
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): persistentvolumes is forbidden: User "tom" cannot list resource "persistentvolumes" in API group "" at the cluster scope
```
Example 3: bind cluster-admin and verify that the permission scope now includes cluster-scoped resources
```
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-admin" deleted
[root@k8s-master authfiles]# kubectl create clusterrolebinding tom-cluste-admin --user=tom --clusterrole=cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/tom-cluste-admin created
[root@k8s-master authfiles]# kubectl get pv --kubeconfig=/tmp/mykubeconfig
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                   STORAGECLASS   REASON   AGE
pv-nfs-demo002                             10Gi       RWX            Retain           Available                                                   21d
pv-nfs-demo003                             1Gi        RWO            Retain           Available                                                   21d
pvc-33e9acff-afd9-417e-bbfb-293cb6305fb1   1Gi        RWX            Retain           Bound       default/data-demodb-1   longhorn                5d23h
pvc-c5a0bfaa-6948-4814-886f-8bf079b00dd1   1Gi        RWX            Retain           Bound       default/data-demodb-0   longhorn                5d23h
[root@k8s-master authfiles]# kubectl get node --kubeconfig=/tmp/mykubeconfig
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   20d   v1.19.9
```
- Note that cluster-admin is granted to the system:masters group through the built-in cluster-admin ClusterRoleBinding. Any client certificate signed by the cluster CA with subject /CN=XX/O=system:masters therefore authenticates as a member of that group and is a super administrator, regardless of what other bindings exist. The apiserver does not check certificate revocation lists, so such a certificate stays valid until it expires or the CA is rotated; it should not be issued as an ordinary user credential
```
[root@k8s-master authfiles]# kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters             # every member of the system:masters group gets super administrator privileges through this binding
```
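The describe output above answers the question for one binding; on a real cluster the same question has to be asked for every ClusterRoleBinding. The Python audit below is added here as an example (not code from the original post) and extends the check: it resolves each ClusterRoleBinding to its ClusterRole and flags subjects bound to cluster-admin, to any ClusterRole carrying a wildcard */*/* rule, or to a role that grants the escalation verbs escalate, bind or impersonate on the resources where they matter. The input shape is that of `kubectl get clusterroles,clusterrolebindings -o json` (a List whose items carry kind, metadata, rules, roleRef and subjects); the items embedded in SAMPLE are constructed test data, with the admin ClusterRole reduced to one rule, and the wide-open, ci-deployer and debug objects invented for the demo.

```python
import json
import sys

# Verb/resource pairs that let a subject grant itself more than it already has
# (constructed table for the three RBAC escalation verbs).
ESCALATION = {
    "escalate": ("rbac.authorization.k8s.io", {"roles", "clusterroles"}),
    "bind": ("rbac.authorization.k8s.io", {"rolebindings", "clusterrolebindings"}),
    "impersonate": ("", {"users", "groups", "serviceaccounts"}),
}


def is_wildcard(rules):
    """cluster-admin style: "*" in apiGroups, resources and verbs of a single rule."""
    return any("*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
               and "*" in r.get("verbs", []) for r in rules)


def escalation_paths(rules):
    """Escalation verbs the rules grant on the resources where they are dangerous."""
    found = set()
    for r in rules:
        groups, resources, verbs = (set(r.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        for verb, (group, targets) in ESCALATION.items():
            if {verb, "*"} & verbs and {group, "*"} & groups and ("*" in resources or targets & resources):
                found.add(verb)
    return found


def subject_id(s):
    if s["kind"] == "ServiceAccount":   # SA subjects carry a namespace, User/Group subjects do not
        return f"ServiceAccount {s.get('namespace', '?')}/{s['name']}"
    return f"{s['kind']} {s['name']}"


def find_superusers(items):
    """Map each over-privileged subject to the ClusterRoleBindings that make it so."""
    roles = {i["metadata"]["name"]: i.get("rules", []) for i in items if i["kind"] == "ClusterRole"}
    findings = {}
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        bname, role = b["metadata"]["name"], b["roleRef"]["name"]
        rules = roles.get(role, [])
        if role == "cluster-admin" or is_wildcard(rules):
            reason = f"{bname} -> {role} (full cluster access)"
        elif escalation_paths(rules):
            reason = f"{bname} -> {role} grants {', '.join(sorted(escalation_paths(rules)))}"
        else:
            continue
        for s in b.get("subjects", []):
            findings.setdefault(subject_id(s), []).append(reason)
    return findings


def _cr(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}


def _crb(name, role, *subjects):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": list(subjects)}


# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = {"kind": "List", "items": [
    _cr("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _cr("admin", [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["*"]}]),  # reduced
    _cr("wide-open", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _cr("ci-deployer", [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"],
                         "verbs": ["create", "bind"]}]),
    _crb("cluster-admin", "cluster-admin", {"kind": "Group", "name": "system:masters"}),
    _crb("tom-cluste-admin", "cluster-admin", {"kind": "User", "name": "tom"}),
    _crb("tom-admin", "admin", {"kind": "User", "name": "tom"}),
    _crb("debug-anything", "wide-open", {"kind": "ServiceAccount", "namespace": "default", "name": "debug"}),
    _crb("ci", "ci-deployer", {"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}),
]}


def main():
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for subject, reasons in sorted(find_superusers(data["items"]).items()):
        print(subject)
        for reason in reasons:
            print("    ", reason)


if __name__ == "__main__":
    main()
```

Run it against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json | python3 rbac_audit.py`. Two limits worth knowing: a RoleBinding to cluster-admin or admin inside a namespace is not a cluster-wide finding and is deliberately left out, and a subject that authenticates with an O=system:masters certificate appears here only as the group, because the apiserver never sees a list of who holds such certificates.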
Example 4: RoleBinding to the ClusterRole admin (permission degradation)
- As mentioned earlier:
User --> RoleBinding --> ClusterRole: permission degradation. The user obtains only the subset of the ClusterRole's permissions that applies inside the namespace the RoleBinding belongs to.
- Delete the previous binding
```
[root@k8s-master authfiles]# kubectl delete clusterrolebinding tom-cluste-admin
clusterrolebinding.rbac.authorization.k8s.io "tom-cluste-admin" deleted
```
- Create a RoleBinding that references the ClusterRole: the permissions are demoted to the specified namespace only
```
[root@k8s-master authfiles]# kubectl create rolebinding tom-admin --user=tom -n longhorn-system --clusterrole=admin
rolebinding.rbac.authorization.k8s.io/tom-admin created
```
- Test: the permission scope should be only the longhorn-system namespace
```
[root@k8s-master authfiles]# kubectl get pod -n kube-system --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@k8s-master authfiles]# kubectl get pod --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
[root@k8s-master authfiles]# kubectl get deployment --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): deployments.apps is forbidden: User "tom" cannot list resource "deployments" in API group "apps" in the namespace "default"
[root@k8s-master authfiles]# kubectl get pod -n longhorn-system --kubeconfig=/tmp/mykubeconfig
NAME                               READY   STATUS    RESTARTS   AGE
csi-attacher-54c7586574-bh88g      1/1     Running   5          7d
csi-attacher-54c7586574-fvv4p      1/1     Running   7          19d
csi-attacher-54c7586574-zkzrg      1/1     Running   10         19d
csi-provisioner-5ff5bd6b88-9tqnh   1/1     Running   5          7d
csi-provisioner-5ff5bd6b88-bs687   1/1     Running   8          19d
csi-provisioner-5ff5bd6b88-qkzt4   1/1     Running   12         19d
csi-resizer-7699cdfc4-4w49w        1/1     Running   8          19d
csi-resizer-7699cdfc4-f5jph        1/1     Running   6          7d
csi-resizer-7699cdfc4-l2j49        1/1     Running   9          19d
...
```