Video source: Bilibili, "(2022 edition) The newest, most complete and most detailed Kubernetes (K8s) tutorial: from K8s installation to hands-on practice, all in one course"
These are the instructor's course contents and my lab notes, written up as I study and shared with everyone; they will be removed on any infringement claim. Thanks for your support!
Summary post: (2022 edition) One tutorial covering k8s from installation to hands-on practice | Summary, COCOgsta's blog - **** blog
Role Based Access Control (RBAC) is a method of regulating access to resources based on the roles of individual users within an enterprise.
[root@k8s-master-lb ~]# more /usr/lib/systemd/system/
[Unit]
Description=Kubernetes API Server
Documentation=/kubernetes/kubernetes
After=
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--v=2 \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--insecure-port=0 \
--advertise-address=192.168.1.107 \
--service-cluster-ip-range=10.96.0.0/12 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://192.168.1.107:2379,https://192.168.1.108:2379,https://192.168.1.109:2379 \
--etcd-cafile=/etc/etcd/ssl/ \
--etcd-certfile=/etc/etcd/ssl/ \
--etcd-keyfile=/etc/etcd/ssl/ \
--client-ca-file=/etc/kubernetes/pki/ \
--tls-cert-file=/etc/kubernetes/pki/ \
--tls-private-key-file=/etc/kubernetes/pki/ \
--kubelet-client-certificate=/etc/kubernetes/pki/ \
--kubelet-client-key=/etc/kubernetes/pki/ \
--service-account-key-file=/etc/kubernetes/pki/ \
--service-account-signing-key-file=/etc/kubernetes/pki/ \
--service-account-issuer= \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/etc/kubernetes/pki/ \
--proxy-client-cert-file=/etc/kubernetes/pki/ \
--proxy-client-key-file=/etc/kubernetes/pki/ \
--requestheader-allowed-names=aggregator \
--requestheader-extra-headers-prefix=X-Remote-Group \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=
[root@k8s-master-lb ~]#
Jenkins also uses role-based user permission management.
RBAC: four kinds of resources: Role, ClusterRole, RoleBinding, ClusterRoleBinding.
Role: a role, i.e. a set of permission rules. There are no deny rules; a rule can only add an allow (permissions are purely additive). Roles are namespace-isolated and apply only within their own namespace.
[root@k8s-master-lb ~]# kubectl get role -n ingress-nginx ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-08-20T04:59:54Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
      f:rules: {}
    manager: Go-http-client
    operation: Update
    time: "2022-08-20T04:59:54Z"
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "461437"
  uid: b46670cc-21ac-4e7d-88bb-0cb14d815baa
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader-nginx
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
[root@k8s-master-lb ~]#
ClusterRole: the difference from a Role is scope: a Role applies only within a namespace, whereas a ClusterRole applies to the whole cluster.
[root@k8s-master-lb ~]# kubectl get clusterrole view -oyaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-06-21T13:12:31Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:aggregationRule:
        .: {}
        f:clusterRoleSelectors: {}
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
        f:labels:
          .: {}
          f:kubernetes.io/bootstrapping: {}
          f:rbac.authorization.k8s.io/aggregate-to-edit: {}
    manager: kube-apiserver
    operation: Update
    time: "2022-06-21T13:12:31Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kube-controller-manager
    operation: Update
    time: "2022-06-21T13:16:31Z"
  name: view
  resourceVersion: "34722"
  uid: 709188e2-dc10-4fce-8c36-66caba981ed5
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
[root@k8s-master-lb ~]#
RoleBinding: applies within a namespace; it binds a ClusterRole or a Role to a User, a Group or a ServiceAccount.
[root@k8s-master-lb ~]# kubectl get rolebinding ingress-nginx -n ingress-nginx -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-08-20T04:59:54Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Go-http-client
    operation: Update
    time: "2022-08-20T04:59:54Z"
  name: ingress-nginx
  namespace: ingress-nginx
  resourceVersion: "461438"
  uid: 1633ad2d-b46b-4212-ab8d-1c19a7ec35ca
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
[root@k8s-master-lb ~]#
ClusterRoleBinding: applies to the whole cluster.
[root@k8s-master-lb ~]# kubectl get clusterrolebinding admin-user -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-06-22T06:25:56Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kubectl-create
    operation: Update
    time: "2022-06-22T06:25:56Z"
  name: admin-user
  resourceVersion: "35909"
  uid: d4e47393-e698-4405-9bb1-823a6814f7dd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
[root@k8s-master-lb ~]#
Subject kinds: ServiceAccount, User, Group.
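As an added illustration (not code from the course or this page), a small Python model of how the four objects above combine when the API server decides a request: a Role's rules are allow-only, a RoleBinding confines them to its own namespace, a ClusterRoleBinding applies everywhere, and resourceNames narrows a rule to named objects. The rules are a constructed subset of the ingress-nginx Role and the admin-user ClusterRoleBinding shown above; the real authorizer handles more (aggregation, nonResourceURLs, group subjects, subresources) that this model leaves out.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One entry of a Role/ClusterRole `rules:` list (allow-only; RBAC has no deny rules)."""
    api_groups: set
    resources: set
    verbs: set
    resource_names: set = field(default_factory=set)  # empty set = any object name

    def matches(self, group, resource, verb, name):
        return ((group in self.api_groups or "*" in self.api_groups)
                and (resource in self.resources or "*" in self.resources)
                and (verb in self.verbs or "*" in self.verbs)
                and (not self.resource_names or name in self.resource_names))

@dataclass
class Binding:
    """RoleBinding (namespace set) or ClusterRoleBinding (namespace None)."""
    subject: str      # "system:serviceaccount:<ns>:<sa>", a user name or a group name
    rules: list       # rules of the Role/ClusterRole named in roleRef
    namespace: "str | None" = None

def allowed(bindings, subject, verb, resource, namespace, group="", name=None):
    """True if some binding for `subject` carries a rule permitting the request."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:  # RoleBinding scope
            continue
        if any(r.matches(group, resource, verb, name) for r in b.rules):
            return True
    return False  # no matching allow rule: denied, since RBAC is purely additive

# Constructed from the rules shown on this page (a subset of the ingress-nginx Role).
INGRESS_ROLE = [
    Rule({""}, {"configmaps", "pods", "secrets", "endpoints"}, {"get", "list", "watch"}),
    Rule({""}, {"configmaps"}, {"get", "update"}, {"ingress-controller-leader-nginx"}),
    Rule({""}, {"configmaps"}, {"create"}),
]
CLUSTER_ADMIN = [Rule({"*"}, {"*"}, {"*"})]  # resource part of cluster-admin
BINDINGS = [
    Binding("system:serviceaccount:ingress-nginx:ingress-nginx", INGRESS_ROLE, "ingress-nginx"),
    Binding("system:serviceaccount:kube-system:admin-user", CLUSTER_ADMIN),
]
SA = "system:serviceaccount:ingress-nginx:ingress-nginx"
ADMIN = "system:serviceaccount:kube-system:admin-user"
```

On a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<namespace>:<name>`, which is the quickest way to confirm that a binding grants only what you intended.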
--basic-auth-file: the file format is 'password','username','group1,group2'
Reference: /docs/refere…
Giving different users different permissions based on username and password
Giving different ServiceAccounts different permissions