k8s安全管理认证

# vim 01_k8s_pod_test.ymlapiVersion: v1kind: ServiceAccountmetadata:  name: superopsmsb-sa---apiVersion: v1kind: Podmetadata:  name: my-nginx-1spec:  containers:  - image: nginx:1.23.0    name: my-nginx  serviceAccountName: superopsmsb-sa
# kubectl apply -f 01_k8s_pod_test.yml # kubectl get sa# kubectl get pods -o wide# kubectl describe pod my-nginx-1

# vim test-csr.json  {  "CN": "test",  "hosts": [],  "key": {    "algo": "rsa",    "size": 2048  },  "names": [    {      "C": "CN",      "ST": "Beijing",      "L": "Beijing",      "O": "system:test",                   "OU": "system"    }  ]}

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes test-csr.json | cfssljson -bare test      # cp test*.pem /etc/kubernetes/ssl/## 创建集群# kubectl config set-cluster kubernetes --certificate-authority=ca.pem  --embed-certs=true --server=https://192.168.16.250:16443 --kubeconfig=test.kubeconfig## 创建用户# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=test.kubeconfig
## 创建上下文，用户和集群关联# kubectl config set-context kubernetes --cluster=kubernetes --user=test --kubeconfig=test.kubeconfig# kubectl config current-context --kubeconfig=test.kubeconfig# kubectl config view --kubeconfig=test.kubeconfig
## 设置使用默认的上下文# kubectl config use-context kubernetes --kubeconfig=test.kubeconfig
# kubectl --kubeconfig=test.kubeconfig get podsError from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"      # kubectl --kubeconfig=kube.config get podsNAME                READY   STATUS    RESTARTS   AGEmy-nginx-1          1/1     Running   0          4h26mpod-cm1             1/1     Running   3          4d22hpod-harbor          1/1     Running   2          26hpod-mysql-secret1   1/1     Running   5          4d21hpod-mysql-secret2   1/1     Running   2          4d21h

# kubectl create role myrole --verb=get,list --resource=pods --dry-run=client -o yaml > 02_k8s_secure_role.yaml# vim 02_k8s_secure_role.yaml apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: myrolerules:- apiGroups:  - ""  - "apps"  resources:  - pods  - deployments  - replicasets  verbs:  - get  - list  - delete
# kubectl apply -f 02_k8s_secure_role.yaml 
# kubectl get roleNAME     CREATED ATmyrole   2023-11-30T02:34:21Z# kubectl describe role myroleName:         myroleLabels:       <none>Annotations:  <none>PolicyRule:  Resources         Non-Resource URLs  Resource Names  Verbs  ---------         -----------------  --------------  -----  deployments       []                 []              [get list delete]  pods              []                 []              [get list delete]  replicasets       []                 []              [get list delete]  deployments.apps  []                 []              [get list delete]  pods.apps         []                 []              [get list delete]  replicasets.apps  []                 []              [get list delete]

# kubectl create rolebinding test-myrole --role=myrole --user=test --dry-run=client -o yaml > 03_k8s_test-myrole.yaml# kubectl apply -f 03_k8s_test-myrole.yaml # kubectl describe rolebinding test-myroleName:         test-myroleLabels:       <none>Annotations:  <none>Role:  Kind:  Role  Name:  myroleSubjects:  Kind  Name  Namespace  ----  ----  ---------  User  test  

# kubectl get pods --kubeconfig=test.kubeconfigNAME                READY   STATUS    RESTARTS   AGEmy-nginx-1          1/1     Running   1          25hpod-cm1             1/1     Running   5          5d20h
# kubectl get deployment --kubeconfig=test.kubeconfig
# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-systemError from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"# kubectl get svc --kubeconfig=test.kubeconfigError from server (Forbidden): services is forbidden: User "test" cannot list resource "services" in API group "" in the namespace "default"

# kubectl create clusterrole myclusterrole --verb=get,list,delete --resource=pods --dry-run=client -o yaml > 04_k8s_secure-clsterrole.yaml# kubectl apply -f 04_k8s_secure-clsterrole.yaml 
# kubectl create clusterrolebinding test-myclusterrole --clusterrole=myclusterrole --user=test
# kubectl edit clusterrolebinding test-myclusterrole
[root@k8s-master01 tools]# kubectl get deployment --kubeconfig=test.kubeconfig -n kube-systemError from server (Forbidden): deployments.apps is forbidden: User "test" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"# kubectl get pods --kubeconfig=test.kubeconfig -n kube-systemNAME                                       READY   STATUS    RESTARTS   AGEcalico-kube-controllers-7cc8dd57d9-hvkz5   1/1     Running   55         6d23hcalico-node-c4dxg                          1/1     Running   7          6d22hcalico-node-srqch                          1/1     Running   8          6d22hcalico-node-tcdmv                          0/1     Running   7          6d22hcalico-node-tvjzj                          1/1     Running   7          6d22hcoredns-675db8b7cc-5fbjk                   1/1     Running   7          6d22h

# kubectl create rolebinding test-myclusterrole --clusterrole=myclusterrole --user=test