RBAC

IAM user RBAC access control

This section has two parts:

Part one creates an admin user that has all permissions;

Part two creates a read-only user that has read access to a single namespace only.


Create a cluster admin user

Steps:

  1. Create an IAM user.
  2. Map the new user to a Kubernetes role.
  3. Test

Create the IAM user

Do not grant the user any IAM permissions.


Write the user's access key and secret key (AK/SK) into the AWS credentials file.



Map the new user to a Kubernetes role

Export the aws-auth ConfigMap as YAML:

kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml

The original YAML is as follows:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2020-02-06T08:48:21Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "997"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 6da2df00-48bd-11ea-b43f-06e5306805a0

Add the following entry under mapUsers:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin
      username: k8s-cluster-admin
      groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2020-02-06T08:48:21Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "997"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 6da2df00-48bd-11ea-b43f-06e5306805a0

system:masters is the group bound by a built-in Kubernetes ClusterRoleBinding (cluster-admin), so any identity mapped into this group becomes a cluster admin:

[screenshot: the built-in cluster-admin ClusterRoleBinding]


Then apply the change with kubectl apply -f xxx.yaml.


Test

The identity is now the IAM user k8s-cluster-admin, yet it still has permission to perform every Kubernetes operation.



Create a read-only user

  1. Create a namespace.
  2. Create an IAM user.
  3. Create a Role and RoleBinding.
  4. Map the user to the Kubernetes role.
  5. Test

First, create a namespace:

kubectl create ns production

Create an IAM user, again without granting it any permissions, and write its AK/SK into the AWS credentials file.



Create the Role and RoleBinding:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1 replaces v1beta1, which was removed in Kubernetes 1.22
metadata:
  namespace: production
  name: prod-viewer-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"] # can be further limited, e.g. ["deployments", "replicasets", "pods"]; "*" also covers secrets in this namespace
  verbs: ["get", "list", "watch"]

  • This Role grants read access (get, list, watch) within the production namespace.


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod-viewer-binding
  namespace: production
subjects:
- kind: User
  name: k8s-read-only          # must match the username set in the aws-auth mapUsers entry
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: prod-viewer-role
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f role.yaml -f rolebinding.yaml


Export the aws-auth ConfigMap as YAML:

kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml

Add the new user to mapUsers and apply the change:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin
      username: k8s-cluster-admin
      groups:
        - system:masters
    - userarn: arn:aws:iam::431960127954:user/k8s-read-only
      username: k8s-read-only
      groups:
        - prod-viewer-role
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mapRoles":"- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO\n username: system:node:{{EC2PrivateDNSName}}\n","mapUsers":"- userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin\n username: k8s-cluster-admin\n groups:\n - system:masters\n- userarn: arn:aws:iam::431960127954:user/k8s-read-only\n username: k8s-read-only\n groups:\n - prod-viewer-role\n"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":"2020-02-06T08:48:21Z","name":"aws-auth","namespace":"kube-system","resourceVersion":"728396","selfLink":"/api/v1/namespaces/kube-system/configmaps/aws-auth","uid":"6da2df00-48bd-11ea-b43f-06e5306805a0"}}
  creationTimestamp: "2020-02-06T08:48:21Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "748245"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 6da2df00-48bd-11ea-b43f-06e5306805a0
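As an added example (not code from the original post), the script below parses the mapUsers block of aws-auth with a parser written only for that list shape and checks each mapped identity against the subjects the bindings reference, flagging who lands in system:masters and which mapped group names no binding uses (here prod-viewer-role: the read-only user is actually authorized through the User subject k8s-read-only in prod-viewer-binding, not through that group). It assumes a placeholder account id and that BOUND_SUBJECTS was collected from the cluster's RoleBindings and ClusterRoleBindings.

```python
# Offline audit of an aws-auth mapUsers block against the (kind, name) subjects that the
# cluster's bindings reference. Sample data is constructed (placeholder account id).
MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/k8s-cluster-admin
  username: k8s-cluster-admin
  groups:
    - system:masters
- userarn: arn:aws:iam::111122223333:user/k8s-read-only
  username: k8s-read-only
  groups:
    - prod-viewer-role
"""
# cluster-admin binds Group system:masters; prod-viewer-binding binds User k8s-read-only
BOUND_SUBJECTS = {("Group", "system:masters"), ("User", "k8s-read-only")}

def parse_map_users(text):
    """Parse only the aws-auth mapUsers/mapRoles list shape ('- ' entries at the outer
    indent, 'key: value' lines, an indented list under 'groups:'); not general YAML."""
    entries, current, entry_indent, list_key = [], None, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("- "):
            entry_indent = indent if entry_indent is None else entry_indent
            if indent > entry_indent:  # nested list item, e.g. a group name
                current[list_key].append(stripped[2:].strip())
                continue
            current = {}  # new entry; its first key follows the dash
            entries.append(current)
            stripped = stripped[2:].strip()
        key, _, value = (part.strip() for part in stripped.partition(":"))
        if value:
            current[key] = value
        else:  # 'groups:' with nothing after the colon opens a nested list
            list_key, current[key] = key, []
    return entries

def audit_mappings(entries, bound_subjects):
    """Flag identities mapped into system:masters (cluster-admin), mapped groups that no
    binding references, and identities that no binding references at all."""
    report = {"cluster_admins": [], "unbound_groups": [], "unmapped_identities": []}
    for entry in entries:
        arn = entry.get("userarn") or entry.get("rolearn")
        groups = entry.get("groups", [])
        if "system:masters" in groups:
            report["cluster_admins"].append(arn)
        bound = [g for g in groups if ("Group", g) in bound_subjects]
        report["unbound_groups"] += [(arn, g) for g in groups if g not in bound]
        if not bound and ("User", entry.get("username")) not in bound_subjects:
            report["unmapped_identities"].append(arn)
    return report
```

Run it against the mapUsers value of your own aws-auth ConfigMap and the subjects listed by kubectl get rolebindings,clusterrolebindings -A -o yaml; an entry in unmapped_identities is a mapping that grants nothing, and every entry in cluster_admins should be an identity you intend to have full cluster control.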


Verify

aws sts get-caller-identity        # identity of the currently active profile
export AWS_PROFILE="readonly"      # switch to the read-only user's credentials profile
aws sts get-caller-identity        # the caller should now be k8s-read-only

As the output shows, the new user has read access only in the production namespace.

Summary

  • Authentication is held by IAM
  • Authorization is done by Kubernetes RBAC (native auth for k8s)

The overall authentication and authorization flow is shown in the diagram below.

[diagram: IAM authentication via aws-auth, followed by Kubernetes RBAC authorization]