This section has two parts:
the first part creates an admin user that has all permissions;
the second part creates a readonly user that only has read access to a single namespace.
Steps:
Create an IAM user. Do not give the user any IAM permissions. Write the user's AK/SK into the AWS credentials file:

Export the aws-auth configmap as YAML:
    kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
The original YAML is as follows:
    apiVersion: v1
    data:
      mapRoles: |
        - groups:
            - system:bootstrappers
            - system:nodes
          rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
          username: system:node:{{EC2PrivateDNSName}}
      mapUsers: |
        []
    kind: ConfigMap
    metadata:
      creationTimestamp: "2020-02-06T08:48:21Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "997"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
      uid: 6da2df00-48bd-11ea-b43f-06e5306805a0
Add the following entry in the mapUsers section:
    apiVersion: v1
    data:
      mapRoles: |
        - groups:
            - system:bootstrappers
            - system:nodes
          rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
          username: system:node:{{EC2PrivateDNSName}}
      mapUsers: |
        - userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin
          username: k8s-cluster-admin
          groups:
            - system:masters
    kind: ConfigMap
    metadata:
      creationTimestamp: "2020-02-06T08:48:21Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "997"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
      uid: 6da2df00-48bd-11ea-b43f-06e5306805a0
system:masters is a group bound by a built-in k8s ClusterRoleBinding:

Then run kubectl apply -f xxx.yaml to apply the change.
Now the user's identity is k8s-cluster-admin; it has no IAM permissions, but it still has permission to perform every k8s operation:
First create a namespace:
    kubectl create ns production
Create an IAM user, again without giving it any permissions. Write the user's AK/SK into the AWS credentials file:
Create the Role and RoleBinding:
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      namespace: production
      name: prod-viewer-role
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"] # can be further limited, e.g. ["deployments", "replicasets", "pods"]
      verbs: ["get", "list", "watch"]
This Role grants read permissions in the production namespace. The RoleBinding then assigns it to the user:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: prod-viewer-binding
      namespace: production
    subjects:
    - kind: User
      name: k8s-read-only
      apiGroup: ""
    roleRef:
      kind: Role
      name: prod-viewer-role
      apiGroup: ""
Apply both files (each file needs its own -f):
    kubectl apply -f role.yaml -f rolebinding.yaml
Export the aws-auth configmap as YAML:
    kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
Add the new user under mapUsers and apply it:
    apiVersion: v1
    data:
      mapRoles: |
        - groups:
            - system:bootstrappers
            - system:nodes
          rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO
          username: system:node:{{EC2PrivateDNSName}}
      mapUsers: |
        - userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin
          username: k8s-cluster-admin
          groups:
            - system:masters
        - userarn: arn:aws:iam::431960127954:user/k8s-read-only
          username: k8s-read-only
          groups:
            - prod-viewer-role
    kind: ConfigMap
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","data":{"mapRoles":"- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::431960127954:role/eksctl-eks-asm-nodegroup-ng-1-NodeInstanceRole-17BLFFIM5K6VO\n username: system:node:{{EC2PrivateDNSName}}\n","mapUsers":"- userarn: arn:aws:iam::431960127954:user/k8s-cluster-admin\n username: k8s-cluster-admin\n groups:\n - system:masters\n- userarn: arn:aws:iam::431960127954:user/k8s-read-only\n username: k8s-read-only\n groups:\n - prod-viewer-role\n"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":"2020-02-06T08:48:21Z","name":"aws-auth","namespace":"kube-system","resourceVersion":"728396","selfLink":"/api/v1/namespaces/kube-system/configmaps/aws-auth","uid":"6da2df00-48bd-11ea-b43f-06e5306805a0"}}
      creationTimestamp: "2020-02-06T08:48:21Z"
      name: aws-auth
      namespace: kube-system
      resourceVersion: "748245"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
      uid: 6da2df00-48bd-11ea-b43f-06e5306805a0
Check which identity is active, switch to the readonly profile, and check again:
    aws sts get-caller-identity
    export AWS_PROFILE="readonly"
    aws sts get-caller-identity
As you can see, the new user only has read access in the production namespace.
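To make the result of the two mappings checkable offline, here is an added example (my code, not part of the original post) that works out, for each aws-auth mapUsers entry, which RBAC bindings it actually matches and what scope they grant. The mapUsers entries and the bindings are constructed Python data mirroring the page's YAML; the binding of group system:masters to ClusterRole cluster-admin is the one Kubernetes ships. It also lists groups named in mapUsers that no binding references: the prod-viewer-role group above is one, since the RoleBinding matches the User name k8s-read-only and the group by itself grants nothing.

```python
# Audit of aws-auth mapUsers against RBAC bindings (added example, not from the post).

# Constructed from the page's aws-auth mapUsers block, as it would look after YAML parsing.
MAP_USERS = [
    {"userarn": "arn:aws:iam::431960127954:user/k8s-cluster-admin",
     "username": "k8s-cluster-admin", "groups": ["system:masters"]},
    {"userarn": "arn:aws:iam::431960127954:user/k8s-read-only",
     "username": "k8s-read-only", "groups": ["prod-viewer-role"]},
]

# Constructed bindings: Kubernetes' built-in cluster-admin ClusterRoleBinding
# (Group system:masters -> ClusterRole cluster-admin) plus the page's prod-viewer-binding.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "cluster-admin", "namespace": None,
     "role": "cluster-admin", "subjects": [("Group", "system:masters")]},
    {"kind": "RoleBinding", "name": "prod-viewer-binding", "namespace": "production",
     "role": "prod-viewer-role", "subjects": [("User", "k8s-read-only")]},
]

def effective_access(map_users, bindings):
    """Map each mapped username to [(scope, role)], scope being 'cluster' or a namespace."""
    result = {}
    for entry in map_users:
        # A mapped identity matches a binding by its username or by any of its groups.
        subjects = {("User", entry["username"])} | {("Group", g) for g in entry.get("groups", [])}
        grants = []
        for b in bindings:
            if subjects & set(b["subjects"]):
                scope = "cluster" if b["kind"] == "ClusterRoleBinding" else b["namespace"]
                grants.append((scope, b["role"]))
        result[entry["username"]] = grants
    return result

def cluster_admins(map_users, bindings):
    """Usernames that reach ClusterRole cluster-admin: review this on every aws-auth change."""
    return sorted(u for u, g in effective_access(map_users, bindings).items()
                  if ("cluster", "cluster-admin") in g)

def unbound_groups(map_users, bindings):
    """Groups named in mapUsers that no binding references; they grant nothing on their own."""
    bound = {name for b in bindings for kind, name in b["subjects"] if kind == "Group"}
    return sorted({g for e in map_users for g in e.get("groups", []) if g not in bound})

if __name__ == "__main__":
    for user, grants in effective_access(MAP_USERS, BINDINGS).items():
        print(user, "->", grants or "no access")
    print("cluster admins:", cluster_admins(MAP_USERS, BINDINGS))
    print("unbound groups:", unbound_groups(MAP_USERS, BINDINGS))
```

With the page's data, k8s-read-only resolves to only ("production", "prod-viewer-role"), k8s-cluster-admin is the sole cluster admin, and prod-viewer-role is reported as an unbound group.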
The complete Authentication and Authorization flow is as follows: