K8S read-only user authorization example

Creating a read-only user in K8S and granting it access to resources
Scenario: in some situations, for example when nodes are joined to a cluster automatically, the node has to verify after the join completes that its status in the cluster is normal, and then report the result. For this you can create a read-only ServiceAccount and use its token to query the node's status through the API. The point is least privilege: the ClusterRole below only allows get and list on nodes, so a token that leaks from a node cannot read Pods, Secrets or anything else. The steps are as follows:
1) Create the user yaml file:

cat viewonly.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-reader
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-nodes
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-nodes
subjects:
  - kind: ServiceAccount
    name: read-nodes
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
2) Apply the file, then obtain the user's token:

kubectl apply -f viewonly.yaml

clusterrole.rbac.authorization.k8s.io/node-reader created
serviceaccount/read-nodes created
clusterrolebinding.rbac.authorization.k8s.io/read-nodes created

# get the token (the token Secret that Kubernetes creates automatically for the ServiceAccount)

kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep read-nodes | awk '{print $1}') -o jsonpath='{.data.token}' | base64 -d

Note: this relies on the automatically created, non-expiring token Secret. On Kubernetes 1.24 and later those Secrets are no longer created for a ServiceAccount, so the grep finds nothing; request a short-lived token with `kubectl create token` instead. The token printed below grants cluster-wide read access to nodes, so treat it as a credential and do not paste it into logs or tickets.

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlsdWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJyZWFkLW5vZGVzLXRva2VuLWtzZzliIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InJlYWQtbm9kZXMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51sdqiOiIzYzk3Y2YyYi03YTRmLTExZWEtOGU3Zi0wZTcyMTk4NTA3NGIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06cmVhZC1ub2RlcyJ9.WrUxDB1zxMQWrKyinoevBQ1Y-tcOcSYSjCoTr4nF0oTkBySfrNelL6OsTunf6_b2zPz5WSH2xh0M0dh5g5H7q25g47-U12dLNRPvXawzrIFWriKqz51EnNRX64ZEal5m44RGA72aAi2vVAqxzW_3yszqa2O18nzsbBWQkz2Ktl_xrqn1-xy5xizspw5t6OrguIxdTk0mRk_xqBZsCB8aFJ9xzfrAwR2GTcVoguVuLmD2MQXz5eKgh8nGhmo2mNi9peXLEk83u-wcS1Q3NDTAd6-V0h7LfpLXBWMMBTHmlNCDglXzOJF-MJQN6XwYS2WVJBcRwNtV4WCtM4OLXBQ06A
3) Verify the permissions (using an edge node as an example):

3.1) Get node information

# $TOKEN holds the ServiceAccount token printed in step 2. --insecure skips verification of the API server certificate, which is fine for a quick test but in production pass the cluster CA with --cacert so the token is never sent to an impostor.
curl --insecure https://xxx.xxx.xxx.xxx:6443/api/v1/nodes/k8s-node-xxx.xxx.xxx.xxx --header "Authorization: Bearer $TOKEN"

{
  "kind": "Node",
  "apiVersion": "v1",
  "metadata": {
    "name": "k8s-node-xxx.xxxx.xxx.xxx",
  ...
      {
        "type": "Ready",
        "status": "True",                            // node status is Ready
        "lastHeartbeatTime": "2020-04-25T10:50:01Z",
        "lastTransitionTime": "2020-04-25T18:03:50Z",
        "reason": "KubeletReady",                    // the kubelet reports Ready
        "message": "kubelet is posting ready status"
      }
    ],
  ...

3.2) Get pod information: no permission

# same $TOKEN as above; the ClusterRole grants nothing on pods, so RBAC must reject this
curl --insecure https://xxx.xxx.xxx.xxx:6443/api/v1/pods --header "Authorization: Bearer $TOKEN"

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:kube-system:read-nodes\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
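The three steps above are a manual procedure; the scenario in the introduction is an automated post-join check. The script below is an added example, not code from the original post, that performs that check with the read-nodes token: it verifies the API server against the cluster CA instead of using --insecure, treats a 200 Node object whose Ready condition is "True" as healthy, and confirms that the same token is refused (403 Status/Forbidden) when it tries to list pods. The API server address, the CA file path, the K8S_TOKEN environment variable and the use of `kubectl create token` (Kubernetes 1.24+) are assumptions, not taken from the page; the sample responses are constructed to match the shape of the output shown in step 3.

```python
"""Added example (not the original post's code): post-join node check using
the read-nodes ServiceAccount token.

Assumptions not taken from the page: API_SERVER, CA_FILE, the K8S_TOKEN
environment variable, and minting the token with `kubectl create token`."""
import json
import os
import ssl
import subprocess
import sys
import urllib.error
import urllib.request

API_SERVER = "https://xxx.xxx.xxx.xxx:6443"   # assumed API server address
CA_FILE = "/etc/kubernetes/pki/ca.crt"        # assumed cluster CA path


def get_token(namespace="kube-system", sa="read-nodes"):
    """Mint a short-lived token (Kubernetes 1.24+; no token Secret needed)."""
    return subprocess.check_output(
        ["kubectl", "-n", namespace, "create", "token", sa], text=True
    ).strip()


def api_get(path, token, server=API_SERVER, cafile=CA_FILE):
    """GET an API path as the ServiceAccount; returns (http_code, body).

    The server certificate is validated against the cluster CA (the curl
    --insecure equivalent would let a spoofed API server capture the bearer
    token). A 403 is returned as the Status object the API server sends."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        server + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"kind": "Status",
                              "message": raw.decode(errors="replace")}


def node_ready(node):
    """True only for a Node object whose Ready condition has status "True"."""
    if node.get("kind") != "Node":
        return False
    for cond in node.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False  # no Ready condition reported yet


def is_forbidden(code, body):
    """True when RBAC rejected the request: 403 with a Status/Forbidden body."""
    return (code == 403 and body.get("kind") == "Status"
            and body.get("reason") == "Forbidden")


def check_node(node_name, token):
    """The post-join check: HTTP 200 and Ready means the node is healthy."""
    code, body = api_get("/api/v1/nodes/" + node_name, token)
    return code == 200 and node_ready(body)


# Constructed sample responses, shaped like the step 3 output on this page.
SAMPLE_NODE = {
    "kind": "Node", "apiVersion": "v1",
    "metadata": {"name": "k8s-node-xxx.xxx.xxx.xxx"},
    "status": {"conditions": [
        {"type": "MemoryPressure", "status": "False"},
        {"type": "Ready", "status": "True", "reason": "KubeletReady",
         "message": "kubelet is posting ready status"},
    ]},
}
SAMPLE_FORBIDDEN = {
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'pods is forbidden: User "system:serviceaccount:kube-system:'
               'read-nodes" cannot list resource "pods" in API group "" '
               'at the cluster scope',
    "reason": "Forbidden", "details": {"kind": "pods"}, "code": 403,
}

if __name__ == "__main__":
    token = os.environ.get("K8S_TOKEN") or get_token()
    name = sys.argv[1] if len(sys.argv) > 1 else "k8s-node-xxx.xxx.xxx.xxx"
    ok = check_node(name, token)
    # The same token must NOT be able to list pods; a 200 here means the
    # ClusterRole is wider than intended and the automation should fail loudly.
    code, body = api_get("/api/v1/pods", token)
    print("node ready:", ok, "| pods forbidden:", is_forbidden(code, body))
    sys.exit(0 if ok and is_forbidden(code, body) else 1)
```

Run it on the joined node as `K8S_TOKEN=... python3 check_node.py k8s-node-xxx.xxx.xxx.xxx`. The pods request is kept in the script on purpose: it turns the negative test from step 3.2 into a permanent guard, so a later edit that widens node-reader is caught the next time a node joins. The same RBAC check can be done without a token at all with `kubectl auth can-i list pods --as=system:serviceaccount:kube-system:read-nodes`, which should print "no".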

Disclaimer: the views in this article do not represent the position of this site. Original link: https://eyangzhen.com/235153.html
