
Helm User Guide, Part 7: RBAC

Category: k8s. Posted 2022-05-13.

RBAC: Role-Based Access Control

In Kubernetes, the recommended practice is to grant roles to a specific application's service account, so that the application can only act within the scope it was given. For details on service account permissions, read the official Kubernetes documentation.

Bitnami has written a guide to configuring RBAC in a cluster that covers the RBAC basics.

I keep this translation updated at https://whmzsu.github.io/helm-doc-zh-cn/ and mirror it here as well; anyone interested in joining https://github.com/whmzsu/helm-doc-zh-cn/ is welcome to send me comments and suggestions.

This guide is for users who want to restrict Helm in two respects:

  1. Tiller's ability to install resources into particular namespaces
  2. The Helm client's access to a Tiller instance

Tiller and Role-Based Access Control

You can attach a service account to Tiller when configuring Helm with the --service-account <NAME> flag. As a prerequisite, you must have created a role binding that ties a role defined in advance to that service account name.

Once that prerequisite is in place and a service account with the right permissions exists, initialize Tiller with a command of the form: helm init --service-account <NAME>

Example: service account with the cluster-admin role

<code class="lang-bash">$ kubectl create serviceaccount tiller --namespace kube-system
serviceaccount "tiller" created
</code>


File rbac-config.yaml:

<code class="lang-yaml">apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
</code>

Note: the cluster-admin ClusterRole is created by default in every Kubernetes cluster, so it does not need to be defined explicitly. Two caveats apply to this example. First, binding Tiller to cluster-admin means that anyone who can reach Tiller's gRPC port (Tiller does not authenticate its clients unless TLS client verification is configured) effectively gets cluster-admin; the namespace-scoped examples that follow are the safer default. Second, rbac.authorization.k8s.io/v1 has been the stable RBAC API since Kubernetes 1.8; the v1beta1 version found in older copies of this guide was removed in Kubernetes 1.22 and manifests using it no longer apply.

<code class="lang-bash">$ kubectl create -f rbac-config.yaml
serviceaccount "tiller" created
clusterrolebinding "tiller" created
$ helm init --service-account tiller
</code>

Deploy Tiller in a namespace, restricted to deploying resources only in that namespace

In the example above we gave Tiller admin access to the whole cluster. Tiller does not need cluster-admin to work. Instead of a ClusterRole and ClusterRoleBinding, we can define a Role and RoleBinding that confine Tiller to a single namespace.

<code class="lang-bash">$ kubectl create namespace tiller-world
namespace "tiller-world" created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount "tiller" created
</code>

Define a Role that lets Tiller manage all resources in the tiller-world namespace, in role-tiller.yaml. "All resources" here means every resource in the core, extensions and apps API groups, which includes Secrets and Pods in that namespace, so anything Tiller deploys can also run as any service account that lives there; treat this Role as namespace admin and scope it down if your charts do not need all of it.

<code class="lang-yaml">kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
</code>
<code class="lang-bash">$ kubectl create -f role-tiller.yaml
role "tiller-manager" created
</code>

File rolebinding-tiller.yaml:

<code class="lang-yaml">kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
</code>
<code class="lang-bash">$ kubectl create -f rolebinding-tiller.yaml
rolebinding "tiller-binding" created
</code>

Then run helm init to install Tiller into the tiller-world namespace.

<code class="lang-bash">$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /Users/awesome-user/.helm.

Tiller (the Helm server side component) has been installed into your Kubernetes Cluster.
Happy Helming!

$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
NAME:   wayfaring-yak
LAST DEPLOYED: Mon Aug  7 16:00:16 2017
NAMESPACE: tiller-world
STATUS: DEPLOYED

RESOURCES:
==> v1/Pod
NAME                  READY  STATUS             RESTARTS  AGE
wayfaring-yak-alpine  0/1    ContainerCreating  0         0s
</code>

Example: deploy Tiller in one namespace and restrict it to deploying resources in another

In the example above, Tiller manages the namespace it is deployed in. Now let's restrict Tiller so that it deploys resources into a different namespace.

In the following example we install Tiller in the myorg-system namespace and allow it to deploy resources into the myorg-users namespace.

<code class="lang-bash">$ kubectl create namespace myorg-system
namespace "myorg-system" created
$ kubectl create serviceaccount tiller --namespace myorg-system
serviceaccount "tiller" created
</code>

role-tiller.yaml defines a Role that lets Tiller manage all resources in myorg-users:

<code class="lang-yaml">kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: myorg-users
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
</code>
<code class="lang-bash">$ kubectl create -f role-tiller.yaml
role "tiller-manager" created
</code>

Bind the service account to that Role with rolebinding-tiller.yaml. Note that the RoleBinding lives in myorg-users (the namespace where the permissions apply) while its subject is the service account in myorg-system:

<code class="lang-yaml">kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: myorg-users
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: myorg-system
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
</code>
<code class="lang-bash">$ kubectl create -f rolebinding-tiller.yaml
rolebinding "tiller-binding" created
</code>

We also need to give Tiller access to the ConfigMaps in myorg-system, because that is where it stores release information (it creates, reads and updates them, hence verbs: ["*"]). Those release ConfigMaps hold the rendered manifests and the values of every release, including any secrets passed in as values, so read access to them deserves the same care as the Role itself. File role-tiller-myorg-system.yaml:

<code class="lang-yaml">kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: myorg-system
  name: tiller-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["configmaps"]
  verbs: ["*"]
</code>
<code class="lang-bash">$ kubectl create -f role-tiller-myorg-system.yaml
role "tiller-manager" created
</code>

And the corresponding RoleBinding, rolebinding-tiller-myorg-system.yaml:

<code class="lang-yaml">kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: myorg-system
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: myorg-system
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
</code>
<code class="lang-bash">$ kubectl create -f rolebinding-tiller-myorg-system.yaml
rolebinding "tiller-binding" created
</code>

Helm and Role-Based Access Control

When the Helm client runs inside a pod, it needs certain privileges in order to talk to a Tiller instance. Specifically, the client must be able to open port-forwards to pods (the pods/portforward subresource) and to list pods in the namespace Tiller runs in, which is how it locates Tiller. Those two permissions are all it takes to drive Tiller, and Tiller does not authenticate its gRPC clients unless TLS client verification (helm init --tiller-tls-verify) is configured, so whoever holds them effectively acts with Tiller's own service account permissions. Grant them as sparingly as you grant Tiller's Role.

Example: deploy Helm in one namespace and talk to Tiller in another

In this example, assume Tiller runs in a namespace called tiller-world and the Helm client runs in helm-world. (By default, Tiller runs in the kube-system namespace.)

File helm-user.yaml:

<code class="lang-yaml">apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
</code>
<code class="lang-bash">$ kubectl create -f helm-user.yaml
serviceaccount "helm" created
role "tiller-user" created
rolebinding "tiller-user-binding" created
</code>
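To check what the manifests in this guide actually grant before they reach a cluster, here is an added example (not Helm's or Kubernetes' code) that evaluates the Role, RoleBinding and ClusterRoleBinding objects from the examples above offline, following the matching rules the Kubernetes RBAC authorizer applies: a namespaced binding grants only inside its own namespace, a bare "*" is the only wildcard, and a rule naming pods does not cover the pods/portforward subresource. It serves the cluster-admin example, the two namespace-scoped Tiller examples and the helm-user example. The manifests are re-entered as Python dicts (constructed copies of the YAML above); the rule(), role() and role_binding() helpers, the service_account() identity helper and the RbacPolicy class are this example's own, and cluster-admin is modelled as the all-wildcard rule it carries in a real cluster.

```python
"""Offline "can-i" evaluator for the RBAC manifests in this guide (added example,
not Helm or Kubernetes code). It applies the Kubernetes RBAC matching rules to
Role/RoleBinding/ClusterRoleBinding objects held in memory, answering what
`kubectl auth can-i VERB RESOURCE -n NS --as=system:serviceaccount:NS:NAME` would."""

# cluster-admin is created by the cluster itself (see the note above): an all-wildcard rule.
BUILTIN_CLUSTER_ROLES = {"cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

def rule(api_groups, resources, verbs):
    return {"apiGroups": api_groups, "resources": resources, "verbs": verbs}

def role(ns, name, *rules):
    return {"kind": "Role", "metadata": {"namespace": ns, "name": name}, "rules": list(rules)}

def role_binding(ns, name, role_name, sa_ns, sa_name):
    return {"kind": "RoleBinding", "metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "namespace": sa_ns, "name": sa_name}]}

# Constructed copies of the manifests shown above, field for field.
SCOPED_MANIFESTS = [
    # Tiller in myorg-system: every core/extensions/apps resource in myorg-users ...
    role("myorg-users", "tiller-manager", rule(["", "extensions", "apps"], ["*"], ["*"])),
    role_binding("myorg-users", "tiller-binding", "tiller-manager", "myorg-system", "tiller"),
    # ... but only ConfigMaps (release storage) in its own namespace.
    role("myorg-system", "tiller-manager", rule(["", "extensions", "apps"], ["configmaps"], ["*"])),
    role_binding("myorg-system", "tiller-binding", "tiller-manager", "myorg-system", "tiller"),
    # helm client in helm-world: list pods and open port-forwards in tiller-world, nothing more.
    role("tiller-world", "tiller-user", rule([""], ["pods/portforward"], ["create"]),
         rule([""], ["pods"], ["list"])),
    role_binding("tiller-world", "tiller-user-binding", "tiller-user", "helm-world", "helm"),
]
CLUSTER_ADMIN_MANIFESTS = [{
    "kind": "ClusterRoleBinding", "metadata": {"name": "tiller"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "tiller"}]}]

def service_account(namespace, name):
    """User name and groups the API server derives from a service account token."""
    return {"user": f"system:serviceaccount:{namespace}:{name}",
            "groups": {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}}

def _subject_matches(subject, identity):
    if subject["kind"] == "ServiceAccount":
        return identity["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return subject["name"] == identity["user"]
    return subject["kind"] == "Group" and subject["name"] in identity["groups"]

def _resource_matches(patterns, resource):
    # "pods" does not cover the "pods/portforward" subresource; "*" and "*/portforward" do.
    for p in patterns:
        if p == "*" or p == resource:
            return True
        if p.startswith("*/") and "/" in resource and resource.split("/", 1)[1] == p[2:]:
            return True
    return False

def _rule_allows(r, group, resource, verb):
    def star(patterns, value):  # a bare "*" is RBAC's only wildcard; there is no globbing
        return any(p == "*" or p == value for p in patterns)
    return (star(r.get("apiGroups", []), group)
            and _resource_matches(r.get("resources", []), resource)
            and star(r.get("verbs", []), verb))

class RbacPolicy:
    """RBAC objects indexed the way the authorizer looks them up."""

    def __init__(self, manifests):
        self.roles, self.cluster_roles = {}, dict(BUILTIN_CLUSTER_ROLES)
        self.role_bindings, self.cluster_role_bindings = [], []
        for m in manifests:  # ServiceAccount objects grant nothing and are ignored
            meta = m["metadata"]
            if m["kind"] == "Role":
                self.roles[(meta["namespace"], meta["name"])] = m.get("rules", [])
            elif m["kind"] == "ClusterRole":
                self.cluster_roles[meta["name"]] = m.get("rules", [])
            elif m["kind"] == "RoleBinding":
                self.role_bindings.append(m)
            elif m["kind"] == "ClusterRoleBinding":
                self.cluster_role_bindings.append(m)

    def can_i(self, identity, verb, resource, namespace="", group=""):
        """RBAC is allow-only: True if any binding of this identity carries a matching rule."""
        def bound(b):
            return any(_subject_matches(s, identity) for s in b.get("subjects", []))
        # A RoleBinding grants only inside its own namespace, whether it references a Role
        # there or a ClusterRole (whose rules are then confined to that namespace).
        for b in self.role_bindings:
            if b["metadata"]["namespace"] == namespace and bound(b):
                ref = b["roleRef"]
                rules = (self.roles.get((namespace, ref["name"]), []) if ref["kind"] == "Role"
                         else self.cluster_roles.get(ref["name"], []))
                if any(_rule_allows(r, group, resource, verb) for r in rules):
                    return True
        # A ClusterRoleBinding grants in every namespace and for cluster-scoped resources.
        for b in self.cluster_role_bindings:
            if bound(b) and any(_rule_allows(r, group, resource, verb)
                                for r in self.cluster_roles.get(b["roleRef"]["name"], [])):
                return True
        return False
```

RbacPolicy(SCOPED_MANIFESTS).can_i(service_account("myorg-system", "tiller"), "get", "secrets", "myorg-users") returns True: the "all resources" Role covers every Secret in myorg-users, which is the trade-off the namespace-scoped examples make. The same query against myorg-system returns False (only ConfigMaps there), a request in the rbac.authorization.k8s.io group is refused because that group is not in the Role, and the helm service account can open a port-forward to a pod in tiller-world but cannot create pods there or list pods in its own namespace. A live API server also consults any other configured authorizers (Node, Webhook, ABAC), so kubectl auth can-i against the cluster remains the final word.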

