使用RBAC Manager 简化Kubernetes 中的授权

rbac k8s

字数统计: 1.1k阅读时长: 5 min

 2021/08/05 

简介

RBAC Manager是Fairwinds公司开源的一个项目，旨在简化 Kubernetes 中的授权，它使用新的自定义资源来支持 RBAC 声明式配置的c rd。我们可以指定所需的状态，而不是直接管理role bindings 或 service accounts ，RBAC Manager将进行必要的更改以实现该状态。

这个项目有三个主要目标：

为 RBAC 提供一种更易于理解和可扩展的声明式方法。
减少身份验证所需的配置量。
使用 CI/CD 实现 RBAC 配置更新的自动化。

安装

安装我们可以使用helm安装或者使用直接使用yaml文件安装

helm安装

1 2	helm repo add fairwinds-stable https://charts.fairwinds.com/stable helm install fairwinds-stable/rbac-manager --name rbac-manager --namespace rbac-manager

yaml文件安装

[root@master-01 deploy]# git clone https://github.com/FairwindsOps/rbac-manager.git
[root@master-01 deploy]# cd rbac-manager/deploy
#我们先查看一下有哪些文件
[root@master-01 deploy]# ls
0_namespace.yaml  1_rbac.yaml  2_crd.yaml  3_deployment.yaml
##部署
[root@master-01 deploy]# kubectl apply -f ./
namespace/rbac-manager created
serviceaccount/rbac-manager created
clusterrole.rbac.authorization.k8s.io/rbac-manager created
clusterrolebinding.rbac.authorization.k8s.io/rbac-manager created
customresourcedefinition.apiextensions.k8s.io/rbacdefinitions.rbacmanager.reactiveops.io created
deployment.apps/rbac-manager created
[root@master-01 deploy]# kubectl -n rbac-manager  get pod
NAME                            READY   STATUS    RESTARTS   AGE
rbac-manager-664c9df47f-sjwwh   1/1     Running   0          48s

使用

正常情况如果我们允许k8s集群的用户lishuai 通过edit访问名称空间test以及view访问名称空间devops,我们需要创建如下文件

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lishuai-test
  namespace: test
subjects:
- kind: User
  name: [email protected]
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lishuai-devops
  namespace: devops
subjects:
- kind: User
  name: [email protected]
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

使用了RBAC Manager 我们可以使用下面文件实现同样效果

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: lishuai-access
rbacBindings:
  - name: jlishuai
    subjects:
      - kind: User
        name: [email protected]
    roleBindings:
      - namespace: devops
        clusterRole: view
      - namespace: test
        clusterRole: edit

我们使用上述文件创建后我们可以发现RBAC Manager会帮我们在devops和test这两个名称空间创建对应的rolebinding

[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io  -n devops
NAME                                    ROLE                                         AGE
leader-locking-nfs-client-provisioner   Role/leader-locking-nfs-client-provisioner   6d3h
lishuai-access-jlishuai-view            ClusterRole/view                             13s
[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io  -n test
NAME                           ROLE               AGE
lishuai-access-jlishuai-edit   ClusterRole/edit   21s

我们可以查看一下 rolebinding 文件的内容

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-08-05T06:24:11Z"
  labels:
    rbac-manager: reactiveops
  managedFields:
     ......
  name: lishuai-access-jlishuai-edit
  namespace: test
  ownerReferences:
  - apiVersion: rbacmanager.reactiveops.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: RBACDefinition
    name: lishuai-access
    uid: bf249ecb-42d3-4df0-a905-3b391dfe0778
  resourceVersion: "107926623"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/test/rolebindings/lishuai-access-jlishuai-edit
  uid: 3112d042-abbb-4d54-9980-7a36aae65a2e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

使用RBACDefinition，我们可以将配置量减少一半甚至更多，RBAC Manager被部署为operator并侦听新的和更新的RBACDefinition，进行必要的更改以实现所需的状态。

动态创建

在指定角色绑定配置时，BACDefinition现在可以用namespaceSelectors代替namespace属性。这在使用动态配置的命名空间时非常有用

[root@master-01 deploy]# cat demo-ns.yaml 
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: lishuai-access
rbacBindings:
  - name: lishuai
    subjects:
      - kind: User
        name: [email protected]
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            team: test

上面的示例会给每个带有label team=test的名称空间创建rolebinding

 #查看带有team=test标签的名称空间
[root@master-01 deploy]# kubectl get ns -l=team=test
NAME     STATUS   AGE
devops   Active   197d
test     Active   128d

[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io  -n devops
NAME                                    ROLE                                         AGE
leader-locking-nfs-client-provisioner   Role/leader-locking-nfs-client-provisioner   6d3h
lishuai-access-lishuai-edit             ClusterRole/edit                             23s
[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io  -n test
NAME                          ROLE               AGE
lishuai-access-lishuai-edit   ClusterRole/edit   26s

下面我们看一个官方提供的例子

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: rbac-manager-users-example
rbacBindings:
  - name: cluster-admins
    subjects:
      - kind: User
        name: [email protected]
    clusterRoleBindings:
      - clusterRole: cluster-admin
  - name: web-developers
    subjects:
      - kind: User
        name: [email protected]
      - kind: User
        name: [email protected]
    roleBindings:
      - clusterRole: edit
        namespace: web
      - clusterRole: view
        namespace: api
  - name: ci-bot
    subjects:
      - kind: ServiceAccount
        name: ci-bot
        namespace: rbac-manager
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            ci: edit
      - clusterRole: admin
        namespaceSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - web
                - queue