misterli's Blog.

Using RBAC Manager to simplify authorization in Kubernetes

Word count: 1.1k  Reading time: 5 min
2021/08/05

Introduction

RBAC Manager is an open-source project from Fairwinds that aims to simplify authorization in Kubernetes. It adds a custom resource (CRD) that supports declarative RBAC configuration: instead of managing role bindings and service accounts directly, we declare the desired state and RBAC Manager makes whatever changes are needed to reach it.

The project has three main goals:

  1. Provide a declarative approach to RBAC that is easier to understand and to scale.
  2. Reduce the amount of configuration needed for authorization.
  3. Automate RBAC configuration updates through CI/CD.

Installation

We can install it either with Helm or directly from the YAML files in the repository.

Installing with Helm

# Helm 2 syntax as in the original post; with Helm 3 the equivalent is:
#   helm install rbac-manager fairwinds-stable/rbac-manager --namespace rbac-manager --create-namespace
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install fairwinds-stable/rbac-manager --name rbac-manager --namespace rbac-manager

Installing from the YAML files

[root@master-01 deploy]# git clone https://github.com/FairwindsOps/rbac-manager.git
[root@master-01 deploy]# cd rbac-manager/deploy
# First, look at which files are there
[root@master-01 deploy]# ls
0_namespace.yaml 1_rbac.yaml 2_crd.yaml 3_deployment.yaml
## Deploy
[root@master-01 deploy]# kubectl apply -f ./
namespace/rbac-manager created
serviceaccount/rbac-manager created
clusterrole.rbac.authorization.k8s.io/rbac-manager created
clusterrolebinding.rbac.authorization.k8s.io/rbac-manager created
customresourcedefinition.apiextensions.k8s.io/rbacdefinitions.rbacmanager.reactiveops.io created
deployment.apps/rbac-manager created
[root@master-01 deploy]# kubectl -n rbac-manager get pod
NAME READY STATUS RESTARTS AGE
rbac-manager-664c9df47f-sjwwh 1/1 Running 0 48s

Usage

Normally, if we want to allow the cluster user lishuai to access the namespace test with edit and the namespace devops with view, we need to create a file like the following:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lishuai-test
  namespace: test
subjects:
- kind: User
  name: lishuai@example.com
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lishuai-devops
  namespace: devops
subjects:
- kind: User
  name: lishuai@example.com
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

With RBAC Manager, the following file achieves the same effect:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: lishuai-access
rbacBindings:
  - name: jlishuai
    subjects:
      - kind: User
        name: lishuai@example.com
    roleBindings:
      - namespace: devops
        clusterRole: view
      - namespace: test
        clusterRole: edit

After creating the resource from the file above, we can see that RBAC Manager has created the corresponding rolebindings in the devops and test namespaces:

[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io  -n devops
NAME ROLE AGE
leader-locking-nfs-client-provisioner Role/leader-locking-nfs-client-provisioner 6d3h
lishuai-access-jlishuai-view ClusterRole/view 13s
[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io -n test
NAME ROLE AGE
lishuai-access-jlishuai-edit ClusterRole/edit 21s

We can inspect the contents of one of the generated rolebindings; note the rbac-manager label and the ownerReferences entry pointing back at the RBACDefinition, which is how the operator tracks (and garbage-collects) what it created:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-08-05T06:24:11Z"
  labels:
    rbac-manager: reactiveops
  managedFields:
  ......
  name: lishuai-access-jlishuai-edit
  namespace: test
  ownerReferences:
  - apiVersion: rbacmanager.reactiveops.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: RBACDefinition
    name: lishuai-access
    uid: bf249ecb-42d3-4df0-a905-3b391dfe0778
  resourceVersion: "107926623"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/test/rolebindings/lishuai-access-jlishuai-edit
  uid: 3112d042-abbb-4d54-9980-7a36aae65a2e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: lishuai@example.com

With an RBACDefinition we can cut the amount of configuration by half or more. RBAC Manager is deployed as an operator: it watches for new and updated RBACDefinitions and makes the changes needed to reach the desired state.

Dynamic creation

When specifying role binding configuration, an RBACDefinition can use a namespaceSelector instead of the namespace attribute. This is very useful when namespaces are provisioned dynamically.

[root@master-01 deploy]# cat demo-ns.yaml 
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: lishuai-access
rbacBindings:
  - name: lishuai
    subjects:
      - kind: User
        name: lishuai@example.com
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            team: test

The example above creates a rolebinding in every namespace that carries the label team=test:

# List the namespaces labelled team=test
[root@master-01 deploy]# kubectl get ns -l=team=test
NAME STATUS AGE
devops Active 197d
test Active 128d

[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io -n devops
NAME ROLE AGE
leader-locking-nfs-client-provisioner Role/leader-locking-nfs-client-provisioner 6d3h
lishuai-access-lishuai-edit ClusterRole/edit 23s
[root@master-01 deploy]# kubectl get rolebindings.rbac.authorization.k8s.io -n test
NAME ROLE AGE
lishuai-access-lishuai-edit ClusterRole/edit 26s

Next, let's look at an example provided by the project itself:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: rbac-manager-users-example
rbacBindings:
  - name: cluster-admins
    subjects:
      - kind: User
        name: jane@example.com
    clusterRoleBindings:
      - clusterRole: cluster-admin
  - name: web-developers
    subjects:
      - kind: User
        name: dave@example.com
      - kind: User
        name: joe@example.com
    roleBindings:
      - clusterRole: edit
        namespace: web
      - clusterRole: view
        namespace: api
  - name: ci-bot
    subjects:
      - kind: ServiceAccount
        name: ci-bot
        namespace: rbac-manager
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            ci: edit
      - clusterRole: admin
        namespaceSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - web
                - queue

For the example above, RBAC Manager will create the following resources:

  • A cluster role binding granting Jane cluster-admin
  • A role binding granting Dave and Joe edit in the web namespace
  • A role binding granting Dave and Joe view in the api namespace
  • A service account named ci-bot in the rbac-manager namespace
  • Role bindings granting the ci-bot service account edit in every namespace labelled ci=edit
  • Role bindings granting the ci-bot service account admin in every namespace labelled app=web or app=queue
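To make that expansion concrete, here is an added Python example (not rbac-manager's own code) that computes the bindings the project's example above would produce, and also evaluates the namespaceSelector from the dynamic-creation section; it goes slightly beyond the post by supporting all four matchExpressions operators. It assumes the object-name pattern `<definition>-<binding>-<clusterRole>` seen in the kubectl output and standard Kubernetes label-selector semantics; the namespace labels are constructed for the demo.

```python
# Added example, not rbac-manager's own code: expands an RBACDefinition into the
# RoleBindings/ClusterRoleBindings RBAC Manager would reconcile. The object name
# pattern "<definition>-<binding>-<clusterRole>" is inferred from the kubectl
# output above; selector semantics follow Kubernetes label selectors (terms ANDed).
_OPS = {"In": lambda v, vals: v in vals, "NotIn": lambda v, vals: v not in vals,
        "Exists": lambda v, vals: v is not None, "DoesNotExist": lambda v, vals: v is None}

def namespace_matches(labels, selector):
    """True if a namespace with these labels is selected by a namespaceSelector."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(_OPS[e["operator"]](labels.get(e["key"]), e.get("values", []))
               for e in selector.get("matchExpressions", []))

def expand(definition, namespaces):
    """Return (crbs, rbs) as (name, namespace|None, clusterRole, subjects) tuples."""
    crbs, rbs = [], []
    dname = definition["metadata"]["name"]
    for b in definition["rbacBindings"]:
        for crb in b.get("clusterRoleBindings", []):
            crbs.append((f"{dname}-{b['name']}-{crb['clusterRole']}", None,
                         crb["clusterRole"], b["subjects"]))
        for rb in b.get("roleBindings", []):
            if "namespace" in rb:  # static target namespace
                targets = [rb["namespace"]]
            else:  # dynamic target: every namespace matching the selector right now
                targets = [ns for ns, lbl in namespaces.items()
                           if namespace_matches(lbl, rb["namespaceSelector"])]
            for ns in targets:
                rbs.append((f"{dname}-{b['name']}-{rb['clusterRole']}", ns,
                            rb["clusterRole"], b["subjects"]))
    return crbs, rbs

# The project's example from the post as a dict, plus constructed namespace labels.
EXAMPLE_DEFINITION = {
    "metadata": {"name": "rbac-manager-users-example"},
    "rbacBindings": [
        {"name": "cluster-admins", "subjects": [{"kind": "User", "name": "jane@example.com"}],
         "clusterRoleBindings": [{"clusterRole": "cluster-admin"}]},
        {"name": "web-developers", "subjects": [{"kind": "User", "name": "dave@example.com"},
                                                {"kind": "User", "name": "joe@example.com"}],
         "roleBindings": [{"clusterRole": "edit", "namespace": "web"},
                          {"clusterRole": "view", "namespace": "api"}]},
        {"name": "ci-bot", "subjects": [{"kind": "ServiceAccount", "name": "ci-bot",
                                         "namespace": "rbac-manager"}],
         "roleBindings": [{"clusterRole": "edit", "namespaceSelector": {"matchLabels": {"ci": "edit"}}},
                          {"clusterRole": "admin", "namespaceSelector": {"matchExpressions": [
                              {"key": "app", "operator": "In", "values": ["web", "queue"]}]}}]}]}
EXAMPLE_NAMESPACES = {"web": {"app": "web", "ci": "edit"}, "api": {"app": "api"},
                      "queue": {"app": "queue"}, "rbac-manager": {}}
```

Running `expand(EXAMPLE_DEFINITION, EXAMPLE_NAMESPACES)` yields one ClusterRoleBinding and five RoleBindings, matching the bullet list above (ci-bot gets both edit and admin in web, because web carries both ci=edit and app=web).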