misterli's Blog.

akcess, a Kubernetes RBAC tool

Word count: 1.2k, reading time: 5 min
2022/04/06

akcess is a command-line tool that generates a kubeconfig granting access to a Kubernetes cluster.

When we run the akcess allow command, it creates the corresponding Role, RoleBinding and CertificateSigningRequest resources.

Installation

The example below is for a 64-bit x86 Linux system; for other architectures, see the releases page.

export VERSION=0.0.3
wget https://github.com/viveksinghggits/akcess/releases/download/v${VERSION}/akcess_${VERSION}_Linux_x86_64.tar.gz
tar xf akcess_0.0.3_Linux_x86_64.tar.gz
mv akcess /usr/local/bin
[root@master-01 ~]# akcess version
0.0.3

akcess supports the following commands:

[root@master-01 ~]# akcess  -h
Create kubeconfig file with specified fine-grained authorization

Usage:
akcess [flags]
akcess [command]

Available Commands:
allow Allow the access to the resources
completion Generate the autocompletion script for the specified shell
delete Delete the kubernetes resources that were made specific allow command
help Help about any command
list List the number of times we ran the allow command
version Print the version of akcess

Flags:
-h, --help help for akcess

Use "akcess [command] --help" for more information about a command.

A quick demo

Allow listing pods in the monitoring namespace; here we redirect the output straight into a file named akcess-demo.

[root@master-01 ~]# akcess allow --verb list --resource pods -n monitoring > akcess-demo

Let's take a quick look at the file contents:

[root@master-01 ~]# cat akcess-demo
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQWJLZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQ0FYRFRJeE1ERXhOREF6TlRFek1Wb1lEekl4TWpBeE1qSXhNRE0xTVRNeFdqQVZNUk13RVFZRApWUVFERXdwcmRXSmxjbTVsZ*******p3Z1k4RzlnUGthNDVVU2tTQVdUL2g0TkU3VlVTCjRidXhWV3JBWUVXaHJHVGhROFZKUUZtT0R1RmxWak9UdXkrQndRbFl1eEbnNmVnZsekZycDZLV0Jrb1pOajBqYjRzWm9LVFBXMUxLeHJKbWFvaHdEcG9SYTNTWHdTUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://********:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: akcess-rf4md
name: test-context
current-context: test-context
kind: Config
preferences: {}
users:
- user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4VENDQWRtZ0F3SUJBZ0lRWUhLSEhNVWlzODZtRVgwUk8rYzFLakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1DQVhEVEl5TURRd05URTNNREl6TTFvWUR6SXhNakF4TWpJeApNRE0xTVRNeFdqQXJNUkl3RUFZRFZRUUtFd*************sbzQ2Yk92cW9oYW5jNHd6VHdQSU10Y0w2YXlqRks2ZG1ORkRkaTVjM2R6ZXlhQ1R5dEt1eWlKCkZLckdhS3JXWjFWnJCaWl0VkU3K2Z6dXF2K1dlc210ckVEVzJjMldpCnovNGljUWJxemw5YlZoc3FDKy9tQ2pYeEplaHN1SUQ2MUU1YkVWQUhwR3NzZlpaWEVBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBd2lMc29ZSWRhVVBIdlNSbU51SXVORkROV1d4cHdTY1ltaHRzNmVqc2xlZ045RTJQCmg4Q21RTWpEeUNobWtEZnF2bndDbUxJaUhxenB5bEE1MWxjTnk2QjJXampwczYrcWlGcWR6akROUEE4Z3kxd3YKcHJLTVVycDJZMFVOMkxsemQzTjdKb0******F2em8yQkY1ZgpodHNxR3lsWWVYRmlycDhQaG5yczBvYmp6ZDUwYzFrMjBDbnF0Nk44dkNyQklrQmQ4cmloUXF3PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
name: akcess-rf4md

Now we use this kubeconfig to verify the grant. As shown below, the kubeconfig can only list pods in the monitoring namespace; it can neither modify pods nor touch any other resource.

[root@master-01 ~]# kubectl --kubeconfig=akcess-demo  get pod -n monitoring
NAME READY STATUS RESTARTS AGE
kube-state-metrics-6d66b8ffbd-qvrwz 3/3 Running 0 6d11h
prometheus-adapter-5579d9df79-ftdsm 1/1 Running 0 6d13h
prometheus-operator-8554b997bf-xz2pt 2/2 Running 0 6d13h
[root@master-01 ~]# kubectl --kubeconfig=akcess-demo get svc -n monitoring
Error from server (Forbidden): services is forbidden: User "akcess-rf4md" cannot list resource "services" in API group "" in the namespace "monitoring"
[root@master-01 ~]# kubectl --kubeconfig=akcess-demo delete pod kube-state-metrics-6d66b8ffbd-qvrwz -n monitoring
Error from server (Forbidden): pods "kube-state-metrics-6d66b8ffbd-qvrwz" is forbidden: User "akcess-rf4md" cannot delete resource "pods" in API group "" in the namespace "monitoring"

We can also check which Kubernetes resources the earlier akcess allow --verb list --resource pods -n monitoring > akcess-demo command created:

[root@master-01 ~]# kubectl -n monitoring  get role  
NAME CREATED AT
akcess-jtq84 2022-04-05T17:07:34Z
[root@master-01 ~]# kubectl -n monitoring get rolebindings.rbac.authorization.k8s.io
NAME ROLE AGE
akcess-zh5ss Role/akcess-jtq84 5m51s
[root@master-01 ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
akcess-w7dqg 6m19s kubernetes.io/kube-apiserver-client kubernetes-admin Approved,Issued

Shell completion

Running source <(akcess completion bash) enables command completion for the current terminal only; to make it permanent, run akcess completion bash > /etc/bash_completion.d/akcess.

# the following shells are supported
[root@master-01 ~]# akcess completion -h
Generate the autocompletion script for akcess for the specified shell.
See each sub-command's help for details on how to use the generated script.

Usage:
akcess completion [command]

Available Commands:
bash Generate the autocompletion script for bash
fish Generate the autocompletion script for fish
powershell Generate the autocompletion script for powershell
zsh Generate the autocompletion script for zsh
# different operating systems are supported
#### Linux:

akcess completion bash > /etc/bash_completion.d/akcess

#### macOS:

akcess completion bash > /usr/local/etc/bash_completion.d/akcess

Usage

Allow listing pods in the default namespace:

akcess allow --verb list --resource pods

Allow viewing the logs of the pod named nginx in the test namespace:

# log is sub resource for pod resource
akcess allow --verb get --resource pods,pods/log -n test --resource-name nginx

Allow exec access to pods in the database namespace:

» akcess allow  --verb get,create --resource pods,pods/exec -n database

Allow viewing the logs of pods carrying the label component=database in the backend namespace:

# more than one labels can be comma separated
» akcess allow --verb get --resource pods,pods/log -l component=database -n backend

Allow viewing services carrying the label component=database in the backend namespace:

» akcess allow  --verb get --resource services -l component=database -n backend

Specify how long the access is valid; the default is one day and the unit is minutes.

This requires a Kubernetes cluster of version 1.22 or later.

# value of --for is in minutes and can not be less than 10
» akcess allow --verb get --resource pods,pods/log -n <namespace> --for 10

To see how many times akcess allow has been run: every Kubernetes resource akcess creates is annotated with the key allow.akcess.id and a UUID as its value. The set of resources created, or equivalently the number of times akcess allow has been run, can be obtained by running akcess list; we can also look at the file ~/.akcess/config.

[root@master-01 ~]# akcess list
- id: af1226f0-7b18-40e5-9f83-b00f4a5d4666
createdAt: 2022-04-06T01:07:33.060177754+08:00
namespace: monitoring
- id: bb086e14-01e3-4ee6-be20-67749bb8aeec
createdAt: 2022-04-06T01:21:52.931533984+08:00
namespace: default
[root@master-01 ~]# cat ~/.akcess/config ## only one entry is shown here because I had already run the delete command below
- id: bb086e14-01e3-4ee6-be20-67749bb8aeec
createdAt: 2022-04-06T01:21:52.931533984+08:00
namespace: default
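Because every resource akcess creates carries the allow.akcess.id annotation, a defender can audit outstanding grants straight from a kubectl JSON dump. The script below is an added example, not part of the post or of akcess itself: it groups Roles, RoleBindings and CSRs by grant id, reports what each grant allows, flags bindings whose Role has already been deleted, and flags certificates past their lifetime. It assumes akcess passes the --for value as spec.expirationSeconds on the CSR (one day when absent); the sample dump is constructed, reusing the names and id from the post plus one made-up half-deleted grant.

```python
"""Audit akcess-created RBAC grants from a kubectl JSON dump (constructed sample below)."""
from datetime import datetime, timedelta

ANNOTATION = "allow.akcess.id"  # annotation key akcess puts on every resource it creates
GID = "af1226f0-7b18-40e5-9f83-b00f4a5d4666"      # grant id taken from the post
ORPHAN = "11111111-2222-4333-8444-555555555555"   # constructed id for a half-deleted grant

# Constructed sample shaped like `kubectl get role,rolebinding,csr -A -o json` output.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"name": "akcess-jtq84", "namespace": "monitoring",
     "annotations": {ANNOTATION: GID}}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "akcess-zh5ss", "namespace": "monitoring",
     "annotations": {ANNOTATION: GID}}, "roleRef": {"kind": "Role", "name": "akcess-jtq84"},
     "subjects": [{"kind": "User", "name": "akcess-rf4md"}]},
    {"kind": "CertificateSigningRequest", "metadata": {"name": "akcess-w7dqg", "annotations": {ANNOTATION: GID},
     "creationTimestamp": "2022-04-05T17:07:34Z"}, "spec": {"expirationSeconds": 86400}},
    {"kind": "RoleBinding", "metadata": {"name": "akcess-orph4n", "namespace": "default",
     "annotations": {ANNOTATION: ORPHAN}}, "roleRef": {"kind": "Role", "name": "akcess-g0ne"},
     "subjects": [{"kind": "User", "name": "akcess-x1y2z"}]},
]}

def audit(items, now_iso):
    """Group akcess resources by grant id; flag expired certs and bindings whose Role is gone."""
    now = datetime.fromisoformat(now_iso)
    grants = {}
    for obj in items:
        gid = obj["metadata"].get("annotations", {}).get(ANNOTATION)
        if not gid:
            continue  # not created by akcess, ignore
        g = grants.setdefault(gid, {"roles": {}, "bindings": [], "expires": None})
        if obj["kind"] == "Role":
            g["roles"][obj["metadata"]["name"]] = obj["rules"]
        elif obj["kind"] == "RoleBinding":
            g["bindings"].append(obj)
        elif obj["kind"] == "CertificateSigningRequest":
            created = datetime.fromisoformat(obj["metadata"]["creationTimestamp"].replace("Z", "+00:00"))
            # assumption: akcess sets spec.expirationSeconds from --for; default is one day
            g["expires"] = created + timedelta(seconds=obj["spec"].get("expirationSeconds", 86400))
    report = []
    for gid, g in grants.items():
        for b in g["bindings"]:
            rules = g["roles"].get(b["roleRef"]["name"])  # None when the Role no longer exists
            report.append({"id": gid, "namespace": b["metadata"]["namespace"],
                           "users": [s["name"] for s in b["subjects"]],
                           "verbs": sorted({v for r in rules for v in r["verbs"]}) if rules else [],
                           "dangling": rules is None,
                           "expired": g["expires"] is not None and g["expires"] <= now})
    return report
```

On a real cluster, feed it `json.load(open("dump.json"))["items"]` from the kubectl command in the comment; an expired or dangling entry is a candidate for akcess delete --id.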

To revoke a kubeconfig, run the command below: it deletes the Role, RoleBinding and CertificateSigningRequest that were created, after which the kubeconfig file can no longer be used.

akcess  delete --id af1226f0-7b18-40e5-9f83-b00f4a5d4666