使用Permission manager动态为k8s集群创建用户及kubeconfig

kubernetes rbac

字数统计: 1.1k阅读时长: 5 min

 2021/08/09 

简介

Permission manager是一个简单便捷的RBAC管理界面工具，支持通过web界面创建用户，分配Namespace权限，并可以生成kubeconfig文件

项目地址https://github.com/sighupio/permission-manager.git

安装

[root@master-01 k8s]# git clone https://github.com/sighupio/permission-manager.git 
正克隆到 'permission-manager'...
remote: Enumerating objects: 2350, done.
remote: Counting objects: 100% (593/593), done.
remote: Compressing objects: 100% (395/395), done.
remote: Total 2350 (delta 388), reused 349 (delta 189), pack-reused 1757
接收对象中: 100% (2350/2350), 10.79 MiB | 3.57 MiB/s, done.
处理 delta 中: 100% (1427/1427), done.
[root@master-01 k8s]# cd permission-manager/
[root@master-01 permission-manager]# ls
cmd          development              Dockerfile  e2e-test  go.sum      internal    Makefile   reltag.sh  tests
deployments  development-compose.yml  docs        go.mod    helm_chart  LICENSE.md  README.md  statik     web-client
##部署文件位于deployments/kubernetes下
[root@master-01 permission-manager]# ls deployments/kubernetes/
deploy.yml  seeds
[root@master-01 permission-manager]# ls deployments/kubernetes/seeds/
crd.yml  seed.yml

#

创建namespace

1	kubectl create namespace permission-manager

创建一个secert存储一些配置

---
apiVersion: v1
kind: Secret
metadata:
  name: permission-manager
  namespace: permission-manager
type: Opaque
stringData:
  PORT: "4000" # port where server is exposed
  CLUSTER_NAME: "my-cluster" # name of the cluster to use in the generated kubeconfig file
  CONTROL_PLANE_ADDRESS: "https://apiserver.cluster.local:6443" # full address of the control plane to use in the generated kubeconfig file
  BASIC_AUTH_PASSWORD: "changeMe" # password used by basic auth (username is `admin`)

参数解释：

PORT	服务端口号
CLUSTER_NAME	要在生成的kubeconfig中使用的集群名称
CONTROL_PLANE_ADDRESS	在生成的kubeconfig文件中使用的控制平面的地址
BASIC_AUTH_PASSWORD	web页面密码默认登录账户为admin

部署crd以及预定义的一些权限

[root@master-01 permission-manager]# kubectl apply -f seeds/
customresourcedefinition.apiextensions.k8s.io/permissionmanagerusers.permissionmanager.user created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___operation created
clusterrole.rbac.authorization.k8s.io/template-namespaced-resources___developer created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___read-only created
clusterrole.rbac.authorization.k8s.io/template-cluster-resources___admin created
#会创建admin,read-only,developer三个权限供web页面使用
[root@master-01 permission-manager]# kubectl get clusterrole|grep ^template
template-cluster-resources___admin                                     2021-08-06T02:55:10Z
template-cluster-resources___read-only                                 2021-08-06T02:55:10Z
template-namespaced-resources___developer                              2021-08-06T02:55:10Z
template-namespaced-resources___operation                              2021-08-06T02:55:10Z

部署deployment

[root@master-01 permission-manager]# kubectl apply -f deploy.yml 
service/permission-manager created
deployment.apps/permission-manager created
serviceaccount/permission-manager created
clusterrole.rbac.authorization.k8s.io/permission-manager created
clusterrolebinding.rbac.authorization.k8s.io/permission-manager created
[root@master-01 ingress-route]# kubectl get pod -n permission-manager 
NAME                                 READY   STATUS    RESTARTS   AGE
permission-manager-bdddff74b-4pv67   1/1     Running   0          5m9s

创建ingerss 文件（traefik）

[root@master-01 ingress-route]# cat permission-manager-ingress.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: permission-manager
  namespace: permission-manager
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`rbac.lishuai.fun`)
    kind: Rule
    services:
    - name: permission-manager
      port: 4000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    prometheus.io/http-probe: "true"
  name: permission-manager-tls
  namespace: permission-manager
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`rbac.lishuai.fun`)
    kind: Rule
    services:
    - name: permission-manager
      port: 4000
  tls:
    certResolver: myresolver

使用

首次打开会让我们输入用户名和密码，用户名为admin密码就是上面的secert.yaml文件中定义的BASIC_AUTH_PASSWORD

打开后首页如下

新建用户

我们点击首页的create new user去创建一个用户授予其拥有访问monitoring这个namespace的权限

注意：这里可以使用预先定义的模版，模版的权限我们可以选中后再下方的summay或者选中模板时左侧的info里查看

点击save后页面下方的shou kubeconfig for xxx可以查看生成的kubeconfig 我们可以复制保存为文件joy-config

验证

[root@master-01 permission-manager]# kubectl   --kubeconfig joy-config  -n monitoring  get pod 
NAME                                       READY   STATUS    RESTARTS   AGE
alertmanager-main-0                        2/2     Running   0          6d23h
alertmanager-main-1                        2/2     Running   0          6d23h
blackbox-exporter-7cc588b854-zbvhg         3/3     Running   0          22d
grafana-d99d69764-ck87h                    1/1     Running   0          22d
kube-state-metrics-859b6bf99-9b94p         3/3     Running   0          22d
node-exporter-x4h2l                        2/2     Running   0          191d
node-exporter-xxwkb                        2/2     Running   0          23d
prometheus-adapter-7586ffcbdb-2zhzb        1/1     Running   0          22d
prometheus-alert-center-5655c9c95c-8jqx9   1/1     Running   0          22d
prometheus-k8s-0                           2/2     Running   1          21d
prometheus-operator-69999459d6-s69xv       2/2     Running   0          22d
redis-exporter-6b694dfc97-rk5d2            1/1     Running   0          16d
redis-exporter-test-5795d6db56-2k886       1/1     Running   0          16d
ssl-exporter-6654bc6694-xvpmd              1/1     Running   0          22d
thanos-ruler-kubesphere-0                  2/2     Running   0          21d
webhook-dingtalk-6769f4d79c-kmg4w          1/1     Running   0          22d
[root@master-01 permission-manager]# kubectl   --kubeconfig joy-config  -n kube-system  get pod 
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:permission-manager:joy" cannot list resource "pods" in API group "" in the namespace "kube-system"

自定义规则模板

模板是一个带有前缀的 ClusterRole，例如

1 2	template-namespaced-resources___ template-namespaced-resources___developer

我们可以简单看一下我们的seed.yaml文件中定义的模板

[root@master-01 seeds]# cat seed.yml 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___operation
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___developer
rules:
  - apiGroups:
      - "*"
    resources:
      - "configmaps"

我们这里定义一个名为test的模板，只允许查看pod

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: template-namespaced-resources___test
rules:
  - apiGroups:
      - "*"
    resources:
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "deployments"
    verbs:
      - "*"