Authentication and Authorization #

1. Kubernetes Security Overview #

Every request to the Kubernetes API server passes through three layers in a fixed order: authentication (who is calling), authorization (may this caller perform this operation), and admission control (is the object acceptable, and should it be mutated before it is stored). A request that fails authentication is rejected with HTTP 401, one that fails authorization with HTTP 403; admission control only runs for requests that create, modify or delete objects, and only after it passes is the change persisted.

1.1 Request Flow #

```text
API request security flow
    │
    ├── 1. Authentication
    │       └── establish the caller's identity: user name, UID, groups
    │
    ├── 2. Authorization
    │       └── check that this identity may perform this verb on this resource
    │
    ├── 3. Admission control
    │       └── validate and optionally mutate the request (create/update/delete only)
    │
    └── 4. Persist the object and execute the operation
```

1.2 Types of Users #

| User type | Description |
| --- | --- |
| Normal user | External identity managed outside the cluster (client certificate, OIDC provider, token file). Kubernetes has no User object: a user exists only as the name an authenticator produces. |
| ServiceAccount | In-cluster identity for workloads; a namespaced API object created and managed through the API server. |

2. Authentication #

2.1 Authentication Methods #

```text
Authentication methods
    │
    ├── Client certificates
    │   └── X.509 certificates signed by a CA the API server trusts (--client-ca-file)
    │
    ├── Bearer tokens
    │   ├── Static token file (--token-auth-file)
    │   ├── Bootstrap tokens (used by kubeadm when nodes join)
    │   ├── ServiceAccount tokens (JWTs issued by the API server)
    │   └── OIDC ID tokens from an external identity provider (--oidc-issuer-url, --oidc-client-id)
    │
    ├── Webhook authentication
    │   └── the bearer token is reviewed by an external service (--authentication-token-webhook-config-file)
    │
    └── Anonymous access
        └── unauthenticated requests become user system:anonymous in group system:unauthenticated
```

Several authenticators can be enabled at the same time; the first one that accepts the credential decides the identity, and every authenticated user is also placed in the group `system:authenticated`. Anonymous access is enabled by default (`--anonymous-auth=true`); whatever RBAC grants to `system:anonymous` or `system:unauthenticated` is reachable by anyone who can open a connection to the API server, so audit those bindings and disable anonymous access where it is not needed.

2.2 Client Certificate Authentication #

The API server maps the certificate's Common Name (CN) to the user name and each Organization (O) to a group. Two consequences matter in practice. First, anyone who can sign with the cluster CA can mint any identity, so the CA key must stay on the control plane. Second, Kubernetes does not check certificate revocation lists: a leaked client certificate stays valid until it expires, so keep lifetimes short. Never issue certificates with `O=system:masters`; that group is hard-wired to cluster-admin and cannot be restricted by RBAC.

```bash
# Generate a key and CSR for user "jane" in group "developers"
# (CN becomes the user name, O becomes a group; do not use O=system:masters, see above)
openssl genrsa -out jane.key 2048
openssl req -new -key jane.key -out jane.csr -subj "/CN=jane/O=developers"

# Sign it with the cluster CA. This requires the CA private key, i.e. it runs on a
# control-plane node; the CertificateSigningRequest API is the alternative that
# does not expose ca.key to whoever issues user certificates.
openssl x509 -req -in jane.csr \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial \
  -out jane.crt -days 365

# Add the credential and a context to kubeconfig. "kubernetes" is the cluster name
# kubeadm writes; check `kubectl config get-clusters` if yours differs.
kubectl config set-credentials jane --client-certificate=jane.crt --client-key=jane.key --embed-certs=true
kubectl config set-context jane-context --cluster=kubernetes --user=jane
kubectl config use-context jane-context

# Confirm which user name and groups the API server actually sees (Kubernetes 1.28+)
kubectl auth whoami
```

2.3 Token Authentication #

Bearer tokens travel in the `Authorization: Bearer <token>` header. The simplest and weakest form is a static token file given to the API server: a CSV file with one line per token holding the token, user name, user UID and an optional quoted list of groups. The file is read once at start-up (changes need an API server restart), the tokens never expire and sit on disk in clear text, so it is only suitable for bootstrapping and test clusters; production clusters should use OIDC or ServiceAccount tokens. Note that a Secret object is not a token file: the API server never reads user credentials out of Secrets.

```text
# /etc/kubernetes/static-tokens.csv   format: token,user,uid,"group1,group2"
# (example value; generate real tokens with a CSPRNG, e.g. openssl rand -hex 32)
31ada4fd-adec-460c-809a-9e56ceb75269,jane,1001,"developers"
```

```bash
# kube-apiserver flag that enables the file
--token-auth-file=/etc/kubernetes/static-tokens.csv

# Use the token from kubectl
kubectl config set-credentials jane --token=31ada4fd-adec-460c-809a-9e56ceb75269
```

3. ServiceAccounts #

3.1 ServiceAccount Overview #

A ServiceAccount is the identity a Pod presents to the API server. Every namespace has a `default` ServiceAccount, and a Pod that names none runs as it. The authenticator reports a ServiceAccount as user `system:serviceaccount:<namespace>:<name>` with the groups `system:serviceaccounts` and `system:serviceaccounts:<namespace>`; these are the names that show up in RBAC bindings and audit logs.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
```

3.2 Creating a ServiceAccount #

```bash
# Create the ServiceAccount in the current namespace
kubectl create serviceaccount my-sa

# List ServiceAccounts
kubectl get sa

# Inspect it. Since Kubernetes 1.24 no long-lived token Secret is created
# automatically, so "Tokens: <none>" in this output is expected.
kubectl describe sa my-sa

# Request a short-lived, audience-bound token instead (Kubernetes 1.24+)
kubectl create token my-sa --duration=1h
```

3.3 Using a ServiceAccount in a Pod #

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sa-pod
spec:
  serviceAccountName: my-sa   # defaults to "default" when omitted
  containers:
  - name: app
    image: nginx
```

The token is projected into every container at `/var/run/secrets/kubernetes.io/serviceaccount/token`, next to the cluster CA certificate and the namespace name. Since Kubernetes 1.22 this is a bound, time-limited token that the kubelet rotates, but anything that can read the container filesystem (a remote code execution bug, an arbitrary file read) obtains the Pod's API identity, so the ServiceAccount should carry no more permissions than the workload needs.

3.4 Disabling Token Auto-Mount #

Most workloads never call the Kubernetes API and should not receive a token at all. Set `automountServiceAccountToken: false` on the ServiceAccount; the same field in `spec` of a Pod overrides the ServiceAccount-level setting in either direction.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa
automountServiceAccountToken: false   # Pods using my-sa get no token unless their spec says otherwise
```
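The following script is an added example and not code from the original page or from Kubernetes. It models how the authenticators described in sections 2 and 3 turn a credential into the user name and group list that the authorizer later evaluates: a certificate subject, a static token file line and a ServiceAccount JWT. The JWT is constructed inside the script and signed with a throwaway HMAC key so that it runs offline; that is an assumption for the demo only, since real ServiceAccount tokens are signed with the API server's private key (RS256 or ES256) and must be verified against it, for example through the TokenReview API. The token-file line and the certificate subject are likewise made-up sample values.

```python
"""Added example: credential -> (user name, groups), as the API server's
authenticators would report it.

  * X.509 client certificate: CN -> user name, every O -> a group
  * static token file line:   token,user,uid,"group1,group2"
  * ServiceAccount JWT:       the sub claim is the user name; the authenticator
                              adds system:serviceaccounts and
                              system:serviceaccounts:<namespace>

The JWT below is CONSTRUCTED here and signed with a throwaway HMAC key so the
script runs offline (demo assumption). Real ServiceAccount tokens are signed by
the API server's key and must be verified against it, never with a shared secret.
"""
import base64
import csv
import hashlib
import hmac
import json
import time

AUTHENTICATED = "system:authenticated"   # added to every authenticated identity


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_from_cert_subject(cn, orgs):
    """CN becomes the user name; each O becomes a group. A certificate carrying
    O=system:masters is cluster-admin no matter what RBAC says."""
    return cn, list(orgs) + [AUTHENTICATED]


def identity_from_token_file(csv_line, presented_token):
    """Match a bearer token against one --token-auth-file line. Returns None
    when it does not match (the next authenticator in the chain is then tried)."""
    fields = next(csv.reader([csv_line]))
    token, user = fields[0], fields[1]          # fields[2] is the UID, unused here
    groups = fields[3].split(",") if len(fields) > 3 and fields[3] else []
    if not hmac.compare_digest(token.encode(), presented_token.encode()):
        return None
    return user, groups + [AUTHENTICATED]


def make_demo_sa_token(key, namespace, name, audience, exp):
    """Build a JWT with the claims a projected ServiceAccount token carries
    (demo signing with HS256; real tokens use RS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "aud": [audience],
        "exp": exp,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": name}},
    }
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def identity_from_sa_token(token, key, audience, now=None):
    """Validate a ServiceAccount token and return (user, groups); raise
    ValueError for anything the API server would answer with 401."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if audience not in claims["aud"]:
        raise ValueError("audience mismatch")   # a token minted for another service is refused
    ns = claims["kubernetes.io"]["namespace"]
    name = claims["kubernetes.io"]["serviceaccount"]["name"]
    if claims["sub"] != f"system:serviceaccount:{ns}:{name}":
        raise ValueError("sub claim does not match kubernetes.io claims")
    return claims["sub"], ["system:serviceaccounts", f"system:serviceaccounts:{ns}", AUTHENTICATED]


def rejection_reason(token, key, audience, now=None):
    """Same check, but returns the reason string instead of raising (None = accepted)."""
    try:
        identity_from_sa_token(token, key, audience, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"demo-only-key"
    aud = "https://kubernetes.default.svc"
    tok = make_demo_sa_token(key, "default", "my-sa", aud, exp=int(time.time()) + 3600)
    print(identity_from_sa_token(tok, key, aud))
    print(identity_from_cert_subject("admin", ["system:masters"]))
```

The three functions return the same shape because that is the contract between authentication and authorization: RBAC never sees certificates or tokens, only the user name and groups, which is why a ServiceAccount subject in a RoleBinding is matched purely by the `system:serviceaccount:<ns>:<name>` string.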

4. RBAC Authorization #

4.1 RBAC Overview #

RBAC (Role-Based Access Control) grants permissions by binding roles to subjects. It is enabled with `--authorization-mode=RBAC` on the API server (kubeadm's default is `Node,RBAC`). A role is a list of allow rules, each naming API groups, resources and verbs. There are no deny rules: a subject's permissions are the union of every role bound to it, and anything not explicitly allowed is denied.

```text
RBAC objects
    │
    ├── Role
    │   └── rules scoped to one namespace
    │
    ├── ClusterRole
    │   └── rules for cluster-scoped resources (nodes, namespaces, ...) or for reuse across namespaces
    │
    ├── RoleBinding
    │   └── binds a Role, or a ClusterRole, to subjects within one namespace
    │
    └── ClusterRoleBinding
        └── binds a ClusterRole to subjects in every namespace
```

The binding decides the scope, not the role: a ClusterRole bound through a RoleBinding grants its rules only in that namespace, while the same ClusterRole in a ClusterRoleBinding grants them cluster-wide. A binding's `roleRef` is immutable; to point a binding at a different role, delete and recreate it.

4.2 Creating a Role #

A Role is namespaced and only grants access inside its own namespace. Subresources such as `pods/log` or `pods/exec` are separate resources as far as RBAC is concerned: a rule on `pods` does not cover them, which is why log access is a second rule below.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]            # "" is the core API group (pods, services, secrets, ...)
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]    # subresource, must be granted explicitly
  verbs: ["get"]
```

4.3 Creating a ClusterRole #

Nodes are cluster-scoped, so a Role cannot grant access to them; this needs a ClusterRole.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader        # ClusterRoles have no namespace
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
```

4.4 Creating a RoleBinding #

A RoleBinding ties a role to subjects inside one namespace. User and Group subjects are matched by the exact name the authenticator produced (certificate CN, OIDC claim, token-file entry) and carry `apiGroup: rbac.authorization.k8s.io`; ServiceAccount subjects are matched by name plus namespace and take no apiGroup.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane                          # the user name as reported by the authenticator
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: my-sa
  namespace: default                  # a ServiceAccount from another namespace can be bound as well
roleRef:
  kind: Role
  name: pod-reader                    # must exist in the binding's own namespace
  apiGroup: rbac.authorization.k8s.io
```

4.5 Creating a ClusterRoleBinding #

A ClusterRoleBinding applies in every namespace and to cluster-scoped resources. Review these bindings more carefully than RoleBindings: binding a broad ClusterRole here is how accidental cluster-admin grants usually happen.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole          # a ClusterRoleBinding can only reference a ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

5. Common Role Examples #

The Roles in this section carry no `metadata.namespace`, so `kubectl apply` places them in the namespace of the current context (or the one given with `-n`). Kubernetes also ships the built-in ClusterRoles `view`, `edit`, `admin` and `cluster-admin`, which cover most of these cases and are kept up to date with new API resources; prefer them unless you need something narrower.

5.1 Read-Only Role #

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: readonly
rules:
- apiGroups: [""]
  # get/list/watch on secrets returns their contents; drop "secrets" here unless
  # the reader genuinely needs them (the built-in "view" ClusterRole omits them)
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
```

5.2 Developer Role #

Two things to know before handing this out. `kubectl apply` sends a PATCH for objects that already exist, so without the `patch` verb developers can create but not re-apply their manifests; it is added below. More importantly, anyone who can create Pods (directly or through Deployments, Jobs and the like) can mount every Secret in the namespace and run as any ServiceAccount in it, so this role effectively grants all permissions held by any ServiceAccount in the namespace. Keep powerful ServiceAccounts out of namespaces where developers can create workloads.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]   # patch: needed by kubectl apply
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

5.3 Administrator Role #

The name is misleading: a ClusterRole with `*` for groups, resources and verbs is identical to the built-in `cluster-admin`. It is only a namespace admin if it is bound with a RoleBinding; bind it with a ClusterRoleBinding and the subject can do anything in the cluster, including editing RBAC itself. For namespace administration use the built-in `admin` ClusterRole via a RoleBinding instead; it is designed for that purpose and withholds write access to the namespace object and resource quotas.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-admin   # equals cluster-admin if bound with a ClusterRoleBinding
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```

6. Managing RBAC #

6.1 Listing Roles and Bindings #

```bash
# List Roles in a namespace
kubectl get roles -n <namespace>

# List ClusterRoles (includes the built-in system: roles)
kubectl get clusterroles

# List RoleBindings in a namespace
kubectl get rolebindings -n <namespace>

# List ClusterRoleBindings (cluster-scoped, so no -n)
kubectl get clusterrolebindings
```

6.2 Checking Permissions #

`kubectl auth can-i` sends a SelfSubjectAccessReview, so the answer comes from the API server's configured authorizers rather than from reading RBAC objects yourself. The `--as` and `--as-group` flags use impersonation, which itself requires the `impersonate` verb on `users`, `groups` and `serviceaccounts`; without it the check fails with 403 rather than answering "no".

```bash
# Check a user's permission (impersonation; the caller needs the "impersonate" verb)
kubectl auth can-i list pods --as jane

# Check a ServiceAccount
kubectl auth can-i list pods --as=system:serviceaccount:default:my-sa

# Check in a specific namespace. Without -n the current context's namespace is used,
# not all namespaces, so a "no" here says nothing about other namespaces.
kubectl auth can-i list pods --as jane -n development
```
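To make the binding rules of section 4 concrete, here is an added Python model of the decision that `kubectl auth can-i` asks the API server to make. It is not code from this page or from Kubernetes: the Role, ClusterRole and bindings from section 4 (plus the `namespace-admin` ClusterRole from section 5.3) are transcribed as dicts, and one extra RoleBinding in a `staging` namespace for a group called `sre` is invented to show a ClusterRole bound through a RoleBinding.

```python
"""Added example: a minimal model of RBAC authorization.

Rules reproduced here:
  * rules are allow-only and additive; a request is denied unless some rule
    bound to the subject matches (there is no deny rule)
  * a RoleBinding grants only inside its own namespace, even when its
    roleRef is a ClusterRole
  * a ClusterRoleBinding grants in every namespace and for cluster-scoped
    resources such as nodes
  * "*" matches any apiGroup, resource or verb; a subresource (pods/log) is
    matched by its full name

The "staging" RoleBinding for group "sre" is constructed for this example.
"""

ROLES = {  # (namespace, name) -> rules, from section 4.2
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    ],
}
CLUSTER_ROLES = {  # name -> rules, from sections 4.3 and 5.3
    "node-reader": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}],
    "namespace-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# subjects are (kind, name, namespace); the namespace is only meaningful for ServiceAccount
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": ("Role", "pod-reader"),
     "subjects": [("User", "jane", None), ("ServiceAccount", "my-sa", "default")]},
    {"namespace": "staging", "roleRef": ("ClusterRole", "namespace-admin"),   # constructed
     "subjects": [("Group", "sre", None)]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": ("ClusterRole", "node-reader"), "subjects": [("User", "jane", None)]},
]


def subject_matches(entry, user, groups):
    kind, name, ns = entry
    if kind == "User":
        return user == name
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        # the authenticator names ServiceAccounts system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{ns}:{name}"
    return False


def rule_allows(rule, verb, api_group, resource):
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def rules_for(role_ref, binding_namespace):
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    # a Role must live in the same namespace as the RoleBinding that references it
    return ROLES.get((binding_namespace, name), [])


def can_i(user, verb, resource, namespace=None, api_group="", groups=()):
    """namespace=None means a cluster-scoped request, e.g. listing nodes."""
    groups = list(groups) + ["system:authenticated"]
    bindings = [(b, None) for b in CLUSTER_ROLE_BINDINGS]          # apply everywhere
    if namespace is not None:                                       # RoleBindings: own namespace only
        bindings += [(b, b["namespace"]) for b in ROLE_BINDINGS if b["namespace"] == namespace]
    for binding, scope in bindings:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in rules_for(binding["roleRef"], scope)):
            return True
    return False   # nothing matched: RBAC denies by default


if __name__ == "__main__":
    print(can_i("jane", "list", "pods", namespace="default"))        # Role via RoleBinding
    print(can_i("jane", "list", "pods", namespace="development"))    # binding is namespaced
    print(can_i("jane", "list", "nodes"))                            # ClusterRoleBinding
    print(can_i("bob", "delete", "secrets", namespace="staging", groups=["sre"]))
    print(can_i("bob", "delete", "secrets", namespace="default", groups=["sre"]))
```

The `staging` case is the one people get wrong: the `sre` group holds a `*/*/*` ClusterRole, yet it cannot touch `default` or list nodes, because the RoleBinding confines the grant to its namespace. Move the same roleRef into a ClusterRoleBinding and every one of those checks flips to allowed.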

7. Best Practices #

7.1 Principle of Least Privilege #

Grant only the verbs and resources a subject actually uses, and scope the grant with a RoleBinding rather than a ClusterRoleBinding whenever the work is confined to a namespace. Because RBAC has no deny rule, every over-broad rule stays in force until someone removes it.

```yaml
# Grant only what is required: read pods, nothing else
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
```

7.2 Isolate by Namespace #

Use a separate Role and RoleBinding per namespace so that a team's access in `development` says nothing about `production`. Note that `apiGroup` is required on User and Group subjects and on `roleRef`; the API server rejects a binding without it.

```yaml
# Each namespace gets its own Role and binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-access
  namespace: development
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer           # the Role named "developer" in namespace "development"
  apiGroup: rbac.authorization.k8s.io
```

7.3 Audit Permissions Regularly #

Bindings accumulate. Review them on a schedule, starting with the subjects of the `cluster-admin` ClusterRoleBinding, any ClusterRoleBinding that references a `*` ClusterRole, and anything bound to `system:anonymous`, `system:unauthenticated` or `system:authenticated`. Listing what a given user can do needs impersonation rights, as in section 6.2.

```bash
# List every binding (ClusterRoleBindings are cluster-scoped and appear once)
kubectl get rolebindings,clusterrolebindings -A

# Enumerate everything a user may do in the current namespace
kubectl auth can-i --list --as jane
```
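As an added example of what an automated audit pass can look like (it is not code from this page or from any Kubernetes tool), the following Python script scans the roles from section 5 for grants a reviewer should question. The roles are transcribed from the page as dicts; the severity labels and the specific checks are this example's own choices, based on documented RBAC behaviour.

```python
"""Added example: flag RBAC rules that deserve a second look.

Checks (facts about RBAC, severities chosen for this example):
  * "*" on resources or verbs is admin within the binding's scope
  * get/list/watch on secrets returns secret contents (list and watch include
    the data, so "only list" is not a safe read-only grant)
  * create on pods, or on any controller that creates pods, lets the holder mount
    every Secret in the namespace and run as any ServiceAccount there
  * create on pods/exec or pods/attach is a shell into running containers
  * the bind, escalate and impersonate verbs let a subject obtain more rights
"""

POD_CREATORS = {"pods", "replicasets", "deployments", "statefulsets", "daemonsets", "jobs", "cronjobs"}
READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

ROLES = {  # the section 5 examples, transcribed
    "readonly": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
    "developer": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ],
    "namespace-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def audit_rule(rule):
    """Return a list of (severity, message) findings for one rule."""
    resources, verbs = set(rule["resources"]), set(rule["verbs"])
    if "*" in resources and "*" in verbs:
        # everything else is implied by full admin, so report only this
        return [("HIGH", "wildcard resources and verbs: full admin within the binding's scope")]
    findings = []
    if "*" in resources or "*" in verbs:
        findings.append(("MEDIUM", "wildcard resource or verb list"))
    if ("secrets" in resources or "*" in resources) and (verbs & READ_VERBS or "*" in verbs):
        findings.append(("HIGH", "can read Secret contents (get/list/watch on secrets)"))
    if (resources & POD_CREATORS or "*" in resources) and ("create" in verbs or "*" in verbs):
        findings.append(("HIGH", "can create Pods: may mount any Secret and run as any ServiceAccount in the namespace"))
    if resources & {"pods/exec", "pods/attach"} and ("create" in verbs or "*" in verbs):
        findings.append(("HIGH", "can exec/attach into running containers"))
    if verbs & ESCALATION_VERBS or "*" in verbs:
        findings.append(("HIGH", "bind/escalate/impersonate allow privilege escalation"))
    return findings


def audit_role(name, rules):
    """Flatten the findings of every rule as 'role[rule i] SEVERITY: message'."""
    return [f"{name}[rule {i}] {sev}: {msg}"
            for i, rule in enumerate(rules) for sev, msg in audit_rule(rule)]


def highest_severity(rules):
    order = {"HIGH": 2, "MEDIUM": 1}
    found = [sev for rule in rules for sev, _ in audit_rule(rule)]
    return max(found, key=order.get) if found else "NONE"


if __name__ == "__main__":
    for name, rules in ROLES.items():
        print(name, "->", highest_severity(rules))
        for line in audit_role(name, rules):
            print("  ", line)
```

Run against the page's own examples, the script rates all three roles HIGH: `readonly` because it can read Secrets, `developer` because it can create workloads (and therefore reach every Secret and ServiceAccount in its namespace), and `namespace-admin` because it is a full wildcard. That is the point of the exercise; "read-only" and "developer" sound harmless until the implied permissions are spelled out. The same checks can be run over live objects by feeding `kubectl get roles,clusterroles -A -o json` into the dict format used here.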

8. Summary #

8.1 Key Points #

| Object | Description |
| --- | --- |
| ServiceAccount | Identity of a Pod; appears to RBAC as `system:serviceaccount:<namespace>:<name>` |
| Role | Allow rules scoped to one namespace |
| ClusterRole | Allow rules usable cluster-wide or reused across namespaces |
| RoleBinding | Grants a Role or ClusterRole to subjects in one namespace |
| ClusterRoleBinding | Grants a ClusterRole to subjects in every namespace |

8.2 Next Steps #

With authentication and authorization covered, the next topic is Pod security: the security settings that apply at the Pod level.

Last updated: 2026-03-28