Published 30 June 2023 (author: )
16. Kubernetes security lab cases

Lab case 1: authorizing an ordinary user in Kubernetes

RBAC is role-based access control. In this lab we create a user kaka as a dashboard account that manages namespace=dev.

Step 1: create the account kaka in the specified namespace

```shell
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl create namespace dev
namespace/dev created
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl create serviceaccount kaka -n dev
serviceaccount/kaka created
```

Step 2: create the kaka-role rules

```shell
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl api-resources
NAME                              SHORTNAMES   APIVERSION           NAMESPACED   KIND
bindings                                       v1                   true         Binding
componentstatuses                 cs           v1                   false        ComponentStatus
configmaps                        cm           v1                   true         ConfigMap
endpoints                         ep           v1                   true         Endpoints
events                            ev           v1                   true         Event
limitranges                       limits       v1                   true         LimitRange
namespaces                        ns           v1                   false        Namespace
nodes                             no           v1                   false        Node
persistentvolumeclaims            pvc          v1                   true         PersistentVolumeClaim
persistentvolumes                 pv           v1                   false        PersistentVolume
pods                              po           v1                   true         Pod
podtemplates                                   v1                   true         PodTemplate
replicationcontrollers            rc           v1                   true         ReplicationController
resourcequotas                    quota        v1                   true         ResourceQuota
secrets                                        v1                   true         Secret
serviceaccounts                   sa           v1                   true         ServiceAccount
services                          svc          v1                   true         Service
mutatingwebhookconfigurations                  /v1                  false        MutatingWebhookConfiguration
validatingwebhookconfigurations                /v1                  false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     /v1                  false        CustomResourceDefinition
apiservices                                    /v1                  false        APIService
controllerrevisions                            apps/v1              true         ControllerRevision
daemonsets                        ds           apps/v1              true         DaemonSet
deployments                       deploy       apps/v1              true         Deployment
replicasets                       rs           apps/v1              true         ReplicaSet
statefulsets                      sts          apps/v1              true         StatefulSet
tokenreviews                                   /v1                  false        TokenReview
localsubjectaccessreviews                      /v1                  true         LocalSubjectAccessReview
selfsubjectaccessreviews                       /v1                  false        SelfSubjectAccessReview
selfsubjectrulesreviews                        /v1                  false        SelfSubjectRulesReview
subjectaccessreviews                           /v1                  false        SubjectAccessReview
horizontalpodautoscalers          hpa          autoscaling/v1       true         HorizontalPodAutoscaler
cronjobs                          cj           batch/v1             true         CronJob
jobs                                           batch/v1             true         Job
certificatesigningrequests        csr          /v1                  false        CertificateSigningRequest
leases                                         /v1                  true         Lease
endpointslices                                 /v1                  true         EndpointSlice
events                            ev           /v1                  true         Event
ingresses                         ing          extensions/v1beta1   true         Ingress
flowschemas                                    /v1beta1             false        FlowSchema
prioritylevelconfigurations                    /v1beta1             false        PriorityLevelConfiguration
nodes                                          /v1beta1             false        NodeMetrics
pods                                           /v1beta1             true         PodMetrics
ingressclasses                                 /v1                  false        IngressClass
ingresses                         ing          /v1                  true         Ingress
networkpolicies                   netpol       /v1                  true         NetworkPolicy
runtimeclasses                                 /v1                  false        RuntimeClass
poddisruptionbudgets              pdb          policy/v1            true         PodDisruptionBudget
podsecuritypolicies               psp          policy/v1beta1       false        PodSecurityPolicy
clusterrolebindings                            /v1                  false        ClusterRoleBinding
clusterroles                                   /v1                  false        ClusterRole
rolebindings                                   /v1                  true         RoleBinding
roles                                          /v1                  true         Role
priorityclasses                   pc           /v1                  false        PriorityClass
csidrivers                                     /v1                  false        CSIDriver
csinodes                                       /v1                  false        CSINode
csistoragecapacities                           /v1beta1             true         CSIStorageCapacity
storageclasses                    sc           /v1                  false        StorageClass
volumeattachments                              /v1                  false
```

```shell
cat >> << EOF
kind: Role
apiVersion: /v1
metadata:
  namespace: dev
  name: kaka-role
rules:
- apiGroups: ["*"]                 # API group of the resource (not its version); "*" matches every group
  resources: ["pods","pods/exec"]  # pods is the pod resource; pods/exec allows running commands inside a pod
  verbs: ["*"]                     # the operations permitted; "*" means all operations
  ##RO-Role
  #verbs: ["get", "watch", "list"]
- apiGroups: ["extensions", "apps"]  # apiGroups take the group name only; "apps/v1" (group/version) matches no request
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  ##RO-Role
  #verbs: ["get", "watch", "list"]
EOF
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl apply -f
```
```shell
/kaka-role created
```

Step 3: bind the rules to the account

```shell
cat >> << EOF
kind: RoleBinding
apiVersion: /v1
metadata:
  name: role-bind-kaka
  namespace: dev
subjects:
- kind: ServiceAccount
  name: kaka
  namespace: dev
roleRef:
  kind: Role
  name: kaka-role
  apiGroup:
EOF
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl apply -f
/role-bind-kaka created
```

Step 4: get the token name

```shell
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl get secrets -n dev | grep kaka
kaka-token-mpbwh   /service-account-token   3      17m
#root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl get secret kaka-token-mpbwh -o jsonpath={.} -n dev |base64 -d
root@k8s-master01:/apps/k8s-yaml/auth-case# kubectl describe secrets kaka-token-mpbwh -n dev
Name:         kaka-token-mpbwh
Namespace:    dev
Labels:
```
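Before logging in as kaka it helps to see exactly what the kaka-role rules grant. The following Python script is an added example, not code from the original post: it re-implements the matching the Kubernetes RBAC authorizer applies to a request (apiGroup, resource or resource/subresource, verb), evaluates the kaka-role rules and the commented-out RO-Role variant, and shows the frequent mistake of writing "apps/v1" instead of the group name "apps" in apiGroups.

```python
# Added example (not from the original post): a minimal re-implementation of how the
# Kubernetes RBAC authorizer matches one request against the PolicyRules of a Role.
# A request is allowed only if a single rule matches its apiGroup, its resource
# (including the "resource/subresource" form) and its verb. Rules are dicts here.

def _group_matches(rule, group):
    return "*" in rule["apiGroups"] or group in rule["apiGroups"]

def _resource_matches(rule, resource, subresource):
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule["resources"]:
        if entry == "*" or entry == combined:
            return True
        # "*/exec"-style entries match that subresource on every resource
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def _verb_matches(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]

def allowed(rules, group, resource, verb, subresource=""):
    """True if some single rule grants `verb` on group/resource[/subresource]."""
    return any(_group_matches(r, group) and _resource_matches(r, resource, subresource)
               and _verb_matches(r, verb) for r in rules)

# kaka-role from the post (apiGroups hold group names; "" is the core group)
KAKA_ROLE = [
    {"apiGroups": ["*"], "resources": ["pods", "pods/exec"], "verbs": ["*"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]
# the commented-out "RO-Role" variant from the post: read-only verbs on both rules
KAKA_RO_ROLE = [
    {"apiGroups": ["*"], "resources": ["pods", "pods/exec"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list"]},
]
# a frequent mistake: group/version ("apps/v1") instead of the group name ("apps")
MISWRITTEN_ROLE = [
    {"apiGroups": ["extensions", "apps/v1"], "resources": ["deployments"], "verbs": ["*"]},
]

def exec_allowed(rules):
    """kubectl exec is a POST (verb "create") to the pods/exec subresource in the core group."""
    return allowed(rules, "", "pods", "create", subresource="exec")

def list_deployments_allowed(rules):
    return allowed(rules, "apps", "deployments", "list")
```

With the RO-Role verbs, `exec_allowed` is False even though pods/exec is listed, because exec needs the create verb; with "apps/v1" in apiGroups, nothing on deployments is granted at all.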
The reason is that the kaka user has no permission for pods/exec.

2. Authenticating an ordinary user in Kubernetes

Logging in with a kubeconfig file

Steps 6 to 8 are performed on the kubeasz deployment host of the Kubernetes cluster; in this lab that is 172.168.33.201. Step 9 and later are performed on k8s-master01; in this lab that is 172.168.33.207.

Step 6: create the CSR file

```shell
root@harbor:/apps/certs# pwd
/apps/certs
root@harbor:/apps/certs# cat >> << EOF
{
  "CN": "China",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

Step 7: issue the certificate with cfssl

```shell
# install the cfssl command
root@harbor:/etc/kubeasz# apt install golang-cfssl -y
# generate the certificate
root@harbor:/etc/kubeasz# cfssl gencert -ca=/etc/kubeasz/clusters/k8s-ywx/ssl/ -ca-key=//etc/kubeasz/clusters/k8s-ywx/ssl/ -config=/etc/kubeasz/clusters/k8s-ywx/ssl/ -profile=kubernetes | cfssl
root@harbor:/apps/certs#
```

Step 8: copy kaka's certificate to the k8s-master node

```shell
root@harbor:/apps/certs# scp -r ./* 172.168.33.207:/etc/kubernetes/ssl/
                                    100%  218   230.1KB/s   00:00
                                    100% 1679     2.8MB/s   00:00
                                    100%  993     1.2MB/s   00:00
                                    100% 1383     2.3MB/s   00:00
```

Step 9: generate the kubeconfig file for the ordinary user kaka

```shell
root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-cluster k8s-ywx --certificate-authority=/etc/kubernetes/ssl/ --embed-certs=true --server=172.168.33.50:6443 --kubeconfig=nfig
# --embed-certs=true embeds the certificate data in the kubeconfig instead of referencing the file path
```

Step 10: set the client authentication parameters

```shell
root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-credentials kaka --client-certificate=/etc/kubernetes/ssl/ --client-key=/etc/kubernetes/ssl/ --embed-certs=true --kubeconfig=nfig
```

Step 11: set the context parameters (with multiple clusters, contexts tell them apart)

```shell
root@k8s-master01:/etc/kubernetes/ssl# kubectl config set-context k8s-ywx --cluster=k8s-ywx --user=kaka --namespace=dev --kubeconfig=nfig
```

Step 12: set the default context

```shell
root@k8s-master01:/etc/kubernetes/ssl# kubectl config use-context k8s-ywx --kubeconfig=nfig
```

Step 13: append the token value obtained in step 4 to the end of nfig

```shell
root@k8s-master01:/etc/kubernetes/ssl# vim nfig
```

```yaml
  name: k8s-ywx
contexts:
- context:
    cluster: k8s-ywx
    namespace: dev
    user: kaka
  name: k8s-ywx
current-context: k8s-ywx
kind: Config
preferences: {}
users:
- name: kaka
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXJpZ0F3SUJBZ0lVQ09naVNmSkMvb1BITkFWY2liTFpValBoYkVzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RVRBU
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBekZTd0VXTkszd3hKMkc3ZXpUZVFwQnJxbElRQjRSY1hRNlNsSFpTc0Q4c0RIbnhLClFzMEY5cURWeVk2TmF3SkRndU1HV2w5MzYyUm
    token: eyJhbGciOiJSUzI1NiIsImtpZCI3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1
```

Step 14: log in to the dashboard with nfig and test
Publisher: admin. Please credit the source when reposting: http://www.yc00.com/web/1688056485a72282.html