User Tools
управление_правами_в_kubernetes
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
управление_правами_в_kubernetes [2025/11/01 07:44] val [Вариант 2.1 Использование сертификатов] |
управление_правами_в_kubernetes [2025/11/01 13:31] (current) val [Управление правами в Kubernetes] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| * [[https://habr.com/ru/articles/779190/|Как работает аутентификация в Kubernetes: ServiceAccount и RBAC]] | * [[https://habr.com/ru/articles/779190/|Как работает аутентификация в Kubernetes: ServiceAccount и RBAC]] | ||
| * [[https://medium.com/@muppedaanvesh/a-hand-on-guide-to-kubernetes-rbac-with-a-user-creation-%EF%B8%8F-1ad9aa3cafb1|A Hands-On Guide to Kubernetes RBAC With a User Creation]] | * [[https://medium.com/@muppedaanvesh/a-hand-on-guide-to-kubernetes-rbac-with-a-user-creation-%EF%B8%8F-1ad9aa3cafb1|A Hands-On Guide to Kubernetes RBAC With a User Creation]] | ||
| + | * [[https://kubernetes.io/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-credentials/|Kubernetes Documentation kubectl config set-credentials]] | ||
| + | * [[https://www.container-security.site/security_research/node_proxy.html|Node/Proxy in Kubernetes RBAC]] | ||
| + | * [[https://stackoverflow.com/questions/60445336/how-to-grant-access-to-specify-namespace-in-kubernetes-dashboard|How to grant access to specify namespace in kubernetes dashboard?]] | ||
| + | * [[https://docs.sc.otc.t-systems.com/cloud-container-engine/umn/permissions_management/namespace_permissions_kubernetes_rbac-based.html|Namespace Permissions (Kubernetes RBAC-based)]] | ||
| * [[https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28|Kubernetes RBAC Port Forward]] | * [[https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28|Kubernetes RBAC Port Forward]] | ||
| + | |||
| ===== Реклама ===== | ===== Реклама ===== | ||
| Line 26: | Line 31: | ||
| * [[Система Kubernetes]] | * [[Система Kubernetes]] | ||
| - | * [[Сервис Keycloak#rancher local-path-provisioner]] и кластер [[Сервис PostgreSQL#CloudNativePG]] для Keycloak в [[Сервис Keycloak#Kubernetes]] | + | |
| * Cloud native distributed block storage for Kubernetes [[Сервис Keycloak#longhorn]] | * Cloud native distributed block storage for Kubernetes [[Сервис Keycloak#longhorn]] | ||
| + | * [[Сервис Keycloak#rancher local-path-provisioner]] и кластер [[Сервис PostgreSQL#CloudNativePG]] для Keycloak в [[Сервис Keycloak#Kubernetes]] | ||
| * [[Система Kubernetes#Kubernetes Dashboard]] без ServiceAccout | * [[Система Kubernetes#Kubernetes Dashboard]] без ServiceAccout | ||
| Line 78: | Line 84: | ||
| ==== Вариант 2.2 Использование ServiceAccount ==== | ==== Вариант 2.2 Использование ServiceAccount ==== | ||
| - | * [[Система Kubernetes#Kubernetes Dashboard]] ServiceAccout можно создать в ns default | + | * Для примера можно использовать ServiceAccout из темы [[Система Kubernetes#Kubernetes Dashboard]] в Namespace default |
| + | * Показать временные и long-lived Bearer Token для ServiceAccount | ||
| - | ==== Шаг 2.3 Создание файла конфигурации для kubectl ==== | + | ==== Шаг 2.3 Создание файла конфигурации kubectl ==== |
| * [[Система Kubernetes#Инструмент командной строки kubectl]] | * [[Система Kubernetes#Инструмент командной строки kubectl]] | ||
| Line 91: | Line 98: | ||
| user1@client1:~$ kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key --embed-certs=true | user1@client1:~$ kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key --embed-certs=true | ||
| ИЛИ | ИЛИ | ||
| - | student@client1:~$ kubectl config set-credentials user1 --token=................................... | + | user1@client1:~$ kubectl config set-credentials user1 --token=................................... |
| + | |||
| + | user1@client1:~$ kubectl config get-users | ||
| user1@client1:~$ kubectl config set-context default-context --cluster=cluster.local --user=user1 | user1@client1:~$ kubectl config set-context default-context --cluster=cluster.local --user=user1 | ||
| Line 103: | Line 112: | ||
| </code> | </code> | ||
| - | ===== Шаг 3. Предоставление доступа к services/proxy в Namespace ===== | + | ===== Шаг 3. Использование Role и RoleBinding ===== |
| + | |||
| + | ==== Предоставление доступа к services/proxy в Namespace ==== | ||
| + | |||
| + | * Cloud native distributed block storage for Kubernetes [[Сервис Keycloak#longhorn]] | ||
| <code> | <code> | ||
| kube1:~/users# cat lh-svc-proxy-role.yaml | kube1:~/users# cat lh-svc-proxy-role.yaml | ||
| Line 139: | Line 153: | ||
| student@client1:~$ curl http://localhost:8001/api/v1/namespaces/longhorn-system/services/longhorn-frontend:80/proxy/ | student@client1:~$ curl http://localhost:8001/api/v1/namespaces/longhorn-system/services/longhorn-frontend:80/proxy/ | ||
| - | kube1:~/users# kubectl get rolebindings --all-namespaces -o=json | jq '.items[] | select(.subjects[]?.name == "user1")' | + | student@client1:~$ curl http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ |
| </code> | </code> | ||
| - | ===== Шаг 4. Предоставление доступа к services/port-forward в Cluster ===== | + | ==== Предоставление полного доступа к Namespace ==== |
| <code> | <code> | ||
| - | kube1:~/users# kubectl get clusterroles |less | + | </code> |
| - | kube1:~/users# kubectl get clusterrolebindings cluster-admin -o yaml | + | * [[Система Kubernetes#Базовые объекты k8s]] |
| - | + | ==== Поиск предоставленных ролей для учетной записи ==== | |
| - | kube1:~/users# kubectl get clusterrole view -o yaml | + | <code> |
| - | + | kube1:~/users# kubectl get rolebindings --all-namespaces -o=json | jq '.items[] | select(.subjects[]?.name == "user1")' | |
| - | kube1:~/users# cat user1-view-clusterrolebinding.yaml | + | </code> |
| - | </code><code> | + | ===== Шаг 4. Использование ClusterRole и ClusterRoleBinding на ===== |
| - | apiVersion: rbac.authorization.k8s.io/v1 | + | |
| - | kind: ClusterRoleBinding | + | |
| - | metadata: | + | |
| - | name: user1-view-clusterrolebinding | + | |
| - | subjects: | + | |
| - | - kind: User | + | |
| - | name: user1 | + | |
| - | apiGroup: rbac.authorization.k8s.io | + | |
| - | roleRef: | + | |
| - | kind: ClusterRole | + | |
| - | name: view | + | |
| - | apiGroup: rbac.authorization.k8s.io | + | |
| - | </code><code> | + | |
| - | kube1:~/users# kubectl apply -f user1-view-clusterrolebinding.yaml | + | |
| - | + | ||
| - | student@client1:~$ kubectl get pods -A | + | |
| - | + | ||
| - | student@client1:~$ kubectl port-forward -n my-pgcluster-ns services/my-pgcluster-rw 5432:5432 | + | |
| - | error: error upgrading connection: pods "my-pgcluster-3" is forbidden: User "user1" cannot create resource "pods/portforward" in API group "" in the namespace "my-pgcluster-ns" | + | |
| + | ==== Предоставление доступа к services/port-forward в Cluster ==== | ||
| + | <code> | ||
| kube1:~/users# cat svc-pfw-role.yaml | kube1:~/users# cat svc-pfw-role.yaml | ||
| </code><code> | </code><code> | ||
| Line 214: | Line 211: | ||
| student@client1:~$ psql postgres://keycloak:strongpassword@127.0.0.1:5432/postgres | student@client1:~$ psql postgres://keycloak:strongpassword@127.0.0.1:5432/postgres | ||
| + | </code> | ||
| + | ==== Предоставление полного доступа к Cluster ==== | ||
| + | |||
| + | <code> | ||
| + | kube1:~/users# kubectl get clusterroles |less | ||
| + | |||
| + | kube1:~/users# kubectl get clusterrolebindings cluster-admin -o yaml | ||
| + | |||
| + | kube1:~/users# kubectl get clusterrole view -o yaml | ||
| + | |||
| + | kube1:~/users# cat user1-view-clusterrolebinding.yaml | ||
| + | </code><code> | ||
| + | apiVersion: rbac.authorization.k8s.io/v1 | ||
| + | kind: ClusterRoleBinding | ||
| + | metadata: | ||
| + | name: user1-view-clusterrolebinding | ||
| + | subjects: | ||
| + | - kind: User | ||
| + | name: user1 | ||
| + | apiGroup: rbac.authorization.k8s.io | ||
| + | roleRef: | ||
| + | kind: ClusterRole | ||
| + | name: view | ||
| + | apiGroup: rbac.authorization.k8s.io | ||
| + | </code><code> | ||
| + | kube1:~/users# kubectl apply -f user1-view-clusterrolebinding.yaml | ||
| + | |||
| + | student@client1:~$ kubectl get pods -A | ||
| + | |||
| + | student@client1:~$ kubectl port-forward -n my-pgcluster-ns services/my-pgcluster-rw 5432:5432 | ||
| + | error: error upgrading connection: pods "my-pgcluster-3" is forbidden: User "user1" cannot create resource "pods/portforward" in API group "" in the namespace "my-pgcluster-ns" | ||
| + | </code> | ||
| + | |||
| + | ==== Поиск предоставленных кластерных ролей для учетной записи ==== | ||
| + | <code> | ||
| kube1:~/users# kubectl get clusterrolebindings -o=json | jq '.items[] | select(.subjects[]?.name == "user1")' | kube1:~/users# kubectl get clusterrolebindings -o=json | jq '.items[] | select(.subjects[]?.name == "user1")' | ||
| </code> | </code> | ||
| - | ===== Черновик ===== | + | ===== Шаг 5. Использование JSON Web Token (JWT) для доступа в Kubernetes ===== |
| + | |||
| + | * Возвращаемся на [[#Вариант 2.2 Использование ServiceAccount]] | ||
| + | |||
| + | ===== Вопросы? ===== | ||
| + | |||
| + | ===== Домашнее задание ===== | ||
| - | * https://www.container-security.site/security_research/node_proxy.html | + | - Куда и через сколько исчезает "kubectl get csr" после "approve" ? |
управление_правами_в_kubernetes.1761972250.txt.gz · Last modified: 2025/11/01 07:44 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
