Kubernetes RBAC and Security: Access Control and Permission Management

Introduction

Security is paramount in a Kubernetes cluster. RBAC (Role-Based Access Control) is one of Kubernetes' core security mechanisms: it lets you control, at fine granularity, which users and service accounts may perform which operations on which cluster resources. This article walks through how RBAC is designed and how to use it well.

1. RBAC overview

1.1 Core concepts

User/ServiceAccount ──binding── Role/ClusterRole ──grants── Resources

A subject (a user, a group, or a service account) is bound to a role, and the role lists the operations (verbs) permitted on resources. RBAC is purely additive: there are no deny rules, so a subject can do exactly the union of what all of its bindings grant, and nothing more.

1.2 Components

| Component | Description | Scope |
|---|---|---|
| Role | Defines permissions inside one namespace | Single namespace |
| ClusterRole | Defines permissions cluster-wide: cluster-scoped resources (nodes, namespaces, ...), non-resource URLs, or namespaced resources across every namespace | Whole cluster |
| RoleBinding | Binds a Role (or a ClusterRole) to users, groups or service accounts inside one namespace | Single namespace |
| ClusterRoleBinding | Binds a ClusterRole to users, groups or service accounts across the whole cluster | Whole cluster |

2. Role and ClusterRole

2.1 Defining a Role

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
# "" is the core API group (pods, secrets, configmaps, ...)
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# subresources are written resource/subresource
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
```

2.2 Defining a ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```

This is the shape of the built-in cluster-admin ClusterRole: a wildcard in every field is superuser access. It is shown here to illustrate the syntax; never hand a role like this to a workload, and do not create your own copy under the built-in name.

2.3 Common built-in ClusterRoles

| ClusterRole | Permissions |
|---|---|
| cluster-admin | Every verb on every resource and non-resource URL; superuser |
| admin | Read/write on most objects in a namespace, including creating Roles and RoleBindings there; cannot modify the Namespace object itself or ResourceQuotas |
| edit | Read/write on most objects in a namespace, including reading Secrets, but cannot view or modify Roles and RoleBindings |
| view | Read-only on most objects in a namespace; cannot read Secrets, Roles or RoleBindings |

Note that edit can read Secrets and create Pods that run as any ServiceAccount in the namespace, so in practice it grants the API access of every ServiceAccount there.

2.4 Creating a Role from Go

```go
package rbac

import (
	"context"
	"fmt"

	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// K8sClient is assumed to be a thin wrapper defined elsewhere in the project
// that holds an authenticated *kubernetes.Clientset in its clientset field.
type RBACManager struct {
	client *K8sClient
}

func NewRBACManager(client *K8sClient) *RBACManager {
	return &RBACManager{client: client}
}

// CreateRole creates a namespaced Role with the given rules.
func (r *RBACManager) CreateRole(ctx context.Context, name, namespace string, rules []rbacv1.PolicyRule) error {
	role := &rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
		Rules:      rules,
	}
	if _, err := r.client.clientset.RbacV1().Roles(namespace).Create(ctx, role, metav1.CreateOptions{}); err != nil {
		return fmt.Errorf("failed to create role: %w", err)
	}
	return nil
}

// CreateClusterRole creates a cluster-scoped ClusterRole with the given rules.
func (r *RBACManager) CreateClusterRole(ctx context.Context, name string, rules []rbacv1.PolicyRule) error {
	role := &rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: name},
		Rules:      rules,
	}
	if _, err := r.client.clientset.RbacV1().ClusterRoles().Create(ctx, role, metav1.CreateOptions{}); err != nil {
		return fmt.Errorf("failed to create cluster role: %w", err)
	}
	return nil
}
```

The API server prevents privilege escalation through this API: a caller can only create or update a Role or ClusterRole whose permissions it already holds at the same scope, unless it has the `escalate` verb on roles/clusterroles. Expect a Forbidden error from CreateRole when the manager's own identity lacks one of the rules it is trying to grant.
```go
// GetRole fetches a namespaced Role by name.
func (r *RBACManager) GetRole(ctx context.Context, name, namespace string) (*rbacv1.Role, error) {
	role, err := r.client.clientset.RbacV1().Roles(namespace).Get(ctx, name, metav1.GetOptions{})
	if err != nil {
		return nil, fmt.Errorf("failed to get role: %w", err)
	}
	return role, nil
}
```

3. RoleBinding and ClusterRoleBinding

3.1 RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: app-serviceaccount
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Two details matter here. A RoleBinding may reference a ClusterRole instead of a Role; the ClusterRole's permissions then apply only inside the binding's namespace, which is the standard way to define a permission set once and reuse it per namespace. And roleRef is immutable: to point a binding at a different role you must delete and recreate it, which makes it harder to quietly swap a low-privilege role for a high-privilege one under an existing binding.

3.2 ClusterRoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: admin@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

Binding cluster-admin through a ClusterRoleBinding gives the subject unrestricted control over the entire cluster. Keep such bindings to a handful of break-glass identities and review them regularly.

3.3 Creating bindings from Go

```go
package rbac

import (
	"context"
	"fmt"

	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// CreateRoleBinding binds the named Role to subjects within namespace.
// Creating a binding requires that the caller already holds the referenced
// role's permissions or has the bind verb on roles.
func (r *RBACManager) CreateRoleBinding(ctx context.Context, name, namespace, roleName string, subjects []rbacv1.Subject) error {
	binding := &rbacv1.RoleBinding{
		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
		Subjects:   subjects,
		RoleRef: rbacv1.RoleRef{
			Kind:     "Role",
			Name:     roleName,
			APIGroup: "rbac.authorization.k8s.io",
		},
	}
	if _, err := r.client.clientset.RbacV1().RoleBindings(namespace).Create(ctx, binding, metav1.CreateOptions{}); err != nil {
		return fmt.Errorf("failed to create role binding: %w", err)
	}
	return nil
}
```
```go
// CreateClusterRoleBinding binds the named ClusterRole to subjects cluster-wide.
func (r *RBACManager) CreateClusterRoleBinding(ctx context.Context, name, roleName string, subjects []rbacv1.Subject) error {
	binding := &rbacv1.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{Name: name},
		Subjects:   subjects,
		RoleRef: rbacv1.RoleRef{
			Kind:     "ClusterRole",
			Name:     roleName,
			APIGroup: "rbac.authorization.k8s.io",
		},
	}
	if _, err := r.client.clientset.RbacV1().ClusterRoleBindings().Create(ctx, binding, metav1.CreateOptions{}); err != nil {
		return fmt.Errorf("failed to create cluster role binding: %w", err)
	}
	return nil
}

// DeleteRoleBinding removes a RoleBinding; the subjects lose the role's
// permissions immediately.
func (r *RBACManager) De​leteRoleBinding(ctx context.Context, name, namespace string) error {
	if err := r.client.clientset.RbacV1().RoleBindings(namespace).Delete(ctx, name, metav1.DeleteOptions{}); err != nil {
		return fmt.Errorf("failed to delete role binding: %w", err)
	}
	return nil
}
```

4. ServiceAccount

4.1 Defining a ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-serviceaccount
  namespace: default
automountServiceAccountToken: true
secrets:
- name: app-serviceaccount-token
```

The secrets list refers to a legacy long-lived token Secret. Since Kubernetes 1.24 the control plane no longer creates such Secrets automatically; Pods instead receive short-lived, audience-bound tokens that the kubelet obtains through the TokenRequest API and rotates before they expire. Prefer those, and only create a static token Secret when an external system genuinely needs one.

4.2 Using a ServiceAccount in a Pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  serviceAccountName: app-serviceaccount
  containers:
  - name: app
    image: myapp:1.0
```

4.3 Token auto-mounting

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-serviceaccount
automountServiceAccountToken: true
```

automountServiceAccountToken defaults to true, so every container receives an API token at /var/run/secrets/kubernetes.io/serviceaccount/token whether it needs one or not. An attacker who gets code execution in the container can use that token with whatever the ServiceAccount is bound to. For workloads that never call the API, set the field to false on the ServiceAccount or in the Pod spec (the Pod-level setting takes precedence).

5. Verifying permissions and auditing

5.1 Testing authorization with kubectl

```bash
# Can the current identity create Deployments in the default namespace?
kubectl auth can-i create deployments --namespace default

# Check a ServiceAccount's permissions by impersonating it
# (the caller needs the impersonate verb on serviceaccounts for this)
kubectl auth can-i get pods --namespace kube-system \
  --as system:serviceaccount:default:app-serviceaccount

# List everything the current identity may do in the current namespace
kubectl auth can-i --list

# Check a single operation
kubectl auth can-i delete pods --namespace default
```

kubectl auth can-i sends a SelfSubjectAccessReview to the API server, so the answer reflects every configured authorizer, not only RBAC.

5.2 Checking permissions from code

```go
package rbac

import (
	"context"
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apiserver/pkg/authentication/user"
)

// CheckPermission walks the RoleBindings in one namespace and reports whether
// a User subject is granted verb on resource by a referenced Role.
//
// This is a simplified illustration of how RBAC evaluation works, not a
// substitute for the API server's authorizer: it ignores Group and
// ServiceAccount subjects, ClusterRoleBindings, RoleBindings that reference a
// ClusterRole, apiGroups and resourceNames. A partial reimplementation like
// this under-reports what a subject can do. For an authoritative answer, ask
// the API server with a SubjectAccessReview (authorization.k8s.io/v1).
func (r *RBACManager) CheckPermission(ctx context.Context, userInfo user.Info, namespace, resource, verb string) (bool, error) {
	bindings, err := r.client.clientset.RbacV1().RoleBindings(namespace).List(ctx, metav1.ListOptions{})
	if err != nil {
		return false, fmt.Errorf("failed to list role bindings: %w", err)
	}
	for _, binding := range bindings.Items {
		for _, subject := range binding.Subjects {
			if subject.Kind != "User" || subject.Name != userInfo.GetName() {
				continue
			}
			role, err := r.GetRole(ctx, binding.RoleRef.Name, namespace)
			if err != nil {
				continue // binding may reference a ClusterRole, which this helper does not resolve
			}
			for _, rule := range role.Rules {
				for _, rsc := range rule.Resources {
					if rsc != resource && rsc != "*" {
						continue
					}
					for _, v := range rule.Verbs {
						if v == verb || v == "*" {
							return true, nil
						}
					}
				}
			}
		}
	}
	return false, nil
}
```
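The CheckPermission helper above shows the mechanics of walking from bindings to rules, but it leaves out most of what the API server's RBAC authorizer considers: Group subjects (including the implicit system:serviceaccounts groups every service account carries), ClusterRoleBindings, RoleBindings that reference a ClusterRole, apiGroups, subresources and resourceNames. A check that ignores those under-reports what an identity can do, which is the wrong direction to err in. The following stand-alone Go program is an added example, not code from the original article. It uses only the standard library, defines cut-down stand-ins for the RBAC types, and evaluates a request the way the authorizer does. The sample policy is constructed from the article's manifests (pod-reader, and database-access recast as a ClusterRole granted through a RoleBinding to show namespace scoping) plus a made-up node-reader ClusterRole bound to the system:serviceaccounts group; the names node-reader, Identity and Request are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the rbac.authorization.k8s.io/v1 types, reduced to the fields the
// evaluator needs so this runs without client-go. Kind distinguishes Role from
// ClusterRole and RoleBinding from ClusterRoleBinding, as in the real API.
type PolicyRule struct{ APIGroups, Resources, Verbs, ResourceNames []string }
type Subject struct{ Kind, Name, Namespace string } // Kind: User, Group or ServiceAccount
type RoleRef struct{ Kind, Name string }           // Kind: Role or ClusterRole
type Role struct{ Kind, Name, Namespace string; Rules []PolicyRule }
type Binding struct{ Kind, Namespace string; Subjects []Subject; RoleRef RoleRef }
type Policy struct{ Roles []Role; Bindings []Binding }

// Identity is the caller as the API server sees it: a service account token yields
// Name system:serviceaccount:<ns>:<name> plus the implicit groups system:serviceaccounts,
// system:serviceaccounts:<ns> and system:authenticated. Request is the operation under
// review; Namespace is empty for cluster-scoped resources, Subresource is e.g. "log".
type Identity struct{ Name string; Groups []string }
type Request struct{ Verb, APIGroup, Resource, Subresource, Name, Namespace string }

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// ruleAllows mirrors the API server's matching: "*" is a wildcard for verbs, apiGroups
// and resources, "*/sub" matches that subresource on any resource, and a non-empty
// resourceNames list restricts the rule to those object names.
func ruleAllows(rule PolicyRule, req Request) bool {
	if !contains(rule.Verbs, "*") && !contains(rule.Verbs, req.Verb) ||
		!contains(rule.APIGroups, "*") && !contains(rule.APIGroups, req.APIGroup) {
		return false
	}
	combined := strings.TrimSuffix(req.Resource+"/"+req.Subresource, "/") // "pods" or "pods/log"
	matched := false
	for _, r := range rule.Resources {
		matched = matched || r == "*" || r == combined ||
			req.Subresource != "" && strings.HasPrefix(r, "*/") && r[2:] == req.Subresource
	}
	return matched && (len(rule.ResourceNames) == 0 || contains(rule.ResourceNames, req.Name))
}

// subjectMatches covers all three subject kinds; a ServiceAccount subject is compared
// against the system:serviceaccount:<ns>:<name> user name its token authenticates as.
func subjectMatches(subjects []Subject, id Identity) bool {
	for _, s := range subjects {
		if s.Kind == "User" && s.Name == id.Name || s.Kind == "Group" && contains(id.Groups, s.Name) ||
			s.Kind == "ServiceAccount" && id.Name == "system:serviceaccount:"+s.Namespace+":"+s.Name {
			return true
		}
	}
	return false
}

// Allowed reports whether any binding grants the request and names the grant. RBAC is
// allow-only: one matching rule suffices and nothing can deny. A RoleBinding applies only
// inside its own namespace, even when it references a ClusterRole; a ClusterRoleBinding
// applies everywhere, cluster-scoped resources included.
func (p Policy) Allowed(id Identity, req Request) (bool, string) {
	for _, b := range p.Bindings {
		if b.Kind == "RoleBinding" && b.Namespace != req.Namespace || !subjectMatches(b.Subjects, id) {
			continue
		}
		for _, r := range p.Roles {
			// a Role must live in the binding's namespace; a ClusterRole is found by name alone
			if r.Kind != b.RoleRef.Kind || r.Name != b.RoleRef.Name || r.Kind == "Role" && r.Namespace != b.Namespace {
				continue
			}
			for _, rule := range r.Rules {
				if ruleAllows(rule, req) {
					return true, fmt.Sprintf("%s -> %s/%s", b.Kind, r.Kind, r.Name)
				}
			}
		}
	}
	return false, "no matching rule"
}

// SamplePolicy is constructed for this example from the article's manifests (pod-reader;
// database-access recast as a ClusterRole reused through a RoleBinding) plus a made-up
// node-reader ClusterRole bound to every service account via the system:serviceaccounts group.
func SamplePolicy() Policy {
	core := []string{""} // the core API group
	return Policy{
		Roles: []Role{
			{Kind: "Role", Name: "pod-reader", Namespace: "default", Rules: []PolicyRule{
				{APIGroups: core, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
				{APIGroups: core, Resources: []string{"pods/log"}, Verbs: []string{"get"}}}},
			{Kind: "ClusterRole", Name: "node-reader", Rules: []PolicyRule{{APIGroups: core, Resources: []string{"nodes"}, Verbs: []string{"get", "list"}}}},
			{Kind: "ClusterRole", Name: "database-access", Rules: []PolicyRule{{APIGroups: core, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"database-credentials"}}}},
		},
		Bindings: []Binding{
			{Kind: "RoleBinding", Namespace: "default", RoleRef: RoleRef{"Role", "pod-reader"}, Subjects: []Subject{{Kind: "User", Name: "jane"}, {Kind: "ServiceAccount", Name: "app-serviceaccount", Namespace: "default"}}},
			{Kind: "RoleBinding", Namespace: "production", RoleRef: RoleRef{"ClusterRole", "database-access"}, Subjects: []Subject{{Kind: "ServiceAccount", Name: "database-serviceaccount", Namespace: "production"}}},
			{Kind: "ClusterRoleBinding", RoleRef: RoleRef{"ClusterRole", "node-reader"}, Subjects: []Subject{{Kind: "Group", Name: "system:serviceaccounts"}}},
		},
	}
}

func main() {
	app := Identity{Name: "system:serviceaccount:default:app-serviceaccount", Groups: []string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}}
	// A check that only looks at User subjects and RoleBindings never sees this cluster-wide grant.
	fmt.Println(SamplePolicy().Allowed(app, Request{Verb: "list", Resource: "nodes"}))
}
```

Run it and app-serviceaccount is allowed to list nodes cluster-wide through the group binding, a grant that the User-only, RoleBinding-only CheckPermission never finds; jane, who is not a service account, is denied the same request, and database-serviceaccount can read the one named Secret in production but nothing in default. In production do not ship your own evaluator at all: ask the API server with a SubjectAccessReview, which also accounts for any other authorizers (Node, Webhook, ABAC) in the chain.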
6. Pod Security Policy

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. The manifests below still describe the controls worth enforcing on Pods; on current clusters apply them through Pod Security Admission (the pod-security.kubernetes.io/enforce namespace label with the restricted profile) or a policy-engine admission controller.

6.1 PSP manifest

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
```

6.2 Binding the PSP

A PSP only takes effect for identities that are allowed to `use` it. Granting that to system:authenticated, as below, lets every authenticated principal create Pods as long as they satisfy the restricted policy.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: ["restricted"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
```

7. Network Policy

7.1 Network policy manifests

A default-deny policy selects every Pod in the namespace and, by listing both policy types without any rules, blocks all ingress and egress:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

Policies are additive, so specific allow rules are layered on top of the deny-all. This one admits TCP 8080 traffic into backend Pods only from frontend Pods; because its policyTypes lists only Ingress, it says nothing about egress, which the deny-all above still blocks:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Two caveats: NetworkPolicy is enforced by the CNI plugin, and a plugin that does not implement it accepts these objects and silently ignores them; and denying all egress also blocks DNS, so pair a deny-all with an egress rule allowing port 53 to kube-dns.

8. Best practices

8.1 Principle of least privilege

Grant only the verbs a workload actually uses, on the specific resources and API groups it touches, and never use wildcards in a role intended for an application:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: limited-access
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update"]
```
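Least privilege is easy to state and hard to verify across hundreds of roles. The following stand-alone Go program is an added example, not code from the original article: a small audit that walks Role/ClusterRole rules and bindings and flags the patterns most often behind cluster compromise (wildcards; the escalate, bind and impersonate verbs; enumerating Secrets; exec into Pods; creating workloads, which lets a subject run a Pod as any ServiceAccount in the namespace; and binding roles to broad groups or to cluster-admin). The RoleLike and BindingLike types and the HIGH/MEDIUM labels are this example's own; the sample objects are constructed from the manifests in this article.

```go
package main

import "fmt"

// Minimal stand-ins for the RBAC fields the audit reads, so it runs without client-go.
type PolicyRule struct{ APIGroups, Resources, Verbs, ResourceNames []string }
type RoleLike struct{ Kind, Name, Namespace string; Rules []PolicyRule } // Kind: Role or ClusterRole
type Subject struct{ Kind, Name, Namespace string }
type BindingLike struct{ Kind, Name, RoleKind, RoleName string; Subjects []Subject }

// Finding is one audit result; Severity is HIGH or MEDIUM.
type Finding struct{ Severity, Object, Message string }

// anyOf reports whether list contains any of want.
func anyOf(list []string, want ...string) bool {
	for _, x := range list {
		for _, w := range want {
			if x == w {
				return true
			}
		}
	}
	return false
}

// AuditRole flags rules that break least privilege or open well-known escalation paths.
func AuditRole(r RoleLike) []Finding {
	var out []Finding
	add := func(i int, sev, msg string) {
		out = append(out, Finding{sev, r.Kind + "/" + r.Name, fmt.Sprintf("rule %d: %s", i, msg)})
	}
	for i, rule := range r.Rules {
		if anyOf(rule.Verbs, "*") && anyOf(rule.Resources, "*") {
			add(i, "HIGH", "wildcard verbs on wildcard resources (cluster-admin equivalent)")
			continue // every finding below is implied by this one
		}
		if anyOf(rule.Verbs, "*") || anyOf(rule.Resources, "*") {
			add(i, "MEDIUM", "wildcard verbs or resources; enumerate what is actually needed")
		}
		for _, v := range []string{"escalate", "bind", "impersonate"} {
			if anyOf(rule.Verbs, v) {
				add(i, "HIGH", "grants verb "+v+", a direct privilege-escalation path")
			}
		}
		if anyOf(rule.Resources, "secrets") && anyOf(rule.Verbs, "list", "watch", "*") && len(rule.ResourceNames) == 0 {
			add(i, "HIGH", "can enumerate every Secret in scope")
		} else if anyOf(rule.Resources, "secrets") && anyOf(rule.Verbs, "get") && len(rule.ResourceNames) == 0 {
			add(i, "MEDIUM", "can read any Secret by name; restrict with resourceNames")
		}
		if anyOf(rule.Resources, "pods/exec", "pods/attach", "pods/portforward") && anyOf(rule.Verbs, "create", "*") {
			add(i, "HIGH", "can exec/attach/port-forward into running pods")
		}
		if anyOf(rule.Resources, "pods", "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs") && anyOf(rule.Verbs, "create", "*") {
			add(i, "MEDIUM", "can create workloads, i.e. run a pod as any ServiceAccount in the namespace")
		}
	}
	return out
}

// AuditBinding flags bindings that hand a role to every authenticated or anonymous
// principal or to every service account, and any binding of cluster-admin.
func AuditBinding(b BindingLike) []Finding {
	var out []Finding
	obj, role := b.Kind+"/"+b.Name, b.RoleKind+"/"+b.RoleName
	for _, s := range b.Subjects {
		if s.Kind == "Group" && anyOf([]string{"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}, s.Name) {
			out = append(out, Finding{"MEDIUM", obj, "binds " + role + " to the broad group " + s.Name + "; confirm every member needs it"})
		}
	}
	if b.RoleKind == "ClusterRole" && b.RoleName == "cluster-admin" {
		out = append(out, Finding{"HIGH", obj, "grants cluster-admin; keep to a few audited break-glass identities"})
	}
	return out
}

// Audit runs both checks over a snapshot of RBAC objects.
func Audit(roles []RoleLike, bindings []BindingLike) []Finding {
	var out []Finding
	for _, r := range roles {
		out = append(out, AuditRole(r)...)
	}
	for _, b := range bindings {
		out = append(out, AuditBinding(b)...)
	}
	return out
}

// SampleObjects are constructed from this article's manifests: the least-privilege
// limited-access and database-access Roles, the wildcard ClusterRole from section 2.2,
// the cluster-admin ClusterRoleBinding from 3.2 and the PSP binding from 6.2.
func SampleObjects() ([]RoleLike, []BindingLike) {
	core := []string{""}
	roles := []RoleLike{
		{Kind: "Role", Name: "limited-access", Namespace: "production", Rules: []PolicyRule{
			{APIGroups: core, Resources: []string{"pods"}, Verbs: []string{"get", "list"}},
			{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get", "list", "watch", "update"}}}},
		{Kind: "Role", Name: "database-access", Namespace: "production", Rules: []PolicyRule{
			{APIGroups: core, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"database-credentials"}}}},
		{Kind: "ClusterRole", Name: "cluster-admin", Rules: []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}},
	}
	bindings := []BindingLike{
		{Kind: "ClusterRoleBinding", Name: "cluster-admin-binding", RoleKind: "ClusterRole", RoleName: "cluster-admin", Subjects: []Subject{{Kind: "User", Name: "admin@example.com"}}},
		{Kind: "ClusterRoleBinding", Name: "psp-restricted", RoleKind: "ClusterRole", RoleName: "psp-restricted", Subjects: []Subject{{Kind: "Group", Name: "system:authenticated"}}},
	}
	return roles, bindings
}

func main() {
	roles, bindings := SampleObjects()
	for _, f := range Audit(roles, bindings) {
		fmt.Printf("%-6s %-40s %s\n", f.Severity, f.Object, f.Message)
	}
}
```

The two least-privilege Roles from this section (limited-access and database-access) produce no findings; the wildcard ClusterRole from 2.2 and the cluster-admin ClusterRoleBinding from 3.2 are HIGH; the PSP binding to system:authenticated from 6.2 is flagged MEDIUM for review, which in that case is the intended design. To audit a real cluster, list the rbac.authorization.k8s.io/v1 objects with client-go and map them onto these types.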
8.2 ServiceAccount isolation

Give each application its own ServiceAccount and bind it to a Role that names exactly the objects it needs. Here the database client can read one specific Secret and nothing else; resourceNames keeps even `get` from reaching other Secrets in the namespace.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: database-serviceaccount
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: database-access
  namespace: production
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
  resourceNames: ["database-credentials"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: database-access-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: database-serviceaccount
  namespace: production   # required for ServiceAccount subjects
roleRef:
  kind: Role
  name: database-access
  apiGroup: rbac.authorization.k8s.io
```

9. Summary

Kubernetes RBAC is a powerful access-control mechanism:

- Role vs ClusterRole: a Role grants permissions within one namespace; a ClusterRole grants them cluster-wide.
- Bindings: a RoleBinding binds a Role (or a ClusterRole, scoped to the namespace) to subjects; a ClusterRoleBinding binds a ClusterRole to subjects across the cluster.
- ServiceAccount: applications should run under their own ServiceAccount rather than a user account, with token auto-mounting disabled where they never call the API.
- Least privilege: grant an application only the verbs, resources and named objects it needs, and avoid wildcards.
- Pod Security Policy: constrain the security settings of Pods (on current clusters, through Pod Security Admission).
- Network Policy: control which Pods may talk to each other.

Configured carefully, RBAC is one of the most effective tools for protecting a Kubernetes cluster.