Kubernetes RBAC Access Control
What is RBAC
RBAC (Role-Based Access Control) is the role-based authorization mechanism in Kubernetes. It controls what users or service accounts may do with cluster resources by defining roles (Role) and bindings (Binding), which is how the principle of least privilege is applied to the cluster.
Core Concepts
Role
A Role defines permissions within a specific namespace:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
ClusterRole
A ClusterRole defines cluster-level permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
RoleBinding
A RoleBinding binds a Role to users, groups or service accounts:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: my-sa
  namespace: dev
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: devops
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
Managing RBAC Resources
Creating RBAC resources
kubectl apply -f role.yaml
kubectl apply -f clusterrole.yaml
kubectl apply -f rolebinding.yaml
kubectl apply -f clusterrolebinding.yaml
Viewing RBAC resources
# View Roles
kubectl get roles -n dev
kubectl describe role pod-reader -n dev
# View ClusterRoles
kubectl get clusterroles
kubectl describe clusterrole secret-reader
# View RoleBindings
kubectl get rolebindings -n dev
# View ClusterRoleBindings
kubectl get clusterrolebindings
Deleting RBAC resources
kubectl delete role pod-reader -n dev
kubectl delete clusterrole secret-reader
kubectl delete rolebinding read-pods -n dev
Built-in ClusterRoles
Kubernetes ships with several predefined ClusterRoles:
# List all ClusterRoles
kubectl get clusterroles
# Commonly used built-in roles
# admin: full administrative permissions (excluding resource quotas)
# edit: read/write permissions (excluding Role/RoleBinding)
# view: read-only permissions
# cluster-admin: full cluster administrator permissions
Using a built-in ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-admin
subjects:
- kind: User
  name: admin@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
Service Account Permissions
Creating a service account and assigning permissions
# Create the service account
kubectl create serviceaccount my-sa -n dev
# Bind the Role to it
kubectl create rolebinding my-sa-binding \
  --role=pod-reader \
  --serviceaccount=dev:my-sa \
  -n dev
Verifying Permissions
Using the can-i command
# Check the current user's permissions
kubectl auth can-i get pods -n dev
kubectl auth can-i create deployments -n dev
kubectl auth can-i '*' '*' --as=admin@example.com
# List all permissions in the namespace
kubectl auth can-i --list -n dev
Worked Example: Multi-Team Permission Management
# Create permissions for the development team
kubectl create role dev-team \
  --verb=get,list,watch,create,update,delete \
  --resource=pods,deployments,services \
  -n dev
# Bind them to the developers group
kubectl create rolebinding dev-team-binding \
  --role=dev-team \
  --group=developers \
  -n dev
# Create cluster-wide permissions for the operations team
kubectl create clusterrole ops-team \
  --verb=get,list,watch,create,update,delete \
  --resource='*'
kubectl create clusterrolebinding ops-team-binding \
  --clusterrole=ops-team \
  --group=ops
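To make the resolution rules behind `kubectl auth can-i` concrete, the following is an added example (not code from this page or from Kubernetes) that models how the API server answers a request from the Role, ClusterRole and binding manifests above, including the ops-team ClusterRole from the worked example. The manifests are transcribed into Python dicts; the rules assumed for ops-team are what `kubectl create clusterrole --resource='*'` is assumed to produce, and the identity tuples are a constructed convention.

```python
# Constructed model (not Kubernetes code) of how the API server resolves a
# request: find bindings naming the subject, resolve their roleRef, and allow
# if any rule matches (verb, apiGroup, resource). Manifests follow the text.
ROLES = {  # (kind, namespace, name) -> rules; ClusterRoles have namespace None
    ("Role", "dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "create", "delete"]}],
    # assumed result of `kubectl create clusterrole ops-team --resource='*'`
    ("ClusterRole", None, "ops-team"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
}
BINDINGS = [  # namespace None marks a ClusterRoleBinding
    {"namespace": "dev", "subjects": {("User", "jane"), ("ServiceAccount", "dev:my-sa")},
     "roleRef": ("Role", "pod-reader")},
    {"namespace": None, "subjects": {("User", "admin"), ("Group", "devops")},
     "roleRef": ("ClusterRole", "secret-reader")},
    {"namespace": None, "subjects": {("Group", "ops")}, "roleRef": ("ClusterRole", "ops-team")},
]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, group, resource):
    return (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))

def can_i(subjects, verb, resource, namespace, group=""):
    """subjects: the requester's identities, e.g. {("User", "jane"), ("Group", "developers")}.
    Mirrors `kubectl auth can-i <verb> <resource> -n <namespace>`."""
    for b in BINDINGS:
        if not (subjects & b["subjects"]):
            continue
        # A RoleBinding grants only inside its own namespace, even when its
        # roleRef is a ClusterRole; a ClusterRoleBinding grants in every namespace.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        kind, name = b["roleRef"]
        rules = ROLES.get((kind, b["namespace"] if kind == "Role" else None, name), [])
        if any(rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False

def wildcard_roles():
    """Audit helper for the periodic review: roles with '*' in any rule field."""
    return sorted(name for (_, _, name), rules in ROLES.items()
                  if any("*" in r[f] for r in rules for f in ("apiGroups", "resources", "verbs")))
```

Running `wildcard_roles()` over these manifests flags only ops-team, which is the binding to review first under the least-privilege practice below.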
Best Practices
- Follow the principle of least privilege
- Use namespaces to isolate permissions
- Audit the RBAC configuration regularly
- Manage permissions through groups rather than individual users
- Avoid using the cluster-admin role
Summary
RBAC is a core component of the Kubernetes security model. With properly configured Roles, ClusterRoles and their corresponding Bindings, you get fine-grained access control that keeps the cluster secure.