Concepts
RBAC (Role-Based Access Control) is the Kubernetes authorization mechanism that decides what users, groups and service accounts may do to cluster resources. Permissions are declared in roles and handed to subjects through bindings, which gives fine-grained control over who may perform which operation on which object.
Core concepts
- Role: a set of permission rules that applies within a single namespace
- ClusterRole: a set of permission rules that is not namespaced; it can cover cluster-scoped resources (nodes, namespaces, persistentvolumes), non-resource endpoints such as /healthz, and, when referenced from a RoleBinding, namespaced resources in just that namespace
- RoleBinding: grants a Role or ClusterRole to subjects within one namespace
- ClusterRoleBinding: grants a ClusterRole to subjects across the whole cluster
- Subject: a user, a group or a service account
- Resource: any Kubernetes API object such as a Pod, Service or Deployment, including subresources such as pods/log and pods/exec
How RBAC works
- Permission definition: rules are declared in a Role or ClusterRole
- Permission grant: a RoleBinding or ClusterRoleBinding attaches those rules to users, groups or service accounts
- Permission check: for every request the API server's RBAC authorizer looks for at least one rule, reachable through a binding that names the requesting subject or one of its groups, that allows the verb on the requested resource; if none is found the request is rejected with 403 Forbidden
- Additive permissions: a subject holds the union of every role bound to it; RBAC has no deny rules, so a permission can only be taken away by removing the rule or the binding that grants it
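The evaluation order described in the list above is easier to trust once you have seen it as code. The following is an added example, not code from the original page or from the Kubernetes project: a small re-implementation of the RBAC decision over Role/ClusterRole and binding objects written as Python dicts in the same shape as the YAML manifests. All objects, users (jane, bob, ctrl) and groups (manager, controllers) are constructed for the example. It shows the three behaviours that cause most surprises: a RoleBinding never reaches outside its own namespace even when it references a ClusterRole, a resourceNames rule never allows a plain list or watch, and the only subresource wildcard RBAC understands is `*/<subresource>`.

```python
"""Toy re-implementation of the kube-apiserver RBAC authorization decision.

Added example, not code from the original page or from the Kubernetes project.
Roles, ClusterRoles and bindings are plain dicts with the same shape as the
YAML manifests; every object, user and group below is constructed. A request
is allowed if any binding that names the subject (or one of its groups)
reaches a rule allowing the verb on the resource, otherwise it is denied.
"""


def _matches(allowed, value):
    """RBAC list fields match by exact string or by the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name):
    """Return True if one PolicyRule allows the request.

    `resource` is "pods" or a subresource path such as "pods/log". A rule can
    name the subresource exactly, use "*" for everything, or use the
    "*/<subresource>" form (e.g. "*/status"); "pods/*" is not a valid form.
    A resourceNames rule only matches a request that carries an object name,
    so list, watch and create requests are never allowed by it.
    """
    if not _matches(rule["verbs"], verb) or not _matches(rule["apiGroups"], api_group):
        return False
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    resources = rule["resources"]
    if not ("*" in resources or resource in resources
            or (subresource and "*/" + subresource in resources)):
        return False
    if rule.get("resourceNames"):
        return name is not None and name in rule["resourceNames"]
    return True


def subject_matches(subject, user, groups):
    """A service account authenticates as system:serviceaccount:<ns>:<name>."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def can_i(objects, user, groups, verb, resource, api_group="", namespace="", name=None):
    """Evaluate one request. namespace="" is a cluster-scoped request, which
    only a ClusterRoleBinding can ever authorize."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding grants access only inside its own namespace, even
            # when it references a ClusterRole.
            binding_ns = binding["metadata"]["namespace"]
            if namespace != binding_ns:
                continue
            key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        elif ref["kind"] == "ClusterRole":
            key = ("ClusterRole", "", ref["name"])
        else:
            continue  # a ClusterRoleBinding cannot reference a namespaced Role
        role = roles.get(key)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, verb, api_group, resource, name) for r in role.get("rules", [])):
            return True
    return False


# Constructed objects: the pod-reader/secret-reader pair used in the tutorial
# below, plus a resourceNames rule and a "*/status" rule.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "read-pods"},
     "subjects": [{"kind": "User", "name": "jane"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "subjects": [{"kind": "Group", "name": "manager"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "Role", "metadata": {"namespace": "production", "name": "app-config-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["app-config"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "production", "name": "app-config-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "app-config-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "status-writer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/status"], "verbs": ["update"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "controllers-status"},
     "subjects": [{"kind": "Group", "name": "controllers"}],
     "roleRef": {"kind": "ClusterRole", "name": "status-writer"}},
]

if __name__ == "__main__":
    app = "system:serviceaccount:production:app"
    print(can_i(SAMPLE_OBJECTS, "jane", [], "get", "pods", namespace="default"))         # True
    print(can_i(SAMPLE_OBJECTS, "jane", [], "get", "pods", namespace="kube-system"))     # False
    print(can_i(SAMPLE_OBJECTS, app, [], "list", "configmaps", namespace="production"))  # False
```

The third call is the one worth remembering: the service account can `get` the ConfigMap it is named for, but `kubectl get configmaps` (a list with no name) is denied, which is exactly what `kubectl auth can-i` will report on a real cluster.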
Key properties
- Fine-grained control: rules name specific API groups, resources, subresources, verbs and optionally object names
- Namespace isolation: a Role and a RoleBinding only ever take effect inside their own namespace
- Cluster-wide control: a ClusterRole bound through a ClusterRoleBinding applies across all namespaces and to cluster-scoped resources
- Aggregation: a ClusterRole with an aggregationRule is assembled from other ClusterRoles selected by label
- Dynamic changes: roles and bindings are ordinary API objects; edits apply to the next request without restarting the API server
- Audit support: RBAC objects and the requests they authorize are visible in the API server audit log, which records the decision and the reason for each request
Hands-on tutorial
Creating a Role and a RoleBinding

```yaml
# Role: may read Pods in the default namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]          # "" is the core API group (pods, services, secrets, ...)
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
# RoleBinding: grant pod-reader to the user "jane" inside the default namespace.
# The subject name must match the username produced by the authenticator exactly.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

The roleRef of a binding is immutable: to point a binding at a different role, delete and recreate it.
Creating a ClusterRole and a ClusterRoleBinding

```yaml
# ClusterRole: may read Secrets (in every namespace once bound cluster-wide)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# ClusterRoleBinding: every member of the group "manager" may read every
# Secret in the cluster. Group membership is supplied by the authenticator
# (OIDC claims, certificate organizations), not by Kubernetes itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - kind: Group
    name: manager
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

To give the same ClusterRole to a group in a single namespace only, reference it from a RoleBinding in that namespace instead of a ClusterRoleBinding.
Creating RBAC objects with kubectl

```shell
# Role and RoleBinding are namespaced; add -n <namespace> to target a
# namespace other than the one in the current context
kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding read-pods --role=pod-reader --user=jane
# ClusterRole and ClusterRoleBinding are not namespaced
kubectl create clusterrole secret-reader --verb=get,list,watch --resource=secrets
kubectl create clusterrolebinding read-secrets-global --clusterrole=secret-reader --group=manager
```

Check the result before handing out credentials, for example `kubectl auth can-i list pods -n default --as=jane` (impersonation requires the `impersonate` verb on users and groups).
Real-world case
Case: an enterprise permission model
A large technology company needs different Kubernetes access for its development, operations and security teams. RBAC expresses each team's permissions as one role and attaches it to the team's group:

```yaml
# Development team role, scoped to the dev namespace only
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-developer
rules:
  # Pods: lifecycle plus logs. "patch" is needed by kubectl apply/edit and
  # "watch" by kubectl get -w; the log subresource only supports "get"
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # exec is a subresource that only supports "create"; whoever holds it can
  # run commands inside every pod of the namespace, mounted credentials included
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # Deployments and ReplicaSets
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Services
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # ConfigMaps and Secrets. Read access to Secrets is read access to every
  # credential in the namespace; in a shared environment move "secrets" into a
  # separate role that is bound only where it is genuinely needed
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Operations team role, all environments
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operations-admin
rules:
  # Core cluster-scoped resources
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Workloads
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Networking
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Storage
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Events, for monitoring. Events are not the audit log; that is written by
  # the API server and is not reachable through RBAC-governed API calls
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
---
# Security team role: read-only view of security-relevant objects
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-auditor
rules:
  # PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25;
  # keep this rule only for clusters that still run it
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["get", "list"]
  # NetworkPolicies
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list"]
  # Events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list"]
  # Secrets restricted by object name. resourceNames are the names of Secret
  # objects, not keys inside them, and "get" returns the full contents of a
  # named Secret. "list" only succeeds together with
  # --field-selector metadata.name=<one of the listed names>
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
    resourceNames: ["ca.crt", "service-account-token"]
---
# Development team binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-access
  namespace: dev
subjects:
  - kind: User
    name: dev-user-1
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: dev-user-2
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-developer
  apiGroup: rbac.authorization.k8s.io
---
# Operations team binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-team-access
subjects:
  - kind: User
    name: ops-user-1
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: ops-user-2
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: operators
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: operations-admin
  apiGroup: rbac.authorization.k8s.io
---
# Security team binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-team-access
subjects:
  - kind: User
    name: sec-user-1
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: security
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: security-auditor
  apiGroup: rbac.authorization.k8s.io
---
# Service account permissions for an application: read its own Pods and Services
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: app-service-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-service-binding
  namespace: production
subjects:
  # ServiceAccount subjects carry a namespace and no apiGroup
  - kind: ServiceAccount
    name: app-service-account
    namespace: production
roleRef:
  kind: Role
  name: app-service-role
  apiGroup: rbac.authorization.k8s.io
```
Advantages of this structure:
- Separation of duties: each team holds a different, explicitly listed set of permissions
- Least privilege: each role carries only what the team's work requires; the Secret and pods/exec grants in dev-developer are the first to revisit, because either one exposes every credential in the namespace
- Central management: membership is handled through groups, so onboarding and offboarding never touch the bindings
- Auditability: every grant is a declarative object that can be reviewed, diffed and version-controlled
- Flexibility: users, groups and service accounts are all first-class subjects
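Reviewing the case-study manifests by eye for the grants that matter is error-prone, so here is an added example of doing it mechanically; it is not code from the original page. The script scans RBAC objects (as Python dicts in the manifest shape) for the handful of patterns that turn an innocent-looking role into namespace or cluster takeover: wildcard verbs on wildcard resources, the `bind`/`escalate`/`impersonate` verbs, unrestricted Secret reads, `create` on pods/exec (a shell in any pod) and plain pod creation (which can mount any Secret or service account token). The objects it runs on are reduced, constructed copies of dev-developer and app-service-role from above plus one deliberately bad ClusterRoleBinding; the severity labels and finding texts are this example's own convention.

```python
"""Static review of RBAC manifests for grants that are wider than they look.

Added example, not code from the original page. The objects scanned are
reduced, constructed copies of the case-study manifests above plus one
deliberately bad ClusterRoleBinding; severity labels and messages are this
example's own convention, not a Kubernetes feature.
"""

# Verbs that let a subject reach permissions it does not hold: bind/escalate
# on RBAC objects, impersonate on users, groups and serviceaccounts.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# "create" on these subresources is an interactive foothold in a running pod.
SHELL_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# Groups that every caller (or every authenticated caller) belongs to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
READ_VERBS = {"get", "list", "watch", "*"}
CREATE_VERBS = {"create", "*"}


def review_rules(role):
    """Yield (severity, message) for each risky rule in a Role or ClusterRole."""
    for i, rule in enumerate(role.get("rules", [])):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        where = "%s %s rule %d" % (role["kind"], role["metadata"]["name"], i)
        if "*" in verbs and "*" in resources:
            yield "critical", where + ": all verbs on all resources (cluster-admin equivalent)"
        if verbs & ESCALATION_VERBS:
            yield "critical", where + ": %s allow privilege escalation" % sorted(verbs & ESCALATION_VERBS)
        if "secrets" in resources and verbs & READ_VERBS and not rule.get("resourceNames"):
            yield "high", where + ": reads every Secret in scope"
        if resources & SHELL_SUBRESOURCES and verbs & CREATE_VERBS:
            yield "high", where + ": can open a shell in any pod in scope"
        if "pods" in resources and verbs & CREATE_VERBS:
            yield "medium", where + ": pod creation can mount any Secret or ServiceAccount token in scope"


def review(objects):
    """Return [(severity, message)] for a list of RBAC objects (dicts)."""
    findings = []
    bound_to = {}  # (kind, namespace, name) -> ["<subject> in <scope>", ...]
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, bname = b["roleRef"], b["metadata"]["name"]
        scope = b["metadata"]["namespace"] if b["kind"] == "RoleBinding" else "*"
        key = (ref["kind"], scope if ref["kind"] == "Role" else "", ref["name"])
        if ref["name"] == "cluster-admin":
            findings.append(("critical", "%s %s hands out cluster-admin" % (b["kind"], bname)))
        for s in b.get("subjects", []):
            bound_to.setdefault(key, []).append("%s %s in %s" % (s["kind"], s["name"], scope))
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings.append(("high", "%s %s grants %s to %s" % (b["kind"], bname, ref["name"], s["name"])))
    for role in objects:
        if role["kind"] not in ("Role", "ClusterRole"):
            continue
        key = (role["kind"], role["metadata"].get("namespace", ""), role["metadata"]["name"])
        targets = bound_to.get(key)
        if not targets:
            findings.append(("info", "%s %s is not bound to anyone" % (role["kind"], key[2])))
            continue
        for severity, message in review_rules(role):
            findings.append((severity, message + "; bound to " + ", ".join(targets)))
    return findings


SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "dev-developer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "create", "delete"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list", "create", "update", "delete"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "dev-team-access"},
     "subjects": [{"kind": "Group", "name": "developers"}], "roleRef": {"kind": "Role", "name": "dev-developer"}},
    {"kind": "Role", "metadata": {"namespace": "production", "name": "app-service-role"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "production", "name": "app-service-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-service-account", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "app-service-role"}},
    # Deliberately bad (constructed): an "everything" ClusterRole for every authenticated caller.
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-everything"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "everything"}},
]

if __name__ == "__main__":
    for severity, message in review(SAMPLE_OBJECTS):
        print("[%s] %s" % (severity.upper(), message))
```

On a live cluster the same checks can be fed from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the list of risky patterns above is a starting point, not a complete model of Kubernetes privilege escalation paths.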
Configuration in depth
A Role with several kinds of rule

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example
  name: advanced-role
rules:
  # Basic resource operations
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "create", "update", "delete"]
  # Subresources: exec and portforward only support "create"
  - apiGroups: [""]
    resources: ["pods/exec", "pods/portforward"]
    verbs: ["create"]
  # Restricting to a named object. resourceNames cannot restrict "create"
  # (the name is unknown at authorization time), and a plain "list" is denied
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["special-config"]
    verbs: ["get", "update"]
  # The same resource in several API groups. Deployments left the "extensions"
  # group in Kubernetes 1.16; listing it is harmless but grants nothing on current clusters
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  # A custom resource, addressed by the API group of its CRD
  - apiGroups: ["example.com"]
    resources: ["widgets"]
    verbs: ["get", "list", "create", "update", "delete"]
```
ClusterRole aggregation
A ClusterRole that carries an `aggregationRule` has its `rules` filled in by the aggregation controller from every other ClusterRole whose labels match one of its selectors. The built-in `view`, `edit` and `admin` ClusterRoles work this way: `view` selects the label `rbac.authorization.k8s.io/aggregate-to-view: "true"`, so the two ClusterRoles below are merged into `view` without touching it. Because `edit` aggregates `view` and `admin` aggregates `edit`, and because rules are additive, everything added here reaches every subject bound to any of those three roles; the `nodes` entry in particular gives node listing to anyone holding `view` through a ClusterRoleBinding.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-viewer
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [""]
    resources: ["events", "pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-viewer
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
```

Any rules written by hand into an aggregating ClusterRole are overwritten by the controller, so put rules only in the contributing roles.
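To make the aggregation behaviour concrete, here is an added example (not code from the page or from Kubernetes) that computes what the aggregation controller writes into each aggregating ClusterRole: label-selector matching (`matchLabels` and `matchExpressions`), exclusion of the role itself, de-duplication of identical rules, replacement rather than merging of hand-written rules, and re-syncing until nothing changes so that chains such as `edit` aggregating `view` come out right. The ClusterRoles it runs on are constructed: monitoring-viewer and logging-viewer from the manifests above, plus a `view`/`edit` pair that mirrors how the built-in roles chain (with this example's own assumed labels and a deliberately bogus hand-written rule in `view`).

```python
"""What the clusterrole-aggregation controller computes for aggregating roles.

Added example, not the page's or Kubernetes' own code. ClusterRoles are dicts
in manifest shape; the objects at the bottom are constructed for the example.
"""

AGG = "rbac.authorization.k8s.io/aggregate-to-"


def selector_matches(selector, labels):
    """Evaluate a metav1.LabelSelector (matchLabels and matchExpressions)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def aggregate(cluster_roles):
    """Return {name: rules} for every ClusterRole that has an aggregationRule.

    For each selector, every *other* ClusterRole whose labels match contributes
    its rules (duplicates dropped). The aggregating role's own .rules are
    replaced, never merged. Since an aggregating role may itself be selected by
    another aggregating role, recompute until a full pass changes nothing.
    """
    rules = {r["metadata"]["name"]: list(r.get("rules", [])) for r in cluster_roles}
    aggregating = [r for r in cluster_roles if "aggregationRule" in r]
    for _ in range(len(cluster_roles) + 1):  # bounded re-sync loop
        changed = False
        for role in aggregating:
            name = role["metadata"]["name"]
            collected = []
            for selector in role["aggregationRule"]["clusterRoleSelectors"]:
                for other in cluster_roles:
                    other_name = other["metadata"]["name"]
                    if other_name == name:
                        continue
                    if selector_matches(selector, other["metadata"].get("labels", {})):
                        for rule in rules[other_name]:
                            if rule not in collected:
                                collected.append(rule)
            if collected != rules[name]:
                rules[name], changed = collected, True
        if not changed:
            break
    return {r["metadata"]["name"]: rules[r["metadata"]["name"]] for r in aggregating}


MONITORING_RULE = {"apiGroups": [""], "resources": ["events", "pods", "nodes"], "verbs": ["get", "list", "watch"]}
LOGGING_RULE = {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}

# Constructed: the two contributing roles from above plus a view/edit chain.
# "edit" is listed before "view" on purpose, so a single pass would pick up
# view's stale hand-written rule; the re-sync loop corrects that.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "monitoring-viewer", "labels": {AGG + "view": "true"}}, "rules": [MONITORING_RULE]},
    {"metadata": {"name": "logging-viewer", "labels": {AGG + "view": "true"}}, "rules": [LOGGING_RULE]},
    {"metadata": {"name": "edit", "labels": {AGG + "admin": "true"}},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "edit": "true"}}]},
     "rules": []},
    {"metadata": {"name": "view", "labels": {AGG + "edit": "true"}},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "view": "true"}}]},
     # Hand-written rule: the controller discards it.
     "rules": [{"apiGroups": [""], "resources": ["bogus"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for name, rules in aggregate(SAMPLE_CLUSTER_ROLES).items():
        print(name, [r["resources"] for r in rules])
```

The practical consequence for a reviewer: to know what `view` really grants on a cluster, read the contributing ClusterRoles (`kubectl get clusterroles -l rbac.authorization.k8s.io/aggregate-to-view=true`), not the `view` object as someone once wrote it.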
A RoleBinding with several subjects

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: multi-subject-binding
  namespace: example
subjects:
  - kind: User
    name: user1
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: user2
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
  # ServiceAccount subjects use a namespace instead of an apiGroup
  - kind: ServiceAccount
    name: bot-account
    namespace: example
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
```

Every subject in the list receives exactly the same permissions; a binding can be edited to add or remove subjects, but its roleRef cannot be changed.
Troubleshooting
Common problems and how to diagnose them
- "Forbidden" (403) errors

```shell
# Can the current identity perform the action?
kubectl auth can-i <verb> <resource> --namespace <namespace>
# Everything the current identity may do in the namespace
kubectl auth can-i --list --namespace <namespace>
# Roles and bindings that exist in the namespace
kubectl get roles,rolebindings -n <namespace>
# Cluster-scoped roles and bindings
kubectl get clusterroles,clusterrolebindings
```

- A RoleBinding has no effect

```shell
# Subjects and roleRef of the binding
kubectl describe rolebinding <name> -n <namespace>
# Rules of the role it points at
kubectl describe role <name> -n <namespace>
# Which identity is kubectl actually sending?
kubectl config view --minify
# Username and groups as the API server sees them (needs the SelfSubjectReview API)
kubectl auth whoami
```

The usual causes: the Role is in a different namespace from the RoleBinding (a RoleBinding can only reference a Role in its own namespace), the subject name differs from the authenticated username (names are case-sensitive and compared exactly), or the group is not one the authenticator actually puts in the user's token.

- Scope problems with a ClusterRoleBinding

```shell
kubectl describe clusterrolebinding <name>
kubectl describe clusterrole <name>
# Check the permission across all namespaces rather than just the current one
kubectl auth can-i <verb> <resource> --all-namespaces
```

- Service account permissions

```shell
kubectl describe serviceaccount <name> -n <namespace>
# Bindings that name the service account (the SERVICEACCOUNTS column shows namespace/name)
kubectl get rolebindings,clusterrolebindings -A -o wide | grep "<namespace>/<sa-name>"
# Check a permission, or list them all, as the service account
kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<namespace>:<sa-name>
kubectl auth can-i --list -n <namespace> --as=system:serviceaccount:<namespace>:<sa-name>
```

Impersonation with `--as` and `--as-group` requires the `impersonate` verb on users, groups and serviceaccounts, which cluster-admin has.
Best practices
- Least privilege:
  - Grant only the verbs and resources a task needs; avoid "*" in verbs, resources and apiGroups
  - Review and remove grants that are no longer used; an unbound Role is harmless, a forgotten ClusterRoleBinding is not
  - Prefer Role over ClusterRole, and RoleBinding over ClusterRoleBinding, unless cluster scope is genuinely required; a shared ClusterRole can still be handed out per namespace through RoleBindings
- Naming conventions:
  - Give roles and bindings names that say what they grant and to whom
  - Use one naming scheme across teams and clusters
  - Record the purpose and owner of each role in annotations
- Group management:
  - Bind roles to groups rather than to individual users
  - Keep the group hierarchy simple; group membership comes from the authenticator (OIDC claims, certificate organizations), not from Kubernetes
  - Reconcile group membership with the identity provider regularly
- Auditing and monitoring:
  - Enable API server audit logging and record every RBAC write
  - Alert on new or changed ClusterRoleBindings, on bindings to system:authenticated or system:unauthenticated, and on any grant of the bind, escalate or impersonate verbs
  - Generate permission reports regularly (for example with `kubectl auth can-i --list --as=<subject>`)
- Documentation:
  - Keep every role and grant under version control and review changes like code
  - Run grants through a request-and-approval process
  - Maintain a permission matrix of teams against roles
Security considerations
Hardening with PodSecurityPolicy (legacy)
RBAC decides who may create a Pod; it says nothing about what that Pod may do. PodSecurityPolicy (PSP) filled that gap by admitting only Pods that satisfy a policy the requester was allowed to `use`. PSP was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the built-in replacement is Pod Security Admission, enabled per namespace with the label `pod-security.kubernetes.io/enforce: restricted`, or an external policy admission controller. The manifest below is the PSP pattern for clusters that still run it; the RBAC part (granting the `use` verb on a named policy) is specific to PSP.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
---
# Only the "use" verb on this one policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - restricted-psp
---
# Every authenticated identity, including service accounts, may use the restricted policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-binding
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
```
Restricting access to Secrets

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: limited-secret-access
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # Names of Secret objects; "get" on a named Secret returns all of its data
    resourceNames: ["public-cert", "app-config"]
    # "list" only succeeds with --field-selector metadata.name=<one of the names above>;
    # a plain "kubectl get secrets" is denied
    verbs: ["get", "list"]
```

A name-restricted rule is only as good as the other rules in the namespace: a subject that can create Pods, or exec into them, can read any Secret by mounting it, so keep those verbs out of roles that are meant to be Secret-restricted.
Enabling audit logging

```
# kube-apiserver flags
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-log-maxbackup=10
--audit-log-maxsize=100
```

Example audit policy:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order; the first match decides the level.
rules:
  # Secret and ConfigMap writes: who, what, when, but no request bodies,
  # which would copy secret data into the log
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
    verbs: ["create", "update", "delete"]
  # Every RBAC change with the full request body, so the granted rules are on record
  - level: Request
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Catch-all: keep at least one line per request. A catch-all of level None
  # would drop Secret reads, pod exec and token requests from the log entirely
  - level: Metadata
```
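An audit log is only useful if something reads it. The following is an added example, not code from the original page or from Kubernetes, of a detection pass over audit log lines (one audit.k8s.io/v1 Event per line, as --audit-log-path writes them). It raises findings for RBAC writes, Secret reads by identities outside an allow-list, pod exec/attach, impersonation, and bursts of 403 responses from one identity (a token probing for what it can do). The sample lines are constructed with a small helper so they stay readable; the allow-list, threshold and rule names are this example's own.

```python
"""Detection pass over kube-apiserver audit log lines.

Added example, not code from the page or from Kubernetes. Input is one
audit.k8s.io/v1 Event JSON document per line; the events below are
constructed, and the allow-list, threshold and rule names are this example's.
"""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}


def analyze(lines, secret_readers=frozenset(), forbidden_threshold=3):
    """Return a list of {"rule", "user", "detail"} findings for audit lines."""
    findings, forbidden = [], {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        # At Metadata level each request is logged at RequestReceived and again
        # at ResponseComplete; only the latter carries the response code.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        verb = ev.get("verb", "")
        ref = ev.get("objectRef") or {}
        code = ev.get("responseStatus", {}).get("code", 0)
        target = "%s/%s %s/%s" % (ref.get("apiGroup", "core"), ref.get("resource", ""),
                                  ref.get("namespace", "-"), ref.get("name", ""))
        if "impersonatedUser" in ev:
            findings.append({"rule": "impersonation", "user": user, "detail": "acted as %s: %s %s"
                             % (ev["impersonatedUser"].get("username"), verb, target)})
        if code == 403:
            forbidden[user] = forbidden.get(user, 0) + 1
            if forbidden[user] == forbidden_threshold:
                findings.append({"rule": "forbidden-burst", "user": user,
                                 "detail": "%d denied requests, possible permission probing" % forbidden_threshold})
            continue  # a denied request did nothing; do not count it below
        if ref.get("apiGroup") == RBAC_GROUP and verb in WRITE_VERBS:
            findings.append({"rule": "rbac-change", "user": user, "detail": "%s %s" % (verb, target)})
        if ref.get("resource") == "secrets" and verb in READ_VERBS and user not in secret_readers:
            findings.append({"rule": "secret-read", "user": user, "detail": "%s %s" % (verb, target)})
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and verb == "create":
            findings.append({"rule": "pod-exec", "user": user, "detail": target})
    return findings


def _event(user, verb, resource, name, namespace=None, api_group=None, subresource=None,
           code=200, stage="ResponseComplete", impersonated=None):
    """Build one constructed audit Event line in the audit.k8s.io/v1 shape."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata", "stage": stage,
          "verb": verb, "user": {"username": user, "groups": ["system:authenticated"]},
          "objectRef": {"resource": resource, "name": name, "apiVersion": "v1"},
          "responseStatus": {"code": code}}
    if namespace:
        ev["objectRef"]["namespace"] = namespace
    if api_group:
        ev["objectRef"]["apiGroup"] = api_group
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    if impersonated:
        ev["impersonatedUser"] = {"username": impersonated}
    return json.dumps(ev)


# Constructed sample log: a user reading a Secret, the application's own
# allowed Secret read, an RBAC write, an exec, an impersonated request and a
# service account token being denied four times in a row.
SAMPLE_LOG = [
    _event("jane", "get", "secrets", "db-creds", "production", stage="RequestReceived"),
    _event("jane", "get", "secrets", "db-creds", "production"),
    _event("system:serviceaccount:production:app", "get", "secrets", "app-tls", "production"),
    _event("ops-user-1", "create", "clusterrolebindings", "give-me-admin", api_group=RBAC_GROUP, code=201),
    _event("dev-user-2", "create", "pods", "web-0", "dev", subresource="exec", code=101),
    _event("admin", "get", "pods", "web-0", "production", impersonated="jane"),
] + [_event("system:serviceaccount:dev:ci", "list", r, "", "kube-system", code=403)
     for r in ("secrets", "configmaps", "pods", "serviceaccounts")]

# Constructed allow-list of identities expected to read Secrets.
SECRET_READERS = frozenset({"system:serviceaccount:production:app"})

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, SECRET_READERS):
        print("%-16s %-40s %s" % (f["rule"], f["user"], f["detail"]))
```

Two details matter when this is pointed at a real log: filter on the ResponseComplete stage or every request is counted twice, and skip 403s when looking for what actually happened while still counting them per identity, since a burst of denials from one service account is one of the cheapest signs of a stolen token.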
Command reference

| Command | Description |
|---|---|
| kubectl get roles | List Roles |
| kubectl get clusterroles | List ClusterRoles |
| kubectl get rolebindings | List RoleBindings |
| kubectl get clusterrolebindings | List ClusterRoleBindings |
| kubectl describe role <name> | Show a Role in detail |
| kubectl describe clusterrole <name> | Show a ClusterRole in detail |
| kubectl auth can-i <verb> <resource> | Check one permission |
| kubectl auth can-i --list | List every permission of the current identity |
| kubectl create role <name> --verb=<verbs> --resource=<resources> | Create a Role |
| kubectl create clusterrole <name> --verb=<verbs> --resource=<resources> | Create a ClusterRole |
| kubectl create rolebinding <name> --role=<role> --user=<user> | Create a RoleBinding |
| kubectl create clusterrolebinding <name> --clusterrole=<role> --group=<group> | Create a ClusterRoleBinding |
Summary
RBAC is the core mechanism for fine-grained access control in Kubernetes. After working through this document you should be able to:
- Explain the RBAC core concepts and how the API server evaluates a request
- Create and manage Roles, ClusterRoles, RoleBindings and ClusterRoleBindings
- Build a team-based permission model for an organisation
- Write rules that use subresources, resourceNames, multiple API groups and aggregation
- Diagnose the common RBAC problems
- Apply the best practices and security considerations above
In the next document we will look at Helm, the package manager used to deploy applications on Kubernetes.