实战：RBAC(基于角色的权限控制)-2021.11.28

目录
实验环境
实验软件(无)
1、RBAC(基于角色的权限控制)
2、API 对象
3、RBAC
- :cupid:1.演示：只能访问某个 namespace 的普通用户
- - (1)创建用户凭证
  - (2)创建角色
  - (3)创建角色权限绑定
  - (4)测试
- :cupid:2.演示：只能访问某个 namespace 的 ServiceAccount
- :cupid:3.演示：可以全局访问的 ServiceAccount
4、注意事项
- 1.`noResources概念`
- 2.这个`cluster-admin`clusterrole的权限是无敌的哈哈
- 3.2种方式访问k8s集群
- 4.RBAC流程
- 5.Role资源清单文件里`rules`字段可以按如下方式编写
- 6.`Forbidden`字段报错更大可能性要想到的可能是权限问题
- 7.我们可以去分析系统自带的 `clusterrole`、`clusterrolebinding` 这些资源对象的编写方法
- 8.如何确定某个资源对象属于哪个apiGroup呢？
关于我
最后

实验环境

实验环境：
1、win10,vmwrokstation虚机；
2、k8s集群：3台centos7.6 1810虚机，1个master节点,2个node节点k8s version：v1.22.2containerd://1.5.5

实验软件(无)

1、RBAC(基于角色的权限控制)

前面我们已经学习一些常用的资源对象的使用，我们知道对于资源对象的操作都是通过 APIServer 进行的，那么集群是怎样知道我们的请求就是合法的请求呢？这个就需要了解 Kubernetes 中另外一个非常重要的知识点了：RBAC（基于角色的权限控制）。

管理员可以通过 Kubernetes API 动态配置策略来启用RBAC，需要在 kube-apiserver 中添加参数--authorization-mode=RBAC，如果使用的 kubeadm 安装的集群那么是默认开启了 RBAC 的，可以通过查看 Master 节点上 apiserver 的静态 Pod 定义文件：

[root@master1 ~]#cat /etc/kubernetes/manifests/kube-apiserver.yaml |grep mode- --authorization-mode=Node,RBAC
[root@master1 ~]#

⚠️如果是二进制的方式搭建的集群，添加这个参数过后，记得要重启 kube-apiserver 服务。（如何重启？是删除pod吗？？）

2、API 对象

在学习 RBAC 之前，我们还需要再去理解下 Kubernetes 集群中的对象，我们知道，**在 Kubernetes 集群中，Kubernetes 对象是我们持久化的实体，就是最终存入 etcd 中的数据，集群中通过这些实体来表示整个集群的状态。**前面我们都直接编写的 YAML 文件，通过 kubectl 来提交的资源清单文件，然后创建的对应的资源对象，那么它究竟是如何将我们的 YAML 文件转换成集群中的一个 API 对象的呢？

这个就需要去了解下声明式 API的设计，Kubernetes API 是一个以 JSON 为主要序列化方式的 HTTP 服务(可以理解为一个web server)，除此之外也支持 Protocol Buffers 序列化方式，主要用于集群内部组件间的通信。为了可扩展性，Kubernetes 在不同的 API 路径（比如/api/v1 或者 /apis/batch）下面支持了多个 API 版本，不同的 API 版本意味着不同级别的稳定性和支持：

Alpha 级别，例如 v1alpha1 默认情况下是被禁用的，可以随时删除对功能的支持，所以要慎用
Beta 级别，例如 v2beta1 默认情况下是启用的，表示代码已经经过了很好的测试，但是对象的语义可能会在随后的版本中以不兼容的方式更改
稳定级别，比如 v1 表示已经是稳定版本了，也会出现在后续的很多版本中。

在 Kubernetes 集群中，一个 API 对象在 Etcd 里的完整资源路径，是由：Group（API 组）、Version（API 版本）和 Resource（API 资源类型）三个部分组成的。通过这样的结构，整个 Kubernetes 里的所有 API 对象，实际上就可以用如下的树形结构表示出来：

从上图中我们也可以看出 Kubernetes 的 API 对象的组织方式，在顶层，我们可以看到有一个核心组（由于历史原因，是 /api/v1 下的所有内容而不是在 /apis/core/v1 下面）和命名组（路径 /apis/$NAME/$VERSION）和系统范围内的实体，比如 /metrics。

⚠️我们也可以用下面的命令来查看集群中的 API 组织形式：

[root@master1 ~]#kubectl get --raw /
{"paths": ["/.well-known/openid-configuration","/api","/api/v1","/apis","/apis/","/apis/admissionregistration.k8s.io","/apis/admissionregistration.k8s.io/v1","/apis/apiextensions.k8s.io","/apis/apiextensions.k8s.io/v1","/apis/apiregistration.k8s.io","/apis/apiregistration.k8s.io/v1","/apis/apps","/apis/apps/v1","/apis/authentication.k8s.io","/apis/authentication.k8s.io/v1","/apis/authorization.k8s.io","/apis/authorization.k8s.io/v1","/apis/autoscaling","/apis/autoscaling/v1","/apis/autoscaling/v2beta1","/apis/autoscaling/v2beta2","/apis/batch","/apis/batch/v1","/apis/batch/v1beta1","/apis/certificates.k8s.io","/apis/certificates.k8s.io/v1","/apis/coordination.k8s.io","/apis/coordination.k8s.io/v1","/apis/discovery.k8s.io","/apis/discovery.k8s.io/v1","/apis/discovery.k8s.io/v1beta1","/apis/events.k8s.io","/apis/events.k8s.io/v1","/apis/events.k8s.io/v1beta1","/apis/flowcontrol.apiserver.k8s.io","/apis/flowcontrol.apiserver.k8s.io/v1beta1","/apis/metrics.k8s.io","/apis/metrics.k8s.io/v1beta1","/apis/networking.k8s.io","/apis/networking.k8s.io/v1","/apis/node.k8s.io","/apis/node.k8s.io/v1","/apis/node.k8s.io/v1beta1","/apis/policy","/apis/policy/v1","/apis/policy/v1beta1","/apis/rbac.authorization.k8s.io","/apis/rbac.authorization.k8s.io/v1","/apis/scheduling.k8s.io","/apis/scheduling.k8s.io/v1","/apis/storage.k8s.io","/apis/storage.k8s.io/v1","/apis/storage.k8s.io/v1beta1","/healthz","/healthz/autoregister-completion","/healthz/etcd","/healthz/log","/healthz/ping","/healthz/poststarthook/aggregator-reload-proxy-client-cert","/healthz/poststarthook/apiservice-openapi-controller","/healthz/poststarthook/apiservice-registration-controller","/healthz/poststarthook/apiservice-status-available-controller","/healthz/poststarthook/bootstrap-controller","/healthz/poststarthook/crd-informer-synced","/healthz/poststarthook/generic-apiserver-start-informers","/healthz/poststarthook/kube-apiserver-autoregistration","/healthz/poststarthook/priority-and-fairness-config-consumer","/healthz/poststarthook/priority-and-fairness-config-producer","/healthz/poststarthook/priority-and-fairness-filter","/healthz/poststarthook/rbac/bootstrap-roles","/healthz/poststarthook/scheduling/bootstrap-system-priority-classes","/healthz/poststarthook/start-apiextensions-controllers","/healthz/poststarthook/start-apiextensions-informers","/healthz/poststarthook/start-cluster-authentication-info-controller","/healthz/poststarthook/start-kube-aggregator-informers","/healthz/poststarthook/start-kube-apiserver-admission-initializer","/livez","/livez/autoregister-completion","/livez/etcd","/livez/log","/livez/ping","/livez/poststarthook/aggregator-reload-proxy-client-cert","/livez/poststarthook/apiservice-openapi-controller","/livez/poststarthook/apiservice-registration-controller","/livez/poststarthook/apiservice-status-available-controller","/livez/poststarthook/bootstrap-controller","/livez/poststarthook/crd-informer-synced","/livez/poststarthook/generic-apiserver-start-informers","/livez/poststarthook/kube-apiserver-autoregistration","/livez/poststarthook/priority-and-fairness-config-consumer","/livez/poststarthook/priority-and-fairness-config-producer","/livez/poststarthook/priority-and-fairness-filter","/livez/poststarthook/rbac/bootstrap-roles","/livez/poststarthook/scheduling/bootstrap-system-priority-classes","/livez/poststarthook/start-apiextensions-controllers","/livez/poststarthook/start-apiextensions-informers","/livez/poststarthook/start-cluster-authentication-info-controller","/livez/poststarthook/start-kube-aggregator-informers","/livez/poststarthook/start-kube-apiserver-admission-initializer","/logs","/metrics","/openapi/v2","/openid/v1/jwks","/readyz","/readyz/autoregister-completion","/readyz/etcd","/readyz/informer-sync","/readyz/log","/readyz/ping","/readyz/poststarthook/aggregator-reload-proxy-client-cert","/readyz/poststarthook/apiservice-openapi-controller","/readyz/poststarthook/apiservice-registration-controller","/readyz/poststarthook/apiservice-status-available-controller","/readyz/poststarthook/bootstrap-controller","/readyz/poststarthook/crd-informer-synced","/readyz/poststarthook/generic-apiserver-start-informers","/readyz/poststarthook/kube-apiserver-autoregistration","/readyz/poststarthook/priority-and-fairness-config-consumer","/readyz/poststarthook/priority-and-fairness-config-producer","/readyz/poststarthook/priority-and-fairness-filter","/readyz/poststarthook/rbac/bootstrap-roles","/readyz/poststarthook/scheduling/bootstrap-system-priority-classes","/readyz/poststarthook/start-apiextensions-controllers","/readyz/poststarthook/start-apiextensions-informers","/readyz/poststarthook/start-cluster-authentication-info-controller","/readyz/poststarthook/start-kube-aggregator-informers","/readyz/poststarthook/start-kube-apiserver-admission-initializer","/readyz/shutdown","/version"]
}
[root@master1 ~]#

比如我们来查看批处理这个操作，在我们当前这个版本中存在两个版本的操作：/apis/batch/v1 和 /apis/batch/v1beta1，分别暴露了可以查询和操作的不同实体集合.