IAM authentication and access control: how to add a limited-access IAM user to an EKS cluster

Introduction

Elastic Kubernetes Service (EKS) is the fully managed Kubernetes service from AWS. It is deeply integrated with many AWS services, such as AWS Identity and Access Management (IAM) (for authentication to the cluster), Amazon CloudWatch (for logging), Auto Scaling Groups (for scaling worker nodes), and Amazon Virtual Private Cloud (VPC) (for networking). Many companies trust Amazon EKS to run their containerized workloads.

EKS uses IAM to authenticate you to your Kubernetes cluster (via the aws eks get-token command, or the AWS IAM Authenticator for Kubernetes). For authorization it relies on native Kubernetes Role Based Access Control (RBAC). In other words, IAM establishes who is calling your EKS cluster, and the permissions for interacting with your cluster's Kubernetes API are managed through the native Kubernetes RBAC system.

How to create an IAM User

Go to your AWS Console where you will find the IAM service listed under the “Security, Identity & Compliance” group. Inside the IAM dashboard click on the Users tab and click the “Add User” button.

Create a new user and allow the user programmatic access by clicking on the "Programmatic access" checkbox. You do not need any particular permission for your user to access EKS. You can go ahead without selecting any permission.

After the user is created, you will have access to the user's Access Key ID and Secret Access Key. You will be required to use these keys in the next step.

Configure the AWS CLI

Configuring your AWS CLI with a new user is as simple as running the aws configure command and providing the AWS Access Key ID and the AWS Secret Access Key. The Default region name and Default Output format are optional, though.

$ aws configure --profile eks-user
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text

Once configured you can test to see if the user is properly configured using the aws sts get-caller-identity command:

$ aws sts get-caller-identity --profile eks-user

If the user is properly configured with the aws cli utility you should see a response like the one shown below:

{
    "UserId": "AIDAX7JPBEM4A6FTJRTMB",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/eks-user"
}

Creating a Role and RoleBinding for the user

With your IAM user properly configured, you can go ahead and create a role for the user. This manifest creates a Role named eks-user-role that grants only the list permission on the pods resource in your cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eks-user-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]

Save the above snippet of code in a file and then apply the Role to your Kubernetes cluster:

$ kubectl apply -f role.yaml

With the role configured you need to create a corresponding RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-user-role-binding
subjects:
- kind: User
  name: eks-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: eks-user-role
  apiGroup: rbac.authorization.k8s.io

Save the above snippet of code in a file and then apply the RoleBinding to your Kubernetes cluster:

$ kubectl apply -f role-binding.yaml

Adding the user to the aws-auth ConfigMap

If you want to grant additional AWS users or roles the ability to interact with your EKS cluster, you must add the users/roles to the aws-auth ConfigMap within Kubernetes in the kube-system namespace.

You can do this either by editing it in place with the kubectl edit command:

$ kubectl edit configmap aws-auth -n kube-system

Or by exporting the aws-auth ConfigMap to a file, editing it and applying the changes:

$ kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth.yaml

Add the user as an item under mapUsers in the aws-auth ConfigMap:

data:
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/eks-user
      username: eks-user
      groups:
      - eks-role
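Hand-editing aws-auth is where clusters get broken: the ConfigMap also carries mapRoles, the mapping that lets worker nodes join, and replacing data wholesale can lock the nodes out. The script below is an added example (not code from the article or from AWS) that reads the live mapUsers block, appends or updates one entry, and sends a JSON merge patch that touches only data.mapUsers. It assumes kubectl is on the PATH with admin credentials for the cluster, that mapUsers items are written with userarn first as in the article, and it refuses two mistakes a "limited access" user should never involve: a username in the reserved system: prefix, and membership of system:masters (which the default cluster-admin ClusterRoleBinding grants). Note that the RoleBinding in the article binds the User subject eks-user, so the username here must match it exactly; the eks-role group only has an effect if some RoleBinding names it as a Group subject.

```python
import json
import re
import subprocess

# Constructed sample of an existing mapUsers block (not taken from a real cluster):
# an admin user already mapped to system:masters.
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::123456789012:user/admin-user
  username: admin-user
  groups:
  - system:masters
"""

USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")


def parse_map_users(block: str) -> list:
    """Parse the fixed shape EKS uses for mapUsers (a list of userarn/username/groups
    items) with a small line-based parser, so no PyYAML dependency is needed.
    Assumes each item starts with its userarn key, as in the article's snippet."""
    users = []
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("- userarn:"):
            users.append({"userarn": line.split(":", 1)[1].strip(),
                          "username": "", "groups": []})
        elif line.startswith("username:"):
            users[-1]["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- "):          # a group entry under "groups:"
            users[-1]["groups"].append(line[2:].strip())
        # blank lines and the "groups:" key itself carry no data
    return users


def render_map_users(users: list) -> str:
    """Serialize back to the YAML block form aws-auth expects."""
    lines = []
    for u in users:
        lines.append(f"- userarn: {u['userarn']}")
        lines.append(f"  username: {u['username']}")
        if u["groups"]:
            lines.append("  groups:")
            lines.extend(f"  - {g}" for g in u["groups"])
        else:
            lines.append("  groups: []")
    return "\n".join(lines) + "\n"


def add_map_user(block: str, userarn: str, username: str, groups: list) -> str:
    """Return a new mapUsers block with the user added (or updated if the ARN is
    already mapped), refusing settings that would make the user an admin."""
    if not USER_ARN_RE.match(userarn):
        raise ValueError(f"not an IAM user ARN: {userarn}")
    if "system:masters" in groups:
        # system:masters is bound to cluster-admin; a limited user never needs it
        raise ValueError("refusing to map a limited user into system:masters")
    if username.startswith("system:"):
        raise ValueError("system: usernames are reserved for Kubernetes components")
    users = parse_map_users(block)
    entry = {"userarn": userarn, "username": username, "groups": list(groups)}
    for i, u in enumerate(users):
        if u["userarn"] == userarn:
            users[i] = entry
            break
    else:
        users.append(entry)
    return render_map_users(users)


def merge_patch(map_users_block: str) -> str:
    """JSON merge patch that replaces only data.mapUsers; data.mapRoles (the node
    role mapping) is left untouched, so worker nodes keep joining the cluster."""
    return json.dumps({"data": {"mapUsers": map_users_block}})


def current_map_users() -> str:
    """Read the live block from the cluster; empty string if mapUsers is unset."""
    out = subprocess.run(
        ["kubectl", "get", "configmap", "aws-auth", "-n", "kube-system",
         "-o", "jsonpath={.data.mapUsers}"],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Same user, username and group as the article's snippet.
    updated = add_map_user(current_map_users(),
                           "arn:aws:iam::123456789012:user/eks-user",
                           "eks-user", ["eks-role"])
    subprocess.run(["kubectl", "patch", "configmap", "aws-auth", "-n", "kube-system",
                    "--type", "merge", "-p", merge_patch(updated)], check=True)
```

Running the script twice is safe: an ARN that is already mapped is updated in place rather than duplicated, which matters because aws-auth has no schema validation and a duplicated or mis-indented entry silently breaks authentication for every mapped identity.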

If the user is properly configured you should be able to list pods in the Cluster:

$ kubectl get pods --as eks-user

The --as flag impersonates the request to Kubernetes as the given user. You can use this flag to test permissions for any given user.

Configuring permissions for the user

The role which you defined previously only had permission to list pods. The eks-user cannot access any other Kubernetes resources like Deployments, ConfigMaps, Events, Secrets or logs, nor open a shell into a given pod.

In a real-world scenario, you will need to provide permissions to a user to access the required resources. The below snippet of code provides access to resources such as events, pods, deployments, configmaps and secrets.

rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/exec"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list", "get", "create", "update", "delete"]

Add the above rules to the role.yaml file and apply the changes with kubectl apply -f role.yaml.

Test, test and test!

Now go ahead and test to see if the permissions have been properly applied to the eks-user. You can test either with the --as USERNAME flag mentioned above, or by making eks-user the default profile for the aws cli:

$ export AWS_PROFILE=eks-user

Once configured you can test to see if the user is properly configured using the aws sts get-caller-identity command:

$ aws sts get-caller-identity

You should see a response like the following, indicating the user is properly configured with your aws cli utility:

{
    "UserId": "AIDAX7JPBEM4A6FTJRTMB",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/eks-user"
}

Test the permissions of the user with the below-mentioned commands.

$ kubectl get pods
$ kubectl get secrets
$ kubectl get configmaps
$ kubectl get deployments
$ kubectl logs <pod-name>
$ kubectl exec -it <pod-name> -- sh
$ kubectl create configmap my-cm --from-literal=db_username=<USERNAME> --from-literal=db_host=<HOSTNAME>
$ kubectl create secret generic my-secret --from-literal=db_password=<SOME_STRONG_PASSWORD>

Simply put, the eks-user user should be able to perform all the actions specified in the verbs array for pods, secrets, configmaps, deployments, and events. You can read more about it in the Kubernetes Authorization Overview.

Can-I or Not

You can use kubectl auth can-i to check whether you have permission to perform an action on a resource. To see if you have the permission to get pods simply run:

$ kubectl auth can-i get pods

The answer will be a simple yes or no. Amazing, isn’t it?

Wanna check if you have cluster-admin permissions? Fire this:

$ kubectl auth can-i "*" "*"
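Checking one verb at a time gets old quickly, and a least-privilege review needs the negative cases (what the user must not be able to do) as much as the positive ones. The following script is an added example, not code from the article, that runs kubectl auth can-i for a whole matrix of verb/resource pairs with --as and reports every answer that differs from what the Role in the "Configuring permissions" section is supposed to grant. It assumes kubectl is on the PATH, that the caller holds the impersonate permission that --as requires, and that the Role is bound in the default namespace; the matrix itself is constructed here from the article's rules. One caveat: --as answers what RBAC grants to the Kubernetes username eks-user, so it does not prove that the IAM user is mapped in aws-auth; the run with the eks-user AWS profile and no --as, as the article does above, is what exercises that path.

```python
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    verb: str
    resource: str      # "pods", a subresource "pods/log", or "deployments.apps"
    expect: bool       # True if the user should be allowed


# Expected outcomes for the Role in the article (constructed here; the last four
# rows are things a limited user must be denied).
EKS_USER_MATRIX = [
    Check("list", "pods", True),
    Check("get", "pods/log", True),
    Check("create", "pods/exec", True),
    Check("watch", "events", True),
    Check("delete", "deployments.apps", True),
    Check("get", "secrets", True),
    Check("delete", "events", False),
    Check("list", "nodes", False),
    Check("create", "clusterrolebindings.rbac.authorization.k8s.io", False),
    Check("*", "*", False),
]


def kubectl_can_i(verb: str, resource: str, user: str, namespace: str) -> bool:
    """Ask the API server through kubectl; it prints 'yes' or 'no' (and exits 1 on 'no',
    so check=True must not be used here)."""
    cmd = ["kubectl", "auth", "can-i", verb, resource, "--as", user, "-n", namespace]
    result = subprocess.run(cmd, capture_output=True, text=True)
    answer = result.stdout.strip().lower()
    if answer not in ("yes", "no"):
        raise RuntimeError(f"unexpected output from {cmd}: {result.stdout!r} {result.stderr!r}")
    return answer == "yes"


def audit_permissions(user: str, namespace: str, matrix, can_i=kubectl_can_i):
    """Return [(check, actual_answer)] for every row whose answer differs from
    expectation. can_i is injectable so the logic can be exercised without a cluster."""
    mismatches = []
    for check in matrix:
        actual = can_i(check.verb, check.resource, user, namespace)
        if actual != check.expect:
            mismatches.append((check, actual))
    return mismatches


if __name__ == "__main__":
    bad = audit_permissions("eks-user", "default", EKS_USER_MATRIX)
    for check, actual in bad:
        print(f"MISMATCH: {check.verb} {check.resource}: "
              f"expected {'yes' if check.expect else 'no'}, got {'yes' if actual else 'no'}")
    print("ok" if not bad else f"{len(bad)} mismatch(es)")
    sys.exit(1 if bad else 0)
```

The matrix is worth keeping next to the role.yaml it describes: rerunning it after every RBAC change catches both a Role that grew too wide (a False row turning yes) and one that silently lost a permission the user relies on.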

Wrap up

EKS provides the Kubernetes control plane with the backend persistence layer. The Kubernetes API server and the master nodes are provisioned and scaled across various availability zones, resulting in high availability and eliminating a single point of failure. An AWS-managed Kubernetes cluster can withstand the loss of an availability zone.

Access and authorization controls are critical for any security system. Kubernetes provides us with an awesome robust RBAC permission mechanism.

Originally published at faizanbashir.me

Translated from: https://www.freecodecamp.org/news/adding-limited-access-iam-user-to-eks-cluster/
