Exploring the Role and RoleBinding that kubectl uses by default, and how it passes authentication and authorization

How does a kubectl request pass authentication and authorization on its way into the cluster, and, with RBAC enabled by default, which role and role binding does it end up using?

First, look at ~/.kube/config. The current-context entry selects a context, and that context names the cluster to talk to and the user entry (here kubernetes-admin) whose credentials kubectl presents by default:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1Ea3lOakE1TXpFd01sb1hEVE15TURreU16QTVNekV3TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTGVLCmxmeEVvTFFJZ1JxSkd1VzhYMUJibG5HQXphM3d3V2EzdkFreGhpemZaV0dvTyt4M05KemlnQXZTZEpONDdwcEQKZm10bXdrTWhKOUNIRGY0TTRRd1FmdzFWUmRIOVlXYmZzQVlpN0xsOXZOM04yVDlyZVFBelZpMnRaQlU2aTVjeQpkbnhKQXlFTnRocmoxdHN6MGh5OVVXTm1URUpRZVZ6aW55T0t1UFVEcGlzQjRscy9jbEdKT1JsVG5LY3RFU0FiCkk5RGpFbno4a3diUDVIMXdsWUxMUEc5KzBLMGlYSmRzcUR1SVlKQjhaem9WRHQ0SHI3SVovdm5KZkhFVU8yNVYKbHhUaHF2WDlRRklRM3dNSVk1LzR0aWVFdVFMbjV4UDFyOGtpQzdENkJhVUVqMTZ5eThlaXkwTmErVnVBcHlmdApHUE85MldNbStZQU16Y3k1NGcwQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZBVVVHQlF0alJtQzZTRnBmN256VnNyaVdLeFdNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSnRPOWFMeVRrQ0dKVWhkcUFmaQp3RnNleXloUk8zVzJjVlF3OGZqRnU1blRvZnpDV2JlSHYwY20xUUxXb3hDTmJwY3JNUHVBUWNteEV5cVpHZld6CndQSm5aVGRVa1NTZEtvd2V5Y2ZaTU1FQnZwYkgyTkVNbGVEeDluN0FzZ3hoZTQ2ZUxoZlVwZ1YwOUMyRThFMVoKNS9tTVIrb3lraXQ3N0UyTGRjREN4cnBxUEZ6LzdtMVA4WXJrR1g1YVVYUDV0aFZ3UmlaaUZEV0Zuc1YrTWJGdAo1VDJnWmgrMm03ek14aTUvd2ZJYkZWQlFsOGZwbERtWE05c1FRUWE0RkZwTERkWUpXTGo5OFN5dXFGaGV1ZXdTCkd2WkdKQXBxSjV1VmVmajJ5STRYa014Rktqak81cjk1YXh3Ti9uTnZmbi9wOFYwc0YwK25PbkdoZkV5ZjVYNmIKUXZzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.0.41:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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

The certificate fields are base64-encoded, so decode client-certificate-data first (client-key-data is the matching private key; anyone who can read this file can act as kubernetes-admin, so keep it readable by its owner only):

$ echo "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" \
| base64 --decode > default.crt

After decoding, inspect its Subject:

$ openssl x509  -text -noout -in default.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1425085721526103358 (0x13c6ebe9ce0b6d3e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Sep 26 09:31:02 2022 GMT
            Not After : Sep 26 09:31:04 2023 GMT
        Subject: O=system:masters, CN=kubernetes-admin
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e6:33:8c:f9:2b:db:69:65:f1:ec:3e:7c:26:da:
                    c2:9c:42:62:b2:c5:b8:91:7c:74:ff:be:5e:26:81:
                    aa:0e:34:11:8d:40:4f:96:dd:b4:6c:03:3e:22:31:
                    a9:b3:a5:2f:b2:d5:88:6a:78:26:fa:c5:20:a3:0c:
                    64:61:45:e2:e7:71:9f:29:ec:27:e8:04:f2:01:ff:
                    45:b8:90:a3:b8:cf:cb:9f:11:ef:7f:fc:49:b9:15:
                    7e:54:e6:27:37:f8:44:f8:e9:cb:78:cd:71:fc:a2:
                    cb:07:10:06:61:8d:98:88:a2:46:04:c6:a9:91:e6:
                    87:56:05:62:7e:4b:84:c2:f2:76:6b:62:60:5f:c8:
                    99:70:4a:a0:e8:29:63:63:41:57:26:1c:cd:77:21:
                    1d:be:0e:48:eb:c5:25:0b:6f:5e:9c:d4:b7:82:12:
                    8d:f3:ad:f1:b0:2c:90:b4:e3:e4:2d:fb:98:a3:23:
                    2e:dc:e8:84:a6:fe:85:b1:b4:43:c7:91:f2:dd:ce:
                    29:a8:54:dd:c7:67:78:21:d6:80:eb:ad:b5:81:88:
                    e7:93:ac:d5:8e:54:62:c2:63:c0:09:40:83:fa:5f:
                    b9:05:05:52:8a:99:06:3d:ff:c1:40:4b:ff:1a:61:
                    9a:6c:a0:92:10:db:2e:6b:34:e2:0c:5b:3c:13:57:
                    99:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:05:14:18:14:2D:8D:19:82:E9:21:69:7F:B9:F3:56:CA:E2:58:AC:56

    Signature Algorithm: sha256WithRSAEncryption
         81:81:83:ac:cd:cc:86:11:fc:15:db:90:96:9b:1b:98:da:80:
         ef:fe:f1:77:4c:c9:37:06:2a:ed:38:8d:d3:0c:0d:d2:5d:7c:
         03:f1:92:75:a8:2d:26:6a:39:12:3b:96:66:3e:3d:0e:0e:58:
         fa:85:f2:4f:eb:76:74:c1:42:d3:0e:43:58:c4:5e:95:cd:d6:
         16:ef:38:ba:fa:a4:b5:c0:ee:de:96:75:e6:40:0d:f4:c2:93:
         e1:ef:8e:8a:b7:79:63:47:7b:86:76:0c:e8:ba:d0:2c:bf:4b:
         ed:fb:64:a0:b0:44:15:d7:bd:ca:da:74:98:07:95:84:e4:e8:
         b1:f5:51:2c:ae:a4:23:a2:5c:bc:02:f7:29:f0:e0:63:80:42:
         95:56:f7:b0:0b:55:81:51:e7:0a:db:74:3c:09:ce:69:21:a8:
         cb:cf:3e:45:f5:4e:2a:f4:f0:f9:13:77:12:2d:3a:e1:7b:20:
         fe:98:bc:22:47:17:a9:53:4e:3d:53:f8:ac:08:9d:67:70:b9:
         fa:22:6c:1d:d2:b7:54:10:a2:45:85:aa:8f:ff:78:14:39:f6:
         9b:be:cc:ec:b4:3e:0d:32:5c:a3:7e:83:8f:cc:ca:61:52:a7:
         57:d1:05:eb:83:a5:ad:ff:14:77:44:0e:27:d2:db:83:80:41:
         1c:70:1c:66

That is, Subject: O=system:masters, CN=kubernetes-admin: the user name is kubernetes-admin and its group is system:masters. Note the Validity block as well: kubeadm issues this client certificate for one year, so after the Not After date kubectl will fail with a certificate error unless the certificates are renewed (kubeadm certs check-expiration shows the dates; kubeadm certs renew issues new ones).

Recall how certificate authentication works. The client presents a certificate signed by the cluster CA (the CA that kube-apiserver is given with --client-ca-file). The API server does not "decrypt the certificate with its private key"; it verifies the certificate's signature and chain against that CA's public key, checks the validity period and the TLS Web Client Authentication extended key usage, and the TLS handshake itself proves that the client holds the private key matching the certificate. Once the certificate is accepted, the Subject is mapped to an identity: the CN becomes the user name (kubernetes-admin) and each O value becomes a group (system:masters). Authentication stops there; it only establishes who is calling. Whether the call is permitted is decided next by the authorizer, which with RBAC enabled means the roles and bindings below.

The certificate used here was generated automatically (by kubeadm); you can also issue your own client certificates. For how to create and use them, see https://www.cnblogs.com/cosmos-wong/p/16890364.html
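To make the mapping concrete, here is an added Go example (not code from this post and not the Kubernetes authenticator itself) that performs the same checks the API server does on a client certificate and derives the identity from its Subject. It builds a throwaway CA and client certificate in memory, so the key material, serial numbers and dates are constructed for the example; the CA name CN=kubernetes, the one-year client validity and the Subject O=system:masters, CN=kubernetes-admin are taken from the openssl output above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UserInfo is the identity the API server derives from an accepted client certificate:
// CN becomes the user name, every O becomes a group (our own struct, not a Kubernetes type).
type UserInfo struct {
	Name   string
	Groups []string
}

// AuthenticateClientCert performs the checks kube-apiserver's x509 authenticator does against
// --client-ca-file: chain to that CA, validity at now, TLS client-auth EKU, and a non-empty CN.
// Proof that the client holds the private key is the TLS handshake's job and is out of scope.
func AuthenticateClientCert(caPEM, certPEM []byte, now time.Time) (UserInfo, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return UserInfo{}, errors.New("invalid CA PEM")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return UserInfo{}, errors.New("client certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return UserInfo{}, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return UserInfo{}, fmt.Errorf("certificate rejected: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return UserInfo{}, errors.New("certificate has no CN, cannot derive a user name")
	}
	return UserInfo{Name: cert.Subject.CommonName, Groups: cert.Subject.Organization}, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeTestPKI builds a throwaway cluster CA (CN=kubernetes, as kubeadm names it) and signs one
// client certificate whose Subject mirrors the post's. Constructed test material only.
func MakeTestPKI(clientOrgs []string, clientCN string, notBefore time.Time) (caPEM, clientPEM []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour), // kubeadm CA: 10 years
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: clientOrgs, CommonName: clientCN},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour), // kubeadm client certs: 1 year
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientDER})
}

func main() {
	issued := time.Now()
	caPEM, clientPEM := MakeTestPKI([]string{"system:masters"}, "kubernetes-admin", issued)
	u, err := AuthenticateClientCert(caPEM, clientPEM, issued.Add(time.Hour))
	fmt.Printf("now:       user=%q groups=%q err=%v\n", u.Name, u.Groups, err)
	_, err = AuthenticateClientCert(caPEM, clientPEM, issued.Add(366*24*time.Hour))
	fmt.Println("in a year:", err)
}
```

The same function rejects a certificate signed by a different CA, one presented after its Not After date, and one without a CN, which is exactly why the cluster CA file and the one-year validity matter in practice.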


The ClusterRoleBinding named cluster-admin binds the group system:masters to the ClusterRole cluster-admin:

$ kubectl get clusterrolebinding cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "135"
  uid: 0f68aa16-5090-4086-b200-fec2e468dcc5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

The ClusterRole cluster-admin allows every verb on every resource in every API group, and on every non-resource URL (endpoints such as /healthz or /api that are not backed by an API object):

$ kubectl get clusterrole cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-09-26T09:31:13Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "73"
  uid: 24cf144c-6d0c-4e77-9ff2-a736b5e6c4c5
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

So, although we configured nothing ourselves, kubectl can reach every resource in the cluster. That is not because the checks are skipped: kubeadm issued a client certificate whose Subject carries O=system:masters, and the default ClusterRoleBinding cluster-admin maps that group to the cluster-admin ClusterRole, so every request is authenticated and then authorized. Two caveats for anyone who holds this kubeconfig: system:masters is also a hard-coded superuser group in kube-apiserver, so its members are allowed before RBAC is even consulted and their access cannot be reduced by editing RBAC objects; and the API server has no certificate revocation, so the only way to withdraw this credential before its Not After date is to rotate the cluster CA. For day-to-day work, prefer a kubeconfig with a less privileged identity and keep the kubeadm admin.conf locked away.
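The following added Go example (not this post's code and not the Kubernetes authorizer itself) re-implements the decision in miniature: the cluster-admin ClusterRole and ClusterRoleBinding printed above are encoded as data, the request attributes are what the authenticator produced (user kubernetes-admin, group system:masters), and a hypothetical narrow role pod-reader bound to a hypothetical group dev is added for contrast. The system:masters short-circuit is a separate function because in kube-apiserver it runs before RBAC. The types, the user alice and the group dev are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the RBAC objects printed above (not the k8s.io/api types).
type PolicyRule struct{ APIGroups, Resources, Verbs, NonResourceURLs []string }
type Subject struct{ Kind, Name string } // "User" or "Group"
type ClusterRole struct{ Rules []PolicyRule }
type ClusterRoleBinding struct {
	Name, RoleName string
	Subjects       []Subject
}

type Attributes struct {
	User, Verb         string
	Groups             []string
	IsResourceRequest  bool
	APIGroup, Resource string // resource requests; "" is the core API group
	Path               string // non-resource requests, e.g. "/healthz"
}

// matches implements the RBAC "*" wildcard; for nonResourceURLs a trailing "*" is also a prefix wildcard.
func matches(allowed []string, v string, pathRule bool) bool {
	for _, a := range allowed {
		if a == "*" || a == v || (pathRule && strings.HasSuffix(a, "*") && strings.HasPrefix(v, strings.TrimSuffix(a, "*"))) {
			return true
		}
	}
	return false
}

func hasGroup(groups []string, g string) bool {
	for _, x := range groups {
		if x == g {
			return true
		}
	}
	return false
}

func ruleAllows(r PolicyRule, a Attributes) bool {
	if a.IsResourceRequest {
		return matches(r.Verbs, a.Verb, false) && matches(r.APIGroups, a.APIGroup, false) && matches(r.Resources, a.Resource, false)
	}
	return matches(r.Verbs, a.Verb, false) && matches(r.NonResourceURLs, a.Path, true)
}

// IsSuperuserGroup mirrors the hard-coded check kube-apiserver runs before any authorizer.
func IsSuperuserGroup(groups []string) bool { return hasGroup(groups, "system:masters") }

// AuthorizeRBAC walks bindings whose subjects cover the user or one of their groups and allows the
// request on the first matching rule of the bound ClusterRole (namespaced Roles are left out).
func AuthorizeRBAC(roles map[string]ClusterRole, bindings []ClusterRoleBinding, a Attributes) (bool, string) {
	for _, b := range bindings {
		role := roles[b.RoleName] // a missing role simply has no rules
		for _, s := range b.Subjects {
			if !(s.Kind == "User" && s.Name == a.User || s.Kind == "Group" && hasGroup(a.Groups, s.Name)) {
				continue
			}
			for i, r := range role.Rules {
				if ruleAllows(r, a) {
					return true, fmt.Sprintf("ClusterRoleBinding %q -> ClusterRole %q, rule %d", b.Name, b.RoleName, i)
				}
			}
		}
	}
	return false, "no RBAC rule allows this request"
}

// Defaults: the cluster-admin objects shown above plus a hypothetical pod-reader role (constructed data).
func Defaults() (map[string]ClusterRole, []ClusterRoleBinding) {
	roles := map[string]ClusterRole{
		"cluster-admin": {Rules: []PolicyRule{
			{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}},
			{NonResourceURLs: []string{"*"}, Verbs: []string{"*"}},
		}},
		"pod-reader": {Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
		}},
	}
	return roles, []ClusterRoleBinding{
		{Name: "cluster-admin", RoleName: "cluster-admin", Subjects: []Subject{{Kind: "Group", Name: "system:masters"}}},
		{Name: "dev-pod-reader", RoleName: "pod-reader", Subjects: []Subject{{Kind: "Group", Name: "dev"}}},
	}
}

func main() {
	roles, bindings := Defaults()
	admin := Attributes{User: "kubernetes-admin", Groups: []string{"system:masters"}, Verb: "delete", IsResourceRequest: true, Resource: "secrets"}
	dev := Attributes{User: "alice", Groups: []string{"dev"}, Verb: "delete", IsResourceRequest: true, Resource: "secrets"}
	for _, a := range []Attributes{admin, dev} {
		allowed, why := AuthorizeRBAC(roles, bindings, a)
		fmt.Printf("%s: superuser=%v rbac=%v (%s)\n", a.User, IsSuperuserGroup(a.Groups), allowed, why)
	}
}
```

Running it shows kubernetes-admin allowed twice over (superuser group and the cluster-admin binding) while alice is denied for anything pod-reader does not list, which is the behaviour to expect from a kubeconfig that is not the kubeadm admin one.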


For more detail on authentication and authorization, see:

Controlling Access to the Kubernetes API: https://kubernetes.io/zh-cn/docs/concepts/security/controlling-access/

Posted 2022-11-14 20:56 by cosmoswong