Kubernetes 1.6 New Feature Learning: RBAC Authorization

Posted by morris520 on Wed, 03 Jul 2019 21:44:48 +0200

Summary

The access control process of API Server in Kuberntes is illustrated as follows:

In Kubernetes, authorization is a step after authentication. Authorization is to determine whether a user (ordinary user or Service Account) has the right to request the Kubernetes API to do something.

Previously, the authorization strategy in Kubernetes was mainly ABAC(Attribute-Based Access Control). For ABAC, Kubernetes is difficult to implement, and requires SSH and root file system access rights of Master Node. API Server needs to be restarted after the authorization policy changes.

In Kubernetes 1.6, RBAC(Role-Based Access Control) entered the Beta phase of role-based access control. RBAC access control policies can be configured using kubectl or Kubernetes API. Using RBAC, users can be authorized directly to have authorization management rights, so that they no longer need to touch Master Node directly. RBAC is mapped to API resources and operations in Kubernetes.

Resource object of RBAC API

In Kubernetes 1.6, RBAC is enabled for API Server by starting parameter - authorization-mode=RBAC.API Overview.

The 1.6 version of Kubernetes cluster initialized with kubeadm has opened RBAC by default for API Server. You can view the static Pod definition file of API Server on Master Node:


cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep RBAC
    - --authorization-mode=RBAC

The RBAC API defines four resource objects to describe the connection privileges between users and resources in RBAC:

Role
ClusterRole
RoleBinding
ClusterRoleBinding

Role and Cluster Role

Role is a collection of permissions. Role is a resource defined under a Namespace and used under this specific Namespace. Cluster Role is similar to Role, but Cluster Role is used throughout the cluster.

Let's use kubectl to print Role and CulturRole in the Kubernetes cluster:


kubectl get roles --all-namespaces
NAMESPACE     NAME                                        AGE
kube-public   system:bootstrap-signer-clusterinfo         6d
kube-public   system:controller:bootstrap-signer          6d
kube-system   extension-apiserver-authentication-reader   6d
kube-system   system:controller:bootstrap-signer          6d
kube-system   system:controller:token-cleaner             6d


kubectl get ClusterRoles
NAME                                           AGE
admin                                          6d
cluster-admin                                  6d
edit                                           6d
flannel                                        5d
system:auth-delegator                          6d
system:basic-user                              6d
system:controller:attachdetach-controller      6d
......
system:kube-aggregator                         6d
system:kube-controller-manager                 6d
system:kube-dns                                6d
system:kube-scheduler                          6d
system:node                                    6d
system:node-bootstrapper                       6d
system:node-problem-detector                   6d
system:node-proxier                            6d
system:persistent-volume-provisioner           6d
view                                           6d

You can see that many Roles and Cluster Roles have been built in or created in the Kubernetes cluster created previously.

Next, create a Role named pod-reader in the default namespace. The role-pord-reader.yaml file is as follows:


kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


kubectl create -f role-pord-reader.yaml
role "pod-reader" created

kubectl get roles
NAME         AGE
pod-reader   1m

Note that RBAC is still in Beta phase in Kubernetes 1.6, so the API belongs to rbac.authorization.k8s.io, and the apiVersion above is rbac.authorization.k8s.io/v1beta1.

Here's another definition file for ClusterRole:


kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Role Binding and Cluster Role Binding

RoleBinding binds Role to Subject, the main body of the account, so that Subject inherits Role's permissions under namespace. Cluster Role Binding binds Cluster Role to Subject, allowing Subject to integrate the privileges of Cluster Role across the cluster.

Account Subject is still called "user" here, including group, user and Service Account.


kubectl get rolebinding --all-namespaces
NAMESPACE     NAME                                   AGE
kube-public   kubeadm:bootstrap-signer-clusterinfo   6d
kube-public   system:controller:bootstrap-signer     6d
kube-system   system:controller:bootstrap-signer     6d
kube-system   system:controller:token-cleaner        6d


kubectl get clusterrolebinding
NAME                                           AGE
cluster-admin                                  6d
flannel                                        6d
kubeadm:kubelet-bootstrap                      6d
kubeadm:node-proxier                           6d
system:basic-user                              6d
system:controller:attachdetach-controller      6d
system:controller:certificate-controller       6d
......
system:controller:ttl-controller               6d
system:discovery                               6d
system:kube-controller-manager                 6d
system:kube-dns                                6d
system:kube-scheduler                          6d
system:node                                    6d
system:node-proxier                            6d

In fact, a RoleBinding can refer to either a role under the same namespace or a Cluster Role, and when RoleBinding refers to Cluster Role, the user's inherited rights are limited to the namespace where RoleBinding resides.


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Default Role and Role Binding in Kubernetes

API Server has created a series of Cluster Roles and Cluster Role Binding. The names in these resource objects begin with system: to indicate that the resource object belongs to the Kubernetes system infrastructure. That is to say, the default cluster role of RBAC has been covered enough so that the cluster can be completely in place. RBAC runs under management. Modifying these resource objects may have unknown consequences, such as defining the permissions of the kubelet process for the system:node ClusterRole, which may cause the kubelet to fail to work if the role is modified.

You can use the label kubernetes.io/bootstrapping=rbac-defaults to view the default Cluster Role and Cluster Role Binding:


kubectl get clusterrole -l kubernetes.io/bootstrapping=rbac-defaults
NAME                                           AGE
admin                                          6d
cluster-admin                                  6d
edit                                           6d
system:auth-delegator                          6d
system:basic-user                              6d
system:controller:attachdetach-controller      6d
system:controller:certificate-controller       6d
......
system:node-problem-detector                   6d
system:node-proxier                            6d
system:persistent-volume-provisioner           6d
view                                           6d


kubectl get clusterrolebinding -l kubernetes.io/bootstrapping=rbac-defaults
NAME                                           AGE
cluster-admin                                  6d
system:basic-user                              6d
system:controller:attachdetach-controller      6d
system:controller:certificate-controller       6d
system:controller:cronjob-controller           6d
system:controller:daemon-set-controller        6d
system:controller:deployment-controller        6d
......
system:discovery                               6d
system:kube-controller-manager                 6d
system:kube-dns                                6d
system:kube-scheduler                          6d
system:node                                    6d
system:node-proxier                            6d

Detailed privilege information about these roles can be viewed Default Roles and Role Bindings

Original text http://blog.frognew.com/2017/04/kubernetes-1.6-rbac.html

Topics: Kubernetes DNS kubelet Attribute

Programmer Think