RBAC Access Control in Depth
RBAC core concepts

```
Subject (who is asking)
├── User
├── Group
└── ServiceAccount
        │
        │  RoleBinding / ClusterRoleBinding (attaches a subject to a role)
        ▼
Role / ClusterRole (the rules: which verbs on which resources)
        │
        ▼
The Subject is granted the permissions listed in the Role / ClusterRole
```

RBAC is purely additive: there are no deny rules, so a request is allowed as soon as any rule in any role bound to the subject matches it.

Role and ClusterRole
```yaml
# Role (namespace-scoped)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]   # "" is the core API group
  resources: ["pods", "pods/log"]   # a subresource must be listed explicitly; "pods" alone does not cover it
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["app-config"]   # restrict to one named object (create cannot be name-restricted: the name is unknown at authorization time)
  verbs: ["get"]
---
# ClusterRole (cluster-scoped; can also be referenced from a RoleBinding in any namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]   # cluster-scoped resource: only grantable through a ClusterRole + ClusterRoleBinding
  verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["nodes", "pods"]
  verbs: ["get", "list"]
```

RoleBinding and ClusterRoleBinding
```yaml
# RoleBinding (namespace-scoped binding; grants the role only inside this namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: my-service-account
  namespace: production   # ServiceAccount subjects carry a namespace instead of an apiGroup
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRoleBinding (cluster-wide binding; applies in every namespace and to cluster-scoped resources)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin   # full control of the cluster; reserve bindings like this for break-glass identities
  apiGroup: rbac.authorization.k8s.io
```

ServiceAccount
```yaml
# Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  namespace: production
  annotations:
    # AWS IRSA (IAM Roles for Service Accounts): maps this ServiceAccount to an IAM role
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/my-app-role
---
# Bind permissions. pod-reader is the namespaced Role defined above, so roleRef.kind must be Role;
# a roleRef pointing at a ClusterRole that does not exist is accepted by the API but grants nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: my-app-sa
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Pod using the ServiceAccount
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: production
spec:
  serviceAccountName: my-app-sa
  # Defaults to true. Set it to false on workloads that never call the API server,
  # so a compromised container does not hold a usable token.
  automountServiceAccountToken: true
  containers:
  - name: app
    image: my-app:1.0   # placeholder image
```

Commonly used built-in ClusterRoles
| ClusterRole | Permissions |
|---|---|
| cluster-admin | superuser: every verb on every resource |
| admin | namespace administrator; can also create Roles and RoleBindings inside the namespace |
| edit | read/write on most namespaced resources, including Secrets |
| view | read-only on most namespaced resources; deliberately excludes Secrets |
| system:node | kubelet permissions (current clusters authorize kubelets through the Node authorizer instead) |
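Reviewing which subjects hold the broad built-in roles, or custom roles that quietly match them, is routine RBAC audit work. The following is an added example (not code from this page or from Kubernetes) that tags roles for the grants an auditor looks for first: cluster-admin-style wildcards, the RBAC escalation verbs `escalate` and `bind`, `impersonate`, read access to Secrets and `pods/exec`, and then flags bindings that hand such roles to a ServiceAccount cluster-wide or to the `system:authenticated` / `system:unauthenticated` groups. It consumes objects in the shape `kubectl get ... -o json` returns; the sample roles and bindings at the bottom (`ci-deployer`, `pod-viewer`, `debugger`, and their bindings) are constructed for the demo.

```python
"""Static audit of RBAC objects for over-broad or escalation-prone grants.

Added example, not code from this page or from Kubernetes. Works on Role /
ClusterRole rules and bindings in the JSON shape that
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`
returns. All sample objects below are constructed for the demo.
"""

EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def risk_tags(rules):
    """Return the set of risk tags a role's rules trigger (empty = nothing notable)."""
    tags = set()
    for rule in rules:
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        core = "" in groups or "*" in groups
        rbac = "rbac.authorization.k8s.io" in groups or "*" in groups
        if "*" in resources and "*" in verbs:
            tags.add("wildcard")                 # cluster-admin equivalent
        if rbac and resources & {"roles", "clusterroles", "*"} and verbs & {"escalate", "bind", "*"}:
            tags.add("rbac-escalation")          # may grant more than the holder has
        if core and resources & {"users", "groups", "serviceaccounts", "*"} and verbs & {"impersonate", "*"}:
            tags.add("impersonate")
        if core and resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
            tags.add("secrets-read")             # tokens, credentials, TLS keys
        if core and resources & (EXEC_SUBRESOURCES | {"*"}) and verbs & {"create", "*"}:
            tags.add("pod-exec")                 # code execution inside running pods
    return tags


def audit_bindings(cluster_roles, roles, cluster_role_bindings, role_bindings):
    """Pair each binding's subjects with the risk tags of the role it references."""
    findings = []
    for binding in cluster_role_bindings + role_bindings:
        ref, ns = binding["roleRef"], binding["metadata"].get("namespace")   # ns None => cluster-wide
        role = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else roles.get((ns, ref["name"]))
        tags = risk_tags(role["rules"]) if role else set()
        if not tags:
            continue
        for s in binding.get("subjects", []):
            broad = s["kind"] == "Group" and s["name"] in BROAD_GROUPS
            sa_cluster_wide = s["kind"] == "ServiceAccount" and ns is None
            findings.append({
                "binding": binding["metadata"]["name"], "namespace": ns,
                "subject": f'{s["kind"]}:{s["name"]}', "tags": sorted(tags),
                "severity": "HIGH" if broad or sa_cluster_wide else "MEDIUM",
            })
    return findings


# --- constructed sample objects (not from any real cluster) ------------------
RO = ["get", "list", "watch"]
CLUSTER_ROLES = {
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "ci-deployer": {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind"]},
    ]},
    "pod-viewer": {"rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": RO}]},
}
ROLES = {("dev", "debugger"): {"rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}}
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin-binding"}, "subjects": [{"kind": "User", "name": "admin"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"metadata": {"name": "ci-deployer"}, "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}],
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"}},
    {"metadata": {"name": "everyone-views-pods"}, "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"}},
]
ROLE_BINDINGS = [
    {"metadata": {"name": "anyone-can-exec", "namespace": "dev"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "Role", "name": "debugger"}},
]


def run_audit():
    return audit_bindings(CLUSTER_ROLES, ROLES, CLUSTER_ROLE_BINDINGS, ROLE_BINDINGS)


if __name__ == "__main__":
    for f in run_audit():
        print(f'{f["severity"]:6} {f["binding"]} ({f["namespace"] or "cluster"}) -> {f["subject"]}: {", ".join(f["tags"])}')
```

The `pod-viewer` binding to `system:authenticated` produces no finding because read-only pods/services carries none of the tags; the `pod-exec` grant to the same group does, because every authenticated identity (including every ServiceAccount token) could then run commands in `dev` pods. To run it against a real cluster, replace the sample dictionaries with the `items` of the `kubectl get ... -o json` output, keyed the same way.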
Permission checks

```bash
# Check the permissions of the current identity
kubectl auth can-i create pods
kubectl auth can-i '*' '*' --all-namespaces   # "yes" means the identity is cluster-admin-equivalent
# Check another subject (impersonation needs the impersonate verb on users / serviceaccounts)
kubectl auth can-i create pods --as=alice
kubectl auth can-i create pods --as=system:serviceaccount:production:my-app-sa
# List everything a subject may do in a namespace
kubectl auth can-i --list --as=alice -n production
# Find the bindings that mention a subject (-o wide adds the subject columns; the default output has none)
kubectl get rolebindings,clusterrolebindings -A -o wide | grep alice
```

Least privilege in practice
```yaml
# Grant the operator only the permissions it needs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myapp-operator
rules:
# Manage its own CRD (status and finalizers are separate subresources and must be listed)
- apiGroups: ["apps.mycompany.io"]
  resources: ["myapps", "myapps/status", "myapps/finalizers"]
  verbs: ["*"]
# Manage Deployments and Services
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Read-only access to Pods (no secrets, no pods/exec)
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# Emit Events
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
```
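To reason about what the roles and bindings on this page actually allow before they reach a cluster (the same question `kubectl auth can-i` answers, but offline and over a proposed change), here is an added example, not code from this page or from Kubernetes, that models the API server's RBAC decision: rule matching on apiGroups, resources (including `resource/subresource` and the `*/subresource` form), resourceNames and verbs with `*` wildcards, RoleBinding versus ClusterRoleBinding scope, and the `system:serviceaccount:<namespace>:<name>` username that ServiceAccount tokens carry. The `pod-reader` Role, the `read-pods` and `cluster-admin` bindings and the `myapp-operator` ClusterRole are transcribed from this page; the RoleBinding that attaches `myapp-operator` to a ServiceAccount named `myapp-operator`, and the single wildcard rule standing in for `cluster-admin`, are assumptions made for the demo.

```python
"""Offline model of the Kubernetes RBAC decision described on this page.

Added example, not code from the page or from Kubernetes. Objects are in the
JSON shape `kubectl get ... -o json` returns; the page's manifests are
transcribed below, and the myapp-operator RoleBinding is an assumed addition.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str               # "alice" or "system:serviceaccount:<ns>:<name>"
    groups: tuple           # groups asserted by the authenticator
    verb: str
    resource: str           # "pods", or a subresource such as "pods/log"
    api_group: str = ""     # "" is the core API group
    namespace: str = ""     # "" for cluster-scoped resources such as nodes
    name: str = ""          # object name; empty for list, watch and create


def service_account_user(namespace, name):
    """Username the API server derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def resource_matches(rule_resources, requested):
    """'*' matches all; 'pods' does not match 'pods/log'; '*/status' matches any status subresource."""
    _, _, subresource = requested.partition("/")
    return any(r == "*" or r == requested or (subresource and r == f"*/{subresource}")
               for r in rule_resources)


def rule_matches(rule, req):
    verbs, groups = rule.get("verbs", []), rule.get("apiGroups", [])
    names = rule.get("resourceNames", [])   # non-empty: only named objects; a bare list/watch never matches
    return (("*" in verbs or req.verb in verbs)
            and ("*" in groups or req.api_group in groups)
            and resource_matches(rule.get("resources", []), req.resource)
            and (not names or req.name in names))


def subject_matches(subject, req):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    if subject["kind"] == "ServiceAccount":
        return service_account_user(subject["namespace"], subject["name"]) == req.user
    return False


def can_i(req, roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Allowed when any applicable binding resolves to a role with a matching rule (RBAC is additive only)."""
    candidates = [(b, None) for b in cluster_role_bindings]                      # apply in every namespace
    candidates += [(b, b["metadata"]["namespace"]) for b in role_bindings
                   if b["metadata"]["namespace"] == req.namespace]               # only in their own namespace
    for binding, ns in candidates:
        if not any(subject_matches(s, req) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        role = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else roles.get((ns, ref["name"]))
        if role is None:                     # dangling roleRef: the binding exists but grants nothing
            continue
        if any(rule_matches(r, req) for r in role.get("rules", [])):
            return True
    return False


# --- objects transcribed from this page (JSON shape of `kubectl get -o json`) ---
RW = ["get", "list", "watch", "create", "update", "patch", "delete"]
ROLES = {("production", "pod-reader"): {"rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": RW[:3]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": RW[:6]},
    {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["app-config"], "verbs": ["get"]},
]}}
CLUSTER_ROLES = {
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},  # stand-in for the built-in role
    "myapp-operator": {"rules": [
        {"apiGroups": ["apps.mycompany.io"], "resources": ["myapps", "myapps/status", "myapps/finalizers"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": RW},
        {"apiGroups": [""], "resources": ["services", "configmaps"], "verbs": RW},
        {"apiGroups": [""], "resources": ["pods"], "verbs": RW[:3]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    ]},
}
ROLE_BINDINGS = [
    {"metadata": {"name": "read-pods", "namespace": "production"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "dev-team"},
                  {"kind": "ServiceAccount", "name": "my-service-account", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"metadata": {"name": "myapp-operator", "namespace": "production"},   # assumed binding for the demo
     "subjects": [{"kind": "ServiceAccount", "name": "myapp-operator", "namespace": "production"}],
     "roleRef": {"kind": "ClusterRole", "name": "myapp-operator"}},
]
CLUSTER_ROLE_BINDINGS = [{"metadata": {"name": "cluster-admin-binding"},
                          "subjects": [{"kind": "User", "name": "admin"}],
                          "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]


def check(user, groups, verb, resource, api_group="", namespace="", name=""):
    """Same question as `kubectl auth can-i VERB RESOURCE --as=USER -n NAMESPACE`."""
    return can_i(Request(user, tuple(groups), verb, resource, api_group, namespace, name),
                 ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)
```

Three behaviours worth noticing when you run `check`: alice can `get pods/log` in `production` only because the subresource is listed, and nothing she holds applies in `staging`; the `resourceNames` rule lets her `get` the `app-config` ConfigMap but not `list` ConfigMaps, since a list request carries no name; and a RoleBinding whose `roleRef` points at a ClusterRole that does not exist (the `kind: ClusterRole` / `name: pod-reader` mix-up) resolves to nothing, so the subject silently gets no permissions. The operator ServiceAccount can patch `myapps/status` and delete Deployments in its namespace, but cannot read Secrets or create Pods, which is the least-privilege shape the ClusterRole above is meant to have.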