Kubernetes RBAC权限管理与安全:构建安全的访问控制体系
Kubernetes RBAC权限管理与安全:构建安全的访问控制体系
一、RBAC概述
**RBAC(Role-Based Access Control)**是Kubernetes中基于角色的访问控制机制,通过定义角色和权限绑定来管理用户对集群资源的访问。
1.1 RBAC架构
flowchart TD subgraph 主体层 A[User Account] B[Service Account] C[Group] end D[RoleBinding - 用户与角色绑定] subgraph 角色层 E[Role - 命名空间级别] F[ClusterRole - 集群级别] end G[Resources - Pod - Service - Deployment - Secret] A --> D B --> D C --> D D --> E D --> F E --> G F --> G1.2 RBAC核心组件
| 组件 | 描述 | 作用范围 |
|---|---|---|
| Role | 定义命名空间内的权限 | 命名空间 |
| ClusterRole | 定义集群级别的权限 | 集群 |
| RoleBinding | 将Role绑定到用户/组 | 命名空间 |
| ClusterRoleBinding | 将ClusterRole绑定到用户/组 | 集群 |
二、Role配置
2.1 创建Role
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: default rules: - apiGroups: [""] resources: ["pods", "pods/log"] verbs: ["get", "list", "watch"]2.2 多资源Role
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: app-manager namespace: default rules: - apiGroups: [""] resources: ["pods", "services", "configmaps"] verbs: ["get", "list", "watch", "create", "update", "delete"] - apiGroups: ["apps"] resources: ["deployments", "statefulsets"] verbs: ["get", "list", "watch", "create", "update", "delete"]2.3 资源名称限定
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: specific-pod-reader namespace: default rules: - apiGroups: [""] resources: ["pods"] resourceNames: ["my-app-pod"] verbs: ["get", "list", "watch"]三、ClusterRole配置
3.1 创建ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-admin rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"]3.2 只读ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-reader rules: - apiGroups: ["*"] resources: ["*"] verbs: ["get", "list", "watch"]3.3 节点管理ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: node-manager rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch", "update"]四、RoleBinding配置
4.1 用户绑定Role
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pod-reader-binding namespace: default subjects: - kind: User name: alice apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io4.2 ServiceAccount绑定Role
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: app-sa-binding namespace: default subjects: - kind: ServiceAccount name: my-app-sa namespace: default roleRef: kind: Role name: app-manager apiGroup: rbac.authorization.k8s.io4.3 组绑定Role
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: dev-team-binding namespace: default subjects: - kind: Group name: dev-team apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: app-manager apiGroup: rbac.authorization.k8s.io五、ClusterRoleBinding配置
5.1 用户绑定ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-admin-binding subjects: - kind: User name: admin-user apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io5.2 ServiceAccount绑定ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: monitoring-sa-binding subjects: - kind: ServiceAccount name: prometheus-sa namespace: monitoring roleRef: kind: ClusterRole name: cluster-reader apiGroup: rbac.authorization.k8s.io六、ServiceAccount配置
6.1 创建ServiceAccount
apiVersion: v1 kind: ServiceAccount metadata: name: my-app-sa namespace: default6.2 ServiceAccount挂载Secret
apiVersion: v1 kind: ServiceAccount metadata: name: my-app-sa namespace: default secrets: - name: my-app-secret6.3 Pod使用ServiceAccount
apiVersion: v1 kind: Pod metadata: name: my-app-pod spec: serviceAccountName: my-app-sa containers: - name: app image: my-app:latest七、RBAC最佳实践
7.1 最小权限原则
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: minimal-role namespace: default rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "update"]7.2 分层权限设计
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: view-only namespace: default rules: - apiGroups: ["*"] resources: ["*"] verbs: ["get", "list", "watch"]7.3 命名空间隔离
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: namespace-admin namespace: team-a rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"]八、权限审计
8.1 查看权限
# 查看用户权限 kubectl auth can-i create deployments --namespace default --as alice # 查看完整权限列表 kubectl auth can-i --list --as alice # 检查特定操作权限 kubectl auth can-i delete pods --namespace default8.2 权限绑定检查
# 查看RoleBindings kubectl get rolebindings -n default # 查看ClusterRoleBindings kubectl get clusterrolebindings # 查看RoleBinding详情 kubectl describe rolebinding pod-reader-binding -n default九、Pod Security Standards
9.1 Pod Security Admission
apiVersion: v1 kind: Namespace metadata: name: my-namespace labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted9.2 Security Context
apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 containers: - name: app image: my-app:latest securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL十、总结
RBAC实践要点:
- 最小权限原则:只授予必要的权限
- 分层设计:根据角色分层配置权限
- 命名空间隔离:限制权限到特定命名空间
- ServiceAccount管理:为每个应用创建独立的ServiceAccount
- 定期审计:定期检查和清理权限绑定
- Pod安全:配置Pod Security Standards和Security Context
建议定期审查RBAC配置,确保权限符合安全要求。
参考资料:
- RBAC文档
- Pod Security Standards
- ServiceAccount文档