• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号
登陆 注册
描述文字

uruddarraju/kubernetes-rbac-policies: Kubernetes RBAC Policies for cluster servi ...

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

uruddarraju/kubernetes-rbac-policies

开源软件地址(OpenSource Url):

https://github.com/uruddarraju/kubernetes-rbac-policies

开源编程语言(OpenSource Language):


开源软件介绍(OpenSource Introduction):

Cluster RBAC Policies

I will list down all the RBAC Policies needed for the functioning of a Kube cluster with only the RBAC Authorizer below on a component by component basis

Default Role Given to all users in the system, would help in discovery and common read only operations

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: default-reader
rules:
  - apiGroups: [""]
    resources:
      - componentstatuses
      - events
      - endpoints
      - namespaces
      - nodes
      - persistentvolumes
      - resourcequotas
      - services
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]

Appropriate binding would be:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: default-reader-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: default-reader
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Read all Can be given to pseudo admins (like schedulers), for readonly operations. Not given by default to anyone. Can read everything except secrets

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list

Cluster Administrator

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-admin-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]

Controller Manager Controller manager needs access to almost all the resources in Kubernetes hence, we need to grant it top level admin access. Controller manager is actually a super user, so it can work even without a rolebinding.

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-controller-manager
rules:
  -
    apiGroups:
      # have access to everything except Secrets
      - "*"
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]

Kubelet

To spin up pods and update node and pod status the kubelet would need the following role and binding:

apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata: 
  name: kubelet-runtime
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - configmaps
  - persistentvolumes
  - persistentvolumeclaims
  - secrets
  - services
  - healthz
  verbs:
  - get
  - watch
  - list
- attributeRestrictions: null
  nonResourceURLs:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - events
  - nodes
  - nodes/status
  - pods
  - pods/status
  verbs:
  - '*'
- attributeRestrictions: null
  nonResourceURLs:
  - '*'
  verbs:
  - '*'

The appropriate binding would be:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubelet-role-binding
subjects:
  - kind: User
    name: kubelet
roleRef:
  kind: ClusterRole
  name: kubelet-runtime
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  • For kubelet to check apiserver healthz:
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: healthz-reader-role
rules:
  -
    apiGroups:
      - ""
    resources: []
    verbs: ["get"]
  - nonResourceURLs: ["*"]
    verbs: ["get"]

The reason we made this explicit healthz binding is to make sure only the healthz is allowed access by everyone. Not only kubelet, but other monitoring systems can usee healthz in the future and hence granting access to all users

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: healthz-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: healthz-reader-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Scheduler Scheduler needs the following roles:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["update"]
    nonResourceURLs: [""]
    verbs: ["*"]

needs the following role bindings:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1

and also

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: scheduler
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Kube Proxy Needs the following:

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kube-proxy-role
rules:
  -
    apiGroups:
      - ""
    resources:
      - endpoints
      - events
      - services
      - nodes
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
  -
    apiGroups:
      - ""
    resources:
      - events
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubeproxy-role-binding
subjects:
  - kind: User
    name: kube_proxy
roleRef:
  kind: ClusterRole
  name: kube-proxy-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Kube Proxy

---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kube-proxy-role
rules:
  -
    apiGroups:
      - ""
    resources:
      - endpoints
      - events
      - services
      - nodes
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
  -
    apiGroups:
      - ""
    resources:
      - events
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]

And the corresponding binding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-sa-admin
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: Role
  namespace: kube-system
  name: kube-system-admin
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Kube System Components: Long term plan should be to move components out of kube-system into appropriate namespaces. DNS, Monitoring etc.

The following is a Role and grants access only within the kube-system namespace

kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  namespace: kube-system
  name: kube-system-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

Appropriate binding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-sa-admin
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: Role
  namespace: kube-system
  name: kube-system-admin
  apiVersion: rbac.authorization.k8s.io/v1alpha1

Read all for dns and monitoring to work

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-readall-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1

鲜花
握手
雷人
路过
鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
More+
上一篇:
liggitt/audit2rbac: Autogenerate RBAC policies based on Kubernetes audit logs发布时间:2022-07-09
下一篇:
corylanou/tns-restful-json-api: This is the code repository that goes along with ...发布时间:2022-07-08
热门推荐
More+
热门话题
More+
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap