k8skubernetes-admin用户权限分析本文主要介绍k8s中默认~/.kube/config中admin管理员权限的分析,看看为什么kubernetes-admin用户拥有所有权限1.k8s默认kubernetes-admin管理员后用户集群安装完成后,原目录下/etc/kubernetes/下会有一个默认的配置文件,一般会复制到~/.kube/config下,可以看到有一个用户:kubernetes-admin。我们来看看它有哪些权限?2、查询clusterrolebindings我们知道k8s中有两种用户,一种是NormalUsers,一种是ServiceAccount,k8s不管理Users,只要证书通过就可以访问集群。一,但是用户可以操作的权限是和rolebinding/clusterrolebinding关联的,所以kubernetes-admin也必须有bindingroles。我们看一下kubectlgetclusterrolebindings-A可以看到cluster-admin和admin的绑定权限很相似见clusterrolebindingscluster-admin[root@master1.kube]#kubectlgetclusterrolebindingscluster-admin-A-oyamlapiVersion:rbac.authorization.k8s.io/v1kind:ClusterRoleBindingmetadata:注释:rbac.authorization.kubernetes.io/autoupdate:“true”creationTimestamp:“2023-03-13T08:02:38Z”标签:kubernetes.io/bootstrapping:rbac-defaults名称:cluster-admin资源eVersion:“148”uid:1e950454-3849-4306-84a8-5e4a6ee59cbfroleRef:apiGroup:rbac.authorization.k8s.iokind:ClusterRolename:cluster-adminsubjects:-apiGroup:rbac.authorization.k8s.iokind:Groupname:system:masters查看ClusterRolekubectlgetclusterrolecluster-admin-A-oyaml至此可以了解到Group用户组system:masters拥有这个集群管理员权限从上面我们可以知道用户组system:masters有集群管理员权限cluster-admin,我们也可以猜测kubernetes-admin应该在这个组下,但是如何证明呢?实际上组和用户的关系是在证书中,X509客户端证书的一部分Subject中O(organization)的值代表用户组,CN(commonname)代表用户名。k8s据此可以判断用户在哪个组。base64-d>admin-temp-ca.crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJWG5nNHhHT3FzSzR3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpBek1UTXdPREF5TWpOYUZ3MHlOREF6TVRJd09EQXlNalZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXhHVVRUR2JCa0V4dkk5SnEKQUY5MlFrVnlIdHJXODdWeGc3cit4WlNnczJjblk0T3JlS1VNdU5SS01HbWlNcnU0cDduSGk1Z1prM1ZUOG4vMApSeW5QdHV3QUJ5dldBcnBJR2VIdk9ONWpVMTYvZ0o4NTNIcFVqa2dZMENkenc0R2JKY25jd3pKZjJFQ2wvelAxCml3VU5hcjNGM3F6bFhwMlNwOXhTQlgycGVkSmFuVzhVU2M4TGlWdmVTTE1mZCsrSDRmdVdIZzUyVXFRSitaL0wKbktaNnNJblhYdUhZY3ZYTTNkMnN5aFppUTBlUk4zWDl5U1JwSmE2ZHB1VThMRGgzYjJnOHBiUWFRZlpjQWFSVgo0V0haWlc5V1F4VkxBZXRZVlpQVloySzJHb3hrS1JRQzkrZGtCVEFIdmlCalJrQ3pGMjlQS3RFY2ZNNXIzMEFZCkxaaHhMd0lEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTVUNUaWFxbm9RdFMySGdXUnFqaEZIaUhITQpWekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBS2Q3S2lBSlRweWkvZjhSUTdpWnIxSlZFRFFZTG85NE5jdWMxCjVBRWZud3dtWW1ZaS9wb1BVR1Q0aWZpSGpmOFVHK3hTaDdhUUxjT0RaL1JQUFlTU3lPc2xVTXhDTlVYVUJUUWgKaFJhYUl2OTBCZmRBeS9lUEtrYnlDQTNYN0lQQzBEU2M3SjMzTVB2b3Z1MEM5NWtzUVZhajAvbm1zVGpDbzlidApZWk5iaFRIUDVoL3ljeG5TbEdIVnNZeW5EZ3F1M3BZbk9vSHBLZ1diNEw1NlhtVVNMUzQraFdVZno4ZmdtL2tDCmY0UHVyZnVjSEdKS1lPd04rOWZxOFhXQW5ZZ3NLdDdrbG5GNThoelhpcU55THd3L2pVeEFKRFN0bDdyeGVpU2QKTU9ZTW5LSG14TDlmbGZsU0hNSGVLOUR1Q2dCbHVUaEpQenpBcVZhYmVGTlhSTlB1U2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==>EOF#查询证书的内容opensslx509-inadmin-temp-ca.crt-noout-text至此就把组和用户关联起来了,也就理解了kubernetes-admin管理员的整个权限流程4.ExtendedthinkingThroughtheabove,wecanunderstandthataslongastheusersunderthesystem:mastersgrouphaveadministratorprivileges,canwealsocreateauserourselvesandissueaSubject:O=system:masters,CNwiththek8srootcertificate=johnny-admin’scertificate?SummaryThisarticlemainlyintroducesthepermissionprocessofthekubernetes-adminadministratorandhowtomatchitwiththesystem:mastersgroupWelcomeeveryonetovisitthepersonalblogJohnnyHouseWelcometopayattentiontoindividuals公众号
