-
[따배쿠] 인증과 권한 관리 - 권한관리편kubernetes 2024. 12. 29. 15:57
권한 관리 (Role & RoleBinding)
실습
[Role 생성]
# command로 Role 생성
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
role 이름 : develpoer
role 역할 : create, get, list, update, delete
대상 리소스 : pod
즉, pod에 대해 create, get, list, update, delete의 권한을 갖는 role이다.
# command로 만든 Role에 관해 yaml 파일로 확인
root@master:~# kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods --dry-run -o yaml W1229 06:37:41.385507 649542 helpers.go:703] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: developer rules: - apiGroups: - "" resources: - pods verbs: - create - get - list - update - delete
[Role binding]
# command로 Role Binding
kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser
# command로 만든 Role Binding에 관해 yaml 파일로 확인
root@master:~# kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser rolebinding.rbac.authorization.k8s.io/developer-binding-myuser created root@master:~# kubectl create rolebinding developer-binding-myuser --role=developer --user=myuser --dry-run -o yaml W1229 06:40:35.843526 650777 helpers.go:703] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: developer-binding-myuser roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: developer subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: myuser
즉, 지금까지 myuser를 쿠버네티스에 등록했고
해당 myuser에 developer이라는 Role을 Binding했다.
[해당 user을 kubeconfig에 추가]
# 새로운 자격증명 추가
root@master:~/Getting-Start-Kubernetes/13# kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true User "myuser" set.
# context 추가
root@master:~/Getting-Start-Kubernetes/13# kubectl config set-context myuser --cluster=kubernetes --user=myuser Context "myuser" created.
myuser라는 context가 추가되었다.
# 작업 context switch
root@master:~/Getting-Start-Kubernetes/13# kubectl config use-context myuser Switched to context "myuser".
# 현재 context 확인
root@master:~/Getting-Start-Kubernetes/13# kubectl config current-context myuser
myuser의 작업 context로 switch 되었다.
# 테스트
root@master:~/Getting-Start-Kubernetes/13# kubectl get pods No resources found in default namespace.
pod는 조회가 가능하다
root@master:~/Getting-Start-Kubernetes/13# kubectl get svc Error from server (Forbidden): services is forbidden: User "myuser" cannot list resou rce "services" in API group "" in the namespace "default"
myuser은 pod에 대한 특정 권한만 갖고있으므로,
service에 대한 조회는 불가능하다. (권한이 없기 때문)
이렇게 user 별로 최소 권한을 제어할 수 있다.
root@master:~/Getting-Start-Kubernetes/13# kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "myuser" cannot list reso urce "pods" in API group "" in the namespace "kube-system"
같은 namespace(default)가 아닌 다른 namespace(kube-system)의 리소스는 확인 불가능하다.
권한 관리 (ClusterRole & ClusterRoleBinding)
일반 RoleBinding은 같은 namespace 안 리소스들에 대한 액세스 제어가 가능했다면, (자신이 속한 namespace)
ClusterRoleBidning은 같은 namespace 안 리소스뿐만 아니라 다른 namespace까지도 제어가 가능하다. (All namespace)
실습
기존의 Role과 RoleBinding을 삭제시켜보자
# 현재 context 확인
root@master:~/Getting-Start-Kubernetes/13# kubectl config current-context myuser
# context 전환
root@master:~/Getting-Start-Kubernetes/13# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
root@master:~/Getting-Start-Kubernetes/13# kubectl config current-context kubernetes-admin@kubernetes
# role 확인 및 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl get role NAME CREATED AT developer 2024-12-29T08:05:49Z
root@master:~/Getting-Start-Kubernetes/13# kubectl delete role developer role.rbac.authorization.k8s.io "developer" deleted
# roleBinding 확인 및 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl get rolebinding NAME ROLE AGE developer-binding-myuser Role/developer 22m
root@master:~/Getting-Start-Kubernetes/13# kubectl delete rolebinding developer-binding-myuser rolebinding.rbac.authorization.k8s.io "developer-binding-myuser" deleted
ClusteRoleBinding 생성 뒤
다른 namespace의 리소스에도 접근 가능하도록 해보자
# ClusterRole 생성
root@master:~/Getting-Start-Kubernetes/13# kubectl create clusterrole developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods clusterrole.rbac.authorization.k8s.io/developer created
# ClusterRoleBinding 생성
root@master:~/Getting-Start-Kubernetes/13# kubectl create clusterrolebinding developer-binding-myuser --clusterrole=developer --user=myuser clusterrolebinding.rbac.authorization.k8s.io/developer-binding-myuser created
# context 전환
root@master:~/Getting-Start-Kubernetes/13# kubectl config use-context myuser Switched to context "myuser".
myuser context로 전환한다.
# 테스트
root@master:~/Getting-Start-Kubernetes/13# kubectl get pods No resources found in default namespace.
myuser가 위치한 default namespace의 리소스는 당연히 확인가능하다.
root@master:~/Getting-Start-Kubernetes/13# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-5b9b456c66-slbt7 1/1 Running 10 (27h ago) 24d calico-node-22qcb 1/1 Running 17 (27h ago) 56d calico-node-7lxq2 1/1 Running 10 (27h ago) 24d calico-node-hqlgk 1/1 Running 17 (27h ago) 56d coredns-55cb58b774-hn85c 1/1 Running 10 (27h ago) 24d coredns-55cb58b774-wx9q6 1/1 Running 10 (27h ago) 24d etcd-master 1/1 Running 17 (27h ago) 56d kube-apiserver-master 1/1 Running 17 (27h ago) 56d kube-controller-manager-master 1/1 Running 17 (27h ago) 56d kube-proxy-4gkx6 1/1 Running 17 (27h ago) 56d kube-proxy-6xskg 1/1 Running 10 (27h ago) 24d kube-proxy-bbl9f 1/1 Running 17 (27h ago) 56d kube-scheduler-master 1/1 Running 17 (27h ago) 56d
또한 다른 namespace 내 리소스까지 확인 가능하다.
root@master:~/Getting-Start-Kubernetes/13# kubectl get nodes Error from server (Forbidden): nodes is forbidden: User "myuser" cannot list resource "nodes" in API group "" at the cluster scope
root@master:~/Getting-Start-Kubernetes/13# kubectl get svc Error from server (Forbidden): services is forbidden: User "myuser" cannot list resource "services" in API group "" in the namespace "default"
그러나 pod에 대해서만 접근 가능하도록 했으므로, pod를 제외한 다른 서비스에는 접근이 불가능하다.
삭제
# Context 변환
root@master:~/Getting-Start-Kubernetes/13# kubectl config use-context kubernetes-admin@kubernetes Switched to context "kubernetes-admin@kubernetes".
# ClusterRole 및 ClusterRoleBinding 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl delete clusterrolebinding developer-binding-myuser clusterrolebinding.rbac.authorization.k8s.io "developer-binding-myuser" deleted
root@master:~/Getting-Start-Kubernetes/13# kubectl delete clusterrole developer clusterrole.rbac.authorization.k8s.io "developer" deleted
# User의 Context 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl config delete-context myuser deleted context myuser from /root/.kube/config
# User 정보 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl config delete-user myuser deleted user myuser from /root/.kube/config
# User 삭제
root@master:~/Getting-Start-Kubernetes/13# kubectl delete csr myuser certificatesigningrequest.certificates.k8s.io "myuser" deleted
번외)
# 쿠버네티스에서 기본적으로 제공하는 cluster role
root@master:~/Getting-Start-Kubernetes/13# kubectl get clusterrole NAME CREATED AT admin 2024-11-03T05:00:43Z calico-kube-controllers 2024-11-03T05:10:31Z calico-node 2024-11-03T05:10:31Z cluster-admin 2024-11-03T05:00:43Z edit 2024-11-03T05:00:43Z ingress-nginx 2024-12-09T04:50:36Z ingress-nginx-admission 2024-12-09T04:50:37Z kubeadm:get-nodes 2024-11-03T05:00:44Z ...
여기서 cluster-admin이라는 role을 자세하게 조회해보자
root@master:~/Getting-Start-Kubernetes/13# kubectl describe clusterrole cluster-admin Name: cluster-admin Labels: kubernetes.io/bootstrapping=rbac-defaults Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- *.* [] [] [*] [*] [] [*]
모든 리소스에 대해 모든 권한을 가지는 것을 확인 가능
root@master:~/Getting-Start-Kubernetes/13# kubectl create clusterrolebinding developer-binding-myuser --clusterrole=cluster-admin --user=myuser
clusterrole에 쓰면서 활용할 수 있다.
퀴즈
# user 및 csr 생성
root@master:~/Getting-Start-Kubernetes/13# openssl genrsa -out app-manager.key 2048 root@master:~/Getting-Start-Kubernetes/13# openssl req -new -key app-manager.key -out app-manager.csr -subj "/CN=app-manager"
root@master:~/Getting-Start-Kubernetes/13# cat app-manager.csr | base64 | tr -d "\n" LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1d6Q0NBVU1DQVFBd0ZqRVVNQklHQTFVRUF3d0xZWEJ3TFcxaGJtRm5aWEl3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN4dU1CaDJDWVJsL0gxQnFRUHJNSW1nbmFCbzlEeElxYm1kN0g0CjJYWk9EU3BsL3lEa1pld1c1aHNLNVg3YkY1K2N2T2VhcEFMTHBTMU15QlIwZTZwRHBodGNUVDNMa2lQT2RDTnAKbkRsQjVGR3ZMUlIrYWlYY1JCMFhKZTNBRGtqSWFaZEFmeFB0VWQyMGJ5ekZaMjVCWU43VFpkSk85L0tjUzFXRgpOUWhqTDNLRmJLeVk0eUszZHg4OXk0ZE1wMEN1VjlNU2lOcy82TzdPMm5zNFpEaERMUDk5ZkNhaGhocnByK3hGCmVCUnlSeGZuczNIcWtzWnk0NStwbkV3Tk1aaU5PZmIrTkRiQlhSSU1qdUhodzF3VUlDQm82em9MQ0Njbm1YSHkKRzVCN29HTWdlelgwdDJPK3dZVmVucmxVRzI1NTByaTlvYkgvK2tzb3J3TjNzK0tMQWdNQkFBR2dBREFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQVdUeU1BRmNLRTVZc1JMVXlvTVhLaFQxVi9EWjJpUCtuZDVVbTJIQnVaRHAxCm9LUWRVcDRmbzdqeGJGY0RSazJLTGRZNmtEOU5QaHh1STBTRk9DZjQyeFEvalh6NlVEQ3Q1cGtNdmpUdzBoVVQKTmJSbWtLVFQxSS9oOExxNTUrL1R5eDdiN3ppRzJwRzVRNFQ5VjNndHRJb2NvRFZGbTV6TDFUWFBXSFZ5QW5ucQpPTE9BV3hrL2pmTU1NN01zTnRqZ2Uxc1o3K3E3WXQxYTU4ZGhGbzVPalRmRHFVaERSSlFEZ2ZiVkVyQmRnWVZhCmg4SlNERGVwbHQ4dnZ6M2VQRU0xMEVnU1huaUJReS8zS2tEQjRoblNCSENGQk5CUFRXems0cEZkUDVMZUZ5cTcKZW9uMzdHdHYvM2FqU1Uwby9mYWxsRnQvOVliQ1RHaVAwRmZhNzFHY3VBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
root@master:~/Getting-Start-Kubernetes/13# vi csr-app-manager.yaml apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: app-manager spec: request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1d6Q0NBVU1DQVFBd0ZqRVVNQklHQTFVRUF3d0xZWEJ3TFcxaGJtRm5aWEl3Z2dFaU1BMEdDU3FHU0liMwpEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN4dU1CaDJDWVJsL0gxQnFRUHJNSW1nbmFCbzlEeElxYm1kN0g0CjJYWk9EU3BsL3lEa1pld1c1aHNLNVg3YkY1K2N2T2VhcEFMTHBTMU15QlIwZTZwRHBodGNUVDNMa2lQT2RDTnAKbkRsQjVGR3ZMUlIrYWlYY1JCMFhKZTNBRGtqSWFaZEFmeFB0VWQyMGJ5ekZaMjVCWU43VFpkSk85L0tjUzFXRgpOUWhqTDNLRmJLeVk0eUszZHg4OXk0ZE1wMEN1VjlNU2lOcy82TzdPMm5zNFpEaERMUDk5ZkNhaGhocnByK3hGCmVCUnlSeGZuczNIcWtzWnk0NStwbkV3Tk1aaU5PZmIrTkRiQlhSSU1qdUhodzF3VUlDQm82em9MQ0Njbm1YSHkKRzVCN29HTWdlelgwdDJPK3dZVmVucmxVRzI1NTByaTlvYkgvK2tzb3J3TjNzK0tMQWdNQkFBR2dBREFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQVdUeU1BRmNLRTVZc1JMVXlvTVhLaFQxVi9EWjJpUCtuZDVVbTJIQnVaRHAxCm9LUWRVcDRmbzdqeGJGY0RSazJLTGRZNmtEOU5QaHh1STBTRk9DZjQyeFEvalh6NlVEQ3Q1cGtNdmpUdzBoVVQKTmJSbWtLVFQxSS9oOExxNTUrL1R5eDdiN3ppRzJwRzVRNFQ5VjNndHRJb2NvRFZGbTV6TDFUWFBXSFZ5QW5ucQpPTE9BV3hrL2pmTU1NN01zTnRqZ2Uxc1o3K3E3WXQxYTU4ZGhGbzVPalRmRHFVaERSSlFEZ2ZiVkVyQmRnWVZhCmg4SlNERGVwbHQ4dnZ6M2VQRU0xMEVnU1huaUJReS8zS2tEQjRoblNCSENGQk5CUFRXems0cEZkUDVMZUZ5cTcKZW9uMzdHdHYvM2FqU1Uwby9mYWxsRnQvOVliQ1RHaVAwRmZhNzFHY3VBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg== signerName: kubernetes.io/kube-apiserver-client usages: - client auth
root@master:~/Getting-Start-Kubernetes/13# kubectl apply -f csr-app-manager.yaml certificatesigningrequest.certificates.k8s.io/app-manager created
root@master:~/Getting-Start-Kubernetes/13# kubectl get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION app-manager 24s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending
root@master:~/Getting-Start-Kubernetes/13# kubectl certificate approve app-manager certificatesigningrequest.certificates.k8s.io/app-manager approved
root@master:~/Getting-Start-Kubernetes/13# kubectl get csr app-manager -o jsonpath='{ .status.certificate}'| base64 -d > app-manager.crt
# context 생성
root@master:~/Getting-Start-Kubernetes/13# kubectl config set-credentials app-manager --client-key=app-manager.key --client-certificate=app-manager.crt --embed-certs=true User "app-manager" set.
root@master:~/Getting-Start-Kubernetes/13# kubectl config set-context app-manager --cluster=kubernetes --user=app-manager Context "app-manager" created.
# ClusterRole 및 ClusterRoleBinding 생성
root@master:~/Getting-Start-Kubernetes/13# kubectl create clusterrole app-access --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods --resource=deployment --resource=service clusterrole.rbac.authorization.k8s.io/app-access created
root@master:~/Getting-Start-Kubernetes/13# kubectl create clusterrolebinding app-binding-manager --clusterrole=app-access --user=app-manager clusterrolebinding.rbac.authorization.k8s.io/app-binding-manager created
# 확인
root@master:~/Getting-Start-Kubernetes/13# kubectl config use-context app-manager Switched to context "app-manager".
root@master:~/Getting-Start-Kubernetes/13# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 20d mainui-svc ClusterIP 10.97.156.116 <none> 80/TCP 19d root@master:~/Getting-Start-Kubernetes/13# kubectl get pods No resources found in default namespace.
[참고 영상]
https://www.youtube.com/watch?v=zv24Db73SrU&list=PLApuRlvrZKohLYdvfX-UEFYTE7kfnnY36&index=4
'kubernetes' 카테고리의 다른 글
[따배쿠] Kubernetes Autoscaling - 운영 (0) 2025.01.19 [따배쿠] 로그 관리 (1) 2025.01.08 [따배쿠] Secret (1) 2024.12.25 [따배쿠] ConfigMap (0) 2024.12.24 [따배쿠] Label을 이용한 Canary Deployment (0) 2024.12.10