K8s RBAC mechanism
Role-Based Access Control
Core components: subject --> RoleBinding --> Role --> resource permissions
Four-layer architecture:
Subject: who needs the permission (users, groups, service accounts)
Role: defines a set of permission rules
RoleBinding: binds a role to a subject
Resource: the Kubernetes object being accessed
RBAC API resource types
Role: namespace-scoped, defines permissions within a single namespace
ClusterRole: cluster-scoped, defines cluster-wide permissions
RoleBinding: namespace-scoped, binds a Role or ClusterRole to subjects (takes effect in a single namespace)
ClusterRoleBinding: cluster-scoped, binds a ClusterRole to subjects (takes effect across the whole cluster)
Core components in detail
Subject
Three kinds of subjects:
# Example: the subjects section of a RoleBinding
subjects:
- kind: User # external user
  name: "alice@example.com"
  apiGroup: rbac.authorization.k8s.io
- kind: Group # user group
  name: "developers"
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount # service account
  name: default
  namespace: kube-system
Role
Role (namespace-scoped), example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # core API group (empty string)
  resources: ["pods", "pods/log"] # resource types
  verbs: ["get", "list", "watch"] # allowed operations
ClusterRole (cluster-scoped), example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # a ClusterRole has no namespace field
  name: cluster-admin
rules:
- apiGroups: ["*"] # all API groups
  resources: ["*"] # all resources
  verbs: ["*"] # all operations
- nonResourceURLs: ["*"] # non-resource endpoints
  verbs: ["*"]
Rules
rules:
- apiGroups: ["apps"] # API group
  resources: ["deployments"] # resource type
  resourceNames: ["my-app"] # specific resource names (optional)
  verbs: ["get", "list"] # verbs
Common verbs:
Read operations: get, list, watch
Write operations: create, update, patch, delete
Special operations: deletecollection, exec
Status operations: use (for PodSecurityPolicy)
Role bindings
RoleBinding example:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default # only takes effect in the default namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # or ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRoleBinding example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global # no namespace
subjects:
- kind: Group
  name: system:authenticated # all authenticated users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
RBAC permission combinations
How bindings and roles combine:
ClusterRoleBinding + ClusterRole = cluster-wide permissions
ClusterRoleBinding + Role = ❌ not allowed
RoleBinding + Role = permissions within the namespace
RoleBinding + ClusterRole = permissions within the namespace (the ClusterRole's permissions are restricted to that namespace)
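As an added example (not from these notes), a small Python evaluator that applies the four combinations above to Role/Binding objects built as plain dicts shaped like this page's YAML. The names bob, pod-reader, secret-reader and read-pods come from this page; the secrets-dev and bad-ref bindings are made up for the demonstration.

```python
# Added example, not from the original notes: a minimal evaluator for the four binding/role
# combinations above, run over constructed Role/Binding objects (dicts shaped like this page's YAML).

def rule_matches(rule, group, resource, verb, name=None):
    """True if one rule entry grants `verb` on `resource` in API group `group`."""
    allows = lambda f, v: "*" in rule.get(f, []) or v in rule.get(f, [])
    if "resourceNames" in rule and name not in rule["resourceNames"]:
        return False  # rule restricted to specific object names
    return allows("apiGroups", group) and allows("resources", resource) and allows("verbs", verb)

def subject_in(binding, subject):
    """Match kind, name and (for ServiceAccounts) namespace against the binding's subjects."""
    return any(s["kind"] == subject["kind"] and s["name"] == subject["name"]
               and s.get("namespace") == subject.get("namespace") for s in binding["subjects"])

def can_i(subject, verb, resource, namespace, roles, bindings, group="", name=None):
    """Answer like `kubectl auth can-i`: does any binding for the subject grant the action?"""
    for b in bindings:
        if not subject_in(b, subject):
            continue
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            if ref["kind"] != "ClusterRole":
                continue  # ClusterRoleBinding + Role: not allowed, never grants anything
            role = roles.get(("ClusterRole", None, ref["name"]))  # cluster-wide grant
        else:
            bns = b["metadata"]["namespace"]
            if bns != namespace:
                continue  # RoleBinding grants only inside its namespace, even for a ClusterRole
            role = roles.get((ref["kind"], bns if ref["kind"] == "Role" else None, ref["name"]))
        if role and any(rule_matches(r, group, resource, verb, name) for r in role["rules"]):
            return True
    return False

# Constructed objects keyed by (kind, namespace, name); ClusterRoles carry no namespace.
ROLES = {
    ("Role", "default", "pod-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    ("ClusterRole", None, "secret-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
}
BOB = {"kind": "User", "name": "bob"}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [BOB], "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "secrets-dev", "namespace": "dev"},
     "subjects": [BOB], "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "bad-ref"},
     "subjects": [BOB], "roleRef": {"kind": "Role", "name": "pod-reader"}},
]
```

The bad-ref binding is the kind the API server rejects at creation time; it is included only to show that the evaluator grants nothing through it.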
Built-in ClusterRoles:
cluster-admin: cluster-scoped, superuser, can access all resources
admin: namespace-scoped, namespace administrator, read/write on most resources
edit: namespace-scoped, allows modifying resources but not viewing or modifying RBAC
view: namespace-scoped, read-only, cannot view Secrets or modify resources
List the built-in roles:
kubectl get clusterrole
Practical scenarios
Developer permissions:
# 1. Create the developer role (can only operate in the dev namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: developer
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "jobs", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list"]
---
# 2. Bind it to the developer group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: dev
subjects:
- kind: Group
  name: "dev-team"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
Read-only monitoring account:
# Create a read-only ClusterRole (for monitoring)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitor
rules:
- apiGroups: [""]
  resources: ["pods", "services", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]
---
# Bind it to a service account (for Prometheus)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitor-binding
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: monitoring
roleRef:
  kind: ClusterRole
  name: monitor
  apiGroup: rbac.authorization.k8s.io
Commands
Principles:
Least privilege: grant only the permissions that are necessary
Regular audits: periodically review permission assignments
Use service accounts: give each application a dedicated service account
Avoid cluster-admin: unless absolutely necessary
Checking permissions:
# Check the current user's permissions
kubectl auth can-i create deployments
kubectl auth can-i delete pods --namespace=production
# Check as another user
kubectl auth can-i list pods --as=system:serviceaccount:default:my-sa
# Full listing
kubectl auth can-i --list
Creating and managing:
# Create a Role
kubectl create role pod-reader --verb=get,list,watch --resource=pods
# Create a RoleBinding
kubectl create rolebinding bob-read-pods \
  --role=pod-reader \
  --user=bob \
  --namespace=default
# Create a ClusterRole
kubectl create clusterrole cluster-monitor \
  --verb=get,list,watch \
  --resource=nodes,pods,services
# Create a ClusterRoleBinding
kubectl create clusterrolebinding monitor-all \
  --clusterrole=cluster-monitor \
  --group=monitoring-team
Viewing and debugging:
# List all bindings
kubectl get rolebindings,clusterrolebindings --all-namespaces
# List bindings whose first subject is bob (a binding listing bob as a later subject is not matched)
kubectl get rolebindings,clusterrolebindings \
  --all-namespaces \
  -o jsonpath='{range .items[?(@.subjects[0].name=="bob")]}{.kind}{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\n"}{end}'
# Export the RBAC configuration
kubectl get roles,rolebindings,clusterroles,clusterrolebindings -o yaml > rbac-backup.yaml