Kubernetes RBAC

Starting with KubeVela 1.4, authentication and authorization are built in. The controller delivers and manages applications strictly within the privileges of the user who submitted them, isolating tenants from one another and making application delivery safer.

So as not to change the existing user experience, multi-cluster authorization is behind a feature switch in 1.4 and is off by default. You can enable it when installing or upgrading, as follows.

  1. Delete the existing cluster role binding vela-core:manager-rolebinding so that the KubeVela controller no longer runs with its pre-existing high privileges:

     ```shell
     kubectl delete ClusterRoleBinding kubevela-vela-core:manager-rolebinding
     ```

  2. Upgrade the controller with user authentication enabled:

     ```shell
     helm upgrade --install kubevela kubevela/vela-core --create-namespace -n vela-system --set authentication.enabled=true --set authentication.withUser=true --wait
     ```

  3. Make sure the Vela CLI is version v1.4.1 or later; see the installation documentation.

  4. (Optional) Install the vela-prism component to enable advanced permission management:

     ```shell
     helm repo add prism https://charts.kubevela.net/prism
     helm repo update
     helm install vela-prism prism/vela-prism -n vela-system
     ```

Before we begin, make sure you already have two clusters joined for management; in this guide they are named c2 and c3. See the multi-cluster management documentation for how to add clusters.

```shell
$ vela cluster list
NAME   ALIAS  CREDENTIAL_TYPE  ENDPOINT            ACCEPTED  LABELS
local         Internal         -                   true
c3            X509Certificate  <c3 apiserver url>  true
c2            X509Certificate  <c2 apiserver url>  true
```

The figure below summarizes the procedure described next. In what follows, the commands switch identity through the KUBECONFIG environment variable: each KUBECONFIG file represents a different user identity.

[Figure: auth-procedure]

```shell
$ vela auth gen-kubeconfig --user alice > alice.kubeconfig
Private key generated.
Certificate request generated.
Certificate signing request alice generated.
Certificate signing request alice approved.
Signed certificate retrieved.
```

Here alice (set with --user) can represent either a user group or an individual user. We generally recommend using it for a user group, which keeps overall access control simpler. In VelaUX this corresponds to the concept of a "project": each project gets its own independent user-group privileges. VelaUX can also integrate with a company's account system through LDAP, so a specific user account can be authorized and added to a project (that is, to the user group); this connects VelaUX end users to the permissions on the underlying resources.

```shell
$ vela auth grant-privileges --user alice --for-namespace dev --for-cluster=local,c2 --create-namespace
ClusterRole kubevela:writer created in local.
RoleBinding dev/kubevela:writer:binding created in local.
ClusterRole kubevela:writer created in c2.
RoleBinding dev/kubevela:writer:binding created in c2.
Privileges granted.
```

This uses KubeVela's simplified privilege model: it grants read/write privileges on the dev namespace in the local and c2 clusters, and can conveniently create the namespace at the same time. The grant command can be run multiple times to add further privileges.

```shell
$ vela auth list-privileges --user alice --cluster local,c2
User=alice
├── [Cluster] local
│   └── [ClusterRole] kubevela:writer
│       ├── [Scope]
│       │   └── [Namespaced] dev (RoleBinding kubevela:writer:binding)
│       └── [PolicyRules]
│           ├── APIGroups:       *
│           │   Resources:       *
│           │   Verb:            get, list, watch, create, update, patch, delete
│           └── NonResourceURLs: *
│               Verb:            get, list, watch, create, update, patch, delete
└── [Cluster] c2
    └── [ClusterRole] kubevela:writer
        ├── [Scope]
        │   └── [Namespaced] dev (RoleBinding kubevela:writer:binding)
        └── [PolicyRules]
            ├── APIGroups:       *
            │   Resources:       *
            │   Verb:            get, list, watch, create, update, patch, delete
            └── NonResourceURLs: *
                Verb:            get, list, watch, create, update, patch, delete
```

You can see at a glance which privileges this user group holds in each cluster.

After the user group is created (vela auth gen-kubeconfig), a KubeConfig corresponding to those privileges is produced. End users can operate with the vela CLI using this KubeConfig, and ecosystem addons can use it to integrate with KubeVela's API. It is used exactly like any other KubeConfig: place it in ~/.kube/config, or pass it through the environment variable.

```shell
cat <<EOF | KUBECONFIG=alice.kubeconfig vela up -f -
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: podinfo
  namespace: dev
spec:
  components:
    - name: podinfo
      type: webservice
      properties:
        image: stefanprodan/podinfo:6.0.1
  policies:
    - type: topology
      name: topology
      properties:
        clusters: ["c2"]
EOF
```

You can check the deployment status of the resources across clusters with the following command:

```shell
$ KUBECONFIG=alice.kubeconfig vela status podinfo -n dev
About:

  Name:        podinfo
  Namespace:   dev
  Created at:  2022-05-31 17:06:14 +0800 CST
  Status:      running

Workflow:

  mode: DAG
  finished: true
  Suspend: false
  Terminated: false
  Steps
  - id:rk3npcpycl
    name:deploy-topology
    type:deploy
    phase:succeeded
    message:

Services:

  - Name: podinfo  Cluster: c2  Namespace: dev
    Type: webservice
    Healthy Ready:1/1
    No trait applied
```

With the generated KubeConfig, if Alice tries to access resources outside the dev namespace, the server rejects the operation.

```shell
$ KUBECONFIG=alice.kubeconfig kubectl get pod -n vela-system
Error from server (Forbidden): pods is forbidden: User "alice" cannot list resource "pods" in API group "" in the namespace "vela-system"
```

Alice is also forbidden from using an Application to create resources in other clusters, for example the following application podinfo-bad:

```shell
$ cat <<EOF | KUBECONFIG=alice.kubeconfig vela up -f -
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: podinfo-bad
  namespace: dev
spec:
  components:
    - name: podinfo-bad
      type: webservice
      properties:
        image: stefanprodan/podinfo:6.0.1
  policies:
    - type: topology
      name: topology
      properties:
        clusters: ["c3"]
EOF
```

Alice sees the error when she checks the application status:

```shell
$ KUBECONFIG=alice.kubeconfig vela status podinfo-bad -n dev
About:

  Name:        podinfo-bad
  Namespace:   dev
  Created at:  2022-05-31 17:09:16 +0800 CST
  Status:      runningWorkflow

Workflow:

  mode: DAG
  finished: false
  Suspend: false
  Terminated: false
  Steps
  - id:tw539smx7m
    name:deploy-topology
    type:deploy
    phase:failed
    message:step deploy: run step(provider=multicluster,do=deploy): Found 1 errors. [(error encountered in cluster c3: HandleComponentsRevision: controllerrevisions.apps is forbidden: User "alice" cannot list resource "controllerrevisions" in API group "apps" in the namespace "dev")]
```

We can also give a user read-only privileges, another preset that KubeVela packages. For example, to give user Bob a read-only KubeConfig:

```shell
$ vela auth gen-kubeconfig --user bob > bob.kubeconfig
Private key generated.
Certificate request generated.
Certificate signing request bob generated.
Certificate signing request bob approved.
Signed certificate retrieved.
$ vela auth grant-privileges --user bob --for-namespace dev --for-cluster=local,c2 --readonly
ClusterRole kubevela:reader created in local.
RoleBinding dev/kubevela:reader:binding created in local.
ClusterRole kubevela:reader created in c2.
RoleBinding dev/kubevela:reader:binding created in c2.
Privileges granted.
```

User Bob can now see the status of the applications in the dev namespace.

```shell
$ KUBECONFIG=bob.kubeconfig vela ls -n dev
APP          COMPONENT    TYPE        TRAITS  PHASE               HEALTHY  STATUS     CREATED-TIME
podinfo      podinfo      webservice          running             healthy  Ready:1/1  2022-05-31 17:06:14 +0800 CST
podinfo-bad  podinfo-bad  webservice          workflowTerminated                      2022-05-31 17:09:16 +0800 CST
$ KUBECONFIG=bob.kubeconfig vela status podinfo -n dev
About:

  Name:        podinfo
  Namespace:   dev
  Created at:  2022-05-31 17:06:14 +0800 CST
  Status:      running

Workflow:

  mode: DAG
  finished: true
  Suspend: false
  Terminated: false
  Steps
  - id:rk3npcpycl
    name:deploy-topology
    type:deploy
    phase:succeeded
    message:

Services:

  - Name: podinfo  Cluster: local  Namespace: dev
    Type: webservice
    Healthy Ready:1/1
    No trait applied
  - Name: podinfo  Cluster: c2  Namespace: dev
    Type: webservice
    Healthy Ready:1/1
    No trait applied
```

But if he attempts any other operation, such as deleting an application, it is forbidden:

```shell
$ KUBECONFIG=bob.kubeconfig vela delete podinfo-bad -n dev
Deleting Application "podinfo-bad"
Error: delete application err: applications.core.oam.dev "podinfo-bad" is forbidden: User "bob" cannot delete resource "applications" in API group "core.oam.dev" in the namespace "dev"
2022/05/31 17:17:51 delete application err: applications.core.oam.dev "podinfo-bad" is forbidden: User "bob" cannot delete resource "applications" in API group "core.oam.dev" in the namespace "dev"
```

Alice, who does hold the privilege, can delete the application:

```shell
$ KUBECONFIG=alice.kubeconfig vela delete podinfo-bad -n dev
application.core.oam.dev "podinfo-bad" deleted
```
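To make the allow/deny decisions shown above reproducible without a cluster, here is an added Python model (not KubeVela's own code) of the ClusterRoles and namespaced RoleBindings that `vela auth grant-privileges` created for alice and bob on this page; the verb set of the read-only preset is an assumption, since the page does not print its rules.

```python
# Added example, not KubeVela code: a minimal model of the RBAC objects that
# `vela auth grant-privileges` creates on this page, used to reproduce offline
# the allow/deny decisions shown in the kubectl and vela output above.
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete"}

# ClusterRole -> list of (apiGroups, resources, verbs); "*" matches anything.
# kubevela:writer is exactly what `vela auth list-privileges` prints above.
CLUSTER_ROLES = {
    "kubevela:writer": [({"*"}, {"*"}, set(ALL_VERBS))],
    # Assumption: the --readonly preset grants only read verbs (the page calls
    # it "read-only" but does not print its rules).
    "kubevela:reader": [({"*"}, {"*"}, {"get", "list", "watch"})],
}

# (cluster, namespace, user) -> ClusterRole bound by a namespaced RoleBinding.
# As on this page: dev on local and c2 only; nothing in c3 or vela-system.
ROLE_BINDINGS = {
    ("local", "dev", "alice"): "kubevela:writer",
    ("c2", "dev", "alice"): "kubevela:writer",
    ("local", "dev", "bob"): "kubevela:reader",
    ("c2", "dev", "bob"): "kubevela:reader",
}

def _match(allowed, value):
    return "*" in allowed or value in allowed

def can_i(user, cluster, namespace, verb, group, resource):
    """True if a RoleBinding in (cluster, namespace) gives `user` a rule that
    covers (verb, group, resource). A RoleBinding never reaches beyond its own
    namespace or cluster, which is why alice is denied in vela-system and c3."""
    role = ROLE_BINDINGS.get((cluster, namespace, user))
    if role is None:
        return False
    return any(_match(groups, group) and _match(resources, resource)
               and _match(verbs, verb)
               for groups, resources, verbs in CLUSTER_ROLES[role])

def explain(user, cluster, namespace, verb, group, resource):
    """Render the decision in the wording of the API server's Forbidden error."""
    if can_i(user, cluster, namespace, verb, group, resource):
        return "allowed"
    return (f'User "{user}" cannot {verb} resource "{resource}" in API group '
            f'"{group}" in the namespace "{namespace}" (cluster {cluster})')

if __name__ == "__main__":
    print(explain("alice", "local", "vela-system", "list", "", "pods"))
    print(explain("alice", "c3", "dev", "list", "apps", "controllerrevisions"))
    print(explain("bob", "local", "dev", "delete", "core.oam.dev", "applications"))
    print(explain("alice", "local", "dev", "delete", "core.oam.dev", "applications"))
```

The four calls in the main block correspond, in order, to the two denials Alice hit, Bob's denied delete, and Alice's successful delete.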

If users need fine-grained visibility into resources, the vela-prism component mentioned earlier must be installed. Once it is installed, the following command shows the resource relationships and their status:

```shell
$ KUBECONFIG=bob.kubeconfig vela status podinfo -n dev --tree --detail
CLUSTER       NAMESPACE     RESOURCE             STATUS    APPLY_TIME           DETAIL
c2        ─── dev       ─── Deployment/podinfo   updated   2022-05-31 17:06:14  Ready: 1/1  Up-to-date: 1  Available: 1  Age: 13m
local     ─── dev       ─── Deployment/podinfo   updated   2022-05-31 17:06:14  Ready: 1/1  Up-to-date: 1  Available: 1  Age: 13m
```

Note that without the vela-prism component installed, non-admin users cannot view resource status at all.

This document covers the basic operations of system authorization. KubeVela in fact supports finer-grained permission management that is consistent with Kubernetes RBAC; read the underlying implementation document for more details.

If you are a platform administrator, read the system integration document for more details on integrating with Kubernetes RBAC.

Last updated on August 4, 2023 by Daniel Higuero