Kubernetes RBAC
KubeVela 1.4 开始,我们加入了认证和授权的功能,这使得控制器可以严格根据使用者的权限去做应用的交付和管理,隔离不同的租户,让应用交付变得更安全。
安装
为了不影响之前的用户体验,在 1.4 版本中我们为多集群权限做了功能开关,默认不开启,你可以在安装或升级时指定开启,方法如下。
删除原先的集群绑定权限
vela-core:manager-rolebinding,避免 KubeVela 控制器使用已有的高权限。kubectl delete ClusterRoleBinding kubevela-vela-core:manager-rolebinding升级控制器,开启用户权限认证功能:
helm upgrade --install kubevela kubevela/vela-core --create-namespace -n vela-system --set authentication.enabled=true --set authentication.withUser=true --wait确保命令行工具 Vela CLI 版本为 v1.4.1+,参考安装文档.
(可选) 安装 vela-prism 组件,开启高级的权限管理能力。
helm repo add prism https://charts.kubevela.net/prism
helm repo update
helm install vela-prism prism/vela-prism -n vela-system
使用
准备好集群
在我们开始之前,请确保你已经有 2 个集群添加到管控中,假设命名为 c2 和 c3。你可以参考多集群管理文档 查看如何添加集群。
$ vela cluster list
NAME ALIAS CREDENTIAL_TYPE ENDPOINT ACCEPTED LABELS
local Internal - true
c3 X509Certificate <c3 apiserver url> true
c2 X509Certificate <c2 apiserver url> true
下图概括了下述的流程。在下文的介绍中,相关命令将会通过使用 KUBECONFIG 环境变量来切换身份,代表不同身份(用户)的操作。(不同的 KUBECONFIG 代表不同的用户身份。)
创建用户组(用户)
$ vela auth gen-kubeconfig --user alice > alice.kubeconfig
Private key generated.
Certificate request generated.
Certificate signing request alice generated.
Certificate signing request alice approved.
Signed certificate retrieved.
这里的 alice (--user指定) 既可以表示某个用户组,也可以代表某个用户。通常我们建议用来表示用户组,以便降低整体权限控制的复杂度。在 VelaUX 中则与“项目”这个概念对应,每一个项目创建一个独立的用户组权限,而 VelaUX 中支持使用 LDAP 对接公司的账号体系,可以对具体的某个用户账号授权,加入到某个项目中(即加入用户组),以此完成 VelaUX 终端用户和底层资源权限的打通。
对用户组授权
$ vela auth grant-privileges --user alice --for-namespace dev --for-cluster=local,c2 --create-namespace
ClusterRole kubevela:writer created in local.
RoleBinding dev/kubevela:writer:binding created in local.
ClusterRole kubevela:writer created in c2.
RoleBinding dev/kubevela:writer:binding created in c2.
Privileges granted.
这里采用了 KubeVela 简化的权限能力,对 local 和 c2 集群授权了 dev 命名空间的“读/写”权限,同时还可以方便的创建命名空间。授权命令可以多次执行,用于增加权限。
查看用户组权限
$ vela auth list-privileges --user alice --cluster local,c2
User=alice
├── [Cluster] local
│ └── [ClusterRole] kubevela:writer
│ ├── [Scope]
│ │ └── [Namespaced] dev (RoleBinding kubevela:writer:binding)
│ └── [PolicyRules]
│ ├── APIGroups: *
│ │ Resources: *
│ │ Verb: get, list, watch, create, update, patch, delete
│ └── NonResourceURLs: *
│ Verb: get, list, watch, create, update, patch, delete
└── [Cluster] c2
└── [ClusterRole] kubevela:writer
├── [Scope]
│ └── [Namespaced] dev (RoleBinding kubevela:writer:binding)
└── [PolicyRules]
├── APIGroups: *
│ Resources: *
│ Verb: get, list, watch, create, update, patch, delete
└── NonResourceURLs: *
Verb: get, list, watch, create, update, patch, delete
你可以一目了然的看到这个用户组在不同集群中的权限。
使用权限
创建用户组之后(vela auth gen-kubeconfig),会生成一个 KubeConfig 对应该权限,最终用户可以拿着这个 KubeConfig 使用 vela 命令行工具进行操作,生态的插件功能也可以通过这个 KubeConfig 跟 KubeVela 的 API 对接。 使用的方式与 KubeConfig 原先的用法完全一致,你可以将 KubeConfig 放到 ~/.kube/config 中,也可以通过环境变量使用。
cat <<EOF | KUBECONFIG=alice.kubeconfig vela up -f -
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
name: podinfo
namespace: dev
spec:
components:
- name: podinfo
type: webservice
properties:
image: stefanprodan/podinfo:6.0.1
policies:
- type: topology
name: topology
properties:
clusters: ["c2"]
EOF
可以通过如下命令查看多集群下资源的部署状态:
$ KUBECONFIG=alice.kubeconfig vela status podinfo -n dev
About:
Name: podinfo
Namespace: dev
Created at: 2022-05-31 17:06:14 +0800 CST
Status: running
Workflow:
mode: DAG
finished: true
Suspend: false
Terminated: false
Steps
- id:rk3npcpycl
name:deploy-topology
type:deploy
phase:succeeded
message:
Services:
- Name: podinfo
Cluster: c2 Namespace: dev
Type: webservice
Healthy Ready:1/1
No trait applied
未授权的操作会被禁止
对于创建出的 KubeConfig,如果 Alice 访问 dev 这个命名空间以外的资源,服务端会禁止这个操作。
KUBECONFIG=alice.kubeconfig kubectl get pod -n vela-system
Error from server (Forbidden): pods is forbidden: User "alice" cannot list resource "pods" in API group "" in the namespace "vela-system"
Alice 使用 Application 创建涉及其他集群的资源也会被禁止,比如创建如下的应用 podinfo-bad:
$ cat <<EOF | KUBECONFIG=alice.kubeconfig vela up -f -
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
name: podinfo-bad
namespace: dev
spec:
components:
- name: podinfo-bad
type: webservice
properties:
image: stefanprodan/podinfo:6.0.1
policies:
- type: topology
name: topology
properties:
clusters: ["c3"]
EOF
Alice在查看应用状态时会了解到错误情况:
$ KUBECONFIG=alice.kubeconfig vela status podinfo-bad -n dev
About:
Name: podinfo-bad
Namespace: dev
Created at: 2022-05-31 17:09:16 +0800 CST
Status: runningWorkflow
Workflow:
mode: DAG
finished: false
Suspend: false
Terminated: false
Steps
- id:tw539smx7m
name:deploy-topology
type:deploy
phase:failed
message:step deploy: run step(provider=multicluster,do=deploy): Found 1 errors. [(error encountered in cluster c3: HandleComponentsRevision: controllerrevisions.apps is forbidden: User "alice" cannot list resource "controllerrevisions" in API group "apps" in the namespace "dev")]
只读权限
我们也可以给用户创建一个只读权限,这也是 KubeVela 封装好的预置权限,比如给用户 Bob 提供只读的 KubeConfig:
$ vela auth gen-kubeconfig --user bob > bob.kubeconfig
Private key generated.
Certificate request generated.
Certificate signing request bob generated.
Certificate signing request bob approved.
Signed certificate retrieved.
$ vela auth grant-privileges --user bob --for-namespace dev --for-cluster=local,c2 --readonly
ClusterRole kubevela:reader created in local.
RoleBinding dev/kubevela:reader:binding created in local.
ClusterRole kubevela:reader created in c2.
RoleBinding dev/kubevela:reader:binding created in c2.
Privileges granted.
用户 Bob 就可以看到 dev 这个命名空间的应用状态了。
$ KUBECONFIG=bob.kubeconfig vela ls -n dev
APP COMPONENT TYPE TRAITS PHASE HEALTHY STATUS CREATED-TIME
podinfo podinfo webservice running healthy Ready:1/1 2022-05-31 17:06:14 +0800 CST
podinfo-bad podinfo-bad webservice workflowTerminated 2022-05-31 17:09:16 +0800 CST
$ KUBECONFIG=bob.kubeconfig vela status podinfo -n dev
About:
Name: podinfo
Namespace: dev
Created at: 2022-05-31 17:06:14 +0800 CST
Status: running
Workflow:
mode: DAG
finished: true
Suspend: false
Terminated: false
Steps
- id:rk3npcpycl
name:deploy-topology
type:deploy
phase:succeeded
message:
Services:
- Name: podinfo
Cluster: local Namespace: dev
Type: webservice
Healthy Ready:1/1
No trait applied
- Name: podinfo
Cluster: c2 Namespace: dev
Type: webservice
Healthy Ready:1/1
No trait applied
但是如果他想做其他操作,比如删除一个应用,就会被禁止:
$ KUBECONFIG=bob.kubeconfig vela delete podinfo-bad -n dev
Deleting Application "podinfo-bad"
Error: delete application err: applications.core.oam.dev "podinfo-bad" is forbidden: User "bob" cannot delete resource "applications" in API group "core.oam.dev" in the namespace "dev"
2022/05/31 17:17:51 delete application err: applications.core.oam.dev "podinfo-bad" is forbidden: User "bob" cannot delete resource "applications" in API group "core.oam.dev" in the namespace "dev"
而对于有权限的 Alice 来说,她可以删除应用:
$ KUBECONFIG=alice.kubeconfig vela delete podinfo-bad -n dev
application.core.oam.dev "podinfo-bad" deleted
查看应用的资源
如果用户想要细粒度的资源查看能力,就要安装之前提到的 vela-prism 组件了。安装完成后就可以使用如下命令查看资源关联关系和状态:
$ KUBECONFIG=bob.kubeconfig vela status podinfo -n dev --tree --detail
CLUSTER NAMESPACE RESOURCE STATUS APPLY_TIME DETAIL
c2 ─── dev ─── Deployment/podinfo updated 2022-05-31 17:06:14 Ready: 1/1 Up-to-date: 1 Available: 1 Age: 13m
local ─── dev ─── Deployment/podinfo updated 2022-05-31 17:06:14 Ready: 1/1 Up-to-date: 1 Available: 1 Age: 13m
注意,如果没有安装
vela-prism组件,非管理员用户都无法查看资源状态。
扩展阅读
这个文档提供了系统授权的基本操作说明,事实上 KubeVela 支持更细粒度的权限管理,并与 Kubernetes RBAC 权限一致,你可以阅读底层实现原理文档了解更多详情。
如果你是平台管理员,你可以阅读系统集成文档了解更多与 Kubernetes RBAC 集成的细节。