RBAC Access Control
RBAC Overview
RBAC (Role-Based Access Control) defines permissions with Role/ClusterRole objects and grants them to users or ServiceAccounts with RoleBinding/ClusterRoleBinding objects.
| Resource | Scope | Description |
|---|---|---|
| Role | Namespace | Permissions within one Namespace |
| ClusterRole | Cluster | Permissions on cluster-level resources |
| RoleBinding | Namespace | Binds a Role/ClusterRole to subjects (Namespace scope) |
| ClusterRoleBinding | Cluster | Binds a ClusterRole to subjects (cluster scope) |
Role and ClusterRole
role.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]  # core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
```
clusterrole.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
```
Common verbs
| Verb | Meaning | Corresponding operation |
|---|---|---|
| get | Read a single resource | kubectl get pod xxx |
| list | List resources | kubectl get pods |
| watch | Watch for changes | kubectl get pods -w |
| create | Create | kubectl create |
| update | Update | kubectl apply |
| patch | Partial update | kubectl patch |
| delete | Delete | kubectl delete |
RoleBinding and ClusterRoleBinding
rolebinding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# bind to a user
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
# bind to a ServiceAccount
- kind: ServiceAccount
  name: myapp-sa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
clusterrolebinding.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin  # built-in superuser role
  apiGroup: rbac.authorization.k8s.io
```
ServiceAccount
A Pod obtains its API permissions through the ServiceAccount it runs as.
serviceaccount.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: default
---
# grant the SA permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-sa-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: myapp-sa  # namespace defaults to the RoleBinding's namespace
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Pod uses the SA
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  serviceAccountName: myapp-sa  # specify the SA
  automountServiceAccountToken: true
  containers:
  - name: app
    image: myapp
```
Built-in ClusterRoles
| Role | Permissions |
|---|---|
| cluster-admin | Superuser, all permissions |
| admin | Namespace administrator (excluding ResourceQuota) |
| edit | Read/write access to most resources |
| view | Read-only |
Least-privilege example
ci-cd-sa.yaml
```yaml
# ServiceAccount for CI/CD: needs only deployment permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deploy
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deploy-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: ci-deploy
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```
Permission checks
```bash
# check the current user's permissions
kubectl auth can-i create pods
kubectl auth can-i delete deployments -n production
# check as another user or ServiceAccount
kubectl auth can-i get pods --as=alice
kubectl auth can-i get pods --as=system:serviceaccount:default:myapp-sa
# list all permissions
kubectl auth can-i --list
```
Common interview questions
Q1: What are the core components of Kubernetes RBAC?
Answer:
Four core resources:
- Role: namespace-level permission definition
- ClusterRole: cluster-level permission definition
- RoleBinding: binds a Role/ClusterRole to subjects (Namespace scope)
- ClusterRoleBinding: binds a ClusterRole to subjects (cluster scope)
Subjects: User, Group, ServiceAccount
Q2: How do you implement the principle of least privilege?
Answer:
- Do not use cluster-admin; define precise permissions for each role
- Use Namespaces to isolate teams and environments
- Grant only the necessary verbs (read-only roles do not get delete)
- Restrict resourceNames to specific resources
- Audit regularly: kubectl auth can-i --list
- Give CI/CD a dedicated ServiceAccount with limited permissions
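The least-privilege checks above can be applied to manifests before they reach the cluster. The script below is an added example, not code from the original page: it lints parsed RBAC objects for wildcards, escalation verbs, sensitive resources and bindings to the broad built-in ClusterRoles. The objects are given as Python dicts (the form a YAML parser or `kubectl get ... -o json` produces), the verb and resource sets are assumptions chosen for the example, and the `too-broad` ClusterRole is constructed.

```python
# Least-privilege lint for parsed Kubernetes RBAC objects (added example, not from the page).
# Verbs that let a subject widen its own permissions, and resources that are sensitive
# even read-only. Both sets are an assumption chosen for this example.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "rolebindings", "clusterrolebindings"}

def audit_rules(name, rules):
    """Return findings for one Role/ClusterRole rules list (empty list means clean)."""
    findings = []
    for rule in rules:
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if "*" in groups or "*" in resources:
            findings.append(f"{name}: wildcard apiGroups/resources {groups}/{resources}")
        if "*" in verbs:
            findings.append(f"{name}: wildcard verbs on {resources}")
        for verb in sorted(ESCALATION_VERBS & set(verbs)):
            findings.append(f"{name}: escalation verb '{verb}' on {resources}")
        for res in sorted(SENSITIVE_RESOURCES & set(resources)):
            findings.append(f"{name}: sensitive resource '{res}' with verbs {verbs}")
    return findings

def audit_binding(binding):
    """Flag cluster-admin bound anywhere, and admin/edit bound cluster-wide."""
    ref, meta = binding["roleRef"], binding["metadata"]
    cluster_wide = binding["kind"] == "ClusterRoleBinding"
    broad = ref["name"] == "cluster-admin" or (cluster_wide and ref["name"] in ("admin", "edit"))
    if ref["kind"] != "ClusterRole" or not broad:
        return []
    subjects = ", ".join(f"{s['kind']}/{s['name']}" for s in binding.get("subjects", []))
    scope = "cluster-wide" if cluster_wide else f"in namespace {meta['namespace']}"
    return [f"{meta['name']}: grants {ref['name']} {scope} to {subjects}"]

def audit(objects):
    """Audit every Role/ClusterRole/RoleBinding/ClusterRoleBinding in a list of parsed objects."""
    findings = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            findings += audit_rules(obj["metadata"]["name"], obj.get("rules", []))
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += audit_binding(obj)
    return findings
# Constructed sample: the page's pod-reader Role and admin-binding, plus a made-up wildcard ClusterRole.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-binding"},
     "subjects": [{"kind": "User", "name": "admin"}], "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "ClusterRole", "metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
```

Running `audit(SAMPLE)` reports nothing for `pod-reader`, one finding for `admin-binding` and two for `too-broad`; in a pipeline the same functions would run over every object returned by `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.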