IAM authentication and access control
Introduction
Elastic Kubernetes Service (EKS) is the fully managed Kubernetes service from AWS. It is deeply integrated with many AWS services, such as AWS Identity and Access Management (IAM) (for authentication to the cluster), Amazon CloudWatch (for logging), Auto Scaling Groups (for scaling worker nodes), and Amazon Virtual Private Cloud (VPC) (for networking). Many companies trust Amazon EKS to run their containerized workloads.
EKS uses IAM to authenticate to your Kubernetes cluster (via the aws eks get-token command, or the AWS IAM Authenticator for Kubernetes). For authorization it relies on native Kubernetes Role Based Access Control (RBAC). In other words, IAM decides who you are when you talk to your EKS cluster, and the permissions for what that identity may do against the cluster's Kubernetes API are managed through the native Kubernetes RBAC system.
How to create an IAM User
Go to your AWS Console where you will find the IAM service listed under the “Security, Identity & Compliance” group. Inside the IAM dashboard click on the Users tab and click the “Add User” button.
Create a new user and allow the user programmatic access by clicking on the "Programmatic access" checkbox. You do not need any particular permission for your user to access EKS. You can go ahead without selecting any permission.
After the user is created, you will have access to the user's Access Key ID and Secret Access Key. You will be required to use these keys in the next step.
Configure the AWS CLI
Configuring your AWS CLI with a new user is as simple as running the aws configure command and providing the AWS Access Key ID and the AWS Secret Access Key. The Default region name and Default output format are optional, though.
$ aws configure --profile eks-user
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text
Once configured, you can check that the user is set up correctly using the aws sts get-caller-identity command:
$ aws sts get-caller-identity --profile eks-user
If the user is properly configured with the aws cli utility you should see a response like the one shown below:
{
    "UserId": "AIDAX7JPBEM4A6FTJRTMB",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/eks-user"
}
Creating a Role and RoleBinding for the user
With your IAM user properly configured, you can go ahead and create a role for the user. This snippet of code creates a role named eks-user-role with a modest list permission on the pods resource in your cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eks-user-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
Save the above snippet of code in a file and then apply the Role to your Kubernetes cluster:
$ kubectl apply -f role.yaml
With the role configured you need to create a corresponding RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eks-user-role-binding
subjects:
  - kind: User
    name: eks-user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: eks-user-role
  apiGroup: rbac.authorization.k8s.io
Save the above snippet of code in a file and then apply the RoleBinding to your Kubernetes cluster:
$ kubectl apply -f role-binding.yaml
Adding the user to the aws-auth configmap
If you want to grant additional AWS users or roles the ability to interact with your EKS cluster, you must add the users/roles to the aws-auth ConfigMap within Kubernetes in the kube-system namespace.
You can do this either by editing it in place using the kubectl edit command:
$ kubectl edit configmap aws-auth -n kube-system
Or by exporting the aws-auth ConfigMap to a file, editing it, and applying the changes:
$ kubectl get configmap aws-auth -n kube-system -o yaml > aws-auth.yaml
Add the user as an item under mapUsers in the aws-auth ConfigMap:
data:
  mapUsers: |-
    - userarn: arn:aws:iam::123456789012:user/eks-user
      username: eks-user
      groups:
        - eks-role
If the user is properly configured you should be able to list pods in the Cluster:
$ kubectl get pods --as eks-user
The --as flag makes kubectl send the request to Kubernetes impersonating the given user. You can use this flag to test permissions for any given user. Note that the API server honours impersonation only if the identity you are actually calling with (for example the cluster creator) is itself allowed the impersonate verb on users; otherwise the request is rejected before RBAC for eks-user is even evaluated.
Configuring permissions for the user
The role which you defined previously only had permission to list pods. The eks-user cannot access any other Kubernetes resources like Deployments, ConfigMaps, Events, Secrets, or logs, or even open a shell into a given pod.
In a real-world scenario, you will need to grant a user permissions on the resources they actually need. The below snippet of code provides access to resources such as events, pods, deployments, configmaps and secrets.
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log", "pods/exec"]
    verbs: ["list", "get", "create", "update", "delete"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["list", "get", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "get", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "get", "create", "update", "delete"]
Replace the rules in the role.yaml file with the above permissions and apply the changes using kubectl apply -f.
Test, test and test!
Now go ahead and test whether the permissions have been properly applied to the eks-user. You can test this using the above mentioned --as USERNAME flag, or set the eks-user profile as the default profile for the aws cli:
$ export AWS_PROFILE=eks-user
Once configured, you can check that the user is set up correctly using the aws sts get-caller-identity command:
$ aws sts get-caller-identity
You should see a response like the following, indicating the user is properly configured with your aws cli utility:
{
    "UserId": "AIDAX7JPBEM4A6FTJRTMB",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/eks-user"
}
Test the permissions of the user with the below-mentioned commands.
$ kubectl get pods
$ kubectl get secrets
$ kubectl get configmaps
$ kubectl get deployments
$ kubectl logs <pod-name>
$ kubectl exec -it <pod-name> -- sh
$ kubectl create configmap my-cm --from-literal=db_username=<USERNAME> --from-literal=db_host=<HOSTNAME>
$ kubectl create secret generic my-secret --from-literal=db_password=<SOME_STRONG_PASSWORD>
Simply put, the eks-user user should be able to perform all the actions specified in the verbs array for pods, secrets, configmaps, deployments, and events. You can read more about it in the Kubernetes Authorization Overview.
Can-I or Not
You can use auth can-i to check whether you have permission on a resource. To see if you have the permission to get pods, simply run:
$ kubectl auth can-i get pods
The answer will be a simple yes or no. Amazing, isn’t it?
Wanna check if you have cluster-admin permissions? Fire this:
$ kubectl auth can-i "*" "*"
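To see how the three pieces set up in this post fit together, here is an added Python model (not code from the post, from AWS or from Kubernetes) that walks the same chain kubectl auth can-i evaluates for the eks-user: the aws-auth mapUsers entry turns the IAM ARN into a Kubernetes username and groups, the RoleBinding selects which Role applies to that identity, and the Role's rules decide a verb/resource request. The data is constructed from the manifests above; the second, over-privileged mapping is invented so the audit function has something to flag. Real RBAC also evaluates ClusterRoleBindings, mapRoles, resourceNames and nonResourceURLs, which this model deliberately leaves out.

```python
# Added example: an offline model of the EKS authorization chain described in
# this post (aws-auth mapping -> RoleBinding -> Role rules). It is not the
# post's code and not a Kubernetes library; ClusterRoleBindings, mapRoles,
# resourceNames and nonResourceURLs are left out on purpose.

USER_ARN = "arn:aws:iam::123456789012:user/eks-user"

# Constructed from the post's aws-auth snippet; the second entry is an
# invented, deliberately over-privileged mapping for the audit below.
AWS_AUTH_MAP_USERS = [
    {"userarn": USER_ARN, "username": "eks-user", "groups": ["eks-role"]},
    {"userarn": "arn:aws:iam::123456789012:user/ops-admin",   # constructed
     "username": "ops-admin", "groups": ["system:masters"]},
]

# The expanded eks-user-role from the post, keyed by (namespace, name).
ROLES = {
    ("default", "eks-user-role"): [
        {"apiGroups": [""], "resources": ["events"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
         "verbs": ["list", "get", "create", "update", "delete"]},
        {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
         "verbs": ["list", "get", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["list", "get", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["list", "get", "create", "update", "delete"]},
    ],
}

# The post's RoleBinding, in the namespace kubectl apply defaults to.
ROLE_BINDINGS = [
    {"namespace": "default",
     "roleRef": {"kind": "Role", "name": "eks-user-role"},
     "subjects": [{"kind": "User", "name": "eks-user"}]},
]


def map_iam_identity(userarn, map_users=AWS_AUTH_MAP_USERS):
    """Step 1: aws-auth turns an IAM ARN into (username, groups); None if unmapped."""
    for entry in map_users:
        if entry["userarn"] == userarn:
            return entry["username"], list(entry.get("groups", []))
    return None


def bindings_for(username, groups, bindings=ROLE_BINDINGS):
    """Step 2: bindings whose subjects name this user or one of its groups."""
    matched = []
    for binding in bindings:
        for subject in binding["subjects"]:
            if (subject["kind"] == "User" and subject["name"] == username) or \
               (subject["kind"] == "Group" and subject["name"] in groups):
                matched.append(binding)
                break
    return matched


def rule_allows(rule, verb, api_group, resource):
    """Step 3: one PolicyRule matches if verb, apiGroup and resource all match.
    A '*' in the rule matches anything; a '*' in the request matches only a
    rule that itself contains '*', which is what `auth can-i "*" "*"` tests.
    Subresources such as pods/log must be listed explicitly: 'pods' alone
    does not cover them."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def can_i(userarn, verb, resource, api_group="", namespace="default",
          map_users=AWS_AUTH_MAP_USERS, bindings=ROLE_BINDINGS, roles=ROLES):
    """Answer `kubectl auth can-i <verb> <resource> --as <user>` for a
    namespaced request by walking the three steps above."""
    identity = map_iam_identity(userarn, map_users)
    if identity is None:
        return False      # unmapped IAM principals fail authentication outright
    username, groups = identity
    for binding in bindings_for(username, groups, bindings):
        if binding["namespace"] != namespace:
            continue      # a Role only grants within its own namespace
        for rule in roles.get((binding["namespace"], binding["roleRef"]["name"]), []):
            if rule_allows(rule, verb, api_group, resource):
                return True
    return False


def privileged_mappings(map_users=AWS_AUTH_MAP_USERS):
    """Defender check: aws-auth entries that put an IAM principal into
    system:masters, which bypasses every Role written above."""
    return [m["userarn"] for m in map_users
            if "system:masters" in m.get("groups", [])]


if __name__ == "__main__":
    for verb, resource, group in [("list", "pods", ""), ("get", "pods/log", ""),
                                  ("list", "deployments", "apps"),
                                  ("delete", "events", ""), ("*", "*", "")]:
        answer = "yes" if can_i(USER_ARN, verb, resource, group) else "no"
        print(f"can-i {verb} {resource} (apiGroup={group!r}): {answer}")
    print("system:masters mappings:", privileged_mappings())
```

Two things the model makes visible that the manifests alone do not: the eks-role group in the aws-auth entry grants nothing by itself, because no binding names a Group subject with that name, and a Role bound in the default namespace gives eks-user no rights in kube-system, so the same `kubectl get pods --as eks-user` answers differently with `-n kube-system`.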
Wrap up
EKS provides the Kubernetes control plane with the backend persistence layer. The Kubernetes API server and the master nodes are provisioned and scaled across various availability zones, resulting in high availability and eliminating a single point of failure. An AWS-managed Kubernetes cluster can withstand the loss of an availability zone.
Access and authorization controls are critical for any security system. Kubernetes provides us with a robust RBAC permission mechanism.
Originally published at faizanbashir.me
Translated from: https://www.freecodecamp.org/news/adding-limited-access-iam-user-to-eks-cluster/