Security Configurations Inside Kubernetes

Namespace

Most of the components provided in this project need to know the namespace. For Kubernetes (1.3+), the namespace is made available to the pod as part of the service account secret and is automatically detected by the client. For earlier versions, it needs to be specified as an environment variable to the pod. A quick way to do this is as follows:

      env:
      - name: "KUBERNETES_NAMESPACE"
        valueFrom:
          fieldRef:
            fieldPath: "metadata.namespace"

Service Account

For distributions of Kubernetes that support more fine-grained role-based access within the cluster, you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API. For any service accounts you assign to a deployment or pod, you need to make sure they have the correct roles.

Depending on the requirements, you’ll need get, list and watch permission on the following resources:

Table 1. Kubernetes Resource Permissions

Dependency                                        Resources
spring-cloud-starter-kubernetes-fabric8           pods, services, endpoints
spring-cloud-starter-kubernetes-fabric8-config    configmaps, secrets
spring-cloud-starter-kubernetes-client            pods, services, endpoints
spring-cloud-starter-kubernetes-client-config     configmaps, secrets

For development purposes, you can add cluster-reader permissions to your default service account. On a production system you’ll likely want to provide more granular permissions.

The following Role and RoleBinding are an example of namespaced permissions for the default account:

# Role: read-only access to the core resources listed in Table 1,
# scoped to a single namespace (replace YOUR-NAME-SPACE).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: YOUR-NAME-SPACE
  name: namespace-reader
rules:
  - apiGroups: [""]   # "" is the core API group
    resources: ["configmaps", "pods", "services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]

---

# RoleBinding: grants the Role above to the default service account
# of the same namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-reader-binding
  namespace: YOUR-NAME-SPACE
subjects:
- kind: ServiceAccount
  name: default
  apiGroup: ""   # ServiceAccount subjects belong to the core API group
roleRef:
  kind: Role
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io   # API group of the referenced Role
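The Role above grants read access to secrets and configmaps even when a deployment only uses discovery. The following added example (not part of the Spring Cloud Kubernetes documentation) builds a Role from Table 1 for exactly the starters a deployment uses, and audits an existing Role for permissions beyond that; the `kubectl apply -f -` usage in the docstring is assumed from standard kubectl behaviour.

```python
"""Least-privilege Role generation and audit for spring-cloud-kubernetes.

Added example, not project code. Kubernetes accepts JSON manifests, so the
output of build_role() can be piped straight to: kubectl apply -f -
"""
import json

# Table 1 from the page: core resources each starter needs to read.
RESOURCES_BY_STARTER = {
    "spring-cloud-starter-kubernetes-fabric8": {"pods", "services", "endpoints"},
    "spring-cloud-starter-kubernetes-fabric8-config": {"configmaps", "secrets"},
    "spring-cloud-starter-kubernetes-client": {"pods", "services", "endpoints"},
    "spring-cloud-starter-kubernetes-client-config": {"configmaps", "secrets"},
}
READ_VERBS = ["get", "list", "watch"]


def needed_resources(starters):
    """Union of the core resources required by the given starters."""
    needed = set()
    for starter in starters:
        needed |= RESOURCES_BY_STARTER[starter]  # KeyError on unknown starter
    return needed


def build_role(namespace, starters, name="namespace-reader"):
    """Return a Role manifest (dict) granting only get/list/watch on the
    resources the listed starters actually need."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"namespace": namespace, "name": name},
        "rules": [{"apiGroups": [""],
                   "resources": sorted(needed_resources(starters)),
                   "verbs": list(READ_VERBS)}],
    }


def excess_permissions(role, starters):
    """Audit a Role: return sorted (resource, verb) pairs that exceed what the
    starters need. Wildcards and non-core API groups always count as excess."""
    needed = needed_resources(starters)
    excess = []
    for rule in role.get("rules", []):
        core_only = rule.get("apiGroups", []) == [""]
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if (not core_only or resource == "*" or verb == "*"
                        or resource not in needed or verb not in READ_VERBS):
                    excess.append((resource, verb))
    return sorted(excess)


if __name__ == "__main__":
    print(json.dumps(build_role("demo", ["spring-cloud-starter-kubernetes-client"]), indent=2))
```

Running the page's combined Role through `excess_permissions` for a discovery-only deployment reports the six secret and configmap reads it does not need.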