Managing k8s and Docker containers as a non-root user, explained
Author: CN-FuWei
This article explains how to create a non-root user (here, the ops user), configure kubectl access for it and combine that with RBAC to limit what it can reach, so that the K8s cluster can be managed safely; it also shows how adding the user to the docker group lets it operate Docker containers without root privileges.
1. Managing a k8s cluster as a non-root user
1.1 Create a regular user
useradd ops
1.2 Modify the cluster configuration
On the ops machine that is linked to kubectl, perform the following:
Run as root:
mkdir -p /home/ops/.kube/
cp ~/.kube/config /home/ops/.kube/
# hand ownership of the copied config to the ops user so it can read it
chown ops:ops /home/ops/.kube
chown ops:ops /home/ops/.kube/config
Run as the ops user:
echo "export KUBECONFIG=/home/ops/.kube/config" >> ~/.bash_profile
echo "source <(kubectl completion bash)" >> /home/ops/.bashrc
source ~/.bash_profile
1.3 Verify
[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ kubectl get node
NAME          STATUS   ROLES                  AGE   VERSION
k8s-master1   Ready    control-plane,master   42d   v1.22.0
k8s-master2   Ready    control-plane,master   42d   v1.22.0
k8s-master3   Ready    control-plane,master   42d   v1.22.0
k8s-node1     Ready    <none>                 42d   v1.22.0
k8s-node2     Ready    <none>                 42d   v1.22.0
k8s-node3     Ready    <none>                 42d   v1.22.0
[ops@k8s-master1 root]$ kubectl get ns
NAME              STATUS   AGE
default           Active   42d
kube-node-lease   Active   42d
kube-public       Active   42d
kube-system       Active   42d
monitoring        Active   42d
At this point the ops user can already manage the k8s cluster. (If the ops user should only hold specific permissions on particular namespaces and resource objects, use RBAC to restrict it.)
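As an added example (not from the original post), here is one way to apply that RBAC restriction: ops gets read-only access to the monitoring namespace seen above and nothing outside it. Note that the kubeconfig copied from root carries the cluster administrator's own credential, so this binding only takes effect once ops authenticates with a credential that identifies it as user ops; that credential, and an admin kubeconfig for applying the manifest, are assumed here.

```shell
# Added example, not part of the original post: instead of leaving ops with the
# full admin kubeconfig, bind it to a namespace-scoped, read-only Role.
# Assumptions: the "monitoring" namespace from the post exists, and the ops user
# authenticates to the API server with a credential whose user name is "ops".
set -eu

NS="monitoring"   # namespace ops is allowed to see
OPS_USER="ops"    # user name as seen by the API server (not the Linux account)

# Emit a Role limited to ${NS} (read-only on common workload objects)
# and a RoleBinding that grants it to ${OPS_USER}.
ops_rbac_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ops-readonly
  namespace: ${NS}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ops-readonly
  namespace: ${NS}
subjects:
- kind: User
  name: ${OPS_USER}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ops-readonly
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply with an admin kubeconfig, then ask the API server what ops may do.
# "kubectl auth can-i" exits non-zero when the answer is "no", hence "|| true".
apply_and_check() {
  ops_rbac_manifest | kubectl apply -f -
  kubectl auth can-i list pods   --as="${OPS_USER}" -n "${NS}"                 # expected: yes
  kubectl auth can-i delete pods --as="${OPS_USER}" -n "${NS}" || true         # expected: no
  kubectl auth can-i list pods   --as="${OPS_USER}" -n kube-system || true     # expected: no
}
```

Run apply_and_check from a shell that holds the admin kubeconfig; the three can-i answers confirm that ops is confined to read-only access in monitoring.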
2. Managing Docker as a non-root user
Because the docker group is created automatically when Docker is installed, all that is needed here is to create the user that will manage Docker containers.
[root@k8s-master1 ~]# cat /etc/group
....................
docker:x:995:
First, let's see what happens when an ordinary user who is not in the docker group tries to manage Docker.
Switching to the dev user and running docker commands produces the following errors:
[root@k8s-master1 ~]# su dev
[dev@k8s-master1 root]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied
[dev@k8s-master1 root]$ docker images
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/json": dial unix /var/run/docker.sock: connect: permission denied
Now add the ops user to the docker group:
# -aG appends docker as a supplementary group; -g would replace the user's primary group
# members of the docker group can talk to the daemon socket, which is root-equivalent on the host
usermod -aG docker ops
Next, switch to the ops user and check the result:
[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.39
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.13
  Git commit:       039a7df
  Built:            Wed Sep 4 16:22:32 2019
  OS/Arch:          linux/amd64
  Experimental:     false
[ops@k8s-master1 root]$ docker images
REPOSITORY                                                        TAG       IMAGE ID       CREATED         SIZE
rancher/mirrored-flannelcni-flannel                               v0.17.0   9247abf08677   3 months ago    59.8MB
rancher/mirrored-flannelcni-flannel                               v0.16.3   8cb5de74f107   4 months ago    59.7MB
rancher/mirrored-flannelcni-flannel-cni-plugin                    v1.0.1    ac40ce625740   4 months ago    8.1MB
quay.io/prometheus/node-exporter                                  v1.3.1    1dbe0e931976   5 months ago    20.9MB
registry.aliyuncs.com/google_containers/kube-apiserver            v1.22.0   838d692cbe28   10 months ago   128MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.22.0   5344f96781f4   10 months ago   122MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.22.0   3db3d153007f   10 months ago   52.7MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.22.0   bbad1636b30d   10 months ago   104MB
registry.aliyuncs.com/google_containers/etcd                      3.5.0-0   004811815584   11 months ago   295MB
registry.aliyuncs.com/google_containers/coredns                   v1.8.4    8d147537fb7d   12 months ago   47.6MB
registry.aliyuncs.com/google_containers/pause                     3.5       ed210e3e4a5b   14 months ago   683kB
[ops@k8s-master1 root]$
This completes the setup for managing Docker containers as a non-root user.
Summary
The above is my personal experience; I hope it gives everyone a useful reference, and I hope you will keep supporting 脚本之家.