Namespace Isolation and RBAC

The core question: when several teams share one Kubernetes cluster, how do you keep them from interfering with each other, and how do you control precisely who may do what?


Namespaces as the isolation boundary

A Namespace provides logical isolation:

```mermaid
graph TB
  subgraph "Kubernetes cluster"
    subgraph "production Namespace"
      P1[api-deployment]
      P2[web-deployment]
      P3[postgres-statefulset]
    end
    subgraph "staging Namespace"
      S1[api-deployment]
      S2[web-deployment]
    end
    subgraph "monitoring Namespace"
      M1[prometheus]
      M2[grafana]
    end
    subgraph "argocd Namespace"
      A1[argocd-server]
    end
  end
```

| Namespace | Description |
|---|---|
| production | Production applications; strict RBAC; changes require manual approval |
| staging | Test environment; developers have apply permission |
| monitoring | Monitoring components; managed by the platform team |
| argocd | GitOps controller; SRE team only |
| kube-system | Kubernetes system components; no business workloads allowed |

Creating a Namespace and setting resource quotas

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    env: production
    team: platform
---
# ResourceQuota: caps the total resources the Namespace may consume
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    # compute resources
    requests.cpu: "20"
    requests.memory: 40Gi
    limits.cpu: "40"
    limits.memory: 80Gi
    # object counts
    count/pods: "100"
    count/services: "20"
    count/persistentvolumeclaims: "30"
    count/secrets: "50"
    count/configmaps: "50"
---
# LimitRange: default values for Pods that set no limits
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
    - type: Container
      default:           # default limits (added automatically when unset)
        cpu: 500m
        memory: 512Mi
      defaultRequest:    # default requests
        cpu: 100m
        memory: 128Mi
      max:               # per-container maximum
        cpu: "4"
        memory: 8Gi
      min:               # per-container minimum
        cpu: 10m
        memory: 32Mi
```
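To make the interaction between the two objects concrete, here is an added Python example (not code from the page or from Kubernetes) that models the admission-time defaulting and quota accounting described above against constructed Pod specs. The quantity parser, the sample Pods and the order of the defaulting steps are this example's own assumptions, simplified from what the API server does.

```python
"""Added example (not code from the page or from Kubernetes): models what the
production LimitRange and ResourceQuota above do at admission time, using constructed Pods."""
import re

# Kubernetes quantity suffixes and their multipliers (the subset this example needs)
_SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
           "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

# The production LimitRange and ResourceQuota from the manifests above, as dicts
LIMIT_RANGE = {
    "default": {"cpu": "500m", "memory": "512Mi"},
    "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
    "max": {"cpu": "4", "memory": "8Gi"},
    "min": {"cpu": "10m", "memory": "32Mi"},
}
QUOTA_HARD = {"requests.cpu": "20", "requests.memory": "40Gi",
              "limits.cpu": "40", "limits.memory": "80Gi", "count/pods": "100"}


def parse_quantity(q):
    """Convert "500m", "2", "512Mi" or "40Gi" to a float in base units (cores / bytes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def apply_limit_range(container, lr=LIMIT_RANGE):
    """Return the container's requests/limits after defaulting, or raise ValueError.

    Assumed order, simplified from the API server: a limit given without a request is
    copied into the request; the LimitRange then fills any still-missing limit from
    `default` and request from `defaultRequest`; finally both values must lie within
    min/max and the request must not exceed the limit.
    """
    spec = container.get("resources", {})
    requests, limits = dict(spec.get("requests", {})), dict(spec.get("limits", {}))
    for key in ("cpu", "memory"):
        if key in limits and key not in requests:
            requests[key] = limits[key]                      # request := limit
        limits.setdefault(key, lr["default"][key])           # LimitRange default limit
        requests.setdefault(key, lr["defaultRequest"][key])  # LimitRange default request
        lo, hi = parse_quantity(lr["min"][key]), parse_quantity(lr["max"][key])
        req, lim = parse_quantity(requests[key]), parse_quantity(limits[key])
        for label, value in (("request", req), ("limit", lim)):
            if not lo <= value <= hi:
                raise ValueError(f"{container['name']}: {key} {label} outside LimitRange min/max")
        if req > lim:
            raise ValueError(f"{container['name']}: {key} request exceeds limit")
    return {"requests": requests, "limits": limits}


def check_quota(pods, hard=QUOTA_HARD):
    """Sum the defaulted requests/limits of all Pods; return (usage, keys that exceed the quota)."""
    used = {k: 0.0 for k in hard}
    used["count/pods"] = float(len(pods))
    for pod in pods:
        for c in pod["containers"]:
            res = apply_limit_range(c)
            for key in ("cpu", "memory"):
                used[f"requests.{key}"] += parse_quantity(res["requests"][key])
                used[f"limits.{key}"] += parse_quantity(res["limits"][key])
    exceeded = [k for k in hard if used[k] > parse_quantity(hard[k])]
    return used, exceeded


# Constructed sample: 50 Pods, each with one container that sets nothing and a
# sidecar that sets only a CPU limit (so its CPU request is copied from the limit)
SAMPLE_PODS = [
    {"name": f"web-{i}", "containers": [
        {"name": "web", "image": "web:1.0"},
        {"name": "sidecar", "image": "proxy:1.0", "resources": {"limits": {"cpu": "1"}}},
    ]}
    for i in range(50)
]

if __name__ == "__main__":
    usage, exceeded = check_quota(SAMPLE_PODS)
    for k, v in usage.items():
        print(f"{k:18} {v:>16,.0f}")
    print("quota exceeded for:", exceeded)   # requests.cpu and limits.cpu
```

The point the run makes is that a LimitRange only defaults what is missing: the sidecar's explicit 1-core limit becomes a 1-core request, so fifty such Pods blow through `requests.cpu: "20"` even though every individual container is within the per-container `max`.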

RBAC: Role-Based Access Control

Kubernetes RBAC has four core objects:

```mermaid
graph LR
  SA["ServiceAccount (Pod identity)<br/>User / Group (human identity)"]
  RB["RoleBinding / ClusterRoleBinding<br/>(binding: who holds which role)"]
  R["Role / ClusterRole<br/>(role: what may be done)"]
  SA -->|Subject| RB
  RB -->|roleRef| R
  R -->|permitted operations| K8S["Kubernetes API resources"]
```

| Object | Scope | Purpose |
|---|---|---|
| Role | single Namespace | defines permissions within a Namespace |
| ClusterRole | whole cluster | defines cluster-level permissions (Node, PV, etc.) |
| RoleBinding | single Namespace | binds a role to users / ServiceAccounts |
| ClusterRoleBinding | whole cluster | cluster-level binding |

Common Role definitions

```yaml
# Developer role: can view and deploy, but not delete
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: staging
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/exec"]   # view logs, exec into containers
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]   # read-only: cannot create or modify secrets
---
# Read-only role: suited to product managers and auditors
# Note: get/list on "*" includes Secrets, so holders can read every Secret in the cluster
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-all
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
# SRE role: can manage all workload resources, but cannot modify RBAC
# RBAC rules are purely additive: a later read-only rule cannot narrow an earlier
# apiGroups: ["*"] rule, so the permitted API groups are listed explicitly instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sre
rules:
  - apiGroups: ["", "apps", "batch", "autoscaling", "networking.k8s.io", "policy", "storage.k8s.io"]  # extend for the groups your cluster uses
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["get", "list", "watch"]  # RBAC objects are read-only
```

RoleBinding: binding a role to a user or group

```yaml
# Bind the developer Role to users
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-staging
  namespace: staging
subjects:
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: github-org:team-api-developers   # GitHub Teams, provided through OIDC
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
---
# Bind a ServiceAccount to a ClusterRole (the ArgoCD pattern)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-application-controller
subjects:
  - kind: ServiceAccount
    name: argocd-application-controller
    namespace: argocd
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

NetworkPolicy: network-layer isolation

```yaml
# Default-deny all ingress (set default deny first, then add an allow-list)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}        # matches all Pods
  policyTypes:
    - Ingress
---
# Only allow Pods within the same Namespace to reach each other
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}   # all Pods in the same Namespace
---
# Allow the Ingress Controller in (from the ingress-nginx namespace)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 3000
```
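As an added example (not part of the original page and not a Kubernetes library), the following Python code evaluates the three policies above offline against constructed Pods and namespaces, so the default-deny plus allow-list behaviour can be checked without a cluster. The Pod and namespace labels, and the restriction to `matchLabels` selectors and TCP port numbers, are assumptions of this example.

```python
"""Added example (not from the page): decide whether ingress traffic is allowed under the
three production NetworkPolicies above. Only matchLabels selectors and numeric TCP ports
are modelled; matchExpressions, named ports and ipBlock peers are out of scope."""

# Constructed namespace labels; kubernetes.io/metadata.name is set automatically by Kubernetes
NAMESPACES = {
    "production": {"kubernetes.io/metadata.name": "production", "env": "production"},
    "staging": {"kubernetes.io/metadata.name": "staging", "env": "staging"},
    "ingress-nginx": {"kubernetes.io/metadata.name": "ingress-nginx"},
}

# The production policies from the manifests above, expressed as dicts
POLICIES = [
    # default-deny-ingress: selects every Pod, allows nothing
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Ingress"]},
    # allow-same-namespace: any Pod in production may reach any other
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {}}]}]},
    # allow-ingress-controller: ingress-nginx may reach api-server on 3000
    {"namespace": "production", "podSelector": {"matchLabels": {"app": "api-server"}},
     "ingress": [{"from": [{"namespaceSelector": {
                     "matchLabels": {"kubernetes.io/metadata.name": "ingress-nginx"}}}],
                  "ports": [{"port": 3000}]}]},
]


def selector_matches(selector, labels):
    """matchLabels semantics: {} selects everything; every listed label must be present and equal."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src):
    """A `from` peer with only podSelector means Pods in the policy's own namespace;
    namespaceSelector alone means any Pod in a matching namespace; both together are ANDed."""
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[src["namespace"]]):
            return False
        return "podSelector" not in peer or selector_matches(peer["podSelector"], src["labels"])
    return src["namespace"] == policy_ns and selector_matches(peer["podSelector"], src["labels"])


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """True if src may reach dst on port. A Pod selected by no Ingress policy is not
    isolated (everything allowed); otherwise at least one rule of one policy must allow it."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and selector_matches(p["podSelector"], dst["labels"])
                 and "Ingress" in p.get("policyTypes", ["Ingress"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p.get("ingress", []):
            peers_ok = not rule.get("from") or any(
                peer_matches(peer, p["namespace"], src) for peer in rule["from"])
            ports_ok = not rule.get("ports") or any(
                pp.get("port") == port and pp.get("protocol", "TCP") == protocol
                for pp in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False


# Constructed Pods
API = {"namespace": "production", "labels": {"app": "api-server"}}
WEB = {"namespace": "production", "labels": {"app": "web"}}
DB = {"namespace": "production", "labels": {"app": "postgres"}}
NGINX = {"namespace": "ingress-nginx", "labels": {"app.kubernetes.io/name": "ingress-nginx"}}
STAGING_API = {"namespace": "staging", "labels": {"app": "api-server"}}


def demo():
    """Run the cases a reviewer would want to check by hand."""
    return {
        "web->api:3000": ingress_allowed(POLICIES, WEB, API, 3000),                 # same namespace
        "nginx->api:3000": ingress_allowed(POLICIES, NGINX, API, 3000),             # allow-listed
        "nginx->api:9090": ingress_allowed(POLICIES, NGINX, API, 9090),             # port not listed
        "nginx->db:5432": ingress_allowed(POLICIES, NGINX, DB, 5432),               # only api-server is opened
        "staging->api:3000": ingress_allowed(POLICIES, STAGING_API, API, 3000),     # other namespace
        "web->staging-api:3000": ingress_allowed(POLICIES, WEB, STAGING_API, 3000), # staging has no policy
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24} {'ALLOW' if allowed else 'DENY'}")
```

The last case is the one worth remembering: a namespace with no NetworkPolicy at all leaves its Pods reachable from anywhere, which is why the default-deny policy has to be the first object applied to every namespace, not just production.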

Verifying RBAC permissions

```bash
# Check whether the current user has a given permission
kubectl auth can-i list pods -n production
# Check a ServiceAccount's permissions
kubectl auth can-i create deployments \
  --namespace=staging \
  --as=system:serviceaccount:staging:deployer
# Check an OIDC user's permissions
kubectl auth can-i delete pods -n production \
  --as=alice@example.com
# List the bindings that mention a Subject
kubectl get rolebindings,clusterrolebindings \
  -A -o wide | grep alice@example.com
# Common debugging commands
kubectl describe rolebinding developers-staging -n staging
kubectl describe clusterrolebinding argocd-application-controller
```
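The decision that `kubectl auth can-i` asks the API server to make can be modelled offline. The following added Python example (not the page's own code and not a Kubernetes library) expresses the Role, ClusterRole and binding manifests from the earlier sections as dicts and answers can-i questions over them. The SRE role appears twice, once with the `apiGroups: ["*"]` rule followed by a read-only RBAC rule as it is often written, and once with the API groups enumerated, to show that RBAC rules only ever add permissions. The groups `sre` and `sre-v2`, the `audit` ServiceAccount and the users `bob` and `carol` are constructed for the example.

```python
"""Added example (not from the page): an offline model of the authorization decision behind
`kubectl auth can-i`, over the Role/ClusterRole/binding manifests above expressed as dicts.
Rules are purely additive: a subject is allowed if ANY rule of ANY bound role matches."""

RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_OBJECTS = ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]

ROLES = {  # (kind, namespace or None, name) -> rules
    ("Role", "staging", "developer"): [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods/log", "pods/exec"], "verbs": ["get", "create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
    ("ClusterRole", None, "readonly-all"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
    # "sre" as often written: a wildcard rule, then a read-only rule for RBAC objects
    ("ClusterRole", None, "sre-wildcard"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [RBAC_GROUP], "resources": RBAC_OBJECTS, "verbs": ["get", "list", "watch"]},
    ],
    # "sre" with the permitted API groups enumerated instead of "*" (constructed, partial list)
    ("ClusterRole", None, "sre-enumerated"): [
        {"apiGroups": ["", "apps", "batch", "networking.k8s.io"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [RBAC_GROUP], "resources": RBAC_OBJECTS, "verbs": ["get", "list", "watch"]},
    ],
}

BINDINGS = [  # constructed subjects bound to the roles above
    {"kind": "RoleBinding", "namespace": "staging",
     "subjects": [{"kind": "User", "name": "alice@example.com"},
                  {"kind": "Group", "name": "github-org:team-api-developers"}],
     "roleRef": {"kind": "Role", "name": "developer"}},
    {"kind": "ClusterRoleBinding", "subjects": [{"kind": "Group", "name": "sre"}],
     "roleRef": {"kind": "ClusterRole", "name": "sre-wildcard"}},
    {"kind": "ClusterRoleBinding", "subjects": [{"kind": "Group", "name": "sre-v2"}],
     "roleRef": {"kind": "ClusterRole", "name": "sre-enumerated"}},
    {"kind": "ClusterRoleBinding",
     "subjects": [{"kind": "ServiceAccount", "name": "audit", "namespace": "monitoring"}],
     "roleRef": {"kind": "ClusterRole", "name": "readonly-all"}},
]


def subject_matches(subject, user, groups):
    """A ServiceAccount subject is the user system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"


def rule_matches(rule, verb, api_group, resource):
    """"*" in any list matches everything; otherwise the value must be listed exactly."""
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    return ok(rule["apiGroups"], api_group) and ok(rule["resources"], resource) and ok(rule["verbs"], verb)


def can_i(user, groups, verb, resource, namespace=None, api_group=""):
    """namespace=None is a cluster-scoped request, which only a ClusterRoleBinding can satisfy.
    A RoleBinding applies only inside its own namespace, even when it references a ClusterRole."""
    for b in BINDINGS:
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding":
            if namespace != b["namespace"]:
                continue
            ref_ns = b["namespace"] if b["roleRef"]["kind"] == "Role" else None
        else:
            ref_ns = None
        rules = ROLES.get((b["roleRef"]["kind"], ref_ns, b["roleRef"]["name"]), [])
        if any(rule_matches(r, verb, api_group, resource) for r in rules):
            return True
    return False


def demo():
    dev = ("alice@example.com", ["github-org:team-api-developers"])
    return {
        "alice create deployments in staging": can_i(*dev, "create", "deployments", "staging", "apps"),
        "alice delete pods in staging": can_i(*dev, "delete", "pods", "staging"),
        "alice list pods in production": can_i(*dev, "list", "pods", "production"),
        "sre-wildcard update clusterrolebindings": can_i("bob", ["sre"], "update", "clusterrolebindings", None, RBAC_GROUP),
        "sre-enumerated update clusterrolebindings": can_i("carol", ["sre-v2"], "update", "clusterrolebindings", None, RBAC_GROUP),
        "audit SA get secrets in production": can_i("system:serviceaccount:monitoring:audit", [], "get", "secrets", "production"),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question:44} {'yes' if answer else 'no'}")
```

The two SRE answers are the ones to compare with the real cluster using `kubectl auth can-i update clusterrolebindings --as=... --as-group=...`: with the wildcard rule the read-only RBAC rule is dead text, because the evaluator returns as soon as any rule matches and never looks for a rule that forbids.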
