diff --git a/sig-architecture/concepts-and-designs/access-control-zh.md b/sig-architecture/concepts-and-designs/access-control-zh.md new file mode 100644 index 00000000..a9e6cda6 --- /dev/null +++ b/sig-architecture/concepts-and-designs/access-control-zh.md 
@@ -0,0 +1,132 @@ +## 权限控制 + +### RBAC + +https://kubernetes.io/docs/reference/access-authn-authz/rbac/ + +![](../images/rbac-example.png) + + +### KS中的租户与资源层级 + +![](../images/resource-hierarchy.png) + + +Platform: users、workspaces、clusters +Cluster: nodes、workloads、namespaces +Workspace: namespaces、apps +Namesapce: workloads + +### API Pattern + +https://kubernetes.io/docs/reference/using-api/api-concepts/ + +``` +# KS API +/kapis/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource} + +# K8s 原生 API +/apis/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource} +/api/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource} + +# 多集群分发 +/apis/clusters/{cluster}/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource} +/kapis/clusters/{cluster}/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource} +``` + +**API 示例** + +Platform Scope + +特殊的 CRD,这类资源被 host 集群管理,受到 GlobalRole 的限制 + +``` +/kapis/iam.kubesphere.io/users +/kapis/resources.kubesphere.io/v1alpha3/clusters +/kapis/tenant.kubesphere.io/workspaces +``` + +Workspace Scope + +KS 中的资源层级,受到 WorkspaceRole 的限制 + +``` +/kapis/openpitrix.kubesphere.io/workspaces/{workspace}/apps +/kapis/tenant.kubesphere.io/workspaces/{workspace}/namespaces +``` + +Cluster Scope + +K8s 中的资源层级,收到 ClusterRole 的限制 + +``` +/api/v1/nodes +/apis/apps/v1/deployments +``` + +Namespace Scope + +``` +/apis/apps/v1/namespaces/{namespace}/deployments +``` + +### 插件的权限控制 + +KubeSphere 2.x + +![](../images/rbac-2.x.png) + + +KubeSphere 3.x + +![](./../images/rbac-3.x.png) + +KubeSphere 4.x + +在 3.x 的基础之上进一步细化,授权粒度分为 创建(create)、查看(list、get、watch)、编辑(update、patch)、删除(delete)、管理(\*) 五个部分 + +授权项、功能模块可以动态拓展 + +** RoleTemplate ** + +```yaml +apiVersion: iam.kubesphere.io/v1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/scope: Platform + iam.kubesphere.io/module: Access Control + iam.kubesphere.io/rules: '{"users": "view"}' + name: role-template-view-users + 
+rules: +- apiGroups: + - '*' + resources: + - users + verbs: + - get + - list + - watch +``` + +```yaml +apiVersion: iam.kubesphere.io/v1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/scope: Namespaced + iam.kubesphere.io/module: Pipelines + iam.kubesphere.io/rules: '{"pipelines": "view"}' + name: role-template-view-pipelines + +rules: +- apiGroups: + - 'devops.kubesphere.io' + resources: + - 'pipelines' + verbs: + - get + - list + - watch +``` \ No newline at end of file diff --git a/sig-architecture/images/rbac-2.x.png b/sig-architecture/images/rbac-2.x.png new file mode 100644 index 00000000..c965d015 Binary files /dev/null and b/sig-architecture/images/rbac-2.x.png differ diff --git a/sig-architecture/images/rbac-3.x.png b/sig-architecture/images/rbac-3.x.png new file mode 100644 index 00000000..4e32c394 Binary files /dev/null and b/sig-architecture/images/rbac-3.x.png differ diff --git a/sig-architecture/images/rbac-example.png b/sig-architecture/images/rbac-example.png new file mode 100644 index 00000000..5ac16ef8 Binary files /dev/null and b/sig-architecture/images/rbac-example.png differ diff --git a/sig-architecture/images/resource-hierarchy.png b/sig-architecture/images/resource-hierarchy.png new file mode 100644 index 00000000..a608f9c5 Binary files /dev/null and b/sig-architecture/images/resource-hierarchy.png differ
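Review bot: the `role-template-view-users` RoleTemplate in this hunk grants `users` across `apiGroups: ['*']`, which is wider than a view-only template needs and inconsistent with the second template, which is pinned to `devops.kubesphere.io`; since the document's own Platform-scope example addresses users under `/kapis/iam.kubesphere.io/users`, consider `- iam.kubesphere.io` instead of `- '*'` so the template cannot match a same-named resource in another API group. In the same hunk, the K8s native pattern line `/api/{apiGroup}/{apiVersion}/{resourcePlural}/{resourceName}/{subResource}` does not match the core-group example `/api/v1/nodes` given later in the file (the core group has no apiGroup segment), and the Platform/Workspace examples `/kapis/iam.kubesphere.io/users` and `/kapis/tenant.kubesphere.io/workspaces/{workspace}/namespaces` omit the `{apiVersion}` segment that the stated KS API pattern requires, while `/kapis/resources.kubesphere.io/v1alpha3/clusters` includes it. Typos: `Namesapce: workloads` should read `Namespace`, and `收到 ClusterRole 的限制` should be `受到`. Formatting: `** RoleTemplate **` with inner spaces will not render as bold in Markdown and should be `**RoleTemplate**`; the image link `![](./../images/rbac-3.x.png)` uses a different relative path style from the other images (`../images/...`); and the new file lacks a trailing newline.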