Kubernetes Namespaces and RBAC Permissions
In a Kubernetes cluster, namespaces isolate resources and RBAC (Role-Based Access Control) governs what users and workloads may do to those resources. Configuring the two together is the foundation of cluster security: a namespace on its own is only a naming boundary, and it becomes a security boundary only once RBAC, resource quotas and network policy are scoped to it. This article walks through configuring and using both.
1. Namespaces
1.1 Default namespaces
- default: used when a request does not specify a namespace.
- kube-system: where cluster system components run; workloads here typically carry elevated privileges, so grant access to it sparingly.
- kube-public: readable by all clients, including unauthenticated ones, by convention; never put anything sensitive in it.
- kube-node-lease: holds the Lease objects that carry node heartbeats.
1.2 Creating a namespace
# From the command line
kubectl create namespace production
kubectl create namespace staging
kubectl create namespace development
# From YAML (labels on the Namespace object are what NetworkPolicy namespaceSelectors match on, so set them deliberately)
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    env: production
    team: backend
1.3 Resource quotas
Set a ResourceQuota on each namespace so that a single team or application cannot consume the whole cluster; exhausting shared capacity is a denial-of-service vector as much as a capacity problem:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    services: "10"
    persistentvolumeclaims: "10"
1.4 Default resource limits
Once a ResourceQuota constrains CPU or memory, the API server rejects any pod in that namespace whose containers do not declare requests and limits. A LimitRange supplies defaults for containers that omit them (it can also cap what any single container may request):
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: production
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    type: Container
2. RBAC core concepts
- Role: a set of permission rules scoped to one namespace.
- ClusterRole: a set of permission rules not tied to a namespace; required for cluster-scoped resources (nodes, namespaces, persistent volumes) and non-resource URLs, and reusable across namespaces.
- RoleBinding: grants a Role, or a ClusterRole, to subjects (users, groups or ServiceAccounts) within one namespace. Binding a ClusterRole through a RoleBinding confines its rules to that namespace.
- ClusterRoleBinding: grants a ClusterRole to subjects across the whole cluster; there is no way to narrow it afterwards.
- ServiceAccount: the identity a pod runs as. Its token is mounted into the pod by default, so whatever RBAC a ServiceAccount holds is available to anyone who can run code in that pod.
RBAC is purely additive: there are no deny rules, so every binding only ever widens what a subject can do.
3. Creating Roles
3.1 A namespace-scoped Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
Note that pods/log is read-only but still sensitive: anything an application prints, including credentials it logs by mistake, becomes readable to holders of this Role.
3.2 A developer Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "deployments", "services", "configmaps", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/exec", "pods/log", "pods/portforward"]
  verbs: ["get", "create"]
Two things in this Role deserve attention before it is copied into a shared namespace. create on pods/exec is code execution inside any pod in the namespace, including reading whatever Secrets and tokens are mounted there. And create on pods (or on deployments and jobs, which create pods) lets the holder start a pod under any ServiceAccount in the namespace, so in practice a developer inherits the union of every ServiceAccount's permissions there. Grant this Role only in namespaces where that is acceptable, which is why it lives in development rather than production.
3.3 A cluster-scoped ClusterRole
Namespaces and nodes are cluster-scoped resources, so read access to them can only be expressed in a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-viewer
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
4. Creating RoleBindings
4.1 Binding a Role to a user
Kubernetes has no User object; the name in the subject must match the identity the authenticator presents (a client certificate's CN, an OIDC claim, and so on):
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
4.2 Binding a Role to a ServiceAccount
A RoleBinding's roleRef can only name a Role in the binding's own namespace (or a ClusterRole). The developer Role above lives in development, so a binding in production cannot reach it, and an application identity should in any case receive the narrowest Role that lets it work rather than a developer Role with exec and delete rights. This binding therefore grants app-sa the pod-reader Role defined in production. roleRef is immutable once created; to point a binding at a different role, delete and recreate it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-role-binding
  namespace: production
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
4.3 ClusterRoleBinding
A ClusterRoleBinding applies the ClusterRole in every namespace and to every cluster-scoped resource its rules name. That is appropriate here, because namespaces and nodes are cluster-scoped anyway; to hand out a ClusterRole's namespaced rules in a single namespace, use a RoleBinding with roleRef.kind: ClusterRole instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-viewer
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-viewer
  apiGroup: rbac.authorization.k8s.io
5. ServiceAccounts
5.1 Creating a ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: production
5.2 Using it in a Pod
Every pod runs as the default ServiceAccount of its namespace unless told otherwise, so give each application its own ServiceAccount and reference it with serviceAccountName. If the application never talks to the API server, also set automountServiceAccountToken: false in the pod spec so a compromised container has no credential to steal.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: production
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: app-sa
      containers:
      - name: app
        image: myapp:latest   # pin a version tag or digest in production rather than latest
5.3 Generating a kubeconfig
External tools such as CI/CD runners act as the ServiceAccount by presenting its token from a kubeconfig. Since Kubernetes 1.24 the API server no longer creates a token Secret for every ServiceAccount automatically; you either request a short-lived, automatically expiring token (kubectl create token, available from kubectl 1.24) or explicitly create a long-lived token Secret as shown here. The Secret form never expires and is revoked only by deleting the Secret, so treat the extracted token like a password and prefer the short-lived form wherever the consumer can refresh it.
# Create a token Secret bound to the ServiceAccount
apiVersion: v1
kind: Secret
metadata:
  name: app-sa-token
  namespace: production
  annotations:
    kubernetes.io/service-account.name: app-sa
type: kubernetes.io/service-account-token
# Read the token back (the token controller fills in the Secret shortly after it is created)
kubectl get secret app-sa-token -n production -o jsonpath='{.data.token}' | base64 -d
The token then goes into the users section of a kubeconfig whose clusters entry carries the API server address and CA bundle, with a context that pins it to the production namespace.
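The page stops at reading the token. The script below, an added example rather than code from the original article, finishes the step: it decodes the token's claims so you can see which identity and expiry you are about to hand to CI, and then writes the kubeconfig around the token. The API server URL, the CA bundle and the demo token are constructed placeholders (the token is unsigned and would be rejected by any cluster); in real use pass your cluster's values and a token from kubectl create token or from the Secret above.

```bash
#!/usr/bin/env bash
# Turn a ServiceAccount token into a namespace-scoped kubeconfig, after checking
# what the token actually carries. Added example, not code from the original
# article. SERVER, CA_B64 and DEMO_TOKEN are constructed placeholders.
set -eu

# Decode an unpadded base64url string (the form JWT segments use).
b64url_decode() {
  local s; s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Print one top-level string or number claim from a JWT payload. A flat regex
# is enough for the standard ServiceAccount token claims (sub, exp, iss);
# use jq for anything nested.
jwt_claim() {
  local payload; payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -E -n "s/.*\"$2\":(\"[^\"]*\"|[0-9]+).*/\1/p" | tr -d '"'
}

# Succeed when the token's exp claim lies after the given epoch time.
jwt_valid_at() {
  local exp; exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$2" ]
}

# Emit a kubeconfig that pins the token to one cluster and one namespace.
# Args: cluster name, API server URL, base64 CA bundle, namespace, SA name, token
make_sa_kubeconfig() {
  local cluster=$1 server=$2 ca_b64=$3 ns=$4 sa=$5 token=$6
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${sa}
  user:
    token: ${token}
contexts:
- name: ${sa}@${cluster}
  context:
    cluster: ${cluster}
    user: ${sa}
    namespace: ${ns}
current-context: ${sa}@${cluster}
EOF
}

# --- demo with constructed values; nothing below talks to a cluster ---
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
# Unsigned stand-in for a real SA token (alg none); any API server rejects it.
DEMO_HEADER=$(b64url_encode '{"alg":"none","typ":"JWT"}')
DEMO_PAYLOAD='{"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:production:app-sa","exp":1767225600}'
DEMO_TOKEN="${DEMO_HEADER}.$(b64url_encode "$DEMO_PAYLOAD").unsigned"
SERVER=https://api.example.internal:6443    # assumed; take it from `kubectl cluster-info`
CA_B64=$(printf 'placeholder-ca' | base64)  # assumed; copy certificate-authority-data from an admin kubeconfig

echo "subject: $(jwt_claim "$DEMO_TOKEN" sub)"
echo "expires: $(jwt_claim "$DEMO_TOKEN" exp) (epoch seconds)"
if jwt_valid_at "$DEMO_TOKEN" "$(date +%s)"; then
  echo "token is still valid"
else
  echo "token has expired; request a new one before shipping this kubeconfig"
fi
# In real use: redirect this to a file, chmod 600 it, and store it as a CI secret.
make_sa_kubeconfig prod "$SERVER" "$CA_B64" production app-sa "$DEMO_TOKEN"
```

The subject check matters more than it looks: a token whose sub is not the ServiceAccount you expect (or whose exp is far in the future) is the signal that someone handed you a long-lived or wrong-identity credential. The namespace in the context only sets kubectl's default; the RBAC bound to the ServiceAccount still decides what the token can do.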
6. Network policy
RBAC controls who can talk to the API server; it says nothing about traffic between pods. Use NetworkPolicy to restrict traffic between namespaces. The policy below selects every pod in production (an empty podSelector) and, because it lists an Ingress rule, admits inbound traffic only from pods in namespaces labelled env=production and drops all other ingress. A policy with policyTypes: [Ingress] and no ingress entries at all would be a true deny-all-ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-production-only
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: production
Three caveats. namespaceSelector matches labels on the Namespace object, so this relies on the env: production label set in 1.2 and would also admit any other namespace carrying that label; to allow only same-namespace traffic, use a from entry with podSelector: {} and no namespaceSelector. Egress is not listed under policyTypes, so outbound traffic stays unrestricted. And NetworkPolicy is enforced by the CNI plugin: on a network plugin without policy support the object is accepted and silently ignored.
7. Checking permissions
kubectl auth can-i asks the API server to evaluate a request against the RBAC rules in force, so it is the quickest way to confirm that a binding does what you intended. The --as flag also accepts system:serviceaccount:<namespace>:<name> to check a ServiceAccount; impersonating another identity requires the impersonate verb, which cluster-admin has.
# Check what the current identity may do
kubectl auth can-i create pods -n production
kubectl auth can-i delete deployments -n production
# Check as another identity
kubectl auth can-i create pods -n production --as alice
# List everything the current identity may do in the namespace
kubectl auth can-i --list -n production
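kubectl auth can-i --list answers for one identity at a time, and reading its table by eye is where over-grants slip through. The script below, an added example and not code from the original article, parses that table and flags rule lines that amount to namespace or cluster takeover: wildcard resources or verbs, reading Secrets, exec or port-forward into pods, creating pods or pod-creating controllers (which runs code under any ServiceAccount in the namespace), RBAC writes, token minting and impersonation. The table it parses is a constructed sample, not real cluster output; in practice pipe in kubectl auth can-i --list -n <namespace> --as system:serviceaccount:<namespace>:<name>.

```bash
#!/usr/bin/env bash
# Flag risky rules in the table printed by `kubectl auth can-i --list`.
# Added example; SAMPLE_CAN_I below is constructed, not real cluster output.
set -eu

# Decide whether one (resource, verb list) pair is dangerous. Prints a
# tab-separated "resource verbs reason" line for risky rules, nothing otherwise.
flag_rule() {
  local resource=$1 verbs=" $2 " reason=""
  case "$verbs" in *" * "*) reason="wildcard verb";; esac
  case "$resource" in
    '*'|'*.*')
      reason="wildcard resource";;
    secrets)
      case "$verbs" in *" get "*|*" list "*|*" watch "*) reason="can read Secrets";; esac;;
    pods|deployments.apps|daemonsets.apps|statefulsets.apps|replicasets.apps|jobs.batch|cronjobs.batch)
      case "$verbs" in *" create "*|*" update "*|*" patch "*) reason="can run pods under any ServiceAccount in the namespace";; esac;;
    pods/exec|pods/attach|pods/portforward)
      case "$verbs" in *" create "*) reason="code execution or tunnelling into running pods";; esac;;
    serviceaccounts/token)
      case "$verbs" in *" create "*) reason="can mint tokens for other ServiceAccounts";; esac;;
    roles.rbac.authorization.k8s.io|rolebindings.rbac.authorization.k8s.io|clusterroles.rbac.authorization.k8s.io|clusterrolebindings.rbac.authorization.k8s.io)
      case "$verbs" in *" create "*|*" update "*|*" patch "*|*" bind "*|*" escalate "*) reason="can grant permissions (RBAC write)";; esac;;
    users|groups|serviceaccounts|uids|userextras/*)
      case "$verbs" in *" impersonate "*) reason="impersonation";; esac;;
  esac
  if [ -n "$reason" ]; then printf '%s\t%s\t%s\n' "$resource" "$2" "$reason"; fi
}

# Parse the can-i table from stdin. Column 1 is the resource; the last
# bracketed column is the verb list. The header row and non-resource URL rows
# (empty first column, so the first field starts with "[") are skipped.
audit_can_i() {
  awk 'NR > 1 && $1 !~ /^\[/ {
         sub(/[[:space:]]+$/, "")
         if (match($0, /\[[^]]*\]$/)) print $1, substr($0, RSTART + 1, RLENGTH - 2)
       }' | while read -r resource verbs; do
    flag_rule "$resource" "$verbs"
  done
}

# Constructed sample in the layout of `kubectl auth can-i --list -n production`
# for a subject holding the developer Role plus read access to Secrets.
SAMPLE_CAN_I='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get list watch create update patch delete]
pods/exec                                       []                  []               [get create]
pods/log                                        []                  []               [get]
secrets                                         []                  []               [get list]
configmaps                                      []                  []               [get list watch]
deployments.apps                                []                  []               [get list watch create update patch delete]
                                                [/healthz /version] []               [get]'

# Demo over the constructed sample. In practice:
#   kubectl auth can-i --list -n production --as system:serviceaccount:production:app-sa | audit_can_i
printf '%s\n' "$SAMPLE_CAN_I" | audit_can_i
```

Run it for every ServiceAccount in a namespace and for each human binding; an application identity that shows anything other than a handful of get/list/watch rows on its own resources is a candidate for a narrower Role. The selfsubject* rows are granted to every authenticated user by default and are deliberately not flagged.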
8. Common problems
"Forbidden" errors
When a request is denied, list the bindings that apply in the namespace and read what their Roles actually allow. Remember that a RoleBinding whose roleRef names a Role that does not exist in that namespace is accepted without error and grants nothing:
kubectl describe rolebinding -n production
kubectl get role -n production -o yaml
Namespace stuck in Terminating
A namespace stays in Terminating while some object in it still carries a finalizer that no controller is processing; the namespace's status.conditions names the resource types that remain. kubectl get all covers only a handful of built-in kinds, so enumerate every namespaced resource type:
kubectl get all -n stuck-namespace
kubectl api-resources --verbs=list --namespaced -o name | xargs -n 1 kubectl get --show-kind --ignore-not-found -n stuck-namespace
Summary
Namespaces and RBAC are the foundation of Kubernetes access control. Dividing the cluster into namespaces and granting each identity only the Roles it needs gives you tenant isolation and least privilege, provided resource quotas and NetworkPolicy back the namespace boundary. Combined with persistent storage and deployment strategies, this is the basis of a secure and reliable container platform.