建立用户相关操作

创建证书

# Generate the client private key inside a subshell with umask 077 so the key
# file is created readable by its owner only; the umask change does not leak
# into the calling shell.
(umask 077; openssl genrsa -out testuser.key 2048)
# CSR with CN=testuser; the API server takes the username from the CN (group
# membership would come from O= entries, none are set here).
openssl req -new -key testuser.key -out testuser.csr -subj "/CN=testuser"
# Sign with the cluster CA (needs read access to ca.key, i.e. root on the
# control plane). -CAcreateserial writes a serial file next to the CA cert.
# NOTE(review): 3650 days is ten years, and the API server does not consult
# CRLs, so a leaked client certificate cannot be revoked before it expires;
# consider a much shorter -days value.
openssl x509 -req -in testuser.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out testuser.crt -days 3650
# Print the issued certificate to verify subject, issuer and validity period.
openssl x509 -in testuser.crt -text -noout

把用户账户信息添加到k8s集群中

# --embed-certs=true base64-embeds testuser.crt and testuser.key into the
# kubeconfig, so the kubeconfig file now contains the private key and must be
# protected like one.
kubectl config set-credentials testuser --client-certificate=./testuser.crt --client-key=./testuser.key --embed-certs=true
User "testuser" set.

创建上下文，设置该用户所访问的集群

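# Create the context once: the original listing repeated this command, and the
# second run only re-sets the same values (kubectl reports the context as
# "modified" instead of "created").
kubectl config set-context testuser@kubernetes --cluster=kubernetes --user=testuser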
Context "testuser@kubernetes" created.

切换至testuser用户

# Switch kubectl to the new user; every following command runs as testuser.
kubectl config use-context testuser@kubernetes

验证权限

# No RBAC binding exists for testuser yet, so expect the API server to deny
# this request (Forbidden); the page does not show the output.
kubectl get pods

切换成管理员

# Back to the admin context so the RBAC manifests below can be applied.
kubectl config use-context kubernetes-admin@kubernetes

创建并提交如下3个yaml文件
1.创建 serviceaccount.yaml

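---
# ServiceAccount "testuser" in the "test" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testuser
  namespace: test

---
# Role is namespaced: without metadata.namespace it would be created in the
# current kubeconfig namespace rather than in "test", where the ServiceAccount
# lives. rbac.authorization.k8s.io/v1beta1 is deprecated (removed in
# Kubernetes 1.22); v1 has the same schema.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testuser
  namespace: test
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
# NOTE(review): "create" on pods/exec allows running commands inside any pod
# of the namespace, and "get" on secrets reads every secret in it; grant these
# only if the user genuinely needs them.
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

---
# Binds the ServiceAccount to the Role above, in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testuser
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testuser
subjects:
- kind: ServiceAccount
  name: testuser
  # namespace is mandatory for ServiceAccount subjects; the API server rejects
  # the binding without it.
  namespace: test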

2.编辑role.yaml

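# Role "testuser-reader" in namespace "test".
# rbac.authorization.k8s.io/v1beta1 is deprecated (removed in Kubernetes 1.22);
# v1 has the same schema.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test
  name: testuser-reader
# The original file listed "rules:" twice; a duplicated mapping key is either
# rejected or silently collapsed depending on the YAML parser.
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  # NOTE(review): "create" on pods/exec allows running commands inside any pod
  # of the namespace, and "get" on secrets reads every secret in it; grant
  # these only if the user genuinely needs them.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  # Jobs are served by the "batch" API group; "externsions" was a typo, and the
  # "extensions" group no longer serves jobs, so it is dropped.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get","list","watch","create", "update","patch","delete"]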

3.编辑role-binding.yaml

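# Binds the X.509 user "testuser" (the certificate CN) to Role
# testuser-reader in namespace "test".
# rbac.authorization.k8s.io/v1beta1 is deprecated (removed in Kubernetes 1.22);
# v1 has the same schema.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: test
subjects:
- kind: User
  name: testuser   # must match the CN of the client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: testuser-reader
  apiGroup: rbac.authorization.k8s.io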

切换到 testuser，再次测试其对 test 命名空间是否有访问权限
# Re-test as testuser now that the RoleBinding in namespace "test" exists.
kubectl config use-context testuser@kubernetes
Switched to context "testuser@kubernetes".
[root@master1 root]# kubectl get pods -n test
NAME READY STATUS RESTARTS AGE
bizpig-5d88bbccc-68rlp 1/1 Running 0 98s
bizpig-5d88bbccc-lj9l9 1/1 Running 0 98s
此时 testuser 已经具有对 test 命名空间的读取权限。

最后修改日期: 2021年4月1日
