Creating a k8s User Account
Creating a normal user with openssl
Preparation
mkdir /root/pki/    # copy the k8s CA certificate and key (ca.pem, ca-key.pem) into this directory
cp /opt/kubernetes/ssl/ca-key.pem /root/pki/
cp /opt/kubernetes/ssl/ca.pem /root/pki/
I. Create the certificate
1. Create the user's private key
(umask 077; openssl genrsa -out dev.key 2048)    # umask 077 keeps the key file readable by its owner only
2. Create the certificate signing request
O = organization (the API server maps it to the user's group), CN = user name
openssl req -new -key dev.key -out dev.csr -subj "/O=k8s/CN=dev"
3. Sign the certificate
openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dev.crt -days 365
Signature ok
subject=/O=k8s/CN=dev
II. Create the configuration file
kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE             # cluster configuration
kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE    # user configuration
kubectl config set-context                                            # context configuration
kubectl config use-context                                            # switch context
* --embed-certs=true embeds the certificate contents in the configuration file instead of referencing the certificate files by path; kubectl config view hides that embedded data rather than printing it.
* --kubeconfig=/root/dev.conf creates a new configuration file. Without this option the entries are added to .kube/config in the home directory, and use-context can then switch between users for managing the k8s cluster.
* A context is simply which user manages which cluster, i.e. the combination of a user and a cluster.
Create the cluster entry
kubectl config set-cluster k8s --server=https://192.168.124.61:6443 \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --kubeconfig=/root/dev.conf
Create the user entry
kubectl config set-credentials dev \
  --client-certificate=dev.crt \
  --client-key=dev.key \
  --embed-certs=true \
  --kubeconfig=/root/dev.conf
Create the context entry
kubectl config set-context dev@k8s \
  --cluster=k8s \
  --user=dev \
  --kubeconfig=/root/dev.conf
Switch context
kubectl config use-context dev@k8s --kubeconfig=/root/dev.conf
kubectl config view --kubeconfig=/root/dev.conf
Create the system user
useradd dev
mkdir -p /home/dev/.kube
cp /root/dev.conf /home/dev/.kube/config
chown -R dev:dev /home/dev/
su - dev
Verify against k8s
kubectl get pod
At this point the command fails because no permission binding has been created yet (the certificate authenticates the user dev, but RBAC has not granted it anything).
Create a Role
root@k8s-master:~# cat > pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader    # no namespace given, so it is created in the current namespace (default)
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
Create a RoleBinding
Bind user dev to the role pods-reader
root@k8s-master:~# cat > test-pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cbmljs-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
EOF
At this step the permissions can be verified:
kubectl get pod
We can view the pods in the default namespace, but pods in other namespaces cannot be viewed.
Create a ClusterRole
root@k8s-master:~# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
Create a ClusterRoleBinding
root@k8s-master:~# cat cbmljs-read-all-pod.yaml
apiVersion: rbac.authorization.k8s.io/v1    # v1beta1 was removed in Kubernetes 1.22; use v1
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
Verify the result
kubectl get pod --all-namespaces
Now the pods in all namespaces are visible.
Binding permissions to a specific namespace
The following method can also be used for the binding.
kubectl get clusterrole    # list the built-in cluster roles
kubectl create rolebinding devuser-admin-rolebinding --clusterrole=admin --user=devuser --namespace=dev
  devuser-admin-rolebinding: name of the RoleBinding
  admin: name of the ClusterRole; admin has the highest permissions in every k8s namespace
  devuser: the user that receives admin's permissions
  dev: the scope is limited to the dev namespace
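To make the scoping of these bindings concrete, here is an added example (my code, not the post's or the Kubernetes project's): a minimal model of the RBAC authorizer run over the page's Role, RoleBinding, ClusterRole and ClusterRoleBinding, rewritten as Python dicts so it runs without a cluster or a YAML library. It also covers the kubectl create rolebinding --clusterrole=admin --namespace=dev case above, using a constructed stand-in for the admin ClusterRole (the real one is aggregated and much larger). The CN-to-user and O-to-group mapping in identity_from_subject is real API server behaviour; the object dicts, stage names and function names are this example's own assumptions.

```python
"""Added example, not code from the original post: a minimal model of the
Kubernetes RBAC authorizer, run over the page's manifests rewritten as dicts.
The 'admin' ClusterRole below is a constructed stand-in, not the built-in one."""


def identity_from_subject(subject):
    """Map an X.509 subject as openssl prints it ('/O=k8s/CN=dev') to the
    identity the API server derives from a client certificate:
    CN is the user name, every O is a group."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups


def _has(values, wanted):
    return "*" in values or wanted in values


def rule_allows(rule, api_group, resource, verb):
    """A PolicyRule matches when each of its fields contains the value or '*'."""
    return (_has(rule["apiGroups"], api_group) and _has(rule["resources"], resource)
            and _has(rule["verbs"], verb))


def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False


def is_allowed(objects, user, groups, verb, resource, namespace, api_group=""):
    """True if some binding grants the request in `namespace`. A RoleBinding only
    applies in its own namespace, even when its roleRef is a ClusterRole (that is
    what the --clusterrole=admin --namespace=dev binding relies on); a
    ClusterRoleBinding applies in every namespace."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        b_ns = b["metadata"].get("namespace")
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue
        ref = b["roleRef"]
        role = roles.get((ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


READ_PODS = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
DEV = [{"kind": "User", "name": "dev"}]
# Stage 1 on the page: Role + RoleBinding, both in the default namespace.
STAGE1 = [
    {"kind": "Role", "metadata": {"name": "pods-reader", "namespace": "default"}, "rules": READ_PODS},
    {"kind": "RoleBinding", "metadata": {"name": "cbmljs-pods-reader", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "pods-reader"}, "subjects": DEV},
]
# Stage 2: ClusterRole + ClusterRoleBinding, effective in all namespaces.
STAGE2 = STAGE1 + [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-reader"}, "rules": READ_PODS},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "billy-read-all-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"}, "subjects": DEV},
]
# Stage 3: kubectl create rolebinding ... --clusterrole=admin --user=devuser --namespace=dev
# (the 'admin' rules are a constructed stand-in for the built-in aggregated role).
STAGE3 = STAGE2 + [
    {"kind": "ClusterRole", "metadata": {"name": "admin"},
     "rules": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "devuser-admin-rolebinding", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"}, "subjects": [{"kind": "User", "name": "devuser"}]},
]


def demo():
    """Run the checks the page performs by hand with `kubectl get pod`."""
    user, groups = identity_from_subject("/O=k8s/CN=dev")
    return {
        "stage1 dev list pods default": is_allowed(STAGE1, user, groups, "list", "pods", "default"),
        "stage1 dev list pods kube-system": is_allowed(STAGE1, user, groups, "list", "pods", "kube-system"),
        "stage1 dev delete pods default": is_allowed(STAGE1, user, groups, "delete", "pods", "default"),
        "stage2 dev list pods kube-system": is_allowed(STAGE2, user, groups, "list", "pods", "kube-system"),
        "stage3 devuser delete pods dev": is_allowed(STAGE3, "devuser", [], "delete", "pods", "dev"),
        "stage3 devuser delete pods default": is_allowed(STAGE3, "devuser", [], "delete", "pods", "default"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

On a live cluster the same questions are answered by kubectl auth can-i, for example kubectl auth can-i list pods -n kube-system --as dev, which is the check worth running before handing the kubeconfig to the user.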
Extension:
kubectl api-resources lists the apiGroups
Example:
Create a cluster role
cat clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces", "namespaces/status"]
  verbs: ["*"]    # ['*'] with single quotes works as well
- apiGroups: ["", "apps", "extensions", "apiextensions.k8s.io"]
  resources: ["role", "replicasets", "deployments", "customresourcedefinitions", "configmaps"]
  verbs: ["*"]    # note: the RBAC resource is "roles" (plural, in apiGroup rbac.authorization.k8s.io), so the "role" entry here matches nothing
Cluster binding
[root@master role]# cat test-classbind.yaml
apiVersion: rbac.authorization.k8s.io/v1    # v1beta1 was removed in Kubernetes 1.22; use v1
kind: ClusterRoleBinding
metadata:
  name: test-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
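The test-clusterrole above is bound cluster-wide, so every wildcard and every pods/exec grant in it applies to all namespaces. As an added example (my code, not the post's), the audit below walks a rule list and flags the grants that matter most from a security standpoint: wildcard verbs or resources, command execution via pods/exec, write access to RBAC objects, secret reads, and dead verbs on read-only subresources such as pods/log. The rule lists inside are the page's pods-reader and test-clusterrole manifests rewritten as Python dicts, and the finding codes are this script's own naming.

```python
"""Added example, not code from the original post: audit a list of RBAC
PolicyRules for over-broad grants. The rule lists are constructed copies of
the page's manifests as dicts, so the check runs without a cluster."""

# Verbs that change state. Granting them on RBAC objects lets a subject hand out
# permissions; granting them on pods/exec lets it run commands inside containers.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
# Subresources that only serve GET; any other verb on them is dead configuration.
READ_ONLY_SUBRESOURCES = {"pods/log"}


def audit_rules(rules, binding_kind="ClusterRoleBinding"):
    """Return (code, rule_index, detail) findings for a rule list.

    binding_kind says how the role is bound: via a ClusterRoleBinding every
    finding is cluster-wide, via a RoleBinding it is confined to one namespace."""
    scope = "cluster-wide" if binding_kind == "ClusterRoleBinding" else "one namespace"
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule["verbs"])
        resources = set(rule["resources"])
        groups = set(rule["apiGroups"])
        if "*" in verbs:
            findings.append(("wildcard-verbs", i, f"all verbs on {sorted(resources)} ({scope})"))
        if "*" in resources or "*" in groups:
            findings.append(("wildcard-resources", i, f"wildcard resource or apiGroup ({scope})"))
        if "pods/exec" in resources and verbs & WRITE_VERBS:
            findings.append(("pods-exec-create", i, f"command execution in pods ({scope})"))
        if resources & RBAC_RESOURCES and verbs & WRITE_VERBS:
            findings.append(("rbac-write", i, f"can modify RBAC objects ({scope})"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append(("secrets-read", i, f"can read secrets ({scope})"))
        dead = resources & READ_ONLY_SUBRESOURCES
        if dead and verbs - {"get"}:
            findings.append(("dead-verbs", i, f"{sorted(dead)} only supports get; other verbs match nothing"))
    return findings


def finding_codes(rules, binding_kind="ClusterRoleBinding"):
    """Distinct finding codes for a rule list, sorted for stable comparison."""
    return sorted({code for code, _, _ in audit_rules(rules, binding_kind)})


# pods-reader from the page: read-only on pods, expected to be clean.
PODS_READER_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

# test-clusterrole from the page, bound cluster-wide by test-all-pods.
TEST_CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["namespaces", "namespaces/status"], "verbs": ["*"]},
    # "role" is not a resource name (the resource is "roles", in rbac.authorization.k8s.io),
    # so that entry grants nothing; the wildcard verbs on the rest are still flagged.
    {"apiGroups": ["", "apps", "extensions", "apiextensions.k8s.io"],
     "resources": ["role", "replicasets", "deployments", "customresourcedefinitions", "configmaps"],
     "verbs": ["*"]},
]

if __name__ == "__main__":
    for code, idx, detail in audit_rules(TEST_CLUSTERROLE_RULES):
        print(f"rule[{idx}] {code}: {detail}")
```

Run against the page's own manifests, pods-reader produces no findings while test-clusterrole is flagged for wildcard verbs (two rules), pods/exec with create, and the dead write verbs on pods/log; pass binding_kind="RoleBinding" when the same role is bound with a namespaced RoleBinding so the detail strings report the narrower scope.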
Reference:
https://blog.csdn.net/cbmljs/article/details/102953428