https://kubernetes.io/docs/reference/access-authn-authz/rbac/
kubectl create serviceaccount user1 -nchuan
serviceaccount/user1 created root@slave002:~/role# kubectl get secrets -nchuan NAME TYPE DATA AGE default-token-j5xbb kubernetes.io/service-account-token 3 27h user1-token-m8h8t kubernetes.io/service-account-token 3 6
root@slave002:~/role# cat user1_role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: chuan name: user1-role rules: - apiGroups: ["*"] resources: ["pods/exec"] verbs: ["*"] ##RO-Role #verbs: ["get", "list", "watch", "create"] - apiGroups: ["*"] resources: ["pods"] #verbs: ["*"] ##RO-Role verbs: ["get", "list", "watch"] - apiGroups: ["apps/v1"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ##RO-Role #verbs: ["get", "watch", "list"]
root@slave002:~/role# kubectl get Role -nchuan NAME CREATED AT user1-role
root@slave002:~/role# cat user1_role_bind.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: role-bind-chuan namespace: chuan subjects: - kind: ServiceAccount name: user1 namespace: chuan roleRef: kind: Role name: user1-role apiGroup: rbac.authorization.k8s.io
root@slave002:~/role# kubectl get RoleBinding -nchuan NAME ROLE AGE role-bind-chuan Role/user1-role 32s
root@slave002:~/role# kubectl describe secrets user1-token-m8h8t -nchuan Name: user1-token-m8h8t Namespace: chuan Labels: <none> Annotations: kubernetes.io/service-account.name: user1 kubernetes.io/service-account.uid: b929fc62-fa9c-482d-ac24-ca70cfec5d8e Type: kubernetes.io/service-account-token Data ==== token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ikc1YlhjN0w1SkJhcmRIWkdwRnBzMlM2NFh4dWxWZ0hkVXVwU0I3dWtFWEEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjaHVhbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ1c2VyMS10b2tlbi1tOGg4dCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ1c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImI5MjlmYzYyLWZhOWMtNDgyZC1hYzI0LWNhNzBjZmVjNWQ4ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaHVhbjp1c2VyMSJ9.BIsBsRAMgKcb8keG-_-2MsSNpIMZtqErzw4bA0_QCzQJYpwAS7xbSCkW2E4YrwnGcXDgTyMljYoayopZwxQrqGqxGY-zvaCzn-uRc3r5h8h2ENidVFDqxtNmhyXXokB-mZ-4ZR1ivqHpXqJN_0CfrTxJTFYI6yIoOt8V0STRUOjWCkhITmhsqvTbj9Ct8YJBUCND7RfJvMOCnfiI2epnCt37TJFCjlpBHy0dc-5H8BCB--2QU5guiNBz9uoPUWg8HowbNIFgCngqsRs4smHCdud7kTkhhA2ZAiw8vlVIoBNoa2DHEr_eVgG1AlTCRjHHqxlEkWVyWoXt95oegvt8Tw ca.crt: 1350 bytes namespace: 5 bytes
验证,无删除权限
root@slave002:~/role# cat user1_role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: chuan name: user1-role rules: #- apiGroups: ["*"] # resources: ["pods/exec"] # verbs: ["*"] ##RO-Role #verbs: ["get", "list", "watch", "create"] - apiGroups: ["*"] resources: ["pods"] #verbs: ["*"] ##RO-Role verbs: ["get", "list", "watch"] - apiGroups: ["apps/v1"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ##RO-Role #verbs: ["get", "watch", "list"]
验证无创建pod权限
二:基于kube-config文件登录
1:创建csr文件:
root@slave002:~/pem# cat user1-csr.json { "CN": "China", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] }
2,签发证书
root@slave002:~/pem# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/etc/kubeasz/clusters/k8s-01/ssl/ca-config.json -profile=kubernetes user1-csr.json | cfssljson -bare user1
root@slave002:~/pem# ls user1-csr.json user1-key.pem user1.csr user1.pem
3:生成普通用户kubeconfig文件
root@slave002:~/pem# kubectl config set-cluster cluster1 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://192.168.192.153:6443 --kubeconfig=user1.kubeconfig
4:设置客户端认证参数:
# cp *.pem /etc/kubernetes/ssl/ # kubectl config set-credentials user1 \ --client-certificate=/etc/kubernetes/ssl/user1.pem \ --client-key=/etc/kubernetes/ssl/user1-key.pem \ --embed-certs=true \ --kubeconfig=user1.kubeconfig
5:设置上下文参数
kubectl config set-context cluster1 \ --cluster=cluster1 \ --user=user1 \ --namespace=chuan \ --kubeconfig=user1.kubeconfig
6,验证