Creating a Kubernetes User with RBAC Authorization

  [root@k8s186 rbac]# vim usertest-csr.json
{
    "CN": "usertest",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

 

Generate the certificate:
  export KUBE_APISERVER="https://192.168.70.186:6443"
  ./cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /apps/rbac/usertest-csr.json | ./cfssljson -bare usertest

Set cluster parameters:
  kubectl config set-cluster kubernetes --certificate-authority=/apps/conf/kubernetes/ssl/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=usertest.kubeconfig

Set client authentication parameters:
  kubectl config set-credentials usertest --client-certificate=/apps/rbac/usertest.pem --client-key=/apps/rbac/usertest-key.pem --embed-certs=true --kubeconfig=usertest.kubeconfig

Set context parameters:
  kubectl config set-context kubernetes --cluster=kubernetes --user=usertest --namespace=test --kubeconfig=usertest.kubeconfig

Set the default context:
  kubectl config use-context kubernetes --kubeconfig=usertest.kubeconfig

  mkdir /home/usertest/.kube
  cp -f usertest.kubeconfig /home/usertest/.kube/config
  kubectl create rolebinding usertest-binding --clusterrole=test --user=usertest --namespace=test

Method 2:
  (umask 077; openssl genrsa -out gpu.key 2048)
  openssl req -new -key gpu.key -out gpu.csr -subj "/CN=gpu"
  openssl x509 -req -in gpu.csr -CA /apps/conf/kubernetes/ssl/ca.crt -CAkey /apps/conf/kubernetes/ssl/ca.key -CAcreateserial -out gpu.crt -days 3650
  openssl x509 -in gpu.crt -text -noout

  export KUBE_APISERVER="https://192.168.70.186:6443"
  kubectl config set-cluster cluster.local --certificate-authority=/apps/conf/kubernetes/ssl/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=gpu.kubeconfig
  kubectl config set-credentials gpu --client-certificate=/root/gpu.crt --client-key=/root/gpu.key --embed-certs=true --kubeconfig=gpu.kubeconfig
  kubectl config set-context gpu@cluster.local --cluster=cluster.local --user=gpu --namespace=test --kubeconfig=gpu.kubeconfig
  kubectl config use-context gpu@cluster.local --kubeconfig=gpu.kubeconfig

  mkdir /home/gpu/.kube
  cp -f gpu.kubeconfig /home/gpu/.kube/config
  chown gpu:gpu /home/gpu/.kube/config
  kubectl create rolebinding gpu-binding --clusterrole=admin --user=gpu --namespace=test

Extras:
  Switch user:
    kubectl config use-context gpu@kubernetes
  Verify permissions:
    kubectl get pods
  Switch to the administrator:
    kubectl config use-context kubernetes-admin@kubernetes
  List all users:
    kubectl config get-contexts
  List cluster roles:
    kubectl get ClusterRole
  List service accounts:
    kubectl get serviceAccount
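An added example, not part of the original post: with client-certificate authentication the API server takes the user name from the certificate's CN and the groups from its O fields, so usertest-csr.json above yields user usertest in group k8s, and the --user in the RoleBinding must match the CN. The POSIX shell helpers below (function names are this example's own; the sample subjects are constructed) map a subject in RFC 2253 form to that identity and flag reserved system: names before a CSR is signed.

```shell
#!/bin/sh
# Added example: which Kubernetes identity does a client certificate carry?
# Assumption: attribute values contain no escaped commas.

# k8s_identity SUBJECT
# Prints "user=<CN>" and one "group=<O>" line per O attribute.
# Runs in a subshell so the IFS and globbing changes do not leak.
k8s_identity() (
    subject=${1#subject=}      # drop the "subject=" prefix openssl prints
    IFS=','
    set -f                     # no filename expansion while splitting
    for rdn in $subject; do
        rdn=${rdn# }           # tolerate "CN=a, O=b" spacing
        case $rdn in
            CN=*) echo "user=${rdn#CN=}" ;;
            O=*)  echo "group=${rdn#O=}" ;;
        esac
    done
)

# identity_warnings SUBJECT
# Returns 1 and prints a warning for identities that should not be
# handed to an ordinary user; returns 0 otherwise.
identity_warnings() {
    _rc=0
    while IFS= read -r _line; do
        case $_line in
            group=system:masters)
                echo "WARN: system:masters is not restricted by RBAC"
                _rc=1 ;;
            group=system:*|user=system:*)
                echo "WARN: reserved system: identity ($_line)"
                _rc=1 ;;
        esac
    done <<EOF
$(k8s_identity "$1")
EOF
    return $_rc
}

# Against a real certificate (needs openssl):
#   identity_warnings "$(openssl x509 -in usertest.pem -noout -subject -nameopt RFC2253)"

# Constructed subject matching usertest-csr.json
k8s_identity 'subject=CN=usertest,OU=System,O=k8s,L=BeiJing,ST=BeiJing,C=CN'
```
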
