List the RBAC-related resource definitions:

kubectl api-resources | grep rbac

clusterrolebindings    rbac.authorization.k8s.io
clusterroles           rbac.authorization.k8s.io
rolebindings           rbac.authorization.k8s.io
roles                  rbac.authorization.k8s.io
How a Kubernetes user is created

Create the key and certificate the user needs

# Generate the private key (1024-bit RSA as in the original; 2048 bits or more is the usual minimum today)
openssl genrsa -out devproject.key 1024
# Generate the certificate signing request; the API server maps CN to the username and O to the group
openssl req -new -key devproject.key -out devproject.csr -subj '/CN=devproject/O=kubeusers'
# Issue the certificate by signing the request with the Kubernetes cluster CA
openssl x509 -req -in devproject.csr -out devproject.crt \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 3650
Create the kubeconfig file needed for user authentication

A kubeconfig consists of three main parts: cluster info, user info, and context. Their relationship is shown in the figure below:

Set up the kubeconfig file

# Set the cluster entry in the kubeconfig (API server address and the cluster CA, embedded)
kubectl config set-cluster kubernetes --kubeconfig=./devproject.kubeconfig \
  --server="https://192.168.240.142:6443" --embed-certs=true \
  --certificate-authority=/etc/kubernetes/pki/ca.crt
# Set the user entry with the key/cert used for client-certificate authentication
kubectl config set-credentials devproject --kubeconfig=./devproject.kubeconfig \
  --embed-certs=true --client-certificate ./devproject.crt --client-key ./devproject.key
# Set the context (binds the user to the cluster)
kubectl config set-context devproject@kubernetes --cluster='kubernetes' --user='devproject' \
  --kubeconfig=./devproject.kubeconfig
# Make devproject@kubernetes the current context (equivalent to kubectl config use-context)
kubectl config set current-context devproject@kubernetes --kubeconfig=./devproject.kubeconfig
Check whether the devproject user configured above can be used
kubectl get pods --kubeconfig=./devproject.kubeconfig
At this point the server responds with:
Error from server (Forbidden): pods is forbidden: User "devproject" cannot list resource "pods" in API group "" in the namespace "default"
This shows that devproject has no permission to read pod resources in the default namespace. A matching Role and RoleBinding must be created for the devproject user.

Create the Role and RoleBinding

Creating the Role: getpodRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: getpodRole
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "get"
  - "list"
  - "watch"
Creating the RoleBinding: devprojectRolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devproject-getPodRoleBinding
  namespace: default
roleRef:
  kind: Role
  name: getpodRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: devproject
  apiGroup: rbac.authorization.k8s.io
Test again, fetching the pod resources in the default namespace as the devproject user:
kubectl get pod --kubeconfig=./devproject.kubeconfig