
RBAC授权

  1. [root@hdss7-200 rbac]# cat /data/k8s-yaml/base_resource/rbac/maxiaoke-user.yaml
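  # Namespace-scoped Role for user "maxiaoke": read-only (get/list) on pods and
  # services in the "app" namespace. No watch/create/update/delete verbs and no
  # pods/log or pods/exec subresources, so the holder can inspect workloads but
  # not change or attach to them. NOTE: get/list on pods still returns the full
  # Pod spec, including any env values written as plain literals.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: maxiaoke-role
    namespace: app
  rules:
    - apiGroups:
        - ""   # core API group (pods, services live here)
      resources:
        - pods
        - services
      verbs:
        - get
        - list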
  16. ---
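  # Binds maxiaoke-role to the User "maxiaoke" inside the "app" namespace only.
  # For X.509 client-cert authentication the User name is matched against the
  # certificate's CN (here "maxiaoke"); the O field becomes the user's group.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: maxiaoke-rolebinding
    namespace: app   # a RoleBinding grants access only within its own namespace
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: maxiaoke-role
  subjects:
    - apiGroup: rbac.authorization.k8s.io   # used for User/Group subjects (not ServiceAccount)
      kind: User
      name: maxiaoke   # must equal the client certificate CN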

创建必要的用户证书

  1. # kubectl 的配置文件读取顺序:--kubeconfig 参数指定 > $KUBECONFIG 环境变量指定 > ${HOME}/.kube/config
  2. # 此次以集群的CA证书为本,签署并创建一个新的 user account (注意: kube-apiserver 不支持证书吊销/CRL, 证书签出后在到期前一直可用于认证, 要收回权限只能删除对应的 RoleBinding/ClusterRoleBinding 或更换 CA)
  3. # 10.4.7.201 只拷贝了一个二进制命令 kubectl 到 /root/bin/ 下,未拷贝其它任何内容K8S配置
  4. [root@hdss7-200 ~]# cd /opt/certs
  5. [root@hdss7-200 certs]# cat maxiaoke-csr.json # 模仿 kubelet-csr.json 来修改. 注意: apiserver 把证书的 CN 作为用户名(对应 RoleBinding 中的 User "maxiaoke"), 把 O 作为用户组; 切勿把 O 写成 system:masters, 否则该用户直接拥有 cluster-admin 权限, RBAC 形同虚设. hosts(SAN) 对客户端证书认证没有作用, 可以留空
  6. {
  7. "CN": "maxiaoke",
  8. "hosts": [
  9. "127.0.0.1",
  10. "10.4.7.10",
  11. "10.4.7.21",
  12. "10.4.7.22",
  13. "10.4.7.23",
  14. "10.4.7.24",
  15. "10.4.7.25",
  16. "10.4.7.26",
  17. "10.4.7.27",
  18. "10.4.7.28"
  19. ],
  20. "key": {
  21. "algo": "rsa",
  22. "size": 2048
  23. },
  24. "names": [
  25. {
  26. "C": "CN",
  27. "ST": "beijing",
  28. "L": "beijing",
  29. "O": "od",
  30. "OU": "ops"
  31. }
  32. ]
  33. }
  34. [root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client maxiaoke-csr.json | cfssl-json -bare maxiaoke
  35. [root@hdss7-200 certs]# scp maxiaoke* ca.pem 10.4.7.201:/root/certs # 注意是 ca.pem(原文 ca.pam 为笔误, 与下文 --certificate-authority=/root/certs/ca.pem 对应); maxiaoke-key.pem 是用户私钥, 只发给该用户本人, 嵌入 kubeconfig 后即删除

创建config文件

  # 集群名称 myk8s 可以自定义. 注意: 注释不能写在续行符 \ 之后, 否则 \ 只转义了后面的空格, 续行失效, 下面的 --xxx 行会被当成独立命令执行
  1. [root@operate-7-201 ~]# kubectl config set-cluster myk8s \
  2. --certificate-authority=/root/certs/ca.pem \
  3. --embed-certs=true \
  4. --server=https://10.4.7.10:7443 \
  5. --kubeconfig=/root/.kube/config
  6. [root@operate-7-201 ~]# kubectl config set-credentials maxiaoke \
  7. --client-certificate=/root/certs/maxiaoke.pem \
  8. --client-key=/root/certs/maxiaoke-key.pem \
  9. --embed-certs=true \
  10. --kubeconfig=/root/.kube/config # --embed-certs=true 会把 maxiaoke-key.pem 私钥内容写进该文件, 请确认文件权限为 0600, 且不要随意分发
  11. [root@operate-7-201 ~]# kubectl config set-context myk8s-context \
  12. --cluster=myk8s \
  13. --user=maxiaoke \
  14. --kubeconfig=/root/.kube/config
  15. [root@operate-7-201 ~]# kubectl config use-context myk8s-context --kubeconfig=/root/.kube/config
  16. [root@operate-7-201 ~]# kubectl get pod # 预期被拒绝: Role 只授权了 app 名称空间, 对 default 名称空间没有任何权限
  17. Error from server (Forbidden): pods is forbidden: User "maxiaoke" cannot list resource "pods" in API group "" in the namespace "default"
  18. [root@operate-7-201 ~]# kubectl get svc -n app # 账户创建成功
  19. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  20. slb-s1 ClusterIP 192.168.219.15 <none> 80/TCP 6d21h
  21. slb-s2 ClusterIP 192.168.10.100 <none> 80/TCP 6d9h
  22. slb-s3 NodePort 192.168.1.125 <none> 80:3080/TCP 6d8h
  23. slb-s4 ClusterIP None <none> 80/TCP 6d6h
  24. [root@operate-7-201 ~]# rm -fr /root/certs # 证书与私钥已通过 --embed-certs 写入 kubeconfig, 删除散落在磁盘上的私钥文件
