kubernets 1.23 user account创建与角色及角色绑定
无说明的情况下,以下操作均在/etc/kubernetes/pki目录下执行root@master:/etc/kubernetes/pki# cd /etc/kubernetes/pki1,创建用户密钥root@master:/etc/kubernetes/pki# openssl genrsa -outleeqiand.key 2048Generating RSA private key, 20
无说明的情况下,以下操作均在/etc/kubernetes/pki目录下执行
root@master:/etc/kubernetes/pki# cd /etc/kubernetes/pki
1,创建用户密钥
root@master:/etc/kubernetes/pki# openssl genrsa -out leeqiand.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
...........................+++++
e is 65537 (0x010001)
2,创建证书签署请求
#CN= 用户名
root@master:/etc/kubernetes/pki# openssl req -new -key leeqiand.key -out leeqiand.csr -subj "/CN=leeqiand"
3,签署证书
root@master:/etc/kubernetes/pki# openssl x509 -req -in leeqiand.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out leeqiand.crt -days 365
Signature ok
subject=CN = leeqiand
Getting CA Private Key
查看生成的文件
root@master:/etc/kubernetes/pki# ls |grep leeqiand
leeqiand.crt
leeqiand.csr
leeqiand.key
4,创建kubeconfig文件
创建集群信息
--server根据实际信息填写即可
root@master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://10.0.2.2:6443 --kubeconfig=leeqiand.kubeconfig
Cluster "kubernetes" set.
root@master:/etc/kubernetes/pki# cat leeqiand.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data:
。。。。。。。。。。。。
server: https://10.0.2.2:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
创建用户
root@master:/etc/kubernetes/pki# kubectl config set-credentials leeqiand --client-certificate=/etc/kubernetes/pki/leeqiand.crt --client-key=/etc/kubernetes/pki/leeqiand.key --embed-certs=true --kubeconfig=leeqiand.kubeconfig
User "leeqiand" set.
创建context
root@master:/etc/kubernetes/pki# kubectl config set-context leeqiand@kubernetes --cluster=kubernetes --user=leeqiand --kubeconfig=leeqiand.kubeconfig
Context "leeqiand@kubernetes" created.
5,创建role以及rolebinding
(任意目录)
role以及rolebinding网上资料较多,仅做一简单范例
role:
root@master:~/kube/sa# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: lee
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "create", "update", "patch"]
rolebinding
root@master:~/kube/sa# cat rolebind.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mytest
namespace: default
subjects:
- kind: User
name: leeqiand
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: lee
apiGroup: rbac.authorization.k8s.io
创建:
root@master:~/kube/sa# kubectl create -f role.yaml
role.rbac.authorization.k8s.io/lee created
root@master:~/kube/sa# kubectl create -f rolebind.yaml
rolebinding.rbac.authorization.k8s.io/mytest created
root@master:~/kube/sa# kubectl get role,rolebinding
NAME CREATED AT
role.rbac.authorization.k8s.io/lee 2022-03-02T09:12:25Z
NAME ROLE AGE
rolebinding.rbac.authorization.k8s.io/mytest Role/lee 42s
6,将配置文件分发给普通用户
root@master:/etc/kubernetes/pki# cp leeqiand.kubeconfig /home/lee/.kube/config
root@master:/etc/kubernetes/pki# chown lee:lee /home/lee/.kube/config
切换到普通用户
root@master:/etc/kubernetes/pki# su - lee
lee@master:~$ cd .kube/
lee@master:~/.kube$ ls
config
lee@master:~/.kube$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
因为没指定current-context,手动修改config
lee@master:~/.kube$ vim config
contexts:
- context:
cluster: kubernetes
user: leeqiand
name: leeqiand@kubernetes
current-context: leeqiand@kubernetes
7,测试
由于我们授予了create权限,所以可以创建pod,但是并无delete权限,所以无法delete,由以下测试可以查看与预期相符
lee@master:~/.kube$ kubectl get pods
NAME READY STATUS RESTARTS AGE
dns 1/1 Running 22 (165m ago) 21d
lee@master:~/.kube$ kubectl run nginx --image=nginx
pod/nginx created
lee@master:~/.kube$ kubectl get pods
NAME READY STATUS RESTARTS AGE
dns 1/1 Running 22 (165m ago) 21d
nginx 1/1 Running 0 10s
lee@master:~/.kube$ kubectl delete pod nginx
Error from server (Forbidden): pods "nginx" is forbidden: User "leeqiand" cannot delete resource "pods" in API group "" in the namespace "default"
lee@master:~/.kube$
更多推荐
所有评论(0)