K8s新建用户制作证书绑定角色
role roulebind clustrrole clustrrloebinding
Kubeadm 创建的k8s集群默认证书有限期为三年,三年后会过期

Kubernetes创建一个集群用户连接API-Server 使用命令模式
#可以用现有用户kubernetes-admin@kubernetes的CA证书 【ca.crt ca.key】 去签署一个新创建的用户,进行绑定 文件默认路径/etc/Kubernetes/pki/

  1. 创建私钥
    cd /etc/Kubernetes/pki/
    openssl genrsa -out sunwenbo.key 2048

  2. 生成证书签署请求
    openssl req -new -key sunwenbo.key -out sunwenbo.csr -subj "/CN=sunwenbo"

  3. 用CA证书签证
    openssl x509 -req -in sunwenbo.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out sunwenbo.crt -days 365

  4. 查看签署后的证书内容
    openssl x509 -in sunwenbo.crt -text -noout

  5. 创建一个新的集群用户,使用自签证书和私钥 –embed-certs=true 将证书和私钥隐藏

kubectl config set-credentials sunwenbo --client-certificate=./sunwenbo.crt --client-key=./sunwenbo.key --embed-certs=true

kubectl config view #查看会多出一个users

  1. 设置上下文,让新建sunwenbo的用户也可以去访问kubernetes集群
    kubectl config set-context sunwenbo@kubernetes --cluster=Kubernetes --user=sunwenbo
    kubectl config view #查看会多出一个context

  2. 切换账号
    kubectl config use-context sunwenbo@kubernetes
    kubectl get pods
    #此时会提示 No resources found Error from server (forbiddent): pods is forbiddent: User “sunwenbo”cannot list pods in the namespace “default”
    #原因是我们只是有了一个可登录的用户,但是这个用户并没有任何权限。

1#创建一个自定义的集群
kubectl config set-cluster mycluster --kubeconfig=/tmp/mycluster.conf --server="192.168.10.231:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
#查看自定义集群的信息
kubectl config view --kubeconfig=/tmp/mycluster.conf

创建role角色和绑定

  1. 创建一个role
    kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml >role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
  createionTimestamp: null
  name: pods-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch
kubectl apply -f role.yaml
kubectl get role
    kubectl describe role pods-reader
  1. 创建一个rolebinding,将角色绑定到一个用户
    kubectl create rolebinding sunwenbo-read-pods --role=pods-reader --user=sunwenbo --dry-run -o yaml >rolebanging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
   creationTimestamp: null
   name: sunwenbo-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kubectl apply -f rolebanging.yaml
kubectl describe rolebinding sunwenbo-read-pods  #查看详细内容
  1. 切换用户验证
    kubectl config use-context sunwenbo@kubernetes
    kubect get pod #只能查看default 名称空间下的资源,如果是其他名称空间,创建role时指定namespace 即可

创建clusterrole可以访问所有名称空间

  1. 创建clusterrole
    kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > cluster.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch
kubectl apply -f cluster.yaml
kubectl  get clusterrole | grep cluster-reader
kubectl  describe  clusterrole cluster-reader
  1. 绑定role
    #如果这个用户已经绑定了其他role需要将rolebanding删掉,删除立即生效
    kubectl delete rolebinding sunwenbo-read-pods

kubectl create clusterrolebinging admin-read-pods --clusterrole=cluster-reder --user=sunwenbo --dry-run -o yaml > clusterrolebinging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
   name: admin-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cluster-reder
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: sunwenbo
  1. 切换用户验证
    kubectl config use-context sunwenbo@kubernetes
    kubect get pod #可以查看所有名称空间下的资源,但是只有get,list,watch权限

#rolebinding绑定clusterbinding,clusterbinding会自动降级,跟随rolebinding定义的权限规则

#给用户绑定系统默认role,可以指定拥有某个名称空间的权限
kubectl create rolebinging default-ns-admin --clusterrole=admin –user=sunwenbo –dry -run -o yaml > default-user-banding.yaml

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐