Role: namespaced. Grants access to resources inside one namespace, such as pods, pods/log, pods/exec and deployments.

ClusterRole: not namespaced, so its reach is wider. Bound with a ClusterRoleBinding it applies in every namespace, and it can also grant cluster-scoped resources such as nodes, namespaces and persistentvolumes, plus non-resource URLs such as /healthz. A ClusterRole can also be referenced from a RoleBinding, in which case its rules apply only inside that binding's namespace.

Resource objects that can be granted (a name with a slash is a subresource, which a rule on the parent resource does not cover):

  • pods
  • pods/log
  • pods/exec
  • configmaps
  • deployments
  • nodes
  • secrets
  • namespaces

Verbs (the operations RBAC knows)

  • create
  • get
  • list
  • watch
  • update
  • patch
  • delete
  • deletecollection

Note: "edit" and "exec" are not RBAC verbs. kubectl edit needs get plus update or patch on the resource, and kubectl exec needs the create verb on the pods/exec subresource (the same holds for pods/attach and pods/portforward); reading logs needs get on pods/log. Treat create on pods/exec as code execution inside every pod of the scope, and update/patch on pods or deployments as the ability to run arbitrary images there: both are admin-equivalent within that namespace.

Role && RoleBinding

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: mynamespace
  name: example-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: mynamespace
subjects:
- kind: User
  name: example-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

ClusterRole && ClusterRoleBinding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-clusterrolebinding
subjects:
- kind: User
  name: example-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: example-clusterrole
  apiGroup: rbac.authorization.k8s.io

ServiceAccount && RoleBinding (a ServiceAccount subject carries a namespace field and no apiGroup; the binding below reuses the example-role defined above)

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: mynamespace
  name: example-sa
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-rolebinding
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: example-sa
  namespace: mynamespace
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Example:

# Create a user "ceshi" that can view pods and deployments in the jenkins namespace but has no update or other write permission on them

1> Create the user's private key and CSR with openssl

openssl genrsa -out ceshi.key 2048

openssl req -new -key ceshi.key -out ceshi.csr -subj "/CN=ceshi/O=ceshi"

# The API server takes the username from CN and the group(s) from O, so this certificate authenticates as user "ceshi" in group "ceshi"; the RBAC subject below must use exactly that name.

2> Sign the CSR with the cluster's root CA to produce the certificate

openssl x509 -req \
 -in ceshi.csr \
 -CA /etc/kubernetes/pki/ca.crt \
 -CAkey /etc/kubernetes/pki/ca.key \
 -CAcreateserial \
 -out ceshi.crt \
 -days 500

#-in: the CSR generated above
#-CA / -CAkey: the cluster's root CA certificate and key (kubeadm default paths). Anyone who can read ca.key can mint a certificate for any identity, including the system:masters group, so it must stay on the control plane.
#-out: output certificate file
#-days: validity period. Without it, openssl x509 defaults to 30 days, not an unlimited lifetime. Kubernetes does not check CRLs for client certificates, so a leaked or retired certificate stays valid until it expires: keep the lifetime short rather than long.

3> Set the client credentials

kubectl config set-credentials ceshi \
 --client-certificate=ceshi.crt \
 --client-key=ceshi.key \
 --embed-certs=true \
 --kubeconfig=kubectl.kubeconfig
#--embed-certs=true: stores the certificate and key base64-encoded inside the kubeconfig. Without it the file only records the paths, so copying /root/.kube/config to another machine also requires copying the key and certificate files. Either way the kubeconfig now holds a private key: keep it mode 600 and treat it as a credential.
#--kubeconfig=kubectl.kubeconfig: writes to that file instead of the default ~/.kube/config; every later kubectl command then needs the same flag.

4> Set the context

kubectl config set-context ceshi-context --cluster=kubernetes --namespace=kube-system --user=ceshi --kubeconfig=kubectl.kubeconfig
# --cluster must name a cluster entry that already exists in the kubeconfig. --namespace=kube-system is chosen here only so that step 7 shows the Forbidden error; for daily use set it to jenkins, the only namespace this user will be allowed to see.

5> Make it the current context (optional). If you skip this, pass --context=ceshi-context on every kubectl command, as the steps below do.

kubectl config use-context ceshi-context --kubeconfig=kubectl.kubeconfig

6> Inspect /root/.kube/config

cat /root/.kube/config
# The listing below is the default kubeconfig; if steps 3-5 were run with --kubeconfig=kubectl.kubeconfig, the new user and context live in that file instead.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 omitted>
    server: https://192.168.3.10:8443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: kube-system
    user: ceshi
  name: ceshi-context
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>
- name: ceshi
  user:
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>

# A new user entry, - name: ceshi, has been added

7> Test the user's permissions

kubectl get pods --context=ceshi-context 

Error from server (Forbidden): pods is forbidden: User "ceshi" cannot list resource "pods" in API group "" in the namespace "kube-system"
# Forbidden (HTTP 403) means authentication succeeded (the API server accepted the certificate and identified the user as "ceshi") but authorization failed: the user has no RBAC grant for pods in kube-system. If the certificate had not been signed by the cluster CA, the error would instead be Unauthorized (HTTP 401), "You must be logged in to the server".
# We need to create a Role/ClusterRole and bind it to this user with a RoleBinding/ClusterRoleBinding.

8> Create the Role and RoleBinding

# To grant access to resources in all namespaces, create a ClusterRole/ClusterRoleBinding instead

vim ceshi-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ceshi-role
  namespace: jenkins
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch"] # read-only, as the goal of this example requires. Adding create/update/patch/delete, or writing ["*"], would let the user change or replace the workloads. "extensions" is the legacy API group for deployments; on current clusters only "apps" is needed.

vim ceshi-rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ceshi-rolebinding
  namespace: jenkins
subjects:
- kind: User
  name: ceshi
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ceshi-role
  apiGroup: rbac.authorization.k8s.io
# The API server defaults an empty apiGroup to rbac.authorization.k8s.io for User/Group subjects and for roleRef, so "" is also accepted; spelling it out matches the templates above. roleRef is immutable once the binding exists: to point it at a different role, delete and recreate the binding.

kubectl apply -f . --context=kubernetes 

role.rbac.authorization.k8s.io/ceshi-role created
rolebinding.rbac.authorization.k8s.io/ceshi-rolebinding created

9> Verify that the binding works

 kubectl get pods -n jenkins --context=ceshi-context

NAME                      READY   STATUS    RESTARTS   AGE
jenkins-6b874b8d7-c4gkz   1/1     Running   5          334d

 kubectl get pods -n kube-system --context=ceshi-context

Error from server (Forbidden): pods is forbidden: User "ceshi" cannot list resource "pods" in API group "" in the namespace "kube-system"

# With ceshi-context the user can list pods in the jenkins namespace but not in kube-system, so the test passes. Also confirm the negative half of the goal: asking the API server with kubectl auth can-i whether ceshi may delete or update pods in jenkins must answer no, and an administrator can put the same question with --as=ceshi without switching kubeconfigs.
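The decisions exercised in step 7 and step 9, together with the Role/ClusterRole/verb rules from the top of the page, are reproduced below in a small offline model of the API server's RBAC matching. This is an added example, not code from the original page and not Kubernetes source: the page's ceshi-role (read-only), ceshi-rolebinding, example-clusterrole and example-sa are restated as Python dicts, while the exec-role Role, the ops group ClusterRoleBinding, the user alice and the audit criteria are assumptions. It shows why a rule on pods does not grant pods/exec, why a RoleBinding cannot reach kube-system, and which grants an auditor should treat as admin-equivalent.

```python
"""Offline model of how the Kubernetes API server evaluates RBAC (added example,
not code from the original page or from Kubernetes). It applies the documented
matching rules ('*' is the only wildcard, 'pods' does not cover 'pods/exec', a
RoleBinding confines even a ClusterRole to its own namespace) to this page's
objects restated as dicts. 'exec-role', the 'ops' group and the identities are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Identity:
    name: str
    groups: List[str] = field(default_factory=list)

def identity_from_x509(cn: str, orgs: List[str]) -> Identity:
    """Client-cert auth maps the subject CN to the username and each O to a group."""
    return Identity(cn, list(orgs) + ["system:authenticated"])

def _in(allowed_values, value) -> bool:
    return "*" in allowed_values or value in allowed_values

def rule_matches(rule: Dict, verb: str, api_group: str, resource: str, name: str = "") -> bool:
    """One PolicyRule against one request; `resource` may carry a subresource ('pods/exec')."""
    if not _in(rule.get("verbs", []), verb) or not _in(rule.get("apiGroups", []), api_group):
        return False
    if rule.get("resourceNames") and name not in rule["resourceNames"]:
        return False
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    # exact match, the full wildcard, or the '*/subresource' form; nothing else is a pattern
    return any(r == "*" or r == resource or (sub and r == "*/" + sub) for r in rule.get("resources", []))

def subject_matches(subject: Dict, who: Identity) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return who.name == name
    if kind == "Group":
        return name in who.groups
    if kind == "ServiceAccount":   # SA tokens authenticate as system:serviceaccount:<ns>:<name>
        return who.name == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False

def allowed(objects: List[Dict], who: Identity, verb: str, api_group: str,
            resource: str, namespace: str = "", name: str = "") -> bool:
    """True if a binding that names `who` reaches a rule matching the request."""
    index = {}
    for o in objects:
        index.setdefault(o["kind"], {})[(o["metadata"].get("namespace", ""), o["metadata"]["name"])] = o

    def rules_of(ref: Dict, ns: str) -> List[Dict]:
        key = ("", ref["name"]) if ref["kind"] == "ClusterRole" else (ns, ref["name"])
        role = index.get(ref["kind"], {}).get(key)
        return role["rules"] if role else []

    bindings = list(index.get("ClusterRoleBinding", {}).values())          # apply in every namespace
    bindings += [b for (ns, _), b in index.get("RoleBinding", {}).items() if ns == namespace]
    for b in bindings:
        if any(subject_matches(s, who) for s in b.get("subjects", [])):
            if any(rule_matches(r, verb, api_group, resource, name) for r in rules_of(b["roleRef"], namespace)):
                return True
    return False

def audit(objects: List[Dict]) -> List[str]:
    """Flag rules that amount to code execution in pods, secret reads, or a full wildcard."""
    findings = []
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            tag = f"{o['kind']}/{o['metadata']['name']}"
            for rule in o["rules"]:
                if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                    findings.append(f"{tag}: wildcard verbs on wildcard resources")
                if rule_matches(rule, "create", "", "pods/exec"):
                    findings.append(f"{tag}: create pods/exec (shell in any pod of the scope)")
                if any(rule_matches(rule, v, "", "secrets") for v in ("get", "list", "watch")):
                    findings.append(f"{tag}: reads secrets")
    return findings

# This page's objects (ceshi-role read-only, as the example's goal requires) ...
CESHI_ROLE = {"kind": "Role", "metadata": {"name": "ceshi-role", "namespace": "jenkins"},
              "rules": [{"apiGroups": ["", "extensions", "apps"],
                         "resources": ["deployments", "replicasets", "pods"], "verbs": ["get", "list", "watch"]}]}
CESHI_BINDING = {"kind": "RoleBinding", "metadata": {"name": "ceshi-rolebinding", "namespace": "jenkins"},
                 "subjects": [{"kind": "User", "name": "ceshi"}], "roleRef": {"kind": "Role", "name": "ceshi-role"}}
POD_READER = {"kind": "ClusterRole", "metadata": {"name": "example-clusterrole"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
# ... plus assumed extras: exec rights for the page's ServiceAccount, and a cluster-wide group grant.
EXEC_ROLE = {"kind": "Role", "metadata": {"name": "exec-role", "namespace": "jenkins"},
             "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}
EXEC_BINDING = {"kind": "RoleBinding", "metadata": {"name": "exec-binding", "namespace": "jenkins"},
                "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "jenkins"}],
                "roleRef": {"kind": "Role", "name": "exec-role"}}
OPS_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-pod-reader"},
               "subjects": [{"kind": "Group", "name": "ops"}],
               "roleRef": {"kind": "ClusterRole", "name": "example-clusterrole"}}
OBJECTS = [CESHI_ROLE, CESHI_BINDING, POD_READER, EXEC_ROLE, EXEC_BINDING, OPS_BINDING]

CESHI = identity_from_x509("ceshi", ["ceshi"])                      # from "/CN=ceshi/O=ceshi"
JENKINS_SA = Identity("system:serviceaccount:jenkins:example-sa", ["system:serviceaccounts"])
OPS_USER = Identity("alice", ["ops"])                               # assumed member of group ops

if __name__ == "__main__":
    for who, verb, res, ns in [(CESHI, "list", "pods", "jenkins"), (CESHI, "list", "pods", "kube-system"),
                               (CESHI, "delete", "pods", "jenkins"), (CESHI, "create", "pods/exec", "jenkins"),
                               (JENKINS_SA, "create", "pods/exec", "jenkins"), (OPS_USER, "get", "pods", "kube-system")]:
        print(f"{who.name:45} {verb:7} {res:10} {ns:12} -> {allowed(OBJECTS, who, verb, '', res, ns)}")
    print(audit(OBJECTS))
```

Run it directly to print a decision table for the six requests. Against a real cluster the same questions go to kubectl auth can-i, which asks the API server rather than a model; the model is useful for reviewing RBAC manifests in a repository before they are applied.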
