Recommended reading 0: a personal blog with a series of articles on K8S / cloud native

https://jimmysong.io/kubernetes-handbook/guide/kubectl-user-authentication-authorization.html

Recommended reading 1

https://blog.csdn.net/luanpeng825485697/article/details/88375842

RBAC contents
1 RBAC API objects
2 Hands-on
Create a user that can only access one namespace
Let's create a User Account that can only access the kube-system namespace:

username: haimaxy
group: youdianzhishi

2.1 Create the user credentials
$ ls # three files in total; the generation steps are in the original article and are skipped here
haimaxy.csr haimaxy.key haimaxy.crt

kubectl config set-context haimaxy-context --cluster=kubernetes --namespace=kube-system --user=haimaxy

kubectl get pods --context=haimaxy-context

Error from server (Forbidden): pods is forbidden: User “haimaxy” cannot list pods in the namespace “default”

2.2 Create the Role

2.3 Create the RoleBinding

2.4 Test
$ kubectl get pods --context=haimaxy-context
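The Role and RoleBinding that steps 2.2 and 2.3 refer to are not shown above. The manifest below is an added example (not the code of the original article or the linked blog): it grants user haimaxy read-only access to pods and deployments in kube-system only. The object names haimaxy-role and haimaxy-rolebinding and the chosen resources and verbs are assumptions.

```yaml
# Added example, not from the original post.
# Step 2.2: a namespaced Role. Names, resources and verbs are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: haimaxy-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
---
# Step 2.3: bind the Role to the user whose client certificate has CN=haimaxy.
# Because this is a RoleBinding, the grant is limited to namespace kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: haimaxy-rolebinding
  namespace: kube-system
subjects:
- kind: User
  name: haimaxy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: haimaxy-role
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest with kubectl apply -f, the step 2.4 test should list pods in kube-system, while the same command against any other namespace still returns Forbidden. A quick way to verify the policy without switching contexts is kubectl auth can-i list pods -n kube-system --as haimaxy (expected: yes) and the same with -n default (expected: no). If every certificate you issue carries O=youdianzhishi, the subject could be kind: Group with name youdianzhishi instead of a single User, since the O field of the client certificate is what the API server maps to the group.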

Admin token authorization and the X.509 client certificate method

https://www.cnblogs.com/37yan/p/14781546.html

Recommended reading 2

http://dockone.io/article/9178

ns-read-clusterrole.yaml works. Combined with Tencent's ClusterRoleBinding policy generator it can produce a usable kubeconfig certificate. Note: do not mix it with a RoleBinding; otherwise any later ClusterRoleBinding for that sub-account never takes effect, and deleting and re-applying it several times did not help (cause unknown).

k8s RBAC practice, TKE RBAC practice, custom ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: namespace-reader
  labels:
     self-cluster-role: test-namespaces
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Namespace
  # objects is "namespaces"
  resources: ["namespaces"]
  verbs: ["get", "watch", "list"]

dukuan's original template:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
  labels:
     self-cluster-role: test-secrets
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
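Both ClusterRoles above only define permissions; nothing is granted until a binding references them. The manifest below is an added example (not from the original post or from Tencent's generator) showing the ClusterRoleBinding that gives user haimaxy the namespace-reader ClusterRole cluster-wide. The binding name is an assumption.

```yaml
# Added example, not from the original post. Binding name is an assumption.
# Namespaces are cluster-scoped, so listing them needs a ClusterRoleBinding;
# a RoleBinding that references this ClusterRole would only apply inside
# one namespace and cannot authorize a cluster-scoped list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: haimaxy-namespace-reader
subjects:
- kind: User
  name: haimaxy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io
```

Two checks worth doing before applying such a binding. First, roleRef on a RoleBinding or ClusterRoleBinding is immutable: to point an existing binding at a different role you have to delete the binding and create a new one, so kubectl apply on an edited roleRef fails rather than updating. Second, scope: a ClusterRoleBinding to secret-reader would expose every Secret in the cluster, so for a template like that one prefer a RoleBinding in the single namespace the account needs, keeping the ClusterRoleBinding for genuinely cluster-scoped resources such as namespaces. kubectl auth can-i list namespaces --as haimaxy confirms the result.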

This article is good; 202212120 update

https://blog.csdn.net/weixin_43266367/article/details/127146419
