1、上传文件(rbac.zip 中包含 cert.sh、kubeconfig.sh 和 rbac.yaml 三个文件)
[root@k8s-master rbc]# ls
rbac.zip
[root@k8s-master rbc]# unzip rbac.zip 
Archive:  rbac.zip
   creating: rbac/
  inflating: rbac/cert.sh            
  inflating: rbac/kubeconfig.sh      
  inflating: rbac/rbac.yaml          
[root@k8s-master rbc]# ls
rbac  rbac.zip
[root@k8s-master rbc]# cd rbac/
[root@k8s-master rbac]# ls
cert.sh  kubeconfig.sh  rbac.yaml

2、上传 cfssl 工具并安装到 PATH 中(解压后把 cfssl、cfssljson、cfssl-certinfo 移到 /usr/bin;建议先核对下载包的校验和,签发集群证书的工具不应来源不明)
[root@k8s-master rbac]# ls
aliang-csr.json  ca-config.json  cert.sh  cfssl.tar.gz  kubeconfig.sh  rbac.yaml
[root@k8s-master rbac]# tar -xf cfssl.tar.gz 
[root@k8s-master rbac]# ls
aliang-csr.json  ca-config.json  cert.sh  cfssl  cfssl-certinfo  cfssljson  cfssl.tar.gz  kubeconfig.sh  rbac.yaml
[root@k8s-master rbac]# mv cfssl* /usr/bin/

3、运行 cert.sh,用集群 CA(/etc/kubernetes/pki/ca.crt、ca.key)签发用户证书
[root@k8s-master rbac]# sh cert.sh 
2021/12/07 22:14:05 [INFO] generate received request
2021/12/07 22:14:05 [INFO] received CSR
2021/12/07 22:14:05 [INFO] generating key: rsa-2048
2021/12/07 22:14:06 [INFO] encoded CSR
2021/12/07 22:14:06 [INFO] signed certificate with serial number 21573919850865078341829546414992361611052808094
2021/12/07 22:14:06 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master rbac]# cat cert.sh 

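#!/bin/sh
# cert.sh - issue a client certificate for a Kubernetes user, signed by the
# cluster CA.  The certificate's CN becomes the user name and its O becomes
# the group name that RBAC (Role)Bindings refer to.
#
# Inputs (environment, all optional):
#   CN       user name written into the certificate CN       (default: aliang)
#   ORG      organisation; Kubernetes maps it to a group      (default: k8s)
#   EXPIRY   certificate lifetime in cfssl syntax             (default: 87600h)
#   CA_CERT  cluster CA certificate used for signing  (default: /etc/kubernetes/pki/ca.crt)
#   CA_KEY   cluster CA private key used for signing  (default: /etc/kubernetes/pki/ca.key)
#
# Outputs (current directory): ca-config.json, ${CN}-csr.json, ${CN}.csr,
#   ${CN}.pem (certificate) and ${CN}-key.pem (private key).
#
# Security notes:
#   - Kubernetes does not revoke client certificates: once issued, the
#     certificate is valid until EXPIRY no matter what happens to the user.
#     The original 10-year default (87600h) is kept for compatibility, but a
#     much shorter lifetime is strongly recommended - override with EXPIRY=...
#   - ORG becomes an RBAC group.  Never use "system:masters" here: any
#     certificate with that O is cluster-admin regardless of RoleBindings.
#   - The signing profile grants "client auth" only; a user certificate must
#     not also be usable as a server certificate.

set -eu

CN="${CN:-aliang}"
ORG="${ORG:-k8s}"
EXPIRY="${EXPIRY:-87600h}"
CA_CERT="${CA_CERT:-/etc/kubernetes/pki/ca.crt}"
CA_KEY="${CA_KEY:-/etc/kubernetes/pki/ca.key}"

# Belt and braces: whatever permissions cfssljson chooses for the key file,
# nothing this script creates should be readable by other users.
umask 077

# Fail early with a clear message instead of a pile of cfssl errors; the CA
# key is normally readable only by root.
for tool in cfssl cfssljson; do
  command -v "$tool" >/dev/null 2>&1 || { echo "cert.sh: $tool not found in PATH" >&2; exit 1; }
done
[ -r "$CA_CERT" ] || { echo "cert.sh: cannot read CA certificate $CA_CERT" >&2; exit 1; }
[ -r "$CA_KEY" ]  || { echo "cert.sh: cannot read CA key $CA_KEY" >&2; exit 1; }

# Signing configuration; the "kubernetes" profile is selected with -profile below.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "${EXPIRY}"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "client auth"
        ],
        "expiry": "${EXPIRY}"
      }
    }
  }
}
EOF

# CSR for the user.  "hosts" is intentionally empty: this is a client
# identity, not a server certificate, so cfssl's warning that the certificate
# "lacks a hosts field" is expected and harmless.
cat > "${CN}-csr.json" <<EOF
{
  "CN": "${CN}",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "${ORG}",
      "OU": "System"
    }
  ]
}
EOF

# Generate the key pair and sign it.  cfssl's JSON is captured first so that a
# signing failure stops the script: plain sh has no pipefail, and the status
# of "cfssl | cfssljson" would be cfssljson's, hiding the real error.
bundle=$(cfssl gencert \
  -ca="$CA_CERT" -ca-key="$CA_KEY" \
  -config=ca-config.json -profile=kubernetes \
  "${CN}-csr.json") || { echo "cert.sh: cfssl gencert failed" >&2; exit 1; }

# Writes ${CN}.pem, ${CN}-key.pem and ${CN}.csr.  ${CN}-key.pem is the user's
# private key - treat it as a credential and do not leave it in shared dirs.
printf '%s\n' "$bundle" | cfssljson -bare "$CN"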

 

cert.sh 运行后会在当前目录生成证书 aliang.pem 和私钥 aliang-key.pem(以及 aliang.csr)。私钥 aliang-key.pem 等同于该用户的登录凭据,注意保管。

查看证书有效时间:cfssl-certinfo -cert aliang.pem。有效期由 ca-config.json 中的 expiry 决定,这里是 87600h(10 年)。注意 Kubernetes 不支持吊销客户端证书,证书一旦签发在过期前始终有效,生产环境应使用更短的有效期。

 

[root@k8s-master rbac]# cat kubeconfig.sh 

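#!/bin/sh
# kubeconfig.sh - build a self-contained kubeconfig for the user whose client
# certificate was produced by cert.sh.
#
# Inputs (environment, all optional):
#   USER_NAME       kubeconfig user name and file prefix  (default: aliang)
#   API_SERVER      API server URL                        (default: https://172.16.2.15:6443)
#   CA_CERT         cluster CA used to verify the server  (default: /etc/kubernetes/pki/ca.crt)
#   KUBECONFIG_OUT  output file                           (default: ${USER_NAME}.kubeconfig)
#
# Output: ${KUBECONFIG_OUT} with the CA, the client certificate AND the client
# private key embedded (--embed-certs=true).  The file is therefore a complete
# credential that cannot be revoked: hand it over through a secure channel,
# never commit it to a repository, and never place it in a shared location.

set -eu

USER_NAME="${USER_NAME:-aliang}"
API_SERVER="${API_SERVER:-https://172.16.2.15:6443}"
CA_CERT="${CA_CERT:-/etc/kubernetes/pki/ca.crt}"
KUBECONFIG_OUT="${KUBECONFIG_OUT:-${USER_NAME}.kubeconfig}"
CLIENT_CERT="${USER_NAME}.pem"
CLIENT_KEY="${USER_NAME}-key.pem"

command -v kubectl >/dev/null 2>&1 || { echo "kubeconfig.sh: kubectl not found in PATH" >&2; exit 1; }

# Check the inputs up front: otherwise kubectl fails half-way and leaves a
# partial kubeconfig behind (and without set -e the script would carry on).
for f in "$CA_CERT" "$CLIENT_CERT" "$CLIENT_KEY"; do
  [ -r "$f" ] || { echo "kubeconfig.sh: cannot read $f (run cert.sh first?)" >&2; exit 1; }
done

# Cluster entry: API server address plus the CA its serving certificate
# chains to, so the client verifies it is talking to the real API server.
kubectl config set-cluster kubernetes \
  --certificate-authority="$CA_CERT" \
  --embed-certs=true \
  --server="$API_SERVER" \
  --kubeconfig="$KUBECONFIG_OUT"

# Client identity: certificate and private key from cert.sh, embedded inline.
kubectl config set-credentials "$USER_NAME" \
  --client-key="$CLIENT_KEY" \
  --client-certificate="$CLIENT_CERT" \
  --embed-certs=true \
  --kubeconfig="$KUBECONFIG_OUT"

# Default context tying the cluster and the user together.
kubectl config set-context kubernetes \
  --cluster="kubernetes" \
  --user="$USER_NAME" \
  --kubeconfig="$KUBECONFIG_OUT"

kubectl config use-context kubernetes --kubeconfig="$KUBECONFIG_OUT"

# The file embeds the private key: make sure only the owner can read it.
chmod 600 "$KUBECONFIG_OUT"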

[root@k8s-master rbac]# sh kubeconfig.sh 
Cluster "kubernetes" set.
User "aliang" set.
Context "kubernetes" created.
Switched to context "kubernetes".
[root@k8s-master rbac]# ls
aliang.csr  aliang-csr.json  aliang-key.pem  aliang.kubeconfig  aliang.pem  ca-config.json  cert.sh  kubeconfig.sh  rbac.yaml
[root@k8s-master rbac]# cat aliang.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://172.16.2.15:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aliang
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: aliang
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURnekNDQW11Z0F3SUJBZ0lVQThkb2RFWkRJRnRhMkkxRjBCbFBtdzJCZDU0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1URXlNRGN4TkRBNU1EQmFGdzB6TVRFeQpNRFV4TkRBNU1EQmFNR0V4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFUE1BMEcKQTFVRUF4TUdZV3hwWVc1bk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBb1dTcgpzd0Fibm8rdjBtcVpMU25MZWY4TXpzNXRTeUNPc0tnRUdydnBybW1Semx3bmdNWkZWZU5sU0prUm43NmRHSTYyCkRPOHByZ1ltSEdVd2JmVnRMVTdRZG9YQ2dZS2ZrT3d6RFk3NG1SKzFnZVVjMmhmRGhLa25TVW51eXVaT25CM3oKNkZOMzdKQ1B2MGtBVE5rZ2praG5aeEhnbnExVVkrYkhEbFBoV2xQb0cwZ2VRc2lMSnVOL3d5V0RRL1ZlVWJmbwptV0NkcXNJSTlwVjdianZlN3hJUzhXbzArc1Y3WlRrSFBmVEpMdVdaVEU2a1lSVzJabGQ4S293WUhiSWg1QjdEClFhMnBkVXdEQ0dVV1NFQkNrdVR5WjUzNUhkZVBPbGxzVm1mekJJOFUwdGZyeFprVzRobCtOcUREQ1FvbEpXWTYKTEx3ckd0b1lKOTJield3Mm9RSURBUUFCbzM4d2ZUQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZdwpGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUVGQktJCldCNDJhS2hySjgyUTUwM0xVUHFwUWVjRE1COEdBMVVkSXdRWU1CYUFGQUxheXZPYkpVRFl0RXlwd1ExRTlTUHMKaVNWTU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVFoRlJpdThFQ2ZRRUZqK2Q5R1B3Mk9oc3JqQThLU01CdwpsRTIzZXh0TDdteEptTTBLL3MyNnBVM29lc1AySmx0Z0UwcEZqQ0kwbkRQLzlhNkpxT2tOMGJWSmovOEJRbkNxCkpjRm9wZlJIQ205d3M2dTMyUDczMHk1NmlVUGhOaTJ4VDMzY1lydWw2MzBweCtTSWVQRVBXK2EwaGtxY2QrZ0MKVHIrK0NjMXZLZFg3b0M3ckpSWlNlajhtZzN2bkZsTVRPdElVR1J4QnRML2VsQXpuT2h4c2hKbFpXdHJUZCtWegpyQ0tIMWVNWmU0NWpzSWtMRW9Bb2Z1Z21tcTVjMDlzV2pWUjdwdWRscDVVZExFc2p0ZldDOUpsV2dZT2xjL1F1CmNZQjlVSlNJQmpGYVg3anJITlBpZzNLV2ZKOFluMEVGYzMzWEl3VXdLQmZkTFdzOVB5NDYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: 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

创建完用户后,用 aliang.kubeconfig 访问集群(例如 kubectl get pods --kubeconfig=aliang.kubeconfig)会提示没有权限(Forbidden):证书只解决了"你是谁"(认证),该用户此时还没有绑定任何 RBAC 权限(授权)。

 新建权限组

 授权

[root@k8s-master rbac]# kubectl apply -f rbac.yaml 
role.rbac.authorization.k8s.io/pod-reader created
rolebinding.rbac.authorization.k8s.io/read-pods created
[root@k8s-master rbac]# 
[root@k8s-master rbac]# 
[root@k8s-master rbac]# cat rbac.yaml 
# Namespaced Role: read-only access to Pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]                  # "" is the core API group, where pods live
  resources: ["pods"]              # lowercase plural resource name
  verbs: ["get", "watch", "list"]  # read-only: no create/update/delete, no exec/logs

---

# Bind the Role to the user "aliang" - the CN of the certificate issued by
# cert.sh.  A RoleBinding is namespaced, so this grants nothing outside
# "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: aliang                     # must equal the certificate CN (case-sensitive)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

授权后再次使用 aliang.kubeconfig 查看 default 命名空间的 Pod,测试成功。该用户仅拥有 default 命名空间内 pods 的 get/list/watch 权限,访问其他资源或其他命名空间仍会被拒绝。

 

服务账号(SA)示例:为一个服务账号分配只能创建deployment、 daemonset、statefulset的权限
[root@k8s-master rbac]# cat test.rbc.yaml 
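# ServiceAccount used by a CI/CD pipeline in namespace app-team1.
apiVersion: v1
kind: ServiceAccount
metadata: 
  name: cicd-token
  namespace: app-team1
---
# ClusterRole allowing creation of the three workload types in the "apps"
# API group.  A ClusterRole is cluster-scoped, but it only grants access
# where it is bound - here through a namespaced RoleBinding.
# NOTE: the misspelled name ("deploymnet-clusterrrole") is kept on purpose so
# that the RoleBinding below still resolves; rename both places together.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deploymnet-clusterrrole
rules:
- apiGroups: ["apps"]
  # RBAC matches the lowercase plural *resource* name, not the Kind:
  # "Deployment" never matches a request for "deployments", so the
  # capitalised singular names granted nothing.
  resources: ["daemonsets", "deployments", "statefulsets"]
  verbs: ["create"]       # create only - no get/list/update/delete
---
# Namespaced binding: the ClusterRole's permissions apply in app-team1 only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-token
  namespace: app-team1
roleRef:
  kind: ClusterRole # must be Role or ClusterRole
  name: deploymnet-clusterrrole     # must match the name of the Role/ClusterRole being bound
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: cicd-token # "name" is case-sensitive
  namespace: app-team1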

测试(用 --as 以管理员身份模拟该 ServiceAccount;注意 SA 名称是 cicd-token,写成 cice-token 会因为模拟了一个没有任何绑定的账号而被拒绝):kubectl --as=system:serviceaccount:app-team1:cicd-token create deployment web11 --image=nginx -n app-team1
