Mechanism overview

Kubernetes is a management tool for distributed clusters, and keeping the cluster secure is one of its important tasks. The API Server is the intermediary through which the cluster's components talk to each other, and also the entry point for external control, so Kubernetes' security mechanisms are essentially designed around protecting the API Server. Kubernetes secures the API Server in three steps: authentication, authorization and admission control.

Authentication

  • HTTP Token authentication: identifies a legitimate user by a token
  • HTTP Basic authentication: authenticates with a username + password
  • The strictest option, HTTPS certificate authentication: client identity is verified with a certificate signed by the CA root certificate
HTTPS: mutual (two-way) authentication with issued certificates, used between cluster components
  etcd
    server side: etcd
    client side: API Server
  API Server
    server side: API Server
    client side:
      encrypted (needs a certificate):
        issued by the cluster: kubelet
        issued manually: kubectl, kube-proxy
      unencrypted: components that all run on the master node
        Controller Manager, Scheduler

SA (ServiceAccount): Pod authentication
  ca.crt: used by the Pod to verify the certificate the apiserver presents
  token: used in the Pod's authentication to the apiserver, which verifies that the Pod is legitimate
  namespace: identifies the scope

Authorization

The authentication step above only establishes that both sides of the communication trust each other and may talk. Authorization determines which resources the requester is permitted to access. The API Server currently supports the following authorization modes (selected with the API Server startup flag "--authorization-mode"):

  • AlwaysDeny: rejects all requests; generally used for testing
  • AlwaysAllow: accepts all requests; usable when the cluster does not need an authorization step
  • ABAC (Attribute-Based Access Control): matches user requests against user-configured authorization rules
  • Webhook: authorizes users by calling an external REST service
  • RBAC (Role-Based Access Control): role-based access control, the current default
RBAC authorization mode

RBAC (Role-Based Access Control) was introduced in Kubernetes 1.5 and has become the default in current versions. Compared with the other access-control modes it has the following advantages:

  • Complete coverage of both resources and non-resource endpoints in the cluster
  • All of RBAC is realised by a handful of API objects which, like any other API object, can be manipulated with kubectl or the API
  • Can be adjusted at run time, without restarting the API Server

RBAC API resource objects

RBAC introduces four new top-level resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding. All four object types can be manipulated with kubectl and the API.

Role and ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""] # "" indicates the core API group
    # The object type is pod. The "/" separator controls access to subresources, e.g.
    # resources: ["pods", "pods/log"]; resources: ["pods/log"] grants access only to the log subresource of pods.
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
RoleBinding and ClusterRoleBinding

A RoleBinding contains a list of subjects that receive the permissions; a subject can be a User, a Group or a ServiceAccount.

A RoleBinding can reference either a Role or a ClusterRole, whereas a ClusterRoleBinding can only reference a ClusterRole.
RoleBinding referencing a Role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    #Defaults to "" for ServiceAccount subjects. 
    #Defaults to "rbac.authorization.k8s.io" for User and Group subjects
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

RoleBinding referencing a ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding referencing a ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - kind: Group
    name: manager
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
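
When the API server authorizes a request, the four objects combine as follows: a RoleBinding grants the rules of the Role or ClusterRole it references, but only inside its own namespace, while a ClusterRoleBinding grants a ClusterRole's rules in every namespace. The Python below is an added example, not code from the original post or from Kubernetes; it models that resolution over the five manifests above (transcribed as dictionaries, since the standard library has no YAML parser) so the effect of each binding can be checked. It leaves out resourceNames, nonResourceURLs and aggregated ClusterRoles, and the user "alice" in the demo is a constructed member of the "manager" group.

```python
"""Added example: how the RBAC authorizer resolves a request against the
Role/ClusterRole/RoleBinding/ClusterRoleBinding objects shown above."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: list
    verb: str
    resource: str        # "pods", or "pods/log" for a subresource
    namespace: str = ""  # "" for cluster-scoped resources
    api_group: str = ""  # "" is the core API group


def rule_matches(rule, req):
    # RBAC is purely additive: a rule grants the request when all three fields match.
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def subject_matches(subject, req):
    if subject["kind"] == "User":
        return subject["name"] == req.user
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    if subject["kind"] == "ServiceAccount":
        # A ServiceAccount authenticates as the user system:serviceaccount:<ns>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rules_of(objs, role_ref, binding_namespace):
    # A RoleBinding may reference a Role in its own namespace or any ClusterRole;
    # a ClusterRoleBinding can only reference a ClusterRole.
    if role_ref["kind"] == "ClusterRole":
        role = objs["ClusterRole"].get(role_ref["name"])
    else:
        role = objs["Role"].get((binding_namespace, role_ref["name"]))
    return role["rules"] if role else []


def is_allowed(objs, req):
    def binding_grants(binding, binding_namespace):
        return (any(subject_matches(s, req) for s in binding["subjects"])
                and any(rule_matches(r, req)
                        for r in rules_of(objs, binding["roleRef"], binding_namespace)))

    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources.
    if any(binding_grants(crb, None) for crb in objs["ClusterRoleBinding"].values()):
        return True
    # RoleBindings apply only inside their own namespace, even when the
    # referenced role is a ClusterRole (that is what read-secrets above does).
    return any(binding_grants(rb, ns)
               for (ns, _name), rb in objs["RoleBinding"].items()
               if req.namespace and ns == req.namespace)


# The five manifests above, transcribed as dictionaries keyed by (namespace, name) or name.
OBJECTS = {
    "Role": {("default", "pod-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}},
    "ClusterRole": {"secret-reader": {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]}},
    "RoleBinding": {
        ("default", "read-pods"): {
            "subjects": [{"kind": "User", "name": "jane"}],
            "roleRef": {"kind": "Role", "name": "pod-reader"}},
        ("development", "read-secrets"): {
            "subjects": [{"kind": "User", "name": "dave"}],
            "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}}},
    "ClusterRoleBinding": {"read-secrets-global": {
        "subjects": [{"kind": "Group", "name": "manager"}],
        "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}}},
}


def check(user, groups, verb, resource, namespace="", api_group=""):
    return is_allowed(OBJECTS, Request(user, groups, verb, resource, namespace, api_group))


if __name__ == "__main__":
    print("jane get pods in default:", check("jane", [], "get", "pods", "default"))
    print("jane get pods in development:", check("jane", [], "get", "pods", "development"))
    print("dave list secrets in development:", check("dave", [], "list", "secrets", "development"))
    print("dave list secrets in default:", check("dave", [], "list", "secrets", "default"))
    print("manager member get secrets in kube-system:",
          check("alice", ["manager"], "get", "secrets", "kube-system"))
```

Note that pod-reader's rule for "pods" does not cover "pods/log": a subresource has to be listed explicitly, and the model returns False for it just as the real authorizer does.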
Example: create a user who acts as administrator of a namespace
# Create test.json under /opt. JSON does not allow comments, so the notes on the fields are given here:
#   CN: the user is "test" (the API server takes the user name from the certificate's CN)
#   hosts: empty, so the certificate can be used from any node, i.e. any node can reach the apiserver with it
#   O: the group the user belongs to; "k8s" is a custom group here, while system groups use the "system:" prefix
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

# Download the certificate generation tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

# Make them executable
chmod a+x /usr/local/bin/cfssl
chmod a+x /usr/local/bin/cfssljson
chmod a+x /usr/local/bin/cfssl-certinfo

# Issue the certificate, signed by the cluster CA
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes /opt/test.json | cfssljson -bare test 
[root@master opt]# ll test*
-rw-r--r--. 1 root root  993 54 15:52 test.csr
-rw-r--r--. 1 root root  217 54 15:28 test.json
-rw-------. 1 root root 1675 54 15:52 test-key.pem
-rw-r--r--. 1 root root 1233 54 15:52 test.pem

# Set the cluster parameters (i.e. the server side)
[root@master opt]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.116.128 master k8s-api registry
192.168.116.129 node1
# Set the KUBE_APISERVER variable
export KUBE_APISERVER="https://k8s-api:6443"

kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

# Set the client authentication parameters
kubectl config set-credentials test \
--client-certificate=/opt/test.pem \
--client-key=/opt/test-key.pem \
--embed-certs=true \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64-encoded client certificate omitted>
    client-key-data: <base64-encoded client key omitted>
    
# Set the context parameters
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=test \
--namespace=testns \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64-encoded client certificate omitted>
    client-key-data: <base64-encoded client key omitted>

# Switch to the context
kubectl config use-context kubernetes --kubeconfig=/opt/test.kubeconfig
[root@master .kube]# cat config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://192.168.234.137:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
# Previously an empty string; after switching it becomes kubernetes
# Note: switch the context first and only then copy the file into $HOME/.kube, otherwise kubectl reports that it cannot connect to the apiserver
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVTHpBZXZmQXBhd0xyNzFKN1Brb084MmxUTlRJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTFNRFV3TmpRMU1EQmFGdzB5TXpBMQpNRFV3TmpRMU1EQmFNRjh4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFTk1Bc0cKQTFVRUF4TUVkR1Z6ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT0gvMkVpRwp5NUl2Y2lTcEJQT3ViM1lhL2JCNFlwaVM3d0kxRklDN1RkWDNPYTBmelE1Vk4rN0VYem1DZ1pEbjFYZStzcXRpCjFydWcxWDRqRGswN25kUXRpZkJ2bktWcExmUjM5alBRUzZJRjFPTndMb1hMaEVaWGFBMmVSMzZrWGtBOEtXaUEKRVM2UitONmFSd1RFNE5zODFHanhUanNJYlBvRGRnV0txaE81bVJJNUp3MkxBWXZxRTBWdUpRY0RNd0Z6Z0dZagovdWp4anBrTGhWSXloVm1ZSUlGU01KbGdoaE9BYXIyZHFYNzBqMEE3VzJ0d3ZtQWZXUmd0RktwMWh6QVRaUEliCkowb2FnM3dmMGwvbkNQMm5xeEJTNDNqQTFXdWdqOEpZSGVqZlJveTh1bDJrT3Zid2NPZGZNb0tNMFVuY2hxdDAKZTRpZncvdUY1RkJYT2Y4Q0F3RUFBYU5lTUZ3d0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCU0RpZ3M5ClNxMGphOUVYSEF4L1JXL21qcGZpV1RBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUZXbnJXSzRPSlJQQkxrUEgKK1ZiSXE2Z0wwUzhSZlptcjlnYmdnUTlYMXZ0MDNrUGQ5YzBiOG1EZDEwUDc4YUlGUitJazNBT1NSTkxXM2s5KwpxMCthTitwekcvVU50UGFMQWYxZzJXRVJyTVBCTWVITTNqcW1HWG42cVM0d1lrNWVWaHVhU29KSlA5cGlLaDhNCjBFZDRPcjNYakhtNlJLVFdFK05PSlpGWTExUzlIUXdzVzVIN1BGYXc0MWN4WW9XaFFTVWhub01sUDBMNngxdjAKRlZTaXlkMDM1VytZcDZVMEtDTVIzYlR6bEJLZ05DZlFSRzJuL003NENPOHg1Y25CT3ZTejJuY05HUExJZjBYUApDV000ZDBPSS95eWIyN1luckZxUEhnWjBsbzNURmFxVHBtU0lscVJENFFFaDRXZFZQQlQvbWNTMW1GT25EVlhOCjUzbUlDQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: <base64-encoded client key omitted>
    
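Each of the four kubectl config commands above rewrites one part of the kubeconfig file. The Python below is an added example, not code from the original post or from kubectl; it reproduces what those commands write (with --embed-certs=true the PEM files are stored base64-encoded rather than referenced by path) and adds a check_config function that reports the conditions under which kubectl cannot reach the API server, in particular the empty current-context that the note above warns about. The PEM contents are constructed placeholders, and the function names and the JSON output are this example's own (kubectl accepts a JSON kubeconfig, since JSON is valid YAML).

```python
"""Added example: models what `kubectl config set-cluster / set-credentials /
set-context / use-context` write into a kubeconfig, and checks the result."""
import base64
import json

# Constructed placeholder PEM contents; a real run would read them from
# /etc/kubernetes/pki/ca.crt, /opt/test.pem and /opt/test-key.pem.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-TEST-CERT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-TEST-KEY\n-----END RSA PRIVATE KEY-----\n"


def embed_pem(pem):
    # --embed-certs=true stores the file contents base64-encoded instead of a path
    return base64.b64encode(pem).decode("ascii")


def _upsert(entries, name, body_key, body):
    # kubectl replaces an entry with the same name rather than appending a duplicate
    entries[:] = [e for e in entries if e["name"] != name]
    entries.append({"name": name, body_key: body})


def new_config():
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "contexts": [], "users": [], "current-context": ""}


def set_cluster(cfg, name, server, ca_pem):
    _upsert(cfg["clusters"], name, "cluster",
            {"server": server, "certificate-authority-data": embed_pem(ca_pem)})
    return cfg


def set_credentials(cfg, name, cert_pem, key_pem):
    _upsert(cfg["users"], name, "user",
            {"client-certificate-data": embed_pem(cert_pem),
             "client-key-data": embed_pem(key_pem)})
    return cfg


def set_context(cfg, name, cluster, user, namespace):
    _upsert(cfg["contexts"], name, "context",
            {"cluster": cluster, "user": user, "namespace": namespace})
    return cfg


def use_context(cfg, name):
    if name not in {c["name"] for c in cfg["contexts"]}:
        raise ValueError(f"no context exists with the name: {name!r}")
    cfg["current-context"] = name
    return cfg


def _find(entries, name):
    return next((e for e in entries if e["name"] == name), None)


def check_config(cfg):
    """Return the reasons kubectl could not use this file; [] means it is usable."""
    problems = []
    current = cfg.get("current-context", "")
    if not current:
        # The state the note above warns about: a context exists but nothing selects
        # it, so kubectl falls back to its default server and cannot connect.
        return ["current-context is empty; run kubectl config use-context first"]
    ctx = _find(cfg.get("contexts", []), current)
    if ctx is None:
        return [f"current-context {current!r} names a context that does not exist"]
    cluster = _find(cfg.get("clusters", []), ctx["context"]["cluster"])
    user = _find(cfg.get("users", []), ctx["context"]["user"])
    if cluster is None:
        problems.append("context references an unknown cluster")
    elif not cluster["cluster"].get("certificate-authority-data"):
        problems.append("cluster has no CA data; the API server certificate cannot be verified")
    if user is None:
        problems.append("context references an unknown user")
    elif not (user["user"].get("client-certificate-data") and user["user"].get("client-key-data")):
        problems.append("user has no client certificate and key; the API server cannot authenticate the client")
    return problems


def build_test_kubeconfig(activate=True):
    """Replays the four commands from the walkthrough; activate=False stops before use-context."""
    cfg = new_config()
    set_cluster(cfg, "kubernetes", "https://k8s-api:6443", CA_PEM)
    set_credentials(cfg, "test", CLIENT_CERT_PEM, CLIENT_KEY_PEM)
    set_context(cfg, "kubernetes", cluster="kubernetes", user="test", namespace="testns")
    if activate:
        use_context(cfg, "kubernetes")
    return cfg


if __name__ == "__main__":
    cfg = build_test_kubeconfig()
    print(json.dumps(cfg, indent=2))
    print("problems:", check_config(cfg) or "none")
    print("problems before use-context:", check_config(build_test_kubeconfig(activate=False)))
```

Running check_config on a kubeconfig before handing it to another user is the cheap way to catch the "cannot connect to apiserver" situation described above before the file is copied into $HOME/.kube.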
# Create the testns namespace
kubectl create ns testns
# Restrict the resources the namespace may use (save the manifest below to a file and apply it with kubectl apply -f)
apiVersion: v1
kind: ResourceQuota
metadata:
  name: limit-resources
  namespace: testns
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 100Gi
    limits.cpu: "40"
    limits.memory: 200Gi

# Bind administrator privileges to the test user
kubectl create rolebinding test-admin-binding --clusterrole=admin --user=test --namespace=testns
$ kubectl get rolebinding -n testns
NAME                 ROLE                AGE
test-admin-binding   ClusterRole/admin   33s

# Create any Linux user, e.g. test1, and put test.kubeconfig under .kube in test1's home directory; that user can then access the apiserver
useradd test1
passwd test1
mkdir -p /home/test1/.kube
cp /opt/test.kubeconfig /home/test1/.kube/config
chown -R test1.test1 /home/test1/.kube
# Note that the namespace used by get pod is now testns
[test1@master ~]$ kubectl get pod
No resources found in testns namespace
# Trying to get pods in another namespace is refused
[test1@master ~]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"

Admission control

Admission control is the API Server's set of plugins; adding different plugins implements additional admission rules. Even some of the API Server's main features, such as ServiceAccount, are implemented through admission controllers. The plugins enabled by default are:

CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
  • NamespaceLifecycle: prevents creating objects in a namespace that does not exist, prevents deleting the system's built-in namespaces, and deletes all of a namespace's resource objects along with the namespace when it is deleted.
  • LimitRanger: ensures requested resources do not exceed the LimitRange limits of the resource's namespace.
  • ServiceAccount: implements the automatic attachment of ServiceAccounts.
  • ResourceQuota: ensures requested resources do not exceed the ResourceQuota limits
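
Taking ResourceQuota as an example of such a plugin: the quota created for testns above is enforced when a pod is created, by adding the pod's requests and limits to what the namespace already uses and comparing the total with the hard values. The Python below is an added example, not code from the original post or from the Kubernetes admission controller; it reproduces that decision, including the parsing of quantity suffixes such as 500m and 100Gi, the rule that a pod must specify every resource the quota constrains, and the API defaulting that copies a limit into a missing request. The sample pods and the namespace's current usage are constructed.

```python
"""Added example: the decision the ResourceQuota admission plugin makes for a new pod."""
import re
from decimal import Decimal

# Kubernetes quantity suffixes: decimal SI, binary (Ki, Mi, ...) and "m" for milli-units.
_SUFFIX = {"": Decimal(1), "m": Decimal("0.001"),
           "k": Decimal(10 ** 3), "M": Decimal(10 ** 6), "G": Decimal(10 ** 9),
           "T": Decimal(10 ** 12), "P": Decimal(10 ** 15), "E": Decimal(10 ** 18),
           "Ki": Decimal(2 ** 10), "Mi": Decimal(2 ** 20), "Gi": Decimal(2 ** 30),
           "Ti": Decimal(2 ** 40), "Pi": Decimal(2 ** 50), "Ei": Decimal(2 ** 60)}


def parse_quantity(q):
    """'500m' -> 0.5 cores, '100Gi' -> 107374182400 bytes, '20' -> 20."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?|\.\d+)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"invalid quantity: {q!r}")
    return Decimal(m.group(1)) * _SUFFIX[m.group(2)]


# The quota from the walkthrough (spec.hard of limit-resources in testns).
QUOTA_HARD = {"requests.cpu": "20", "requests.memory": "100Gi",
              "limits.cpu": "40", "limits.memory": "200Gi"}


def pod_usage(pod):
    """Sum requests and limits over the pod's containers into quota keys."""
    usage = {}
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        requests = dict(res.get("requests", {}))
        limits = res.get("limits", {})
        # API defaulting: a limit without a request makes the request equal to the limit.
        for name, val in limits.items():
            requests.setdefault(name, val)
        for kind, values in (("requests", requests), ("limits", limits)):
            for name, val in values.items():
                key = f"{kind}.{name}"
                usage[key] = usage.get(key, Decimal(0)) + parse_quantity(val)
    return usage


def admit(pod, hard, used):
    """Return (admitted, reasons). `used` is the namespace's current status.used."""
    needed = pod_usage(pod)
    reasons = []
    for key, limit in hard.items():
        if key not in needed:
            # A quota that constrains a resource rejects pods that do not set it at all.
            reasons.append(f"must specify {key}")
            continue
        total = parse_quantity(used.get(key, "0")) + needed[key]
        if total > parse_quantity(limit):
            reasons.append(f"exceeded quota for {key}: requested={needed[key]}, "
                           f"used={used.get(key, '0')}, limited={limit}")
    return (not reasons, reasons)


def make_pod(*containers):
    # Constructed pod manifest carrying only the fields the plugin looks at.
    return {"kind": "Pod", "spec": {"containers": [
        {"name": f"c{i}", "resources": r} for i, r in enumerate(containers)]}}


# Constructed: what testns already consumes when the new pod arrives.
USED = {"requests.cpu": "19", "requests.memory": "90Gi",
        "limits.cpu": "30", "limits.memory": "150Gi"}

POD_FITS = make_pod(
    {"requests": {"cpu": "500m", "memory": "1Gi"}, "limits": {"cpu": "1", "memory": "2Gi"}},
    {"requests": {"cpu": "500m", "memory": "1Gi"}, "limits": {"cpu": "1", "memory": "2Gi"}})
POD_TOO_MUCH_CPU = make_pod(
    {"requests": {"cpu": "1.5", "memory": "1Gi"}, "limits": {"cpu": "2", "memory": "2Gi"}})
POD_NO_RESOURCES = make_pod({})
POD_LIMITS_ONLY = make_pod({"limits": {"cpu": "1", "memory": "1Gi"}})

if __name__ == "__main__":
    for label, pod in [("fits", POD_FITS), ("too much cpu", POD_TOO_MUCH_CPU),
                       ("no resources", POD_NO_RESOURCES), ("limits only", POD_LIMITS_ONLY)]:
        print(label, admit(pod, QUOTA_HARD, USED))
```

The "must specify" case is the one that surprises people in practice: once a quota like limit-resources exists in testns, a pod manifest with no resources block is rejected outright, independently of how much headroom the namespace still has.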