普通用户

1 创建角色和角色绑定

例如,创建cms用户

A 创建角色cms
cms-role-cms.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cms
  namespace: cms
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch

B 创建角色绑定 
cms-rolebinding-cms.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cms
  namespace: cms
subjects:
- kind: User
  name: cms # 目标用户
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cms # 角色信息
  apiGroup: rbac.authorization.k8s.io

执行创建

kubectl create -f cms-role-cms.yaml
kubectl create -f cms-rolebinding-cms.yaml

2  创建token(也就是secret)

kubernetes-dashboard-cms-rbac.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-cms
  namespace: cms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-cms
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-cms
  namespace: cms

执行创建

kubectl create -f kubernetes-dashboard-cms-rbac.yaml

注意,这里的服务账号service account 绑定的是clusterRole view。 一定要注意!!!!

3 创建config文件(创建cms用户)

A 证书内容
cms-csr.json

{
  "CN": "cms",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

B 创建config文件脚本
userconfig.sh

for targetName in cms; do
cfssl gencert --ca k8s-root-ca.pem --ca-key k8s-root-ca-key.pem --config k8s-gencert.json --profile kubernetes $targetName-csr.json | cfssljson --bare $targetName
echo "Create $targetName kubeconfig..."
kubectl config set-cluster kubernetes --certificate-authority=k8s-root-ca.pem --embed-certs=true --server=https://*.*.*.*:6443 --kubeconfig=$targetName.kubeconfig
kubectl config set-credentials $targetName --client-certificate=$targetName.pem --client-key=$targetName-key.pem --embed-certs=true --kubeconfig=$targetName.kubeconfig
kubectl config set-context kubernetes --cluster=kubernetes --user=$targetName --kubeconfig=$targetName.kubeconfig
kubectl config use-context kubernetes --kubeconfig=$targetName.kubeconfig
done

如上脚本是一个for循环,适用于创建多个权限的config文件。

执行脚本创建config文件。

chmod +x userconfig.sh
./userconfig.sh

如上执行后会生成一个cms.kubeconfig文件。

4 config文件中添加token

获取创建的token内容

kubectl -n cms describe secret $(kubectl -n cms get secret | grep kubernetes-dashboard | awk '{print $1}')

将获取到的token粘贴到步骤3生成的cms.kubeconfig文件中

得到如下:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ************************BDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVWGRFMkozQ0RGdmZmcmRDbS9Ua2ROSE9pZ3Ywd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNZMjR4RURBT0JnTlZCQWdUQjNScFlXNXFhV*****RBT0JnTlZCQWNUQjNScApZVzVxYVc0eEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HYzNsemRHVnRNUk13RVFZRF**********************
    server: https://*.*.*.*:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cms
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: cms
  user:
    as-user-extra: {}
    client-certificate-data: ******************************nVGUGVrcjRhaG5VbVEvc2s1YXZQa3MyMgo3aEVvRFh6TUwwbzUxL3I5TTRFdVRqdTZQb0V1SFFSZHIydy9IaFZZaGM5SEdKamlyR1J2a1lTYWZLMnRmZ1dLCjhyZ3o5WVdnOUpvWXJvQTllWUFvV21DR2hERFpmeVNvSmFMQ2tqVThCK3U3TXJSV********************
    client-key-data: *******************************kQTh3L1RPS3hsMXRoTU43ZGFoVHYzQm1CclJnNnNGd1VwQy9yS0Y3Ci9BWFNzM2ZBczVzZmJCOTZQN3lXeXNrQ2dZRUFqd0REWEZVWWdjcllJY1B6UEhtRGtkYU1scnBnNmR2UmlDeEEKRUdKb295Z2Q1cUFGU3hHQ1orODY4ZEt0YVZ6VTZ4WFh********************
    token: ****************************************8YQPdhiRvaKlwq1o1vX1ROX_L8GZpy0Ech-kCk9DfPpGuiPDedWxiLCbS6TaCVUH2v1LDpQwCutWLsknbaxv_-TnlQeXQs1***************

此时的config文件即可访问kubernetes的dashboard界面。

管理员用户

1 Create Service Account 创建一个服务帐号

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
EOF

2  Create ClusterRoleBinding 创建ClusterRoleBinding

cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF

3 获取token

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

将生成的token填入,即可进入dashboard的主页面,或者追加到admin 用户的config中,用config方式访问。

Logo
K8S/Kubernetes

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐

【深度】阿里巴巴万级规模 K8s 集群全局高可用体系之美

作者 |  韩堂、柘远、沉醉来源 | 阿里巴巴云原生公众号​前言台湾作家林清玄在接受记者采访的时候,如此评价自己 30 多年写作生涯:“第一个十年我才华横溢,‘贼光闪现’,令周边黯然失色;第二个十年,我终于‘宝光现形’,不再去抢风头,反而与身边的美丽相得益彰;进入第三个十年,繁华落尽见真醇,我进入了‘醇光初现’的阶段,真正体味到了境界之美”。​长夜有穷,真水无香。领略过了 K8s“身在江

avatar K8S/Kubernetes

如何基于 K8s 构建下一代 DevOps 平台?

作者 | 孙健波(天元)导读:当前云原生 DevOps 体系现状如何?面临哪些挑战?如何通过 OAM 解决云原生 DevOps 场景下的诸多问题?云原生开发应用模型 OAM(Open Application Model) 社区核心成员孙健波将为大家一一解答,并分享如何基于 OAM 和 Kubernetes 打造无限能力的下一代 DevOps 平台。什么是 DevOps?为什么基于 Kub

avatar K8S/Kubernetes

k8s 火了!

2020,上云之年,产品云端化成为一种趋势。在一线城市,很多公司都已经构建了自己的私有云环境,比如阿里云、网易云、华为云等。而Kubernetes 作为基于容器编排领域的王者,具备扩展...

avatar K8S/Kubernetes