kubernetes集群编排（7）

k8s认证授权

pod绑定sa

[root@k8s2 ~]# kubectl create sa admin        //在当前 Kubernetes 集群中创建一个名为 "admin" 的新服务账户
 
[root@k8s2 secret]# vim pod3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: admin
  containers:
    - name: nginx
      image: nginx

[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl  x509 -req -in test.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out test.crt -days 365
[root@k8s2 pki]#  kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test

[root@k8s2 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.56.172:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: test
  name: test@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: test
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

默认用户没有任何权限，需要授权

授权

[root@k8s2 rbac]# vim roles.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
 
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io
 
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding						#RoleBinding必须指定namespace
metadata:
  name: rolebind-myclusterrole
  namespace:  default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding				#ClusterRoleBinding全局授权，无需指定namespace
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

[root@k8s2 rbac]# kubectl apply -f roles.yaml
 
[root@k8s2 rbac]# kubectl config use-context test@kubernetes
 
[root@k8s2 rbac]# kubectl get deployments.apps -A

切回admin 回收

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes
 
 
[root@k8s2 rbac]# kubectl delete -f roles.yaml
 
[root@k8s2 rbac]# kubectl config delete-user test
[root@k8s2 rbac]# kubectl config delete-context test@kubernetes