kubernetes集群编排——k8s认证授权

pod绑定sa

[root@k8s2 ~]# kubectl create sa admin

[root@k8s2 secret]# vim pod5.yaml


apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: admin
  containers:
    - name: nginx
      image: nginx


kubectl apply -f pod5.yaml
 
kubectl get pod -o yaml

认证


[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl  x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365


[root@k8s2 pki]#  kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
[root@k8s2 pki]# kubectl config view

切换用户


[root@k8s2 pki]# kubectl config use-context test@kubernetes
 
[root@k8s2 pki]# kubectl get pod

默认用户没有任何权限，需要授权

切回admin

[root@k8s2 pki]# kubectl config use-context kubernetes-admin@kubernetes

[root@k8s2 rbac]# vim roles.yaml


kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
 
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io

[root@k8s2 rbac]# kubectl apply -f roles.yaml

[root@k8s2 rbac]# kubectl config use-context test@kubernetes


[root@k8s2 rbac]# kubectl run demo --image nginx
 
[root@k8s2 rbac]# kubectl get pod

现在只能操作pod资源，其它不行

[root@k8s2 rbac]# kubectl get deployments.apps

切回admin

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes

授权

[root@k8s2 rbac]# vim clusteroles.yaml


kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                      #RoleBinding必须指定namespace
metadata:
  name: rolebind-myclusterrole
  namespace:  default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding               #ClusterRoleBinding全局授权，无需指定namespace
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

[root@k8s2 rbac]# kubectl apply -f clusteroles.yaml


[root@k8s2 rbac]# kubectl config use-context test@kubernetes
 
[root@k8s2 rbac]# kubectl get deployments.apps -A

切回admin

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes

回收


[root@k8s2 rbac]# kubectl delete -f roles.yaml
 
[root@k8s2 rbac]# kubectl config delete-user test
 
[root@k8s2 rbac]# kubectl config delete-context test@kubernetes

相关阅读:
AntV/G2 柱状图+折线图双轴图表
numpy和matlab的多维数组展平：ravel, flatten, reshape, (:)
微积分学习笔记（2）：用Go语言画函数图像
简单理解Vue中的数据代理
面对全新的编程语言，这些思路可以帮助你察觉漏洞
07、vue : 无法加载文件 C:\Users\JH\AppData\Roaming\npm\vue.ps1，因为在此系统上禁止运行脚本。
如何用VisualStudio编写一个利用滑块绘制扇形的小程序既可以正向绘制也可以反向绘制
Oracle基础入门
PXE高效批量网络装机
ubuntu安装gptsovits

原文地址：https://blog.csdn.net/dgffd/article/details/134299555