rbac
k8s 里面有两种用户：一种是 User，一种是 Service Account。User 给人用，Service Account 给进程用，让进程获得相关的权限。
1. 创建 namespace 普通用户
master 操作
# Run on the master: create the namespace, tag the two worker nodes with it,
# and make the cert user an admin of that namespace only (namespaced RoleBinding
# to the built-in "admin" ClusterRole, not a ClusterRoleBinding).
kubectl create namespace bst-petrel-st
# Label the nodes that belong to this namespace.
for node in 10.0.43.33 10.0.43.9; do
  kubectl label nodes "$node" k8s.wonhigh.cn/namespace=bst-petrel-st
done
# Grant the user admin rights scoped to the namespace.
kubectl create rolebinding user-bst-petrel-st-binding \
  --clusterrole=admin \
  --user=user-bst-petrel-st \
  --namespace=bst-petrel-st
root 操作:
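# Run as root: create the OS account, install the CLI tools, mint a client
# certificate for the k8s user and build the cluster half of its kubeconfig.
adduser bst-petrel-st
passwd bst-petrel-st
cp /root/local/bin/docker* /usr/local/bin/
cp /root/local/bin/kubectl /usr/local/bin/
# NOTE(review): this puts the namespace-restricted account into the root group,
# which undercuts the least-privilege intent of the namespaced RoleBinding; -G
# without -a also replaces the user's existing supplementary groups. Keep it only
# if a concrete need is confirmed (the cert files below are chown'ed to the user,
# so they no longer require it).
usermod -G root bst-petrel-st
# Copy the CSR template; a failed cd must not let the sed/cp below run elsewhere.
cd /etc/kubernetes/ssl || exit 1
cp admin-csr.json user-bst-petrel-st-csr.json
# CN becomes the Kubernetes user name. The O field becomes the group: it must not
# stay "system:masters", which Kubernetes treats as cluster-admin regardless of RBAC.
sed -i 's/admin/user-bst-petrel-st/g' user-bst-petrel-st-csr.json
sed -i 's/system:masters/k8s/g' user-bst-petrel-st-csr.json
# Generate the client certificate and key, signed by the cluster CA.
/root/local/bin/cfssl gencert \
  -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/etc/kubernetes/ssl/ca-config.json \
  -profile=kubernetes user-bst-petrel-st-csr.json | /root/local/bin/cfssljson -bare user-bst-petrel-st
# Cluster entry of the kubeconfig (written into the current dir, /etc/kubernetes/ssl).
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://10.0.43.251:8443 \
  --kubeconfig=user-bst-petrel-st.kubeconfig
# Give the key, cert and kubeconfig to the target user only. The original
# "chmod +r" made the private key readable by every account on the host.
chown bst-petrel-st: /etc/kubernetes/ssl/user-bst-petrel-st*
chmod 600 /etc/kubernetes/ssl/user-bst-petrel-st*
# Remove execute permission on cfssl for everyone but root.
chmod 744 /root/local/bin/cfssl*
# List the cluster roles available for binding.
kubectl get clusterrole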
bst-petrel-st 操作:
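# Run as bst-petrel-st: finish the kubeconfig with the user's own cert/key,
# install it as the default config and drop the loose key files.
cd ~ || exit 1
\cp -f /etc/kubernetes/ssl/user-bst-petrel-st* /home/bst-petrel-st/
# User entry: cert and key are embedded, so the kubeconfig alone carries the key.
kubectl config set-credentials user-bst-petrel-st \
  --client-certificate=user-bst-petrel-st.pem \
  --embed-certs=true \
  --client-key=user-bst-petrel-st-key.pem \
  --kubeconfig=user-bst-petrel-st.kubeconfig
# Context: pin the namespace so plain kubectl calls land in bst-petrel-st.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=user-bst-petrel-st \
  --namespace=bst-petrel-st \
  --kubeconfig=user-bst-petrel-st.kubeconfig
# Select that context.
kubectl config use-context kubernetes --kubeconfig=user-bst-petrel-st.kubeconfig
# Install as the default kubeconfig. A fresh account has no ~/.kube yet, so
# create it first; the file embeds the private key, so keep it owner-only.
mkdir -p ~/.kube
\cp -f ./user-bst-petrel-st.kubeconfig ~/.kube/config
chmod 600 ~/.kube/config
# Remove the intermediate cert/key/csr files (plain files, no recursion needed).
rm -f -- ~/user-bst-petrel-st*
# Show the token. Guard the lookup: with an empty result the original command ran
# "describe secret" with no name and dumped every secret in the namespace.
# NOTE(review): a cert-based user has no secret of its own; this only finds
# something if a secret/service account named user-bst-petrel-st exists — confirm.
secret_name=$(kubectl -n=bst-petrel-st get secret | grep user-bst-petrel-st | awk '{print $1}')
if [[ -n "$secret_name" ]]; then
  kubectl -n=bst-petrel-st describe secret "$secret_name"
else
  printf 'no secret matching user-bst-petrel-st in namespace bst-petrel-st\n' >&2
fi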
2. 参考资料
kubernetes dashboard访问用户添加权限控制