目录
k8s认证授权
pod绑定sa
认证
授权
k8s认证授权
pod绑定sa
[root@k8s2 ~]# kubectl create sa admin //在当前 Kubernetes 集群中创建一个名为 "admin" 的新服务账户
[root@k8s2 secret]# vim pod3.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
serviceAccountName: admin
containers:
- name: nginx
image: nginx
认证
[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365
[root@k8s2 pki]# kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
[root@k8s2 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.56.172:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: test
name: test@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: test
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
切换用户
[root@k8s2 pki]# kubectl config use-context test@kubernetes
[root@k8s2 pki]# kubectl get pod 
默认用户没有任何权限,需要授权
切回admin
[root@k8s2 pki]# kubectl config use-context kubernetes-admin@kubernetes
[root@k8s2 rbac]# vim roles.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: myrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-read-pods
namespace: default
subjects:
- kind: User
name: test
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: myrole
apiGroup: rbac.authorization.k8s.io
[root@k8s2 rbac]# kubectl apply -f roles.yaml
role.rbac.authorization.k8s.io/myrole created
rolebinding.rbac.authorization.k8s.io/test-read-pods created
[root@k8s2 rbac]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@k8s2 rbac]# kubectl run demo --image nginx
[root@k8s2 rbac]# kubectl get pod
现在只能操作pod资源,其它不行
切回admin
[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes
授权
[root@k8s2 rbac]# vim roles.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: myrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-read-pods
namespace: default
subjects:
- kind: User
name: test
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: myrole
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myclusterrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding #RoleBinding必须指定namespace
metadata:
name: rolebind-myclusterrole
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding #ClusterRoleBinding全局授权,无需指定namespace
metadata:
name: clusterrolebinding-myclusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
[root@k8s2 rbac]# kubectl apply -f roles.yaml
[root@k8s2 rbac]# kubectl config use-context test@kubernetes
[root@k8s2 rbac]# kubectl get deployments.apps -A
切回admin 回收
[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes
[root@k8s2 rbac]# kubectl delete -f roles.yaml
[root@k8s2 rbac]# kubectl config delete-user test
[root@k8s2 rbac]# kubectl config delete-context test@kubernetes
