kubernetes集群编排——k8s认证授权

pod绑定sa

[root@k8s2 ~]# kubectl create sa admin

[root@k8s2 secret]# vim pod5.yaml

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: admin
  containers:
    - name: nginx
      image: nginx

kubectl apply -f pod5.yaml

kubectl get pod -o yaml

认证

[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl  x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365

[root@k8s2 pki]#  kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
[root@k8s2 pki]# kubectl config view

切换用户

[root@k8s2 pki]# kubectl config use-context test@kubernetes

[root@k8s2 pki]# kubectl get pod

默认用户没有任何权限，需要授权

切回admin

[root@k8s2 pki]# kubectl config use-context kubernetes-admin@kubernetes

[root@k8s2 rbac]# vim roles.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io

[root@k8s2 rbac]# kubectl apply -f roles.yaml

[root@k8s2 rbac]# kubectl config use-context test@kubernetes

[root@k8s2 rbac]# kubectl run demo --image nginx

[root@k8s2 rbac]# kubectl get pod

现在只能操作pod资源，其它不行

[root@k8s2 rbac]# kubectl get deployments.apps

切回admin

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes

授权

[root@k8s2 rbac]# vim clusteroles.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                      #RoleBinding必须指定namespace
metadata:
  name: rolebind-myclusterrole
  namespace:  default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding               #ClusterRoleBinding全局授权，无需指定namespace
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test

[root@k8s2 rbac]# kubectl apply -f clusteroles.yaml

[root@k8s2 rbac]# kubectl config use-context test@kubernetes

[root@k8s2 rbac]# kubectl get deployments.apps -A

切回admin

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes

回收

[root@k8s2 rbac]# kubectl delete -f roles.yaml

[root@k8s2 rbac]# kubectl config delete-user test

[root@k8s2 rbac]# kubectl config delete-context test@kubernetes

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：/a/124997.html

如若内容造成侵权/违法违规/事实不符，请联系我们进行投诉反馈qq邮箱809451989@qq.com，一经查实，立即删除！