Requirement 1: create a Role and a ServiceAccount and bind them together. The ServiceAccount gets get, list and watch permission on pods. (k is an alias for kubectl throughout. None of the objects below set a namespace, so they are created in the namespace of the current context, normally default.)
1. Create the YAML file
$ cat > testsa.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testsa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: testsa-role
rules:
- apiGroups: # API group, e.g. apps; "" is the core group (namespaces, pods, services, pv, pvc live there)
  - ""
  resources: # resource names (plural), e.g. pods, deployments, services
  - pods
  verbs: # allowed operations; here get, list and watch
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testsa-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: testsa-role
subjects:
- kind: ServiceAccount
  name: testsa
  # no namespace given, so it defaults to the RoleBinding's own namespace
EOF
2. Apply the YAML
$ k apply -f testsa.yaml
3. Get a token (before v1.24 a long-lived token Secret was created automatically for every ServiceAccount; from v1.24 on nothing is created and a token has to be requested)
On v1.24 and later, request a bound token; it is a JWT with a limited lifetime (one hour unless requested otherwise) and is tied to the ServiceAccount:
$ k create token testsa
Before v1.24 there is nothing to generate: read the token from the auto-created Secret. That token has no expiry and stays valid until the Secret is deleted, so treat it like a long-lived password:
$ SECRET_NAME=$(kubectl get serviceaccount testsa -o jsonpath='{.secrets[0].name}')
$ k get secret $SECRET_NAME -o jsonpath='{.data.token}' | base64 -d
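Whichever way the token was obtained, it is a JWT whose payload can be read without the signing key. The script below is an added example, not part of the original page: it decodes the payload and checks the subject and the expiry before the token is handed to a client. A token from k create token carries exp and iat claims (one hour apart by default), while a legacy Secret token has no exp at all and keeps working until the Secret is deleted. The sample token embedded for the self-test is constructed here with a dummy signature; nothing in the script verifies signatures, only the API server does.

```shell
#!/bin/sh
# sa_token_check.sh: inspect a ServiceAccount token before handing it out.
# Usage:  kubectl create token testsa | sh sa_token_check.sh default testsa
#    or:  sh sa_token_check.sh default testsa "$TOKEN"
# Run with no arguments it checks the constructed sample token below.

# jwt_payload TOKEN -> decoded JSON payload (2nd dot-separated segment, base64url)
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in   # base64url drops the '=' padding; put it back
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# jwt_claim TOKEN NAME     -> a top-level string claim (sub, iss, ...)
# jwt_num_claim TOKEN NAME -> a top-level numeric claim (exp, iat, nbf)
jwt_claim()     { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }
jwt_num_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"; }

# token_lifetime TOKEN -> exp - iat in seconds; empty for a legacy token
token_lifetime() {
  exp=$(jwt_num_claim "$1" exp); iat=$(jwt_num_claim "$1" iat)
  if [ -n "$exp" ] && [ -n "$iat" ]; then echo $((exp - iat)); fi
}

# check_sa_token TOKEN NAMESPACE NAME
#   0: subject is system:serviceaccount:NAMESPACE:NAME and exp lies in the future
#   1: wrong subject, or the token has already expired
#   2: legacy Secret token (no exp: it never expires, so rotate it rather than trust it)
check_sa_token() {
  sub=$(jwt_claim "$1" sub)
  if [ "$sub" != "system:serviceaccount:$2:$3" ]; then
    echo "unexpected subject '$sub'" >&2; return 1
  fi
  exp=$(jwt_num_claim "$1" exp)
  if [ -z "$exp" ]; then
    echo "warning: no exp claim, legacy non-expiring token" >&2; return 2
  fi
  if [ "$exp" -le "$(date +%s)" ]; then
    echo "token expired at $exp" >&2; return 1
  fi
  return 0
}

# Constructed sample: a bound token for testsa in default, valid until 2100, with a
# one-hour lifetime. The signature segment is a dummy; only the API server checks it.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_PAYLOAD='{"aud":["https://kubernetes.default.svc"],"exp":4102444800,"iat":4102441200,'\
'"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:default:testsa"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"sample"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).c2lnbmF0dXJl"

if [ $# -ge 2 ]; then
  TOKEN=${3:-$(cat)}
  check_sa_token "$TOKEN" "$1" "$2" && echo "ok: $(jwt_claim "$TOKEN" sub), lifetime $(token_lifetime "$TOKEN")s"
else
  check_sa_token "$SAMPLE_TOKEN" default testsa && echo "sample ok: lifetime $(token_lifetime "$SAMPLE_TOKEN")s"
fi
```

Return code 2 is deliberately distinct from a hard failure: a legacy token does authenticate, but it cannot be time-bounded, so a deployment script can choose to warn and continue, or to refuse and ask for k create token instead.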
Requirement 2: grant the user user1 read access to Pods in the aming namespace
1. Issue a client certificate for user1 signed by the cluster CA. Kubernetes identifies the user by the certificate's CN and has no certificate revocation, so a certificate signed for 3650 days stays usable for ten years even if the key leaks; a shorter -days value is the only safeguard.
Binary install (CA in ca.pem / ca-key.pem):
$ cd /etc/kubernetes/pki/
$ openssl genrsa -out user1.key 2048
$ openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
$ openssl x509 -req -in user1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out user1.crt -days 3650
kubeadm install (CA in ca.crt / ca.key):
$ cd /etc/kubernetes/pki/
$ openssl genrsa -out user1.key 2048
$ openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
$ openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 3650
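The same issuance as above, packaged with the checks worth running before the certificate leaves the machine. This is an added example, not part of the original page: it puts a group into the subject's O= field (the API server maps CN to the user name and every O to a group, so a RoleBinding can later target a group instead of one user), signs for 30 days rather than 3650, then confirms the CN, the group, the chain to the CA and the remaining validity. The self-test generates a throwaway CA in a temporary directory; the /etc/kubernetes/pki paths in the comments are the kubeadm layout and the group name dev is an assumption.

```shell
#!/bin/sh
# issue_user_cert.sh: issue a short-lived kubectl client certificate and check it
# before handing it out. CA paths in the comments are the kubeadm layout
# (/etc/kubernetes/pki/ca.crt and ca.key); a binary install has ca.pem / ca-key.pem.
# Run with no arguments it builds a throwaway CA in a temp dir and exercises itself.

# issue_client_cert CA_CRT CA_KEY OUTDIR CN GROUP DAYS
# The API server takes the user name from CN and the groups from every O= in the
# subject, so membership is fixed at issuance: O=system:masters would be an
# unrevocable cluster-admin. Sign for an ordinary group such as dev.
issue_client_cert() {
  ca_crt=$1; ca_key=$2; out=$3; cn=$4; grp=$5; days=$6
  openssl genrsa -out "$out/$cn.key" 2048 2>/dev/null
  openssl req -new -key "$out/$cn.key" -out "$out/$cn.csr" -subj "/CN=$cn/O=$grp" 2>/dev/null
  openssl x509 -req -in "$out/$cn.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -out "$out/$cn.crt" -days "$days" 2>/dev/null
  rm -f "$out/$cn.csr"
  chmod 600 "$out/$cn.key"   # the key is the credential; keep it private
}

# subject_parts CERT -> the subject as one RDN per line (RFC2253 form: O=dev, CN=user1)
subject_parts() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//' | tr ',' '\n'
}
# cert_user CERT   -> the CN, i.e. the User subject RBAC will see
# cert_groups CERT -> the O values, one per line, i.e. the Group subjects
cert_user()   { subject_parts "$1" | sed -n 's/^CN=//p'; }
cert_groups() { subject_parts "$1" | sed -n 's/^O=//p'; }

# cert_verify CA_CRT CERT -> true if CERT chains to the cluster CA, which is all the API server checks
cert_verify() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_valid_at_least CERT DAYS -> true if CERT is still valid DAYS from now.
# Kubernetes cannot revoke client certificates, so lifetime is the only lever.
cert_valid_at_least() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# make_test_ca DIR: constructed stand-in for the cluster CA, used by the self-test only
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -days 3650 -subj "/CN=kubernetes" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_ca "$WORK"
# Real use: issue_client_cert /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.key /root user1 dev 30
issue_client_cert "$WORK/ca.crt" "$WORK/ca.key" "$WORK" user1 dev 30
cert_verify "$WORK/ca.crt" "$WORK/user1.crt" && \
  echo "issued user=$(cert_user "$WORK/user1.crt") groups=$(cert_groups "$WORK/user1.crt" | tr '\n' ' ')"
```

With a group in the certificate, the RoleBinding in step 4 could name kind: Group, name: dev and every developer certificate signed into that group would inherit the access without touching RBAC again.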
2. Build the kubeconfig file for user1
(1) Set the cluster entry (the CA path below matches the binary install; on a kubeadm cluster it is /etc/kubernetes/pki/ca.crt)
$ cd /etc/kubernetes/pki/
$ k config set-cluster myk8s \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://192.168.1.38:8443 \
--kubeconfig=/root/user1.kubecfg
If you do not know the server address, look it up with:
$ k cluster-info
(2) Inspect the user1 kubeconfig: users and contexts are still empty
$ k config view --kubeconfig=/root/user1.kubecfg
(3) Set the client credentials (the certificate and key from step 1 are embedded in the file)
$ cd /etc/kubernetes/pki/
$ k config set-credentials user1 \
--client-key=user1.key \
--client-certificate=user1.crt \
--embed-certs=true \
--kubeconfig=/root/user1.kubecfg
(4) Inspect again: the users section is now populated
$ k config view --kubeconfig=/root/user1.kubecfg
(5) Set the context
$ cd /etc/kubernetes/pki/
$ k config set-context user1@myk8s \
--cluster=myk8s \
--user=user1 \
--kubeconfig=/root/user1.kubecfg
(6) Inspect again: the contexts section is now populated
$ k config view --kubeconfig=/root/user1.kubecfg
(7) Make that context the current one in the file
$ k config use-context user1@myk8s --kubeconfig=/root/user1.kubecfg
3. Create the Role
(1) Define the YAML
$ cat > user1-role.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: aming
  name: user1-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
(2) Apply the YAML
$ k apply -f user1-role.yaml
4. Bind the user to the Role
(1) Define the YAML
$ cat > user1-rolebinding.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user1-rolebinding
  namespace: aming
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: user1-role
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
EOF
(2) Apply the YAML
$ k apply -f user1-rolebinding.yaml
5. Create a system user and give it the user1 kubeconfig (the file embeds user1's private key, so it must be readable by aming only)
$ useradd aming
$ mkdir /home/aming/.kube
$ cp /root/user1.kubecfg /home/aming/.kube/config
$ chown -R aming:aming /home/aming/.kube/
6. Switch to the regular user and access k8s: only Pods in the aming namespace are reachable. The first command queries the default namespace (the context sets none) and is refused with Forbidden, the second lists the pods, the third is refused because the Role covers pods only
$ su - aming
$ kubectl get po
$ kubectl get po -n aming
$ kubectl get deploy -n aming
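The three commands above check the binding by hand. As an added example (not part of the original page), the script below turns that check into a repeatable probe: a table of what user1 should and should not be allowed to do in aming and in another namespace is evaluated with kubectl auth can-i, either by impersonating the user (--as, which requires impersonation rights for the caller) or with the user1 kubeconfig built in step 2, and every deviation is reported as drift. The modeled_can_i backend simulates this page's Role and RoleBinding so the script can test itself offline; the kubeconfig path is the one used above and is an assumption where your layout differs.

```shell
#!/bin/sh
# rbac_probe.sh: check that a user can do exactly what the binding intends, no more.
# Usage: sh rbac_probe.sh user1                    (impersonate user1; needs impersonate rights)
#        sh rbac_probe.sh user1 kubeconfig_can_i   (ask as user1 through the kubeconfig built above)
# With no arguments the script checks itself against a model of this page's binding.

# One probe per line: namespace verb resource expected. The "no" rows matter most:
# they catch a binding that quietly grew broader than intended.
EXPECTED='
aming    get    pods         yes
aming    list   pods         yes
aming    watch  pods         yes
aming    delete pods         no
aming    get    deployments  no
default  get    pods         no
'

# Backends: each prints yes or no for (user, namespace, verb, resource).
real_can_i() {        # have the API server evaluate the request as the user
  kubectl auth can-i "$3" "$4" --as "$1" -n "$2" 2>/dev/null || true
}
kubeconfig_can_i() {  # same question, asked with the user's own credentials
  kubectl --kubeconfig "${USER_KUBECONFIG:-/root/user1.kubecfg}" auth can-i "$3" "$4" -n "$2" 2>/dev/null || true
}
modeled_can_i() {     # offline model of the Role/RoleBinding above, used for the self-test
  case "$1:$2:$3:$4" in
    user1:aming:get:pods|user1:aming:list:pods|user1:aming:watch:pods) echo yes ;;
    *) echo no ;;
  esac
}

# run_probes USER BACKEND -> prints one line per probe, returns the number of mismatches
run_probes() {
  user=$1; backend=${2:-real_can_i}; bad=0
  while read -r ns verb res want; do
    [ -n "$ns" ] || continue
    got=$("$backend" "$user" "$ns" "$verb" "$res")
    if [ "$got" = "$want" ]; then
      printf 'ok    %-8s %-6s %-12s %s\n' "$ns" "$verb" "$res" "$got"
    else
      printf 'DRIFT %-8s %-6s %-12s expected %s, got %s\n' "$ns" "$verb" "$res" "$want" "${got:-<no answer>}"
      bad=$((bad + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return $bad
}

if [ $# -eq 0 ]; then
  run_probes user1 modeled_can_i
else
  run_probes "$1" "${2:-real_can_i}"
fi
```

The exit status is the number of drifted rows, so the script drops straight into a CI job or a cron check: zero means the binding still grants exactly the three verbs on pods in aming and nothing elsewhere.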
7. Restore: remove the objects created above
$ k delete -f user1-rolebinding.yaml
$ k delete -f user1-role.yaml
$ k delete -f testsa.yaml