Authorization
Tip:
Normally we access the cluster through the RESTful API, for example kubectl get pod.
Under the hood this also goes over HTTP.
First expose port 8080:
kubectl proxy --port=8080
Example 1:
In another terminal:
curl http://localhost:8080/api/v1/namespaces
This lists all namespaces under API version v1.
Example 2:
[root@master helm]# kubectl get deployments.apps -n kube-system
NAME READY UP-TO-DATE AVAILABLE AGE
coredns 2/2 2 2 19d
[root@master helm]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/
These two give equivalent results.
HTTP request verbs:
get, post, put, delete
API request verbs:
get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection
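As an added example (not from the original notes), the following Python shows how the API request verbs are derived from the HTTP verb plus the shape of the URL, which is what the authorizer later checks; the two paths from examples 1 and 2 above are reproduced at the bottom. proxy and redirect are not modelled.

```python
# Added example (not from the original notes): mapping between API request verbs,
# HTTP verbs and API server URL paths. Only resource URLs are modelled.

VERB_TO_HTTP = {  # API request verb -> (HTTP method, acts on one named object?)
    "get": ("GET", True), "list": ("GET", False), "watch": ("GET", False),
    "create": ("POST", False), "update": ("PUT", True), "patch": ("PATCH", True),
    "delete": ("DELETE", True), "deletecollection": ("DELETE", False),
}

def api_request(verb, resource, group="", version="v1", namespace=None, name=None):
    """Return (http_method, path) for an API request verb.
    group="" is the core group (/api/<version>); every other group lives under /apis/.
    namespace=None means a cluster-scoped request (e.g. `kubectl get pod -A`)."""
    if verb not in VERB_TO_HTTP:
        raise ValueError(f"unsupported API verb: {verb}")  # proxy/redirect not modelled
    method, single = VERB_TO_HTTP[verb]
    if single and name is None:
        raise ValueError(f"{verb} needs an object name")
    base = f"/api/{version}" if group == "" else f"/apis/{group}/{version}"
    if namespace is not None:
        base += f"/namespaces/{namespace}"
    path = f"{base}/{resource}"
    if single:
        path += f"/{name}"
    if verb == "watch":
        path += "?watch=true"
    return method, path

def http_to_api_verb(method, single_object, watch=False):
    """The reverse mapping the API server applies before authorization: the same
    HTTP method becomes a different RBAC verb depending on the URL shape."""
    if method == "GET":
        return "watch" if watch else ("get" if single_object else "list")
    by_method = {"POST": "create", "PUT": "update", "PATCH": "patch",
                 "DELETE": "delete" if single_object else "deletecollection"}
    return by_method[method]

if __name__ == "__main__":
    print(api_request("list", "namespaces"))                                          # example 1
    print(api_request("list", "deployments", group="apps", namespace="kube-system"))  # example 2
    print(api_request("get", "pods", namespace="dev", name="nginx"))
```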
API Server authorization modes:
• AlwaysDeny: reject all requests
• AlwaysAllow: allow all requests
• ABAC: attribute-based access control, using user-configured authorization rules
• Webhook: authorize users by calling an external REST service
• RBAC: role-based access control (the default)
Set with --authorization-mode.
RBAC:
Introduced in k8s 1.5.
• Covers both resource and non-resource endpoints in the cluster
• The whole of RBAC is expressed in a handful of API objects, which can be managed with kubectl or the API
• Takes effect dynamically at runtime, no API server restart needed
The Chinese official docs explain RBAC in detail and are good for practicing:
RBAC docs: https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
Practice:
1. Create the user and password
adduser userdev
passwd userdev
2. Create the certificate:
mkdir -p /usr/local/install-k8s/cert/userdev
vim /usr/local/install-k8s/cert/userdev/userdev-csr.json
{
  "CN": "userdev",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
3. Download the certificate generation tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cd /etc/kubernetes/pki/
This directory holds the certificates reserved for the k8s system itself.
All HTTPS certificates are issued against the cluster's root CA, which we now use to sign the request:
cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /usr/local/install-k8s/cert/userdev/userdev-csr.json | cfssljson -bare userdev
After running this, three new files appear: userdev-key.pem, userdev.pem and userdev.csr.
userdev.csr: the certificate signing request, which is sent to the CA
userdev.pem: the certificate
userdev-key.pem: the private key
4. Set the cluster parameters
cd /usr/local/install-k8s/cert/userdev/
export KUBE_APISERVER="https://192.168.10.180:6443"
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=userdev.kubeconfig
This generates a userdev.kubeconfig file in the current directory.
[root@master cert]# cat userdev.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01USXdNVEF4TXpJMU4xb1hEVE13TVRFeU9UQXhNekkxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTjBMCldmbUJIdEc5a2lycVZ4U3U3WEtETm05QjdZcTNlSjRvaFVPZ2JFQjZZYVNYNU5ENnZXWDFLS2lWZWRoMGZTc3UKVEQyTFBSYVNqSXVlOXNpOERxWWR5aVlPVlNETFl1bzNzTnB3MmkwK1hJd0FnQVJQd215YzdGUVR3ckxxcDdPRgpsZVowejdndlQ5NHB3REhpZXJRdGVNSlZ5cXkrenRvcnA3bXZHNXEzV0Jtc3ZVRFByVytiRHlFRFozKzVlMXpZCkVXaWtQeDRwclRQb2RCaHNVWG1ZRVNQMzhsd0dTN2xNZVJabnBwck9oWlk4MGVzcXFHUyt2YndIbmpaOEhQc3kKZDlkaStJWDBrTXoyUHBWWmJVK1Q4a3FZM1F6blZ6Qm13OEtSd2czRi8wMm5raVNzU09JbEU4NGRtMzJJY1JOKwpZamp1ZWZuVnNKL3JralE4eUVFQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJVjhCSUN2a01QelkyYmZVdnRFdWgybHV4OFVNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCOFExMkxiLzcvcGRXZDNuWjEyMUFobS9QZFdHbkxLSWVqdUtxbEVVRWc5cFJEcGI5Mwppbjg4TmpIVFRnY2ZScE5zbzZjYnJmUEtCRW10Sk9XRjRFWWdDdThXb0loV0ZPWXRqckdKZUtkOGhTbS9XY2M3Cm9nN1YxKzQ0MkxsYS81Wk9SRHlmRmhTeThtRit3ZnBoQ25mTklGUW4veGY2ME1WWWJ3YkJhL3ord0J2Uis4UmgKTS91NG9hNFU5aUhDRkE4UFhOU0ZKUGdWdVFSUU5lSDNOSDhrU1FtSk9MbC95MWRmYXoxMFlQWmNsSkZFQ1pRegpobXFPMGpMR29QbVlERGtrY0E5NTdCa1NRTTRvSy9nQkdmSENpOU1UTFdHaCtRNDRyZXFTbjBOQWQvYzM3Z0g3Cm1XL0tqeDkzRlJCdnAzcUdLeklVaWFjSU5XUE9DTWdjMUNsZwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.10.180:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
At this point the cluster information is present under clusters.
5. Set the client authentication parameters
kubectl config set-credentials userdev --client-certificate=/etc/kubernetes/pki/userdev.pem --client-key=/etc/kubernetes/pki/userdev-key.pem --embed-certs=true --kubeconfig=userdev.kubeconfig
[root@master cert]# cat userdev.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01USXdNVEF4TXpJMU4xb1hEVE13TVRFeU9UQXhNekkxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTjBMCldmbUJIdEc5a2lycVZ4U3U3WEtETm05QjdZcTNlSjRvaFVPZ2JFQjZZYVNYNU5ENnZXWDFLS2lWZWRoMGZTc3UKVEQyTFBSYVNqSXVlOXNpOERxWWR5aVlPVlNETFl1bzNzTnB3MmkwK1hJd0FnQVJQd215YzdGUVR3ckxxcDdPRgpsZVowejdndlQ5NHB3REhpZXJRdGVNSlZ5cXkrenRvcnA3bXZHNXEzV0Jtc3ZVRFByVytiRHlFRFozKzVlMXpZCkVXaWtQeDRwclRQb2RCaHNVWG1ZRVNQMzhsd0dTN2xNZVJabnBwck9oWlk4MGVzcXFHUyt2YndIbmpaOEhQc3kKZDlkaStJWDBrTXoyUHBWWmJVK1Q4a3FZM1F6blZ6Qm13OEtSd2czRi8wMm5raVNzU09JbEU4NGRtMzJJY1JOKwpZamp1ZWZuVnNKL3JralE4eUVFQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJVjhCSUN2a01QelkyYmZVdnRFdWgybHV4OFVNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCOFExMkxiLzcvcGRXZDNuWjEyMUFobS9QZFdHbkxLSWVqdUtxbEVVRWc5cFJEcGI5Mwppbjg4TmpIVFRnY2ZScE5zbzZjYnJmUEtCRW10Sk9XRjRFWWdDdThXb0loV0ZPWXRqckdKZUtkOGhTbS9XY2M3Cm9nN1YxKzQ0MkxsYS81Wk9SRHlmRmhTeThtRit3ZnBoQ25mTklGUW4veGY2ME1WWWJ3YkJhL3ord0J2Uis4UmgKTS91NG9hNFU5aUhDRkE4UFhOU0ZKUGdWdVFSUU5lSDNOSDhrU1FtSk9MbC95MWRmYXoxMFlQWmNsSkZFQ1pRegpobXFPMGpMR29QbVlERGtrY0E5NTdCa1NRTTRvSy9nQkdmSENpOU1UTFdHaCtRNDRyZXFTbjBOQWQvYzM3Z0g3Cm1XL0tqeDkzRlJCdnAzcUdLeklVaWFjSU5XUE9DTWdjMUNsZwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.10.180:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: userdev
user:
client-certificate-data: …
client-key-data: …
Now the user information is present under users:
6. Set the context parameters
Create the dev namespace:
kubectl create ns dev
kubectl config set-context kubernetes --cluster=kubernetes --user=userdev --namespace=dev --kubeconfig=userdev.kubeconfig
[root@master cert]# cat userdev.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: …
server: https://192.168.10.180:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: dev
user: userdev
name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: userdev
user:
client-certificate-data: …
client-key-data: …
The context parameters are now present:
7. Grant permissions with a RoleBinding:
[root@master cert]# kubectl create rolebinding userdev-admin-binding --clusterrole=admin --user=userdev --namespace=dev
rolebinding.rbac.authorization.k8s.io/userdev-admin-binding created
rolebinding name: userdev-admin-binding
clusterrole: the permissions being granted
user, namespace: the target of the grant
8. Set the current context:
kubectl config use-context kubernetes --kubeconfig=userdev.kubeconfig
9. Using it as the user:
mkdir /home/userdev/.kube/
Copy the generated config into /home/userdev/.kube/:
cp userdev.kubeconfig /home/userdev/.kube/
Change the ownership of the files:
chown -R userdev:userdev /home/userdev/.kube/
Switch user:
su userdev
cd ~/.kube/
Rename the file to the default name that kubectl reads:
mv userdev.kubeconfig config
Verify:
kubectl get pod
Only the pods in the dev namespace are shown, and there is no need to add -n dev to select the namespace.
With -n default, however, no pods can be queried, and the same goes for every other namespace, because we only granted permissions in the dev namespace.
[userdev@master root]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 112s 10.244.2.48 node2 <none> <none>
[userdev@master root]$ kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "testuser" cannot list resource "pods" in API group "" at the cluster scope
[userdev@master root]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "testuser" cannot list resource "pods" in API group "" in the namespace "default"
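As an added example (not part of the original notes), the following Python models the decision the RBAC authorizer makes for the three commands above: the RoleBinding from step 7 references the built-in admin ClusterRole, but a RoleBinding only grants those rules inside its own namespace, so the list at cluster scope (-A) and in default are both denied. The admin rules are a constructed subset of the real ClusterRole, and the user name userdev is the one Kubernetes takes from the certificate's CN.

```python
# Added example (not from the original notes): a small model of RBAC evaluation
# for the walkthrough's user. Rules below are constructed, not the real admin role.
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:                  # one entry of a Role/ClusterRole "rules" list
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

@dataclass
class Binding:               # RoleBinding (namespace set) or ClusterRoleBinding (namespace=None)
    subjects: Set[str]       # user names (the x509 authenticator takes these from CN)
    rules: List[Rule]        # rules of the Role/ClusterRole the binding references
    namespace: Optional[str]

# Constructed subset of the built-in "admin" ClusterRole (the real one is much longer).
ADMIN_RULES = [Rule({""}, {"pods", "services", "configmaps"},
                    {"get", "list", "watch", "create", "update", "patch",
                     "delete", "deletecollection"})]

# Step 7: kubectl create rolebinding ... --clusterrole=admin --user=userdev --namespace=dev
BINDINGS = [Binding({"userdev"}, ADMIN_RULES, "dev")]

def _matches(rule, api_group, resource, verb):
    return all(want in have or "*" in have for want, have in
               ((api_group, rule.api_groups), (resource, rule.resources), (verb, rule.verbs)))

def authorize(user, verb, resource, namespace, api_group="", bindings=BINDINGS):
    """namespace=None is a cluster-scoped request, e.g. `kubectl get pod -A`."""
    for b in bindings:
        if user not in b.subjects:
            continue
        # A RoleBinding applies only inside its own namespace. Referencing a ClusterRole
        # does not widen it: cluster-scoped requests still need a ClusterRoleBinding.
        if b.namespace is not None and namespace != b.namespace:
            continue
        if any(_matches(r, api_group, resource, verb) for r in b.rules):
            return True
    return False  # no rule matched: RBAC denies by default

def explain(user, verb, resource, namespace):
    if authorize(user, verb, resource, namespace):
        return "allowed"
    scope = "at the cluster scope" if namespace is None else f'in the namespace "{namespace}"'
    return f'User "{user}" cannot {verb} resource "{resource}" in API group "" {scope}'

if __name__ == "__main__":
    print(explain("userdev", "list", "pods", "dev"))      # kubectl get pod
    print(explain("userdev", "list", "pods", None))       # kubectl get pod -A
    print(explain("userdev", "list", "pods", "default"))  # kubectl get pod -n default
```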