# 1) Create the private key for the new user
[root@k8s-master01 pki]# cd /etc/kubernetes/pki/
# umask 077 inside a subshell: dev.key is created without group/other permissions,
# and the restrictive umask does not leak into the rest of the session.
[root@k8s-master01 pki]# (umask 077;openssl genrsa -out dev.key 2048)
# 2) Sign the request with the cluster CA (ca.crt / ca.key in this directory)
# 2-1) Certificate signing request: the requested user is dev (CN), the group is devgroup (O)
[root@k8s-master01 pki]# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev/O=devgroup"
# 2-2) Sign the certificate
# NOTE(review): -days 3650 issues a 10-year client certificate. Kubernetes does not
# check revocation for client certificates, so a leaked dev.key stays valid until the
# certificate expires; the only lever left is removing the RBAC bindings for the
# user/group. A much shorter lifetime with re-issuance is the safer choice.
[root@k8s-master01 pki]# openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dev.crt -days 3650
# 3) Set the cluster, user and context entries
# NOTE(review): no --kubeconfig is passed, so these entries are written into the
# kubeconfig kubectl uses by default for root (~/.kube/config unless KUBECONFIG is set),
# next to whatever credentials that file already holds. --embed-certs=true inlines
# dev.key into it, so anyone who receives a copy of that file receives every
# credential in it, not only the dev entry.
[root@k8s-master01 pki]# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.109.100:6443
[root@k8s-master01 pki]# kubectl config set-credentials dev --embed-certs=true --client-certificate=/etc/kubernetes/pki/dev.crt --client-key=/etc/kubernetes/pki/dev.key
# The context sets no --namespace, so commands run under it target "default"
# unless -n is given.
[root@k8s-master01 pki]# kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev
# Switch the current context to dev
[root@k8s-master01 pki]# kubectl config use-context dev@kubernetes
Switched to context "dev@kubernetes".
创建Role和RoleBinding,为用户授权
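# Role: read-only access to Pods, valid in the "dev" namespace only.
# Subresources such as pods/log or pods/exec are not listed and therefore not granted.
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: dev-role
rules:
- apiGroups: [""]   # "" is the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# RoleBinding: grants dev-role to the user "dev", i.e. the CN of the client certificate.
# Binding the single user rather than a group keeps the grant as narrow as possible.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: authorization-role-binding
  namespace: dev
subjects:
- kind: User
  name: dev
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io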
创建系统用户
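# Create the local account that will use the restricted kubeconfig.
useradd dev
# Set the password interactively. A literal password piped to chpasswd is recorded
# in shell history and in every copy of these instructions.
passwd dev

# Build a kubeconfig that holds ONLY the dev credentials. Copying /root/.kube/*
# instead would also hand over any other contexts and keys stored in root's
# kubeconfig, and the dev account could then switch context and step outside
# the permissions bound to the "dev" user.
mkdir -p /home/dev/.kube
chmod 700 /home/dev/.kube
kubectl config set-cluster kubernetes --embed-certs=true \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --server=https://192.168.109.100:6443 \
  --kubeconfig=/home/dev/.kube/config
kubectl config set-credentials dev --embed-certs=true \
  --client-certificate=/etc/kubernetes/pki/dev.crt \
  --client-key=/etc/kubernetes/pki/dev.key \
  --kubeconfig=/home/dev/.kube/config
kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev \
  --kubeconfig=/home/dev/.kube/config
kubectl config use-context dev@kubernetes --kubeconfig=/home/dev/.kube/config

# The original line read "chown dev.dev/home/dev/.kube/ -R" (missing space, so the
# command fails); user:group is the current chown separator.
chown -R dev:dev /home/dev/.kube/
# The file embeds the client private key: owner-only access.
chmod 600 /home/dev/.kube/config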
添加环境变量
[dev@master ~]$ vim .bashrc
# Presumably the next two lines are what gets added to .bashrc in the editor:
# point kubectl at the per-user kubeconfig and select the dev context at login.
export KUBECONFIG=/home/dev/.kube/config
kubectl config use-context dev@kubernetes
[dev@master ~]$ source .bashrc
# NOTE(review): the dev@kubernetes context is created without a namespace, so this
# queries "default", where dev-role grants nothing; expect Forbidden. The check that
# exercises the Role is "kubectl get pods -n dev".
[dev@master ~]$ kubectl get pods
# NOTE(review): chattr +i only makes the file immutable. It is not an access
# control: the variable and the context can still be changed in an interactive
# shell. What the account can do is decided by the credentials present in its
# kubeconfig and by RBAC. The path is relative, so this acts on .bashrc in root's
# current directory, presumably /home/dev (confirm).
[root@master]# chattr +i .bashrc
kubernetes伪多租户