User Account
Introduction
A Kubernetes user account is used directly from a terminal to read and write the resources (and non-resource endpoints) it has been granted access to, whereas a Service Account is normally bound to a program that calls the API. Kubernetes stores no user objects: a "user" is simply the identity the API server derives from a credential, in this page the CN of a client certificate signed by the cluster CA, and RBAC then decides what that identity may do.
1. Creating a user
Working in the directory that holds the cluster CA (ca.crt and ca.key; /etc/kubernetes/pki on a kubeadm cluster), generate a key, a CSR whose CN is the user name, and a CA-signed certificate, then add the credentials and a context to the kubeconfig:
openssl genrsa -out wzh.key 2048
openssl req -new -key wzh.key -out wzh.csr -subj "/CN=wzh"
openssl x509 -req -in wzh.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wzh.crt -days 3650
kubectl config set-credentials wzh --client-certificate=./wzh.crt --client-key=./wzh.key --embed-certs=true
kubectl config set-context wzh@kubernetes --cluster=kubernetes --user=wzh
Note that the API server checks no revocation list for client certificates, so the certificate issued above stays valid for the full 3650 days even if wzh.key leaks; a much shorter lifetime is the usual choice for a real user. The resulting kubeconfig now holds two users:
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.93.145:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: wzh
  name: wzh@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: wzh
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Switching to the wzh context and listing pods shows that the certificate authenticates the user, but that the user has not yet been granted any permissions (authentication succeeded; authorization failed):
[root@master pki]# kubectl config use-context wzh@kubernetes
[root@master pki]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "wzh" cannot list resource "pods" in API group "" in the namespace "default"
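The procedure above as one script, added here as an example and not taken from the original post. It assumes a kubeadm layout (cluster CA in /etc/kubernetes/pki, kubeconfig cluster entry named "kubernetes") and takes the user name, a group name and the validity in days as arguments. It goes slightly beyond the page: the CSR also carries an O= group so RBAC can bind the group rather than each user, the certificate is restricted to TLS client authentication, and, after reproducing the Forbidden result with `kubectl auth can-i`, it applies a pod-reader Role/RoleBinding (names `pod-reader` and `pod-reader-<group>` are this example's own) so the check turns to "yes". Run with no arguments, it only exercises the certificate functions against a throwaway CA.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate-user procedure
# above as one script, run as root on the control plane.
# Assumptions: kubeadm layout with the cluster CA in /etc/kubernetes/pki, a
# kubeconfig cluster entry named "kubernetes", and user name, group name and
# validity in days passed as arguments (e.g. "wzh dev 365").
set -eu

# Issue a key and CA-signed client certificate for NAME in GROUP.
# The API server takes the user name from CN and the group from O; the page's
# CSR set only CN, so that user belongs to no group and must be bound one by one.
gen_user_cert() {
  name=$1 group=$2 days=$3 ca_dir=$4 out_dir=$5
  ext="$out_dir/$name.ext"
  openssl genrsa -out "$out_dir/$name.key" 2048 2>/dev/null
  chmod 600 "$out_dir/$name.key"
  openssl req -new -key "$out_dir/$name.key" -out "$out_dir/$name.csr" \
    -subj "/CN=$name/O=$group"
  # Mark the certificate as usable for TLS client authentication only.
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$ext"
  openssl x509 -req -in "$out_dir/$name.csr" -CA "$ca_dir/ca.crt" \
    -CAkey "$ca_dir/ca.key" -CAcreateserial -days "$days" -extfile "$ext" \
    -out "$out_dir/$name.crt" 2>/dev/null
  rm -f "$out_dir/$name.csr" "$ext"
}

# Print the subject the API server will see (CN = user, O = group).
cert_identity() { openssl x509 -in "$1" -noout -subject; }

# Non-zero unless the certificate in $2 chains to the CA certificate in $1.
cert_verify() { openssl verify -CAfile "$1" "$2" >/dev/null; }

# Add the credentials and a context to the kubeconfig kubectl is using.
register_user() {
  name=$1 out_dir=$2
  kubectl config set-credentials "$name" --client-certificate="$out_dir/$name.crt" \
    --client-key="$out_dir/$name.key" --embed-certs=true
  kubectl config set-context "$name@kubernetes" --cluster=kubernetes --user="$name"
}

# Ask the API server whether NAME may list pods in default, without switching
# the current context. Before any binding exists the answer is "no" (exit 1),
# which is the Forbidden error shown above.
can_list_pods() { kubectl --context="$1@kubernetes" auth can-i list pods -n default; }

# Beyond what the page shows: a read-only Role on pods in default, bound to the
# group carried in the certificate rather than to the single user.
grant_pod_reader() {
  kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: default}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pod-reader-$1, namespace: default}
subjects:
- {kind: Group, name: $1, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
EOF
}

main() {
  name=$1 group=$2 days=${3:-365}
  out_dir=/root/k8s-users            # assumed location for issued user material
  mkdir -p "$out_dir" && chmod 700 "$out_dir"
  gen_user_cert "$name" "$group" "$days" /etc/kubernetes/pki "$out_dir"
  cert_verify /etc/kubernetes/pki/ca.crt "$out_dir/$name.crt"
  cert_identity "$out_dir/$name.crt"
  register_user "$name" "$out_dir"
  can_list_pods "$name" || echo "denied, as expected before any RoleBinding"
  grant_pod_reader "$group"
  can_list_pods "$name"
}

if [ $# -gt 0 ]; then
  main "$@"
else
  # No arguments: offline check against a throwaway CA (never use it for a real cluster).
  demo_dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/ca.key" \
    -out "$demo_dir/ca.crt" -subj "/CN=demo-ca" -days 1 2>/dev/null
  gen_user_cert wzh dev 30 "$demo_dir" "$demo_dir"
  cert_verify "$demo_dir/ca.crt" "$demo_dir/wzh.crt" && cert_identity "$demo_dir/wzh.crt"
fi
```

`kubectl auth can-i` is the quick way to confirm what a freshly created identity can do before handing its kubeconfig to anyone; binding the group instead of the user means the next user certificate with O=dev needs no new RoleBinding.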
2. Driving Kubernetes from a Linux system user
Create the Linux system user wzh01 and place the Kubernetes configuration for wzh in its home directory. Be aware that /root/.kube/config, as shown above, also contains the kubernetes-admin client certificate and key and still has kubernetes-admin@kubernetes as its current-context, so copying the whole directory hands wzh01 cluster-admin access; for a real user, copy only the wzh user, context and cluster entries and make wzh@kubernetes the current context.
useradd -m wzh01
passwd wzh01
cp -ar /root/.kube /home/wzh01
chown -R wzh01:wzh01 /home/wzh01/.kube/
Access the Pods in the default namespace as the wzh system user:
[root@master ~]# su - wzh
[wzh@master ~]$ kubectl get pod
error: error loading config file "/home/wzh/.kube/config": open /home/wzh/.kube/config: permission denied
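A safer way to provision the per-account kubeconfig than copying /root/.kube, added here as an example and not part of the original post. `kubectl config view --minify --flatten --context=<ctx>` emits only the named context with its user and cluster and inlines the certificate data, so the account gets a self-contained file without the kubernetes-admin credentials; the script then sets ownership and mode so the account can read it (the permission-denied error above) while nobody else can. The account name and context are passed as arguments (`wzh01` and `wzh@kubernetes` on this page); the embedded kubeconfig is a constructed sample modelled on the `kubectl config view` output above, used only to run the admin-credential check offline.

```shell
#!/bin/sh
# Added example, not from the original post: give a Linux account its own
# kubeconfig that contains only the wzh credentials, instead of copying
# /root/.kube, which also carries the kubernetes-admin client certificate and
# leaves kubernetes-admin@kubernetes as the current context.
# Assumed inputs: the Linux account and the kubeconfig context, passed as
# arguments ("wzh01" and "wzh@kubernetes" on this page); root's kubeconfig is
# whatever kubectl reads when run as root.
set -eu

# Print the user entries a kubeconfig carries: the "- name:" items that sit
# under the top-level "users:" key (contexts and clusters have their own lists).
kubeconfig_users() {
  awk '/^users:/ { in_users = 1; next }
       /^[A-Za-z]/ { in_users = 0 }
       in_users && /^- name: / { print $3 }' "$1"
}

# Succeed only if the file carries no kubernetes-admin credentials.
assert_no_admin() {
  ! kubeconfig_users "$1" | grep -qx kubernetes-admin
}

# Build the per-account file from root's kubeconfig. --minify keeps just the
# named context with its user and cluster, --flatten inlines the certificate
# and key so the file does not point back into /root.
install_user_kubeconfig() {
  account=$1 ctx=$2
  home=$(getent passwd "$account" | cut -d: -f6)
  install -d -m 700 -o "$account" -g "$account" "$home/.kube"
  kubectl config view --minify --flatten --context="$ctx" > "$home/.kube/config"
  chown "$account:$account" "$home/.kube/config"
  chmod 600 "$home/.kube/config"   # the file now holds a private key
  assert_no_admin "$home/.kube/config"
  echo "installed $home/.kube/config for user $(kubeconfig_users "$home/.kube/config")"
}

# Constructed sample modelled on the kubectl config view output above, used to
# run the check offline; it is not a real cluster's config.
sample_root_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.93.145:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: wzh
  name: wzh@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: wzh
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
EOF
}

if [ $# -gt 0 ]; then
  install_user_kubeconfig "$@"
else
  # No arguments: show that a straight copy of root's file would carry both users.
  sample=$(mktemp)
  sample_root_kubeconfig > "$sample"
  echo "users in a copied /root/.kube/config: $(kubeconfig_users "$sample" | tr '\n' ' ')"
  assert_no_admin "$sample" || echo "admin credentials present: do not hand this file to wzh01"
  rm -f "$sample"
fi
```

`assert_no_admin` is a deliberately narrow check on the one name this page shows; on a cluster with other privileged users, compare the installed file's `users:` list against the context you meant to hand out rather than against a fixed name.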