1. Managing the k8s cluster as a non-root user
1.1 Create a regular user
useradd ops
1.2 Set up the cluster configuration
On the host where kubectl is installed (the ops machine), do the following.
As root:
mkdir -p /home/ops/.kube/
cp ~/.kube/config /home/ops/.kube/
chown -R ops:ops /home/ops/.kube
chmod 600 /home/ops/.kube/config
As the ops user:
echo "export KUBECONFIG=/home/ops/.kube/config" >> ~/.bash_profile
echo "source <(kubectl completion bash)" >> ~/.bashrc
source ~/.bash_profile
The directory and file must be owned by the ops user itself (not some other account), and the kubeconfig should be mode 0600: it is a bearer credential. On a kubeadm cluster root's ~/.kube/config is usually a copy of /etc/kubernetes/admin.conf, whose client certificate belongs to the system:masters group, so whoever can read this file has full cluster-admin rights.
1.3 Verify
[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master1 Ready control-plane,master 42d v1.22.0
k8s-master2 Ready control-plane,master 42d v1.22.0
k8s-master3 Ready control-plane,master 42d v1.22.0
k8s-node1 Ready <none> 42d v1.22.0
k8s-node2 Ready <none> 42d v1.22.0
k8s-node3 Ready <none> 42d v1.22.0
[ops@k8s-master1 root]$ kubectl get ns
NAME STATUS AGE
default Active 42d
kube-node-lease Active 42d
kube-public Active 42d
kube-system Active 42d
monitoring Active 42d
At this point the ops user can manage the k8s cluster. If ops should only have specific permissions on particular namespaces and resource objects, RBAC is the tool for that, but note that RBAC cannot restrict the credential copied above: a client certificate in the system:masters group bypasses RBAC authorization entirely. To restrict ops, give it its own identity (a client certificate with CN=ops signed by the cluster CA, or a ServiceAccount token), bind a Role/RoleBinding to that identity, and put that credential, not admin.conf, into /home/ops/.kube/config.
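The following script is an added example, not code from the original post: it issues the ops user a dedicated client certificate signed by the kubeadm cluster CA, writes a kubeconfig for it, binds it to a namespace-scoped Role, and checks both the file permissions and the effective permissions with kubectl auth can-i. The PKI paths are the kubeadm defaults; the user name ops, the namespace monitoring and the organisation devteam are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): give a non-root user its own
# credential with namespace-scoped RBAC instead of a copy of root's admin.conf.
# /etc/kubernetes/pki is the kubeadm default; user/namespace names are hypothetical.
set -euo pipefail

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# Role + RoleBinding limiting USER to common workload objects in NAMESPACE.
rbac_manifest() {
  local user="$1" ns="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${user}-edit
  namespace: ${ns}
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "pods/log", "services", "configmaps", "deployments", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-edit
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${user}-edit
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Issue a client certificate signed by the cluster CA and write a kubeconfig
# for it. CN becomes the Kubernetes user name; O must NOT be system:masters,
# otherwise RBAC is bypassed again.
issue_user_kubeconfig() {
  local user="$1" ns="$2" server="$3" out="$4"
  local tmp; tmp=$(mktemp -d)
  openssl genrsa -out "$tmp/$user.key" 2048
  openssl req -new -key "$tmp/$user.key" -out "$tmp/$user.csr" -subj "/CN=$user/O=devteam"
  openssl x509 -req -in "$tmp/$user.csr" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
    -CAcreateserial -out "$tmp/$user.crt" -days 365
  kubectl config set-cluster kubernetes --server="$server" \
    --certificate-authority="$PKI_DIR/ca.crt" --embed-certs=true --kubeconfig="$out"
  kubectl config set-credentials "$user" --client-certificate="$tmp/$user.crt" \
    --client-key="$tmp/$user.key" --embed-certs=true --kubeconfig="$out"
  kubectl config set-context "$user@kubernetes" --cluster=kubernetes --user="$user" \
    --namespace="$ns" --kubeconfig="$out"
  kubectl config use-context "$user@kubernetes" --kubeconfig="$out"
  rm -rf "$tmp"
}

# A kubeconfig is a bearer credential: owned by its user, mode 0600, nothing else.
kubeconfig_perms_ok() {
  local file="$1" owner="$2"
  [ "$(stat -c '%U' "$file")" = "$owner" ] && [ "$(stat -c '%a' "$file")" = "600" ]
}

# Wire it together; run as root on a control-plane node with admin kubeconfig.
setup_user() {
  local user="$1" ns="$2"
  local cfg="/home/$user/.kube/config" server
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  install -d -o "$user" -g "$user" -m 700 "/home/$user/.kube"
  rbac_manifest "$user" "$ns" | kubectl apply -f -
  issue_user_kubeconfig "$user" "$ns" "$server" "$cfg"
  chown "$user:$user" "$cfg"; chmod 600 "$cfg"
  kubeconfig_perms_ok "$cfg" "$user"
  # Confirm the restriction bites: allowed in its namespace, denied elsewhere.
  kubectl auth can-i list pods -n "$ns" --as="$user"
  kubectl auth can-i list pods -n kube-system --as="$user" || true
}

# Example invocation (hypothetical):
#   setup_user ops monitoring
```

After setup_user runs, the second auth can-i prints "no", which is the whole point: ops can work in monitoring and nothing else, and it never held the system:masters certificate in the first place.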
2. Managing Docker as a non-root user
Installing Docker automatically creates the docker group (check with getent group docker), so all that is needed here is a user account that will manage Docker containers.
[root@k8s-master1 ~]# cat /etc/group
....................
docker:x:995:
First, let's see what happens when an ordinary user tries to manage Docker.
Switching to the dev user and running docker commands fails as follows:
[root@k8s-master1 ~]# su dev
[dev@k8s-master1 root]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied
[dev@k8s-master1 root]$ docker images
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/json": dial unix /var/run/docker.sock: connect: permission denied
Now add the ops user to the docker group as a supplementary group:
usermod -aG docker ops
(-aG appends a supplementary group. usermod -g docker ops would instead replace the user's primary group with docker, so every file ops creates would be group-owned by docker. Group membership is read at login, so ops must log in again, or run newgrp docker, before the change takes effect.)
Next, switch to the ops user and check the result:
[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ docker version
Client: Docker Engine - Community
Version: 20.10.12
API version: 1.39
Go version: go1.16.12
Git commit: e91ed57
Built: Mon Dec 13 11:45:41 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 18.09.9
API version: 1.39 (minimum version 1.12)
Go version: go1.11.13
Git commit: 039a7df
Built: Wed Sep 4 16:22:32 2019
OS/Arch: linux/amd64
Experimental: false
[ops@k8s-master1 root]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rancher/mirrored-flannelcni-flannel v0.17.0 9247abf08677 3 months ago 59.8MB
rancher/mirrored-flannelcni-flannel v0.16.3 8cb5de74f107 4 months ago 59.7MB
rancher/mirrored-flannelcni-flannel-cni-plugin v1.0.1 ac40ce625740 4 months ago 8.1MB
quay.io/prometheus/node-exporter v1.3.1 1dbe0e931976 5 months ago 20.9MB
registry.aliyuncs.com/google_containers/kube-apiserver v1.22.0 838d692cbe28 10 months ago 128MB
registry.aliyuncs.com/google_containers/kube-controller-manager v1.22.0 5344f96781f4 10 months ago 122MB
registry.aliyuncs.com/google_containers/kube-scheduler v1.22.0 3db3d153007f 10 months ago 52.7MB
registry.aliyuncs.com/google_containers/kube-proxy v1.22.0 bbad1636b30d 10 months ago 104MB
registry.aliyuncs.com/google_containers/etcd 3.5.0-0 004811815584 11 months ago 295MB
registry.aliyuncs.com/google_containers/coredns v1.8.4 8d147537fb7d 12 months ago 47.6MB
registry.aliyuncs.com/google_containers/pause 3.5 ed210e3e4a5b 14 months ago 683kB
[ops@k8s-master1 root]$
This completes managing Docker containers as a non-root user. Be clear about what has been granted: anyone in the docker group can connect to /var/run/docker.sock, and through the daemon can start a container that mounts the host filesystem or runs with --privileged, so membership in the docker group is equivalent to root on the host (Docker's own documentation states this). Treat it like passwordless sudo and give it only to users you would also make root; where that is not acceptable, run the daemon in rootless mode instead.
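As an added example (not code from the original post), the script below grants docker access the right way, distinguishes the result of usermod -aG from usermod -g by reading the passwd and group records, and lists everyone who can already reach the daemon socket. The user names ops and dev and the sample passwd/group lines are constructed; the socket path is Docker's default.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): grant a user access to the
# Docker daemon correctly and audit who else already has it. User names are
# hypothetical; /var/run/docker.sock is Docker's default socket path.
set -euo pipefail

# Append USER to the docker group. '-aG' adds a supplementary group;
# 'usermod -g docker USER' would replace the user's primary group instead.
grant_docker() {
  local user="$1"
  getent group docker >/dev/null || groupadd docker
  usermod -aG docker "$user"
  # Takes effect at next login (or 'newgrp docker' in the current session).
}

# Classify how USER relates to the docker group, given the user's /etc/passwd
# record and the docker line from /etc/group. Taking the records as
# arguments lets the logic run on constructed data without root.
docker_membership() {
  local user="$1" passwd_line="$2" group_line="$3"
  local primary_gid docker_gid members
  primary_gid=$(printf '%s' "$passwd_line" | cut -d: -f4)
  docker_gid=$(printf '%s' "$group_line" | cut -d: -f3)
  members=$(printf '%s' "$group_line" | cut -d: -f4)
  if [ -n "$docker_gid" ] && [ "$primary_gid" = "$docker_gid" ]; then
    echo primary        # what 'usermod -g docker USER' produces
  elif printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$user"; then
    echo supplementary  # what 'usermod -aG docker USER' produces
  else
    echo none
  fi
}

# Same check against the live system databases.
docker_membership_live() {
  local user="$1"
  docker_membership "$user" "$(getent passwd "$user")" "$(getent group docker || true)"
}

# Everyone who can open the socket is root-equivalent on this host: list them,
# both supplementary members of the socket's group and users whose primary
# group it is (the latter is what a stray 'usermod -g' leaves behind).
audit_docker_socket() {
  local sock="${1:-/var/run/docker.sock}"
  [ -S "$sock" ] || { echo "no socket at $sock" >&2; return 1; }
  local grp gid
  grp=$(stat -c '%G' "$sock")
  gid=$(stat -c '%g' "$sock")
  echo "socket $sock is $(stat -c '%U:%G mode %a' "$sock")"
  echo "supplementary members of $grp: $(getent group "$grp" | cut -d: -f4)"
  echo "users with $grp as primary group: $(awk -F: -v g="$gid" '$4 == g {print $1}' /etc/passwd | tr '\n' ' ')"
}

# Example run as root (hypothetical):
#   grant_docker ops
#   docker_membership_live ops   # prints: supplementary
#   audit_docker_socket
```

docker_membership_live is what you run on the real host after the usermod; audit_docker_socket is worth running periodically, since every name it prints can become root on that machine.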