Tags: devproject kubernetes kuberentes kubeconfig rbac key k8s
List the RBAC-related resource definitions: kubectl api-resources | grep rbac

    clusterrolebindings    rbac.authorization.k8s.io
    clusterroles           rbac.authorization.k8s.io
    rolebindings           rbac.authorization.k8s.io
    roles                  rbac.authorization.k8s.io
The process of creating a Kubernetes user

Create the key and certificate the user needs

    # Generate the private key (1024 bits as in the original; 2048 bits or more is recommended today)
    openssl genrsa -out devproject.key 1024
    # Generate the certificate signing request. CN becomes the Kubernetes user name, O becomes the group.
    openssl req -new -key devproject.key -out devproject.csr -subj '/CN=devproject/O=kubeusers'
    # Sign the request with the Kubernetes cluster CA
    openssl x509 -req -in devproject.csr -out devproject.crt \
        -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 3650
Create the kubeconfig file the user needs for authentication

A kubeconfig consists mainly of three parts: cluster info, user info, and context (the context ties a user to a cluster). Their relationship is shown in the figure below:

Set up the kubeconfig file

    # Set the cluster information in the kubeconfig
    kubectl config set-cluster kubernetes --kubeconfig=./devproject.kubeconfig \
        --server="https://192.168.240.142:6443" --embed-certs=true \
        --certificate-authority=/etc/kubernetes/pki/ca.crt
    # Set the key/cert the user authenticates with
    kubectl config set-credentials devproject --kubeconfig=./devproject.kubeconfig \
        --embed-certs=true --client-certificate ./devproject.crt --client-key ./devproject.key
    # Set the context (associates the user with the cluster)
    kubectl config set-context devproject@kubernetes --cluster='kubernetes' --user='devproject' \
        --kubeconfig=./devproject.kubeconfig
    # Make devproject@kubernetes the current context
    kubectl config set current-context devproject@kubernetes --kubeconfig=./devproject.kubeconfig
Check whether the devproject user configured above is usable
kubectl get pods --kubeconfig=./devproject.kubeconfig
At this point the following message is returned:
Error from server (Forbidden): pods is forbidden: User "devproject" cannot list resource "pods" in API group "" in the namespace "default"
This shows that the certificate authenticated the user "devproject", but the user has no permission to read pod resources in the default namespace (RBAC denies by default). A corresponding Role and RoleBinding must be created for the devproject user.

Create the Role and RoleBinding

Creating the Role: getpodRole.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: getpodRole
      namespace: default
    rules:
    - apiGroups:
      - ""
      resources:
      - "pods"
      verbs:
      - "get"
      - "list"
      - "watch"
Creating the RoleBinding: devprojectRolebinding.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: devproject-getPodRoleBinding
      namespace: default
    roleRef:
      kind: Role
      name: getpodRole
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: User
      name: devproject
      apiGroup: rbac.authorization.k8s.io

After both manifests have been applied to the cluster, test again fetching pod resources in the default namespace as the devproject user:
kubectl get pod --kubeconfig=./devproject.kubeconfig
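To make clear why the first request was forbidden and the second is allowed, here is an added example (not from the original post) that models how the API server evaluates the Role and RoleBinding above against a request. The user "devproject", the group "kubeusers" (from O= in the CSR) and the Role "getpodRole" follow the page; the evaluator is a deliberate simplification of real Kubernetes RBAC and ignores ClusterRoles, resourceNames and nonResourceURLs.

```python
# Added example, not from the original post: a minimal offline model of how the
# API server evaluates the Role and RoleBinding above. User "devproject", the
# group "kubeusers" (from O= in the CSR) and Role "getpodRole" follow the page;
# the evaluator is a simplification (no ClusterRoles, resourceNames, nonResourceURLs).

GETPOD_ROLE = {
    "metadata": {"name": "getpodRole", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

DEVPROJECT_BINDING = {
    "metadata": {"name": "devproject-getPodRoleBinding", "namespace": "default"},
    "roleRef": {"kind": "Role", "name": "getpodRole"},
    "subjects": [{"kind": "User", "name": "devproject"}],
}

def _subject_matches(subjects, user, groups):
    """A binding applies if a subject names the user or one of the user's groups."""
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups) for s in subjects)

def _rule_matches(rule, verb, api_group, resource):
    """A rule covers a request only if group, resource and verb all match ('*' is a wildcard)."""
    hit = lambda values, wanted: "*" in values or wanted in values
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def is_allowed(user, groups, verb, resource, namespace, roles, bindings, api_group=""):
    """RBAC is deny-by-default: True only if a binding in this namespace grants the
    subject a Role with a rule covering (api_group, resource, verb)."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != namespace or not _subject_matches(b["subjects"], user, groups):
            continue
        role = roles_by_key.get((ns, b["roleRef"]["name"])) if b["roleRef"]["kind"] == "Role" else None
        if role and any(_rule_matches(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    args = ("devproject", ["kubeusers"], "list", "pods", "default", [GETPOD_ROLE])
    print(is_allowed(*args, []))                    # False: the "pods is forbidden" error
    print(is_allowed(*args, [DEVPROJECT_BINDING]))  # True after both manifests are applied
    print(is_allowed("devproject", ["kubeusers"], "delete", "pods", "default",
                     [GETPOD_ROLE], [DEVPROJECT_BINDING]))  # False: verb not in the Role
```

Because the binding is namespaced, the same user is still denied in any other namespace, and a Group subject named "kubeusers" would match through the certificate's O= field.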
Source: https://www.cnblogs.com/learn-ops/p/13022230.html