目标：系统用户 useraccount1、useraccount2
k8s 中有 4 个 ns：ns1、ns2、ns3、ns4
useraccount1 只能访问（get）ns1、ns3
useraccount2 只能访问（get）ns2、ns4
注意：下文通过 rolebinding 绑定的是内置 ClusterRole `admin`，它授予所在命名空间内几乎全部读写权限，并不只是 get；如果确实只需只读，应改绑内置的 `view` 或自定义 Role。另外 Kubernetes 不支持吊销已签发的客户端证书，签发时的有效期（-days 365）应按实际需要收紧。
# 进入目录 /etc/kubernetes/pki（集群 CA 的 ca.crt、ca.key 在此，下面签发用户证书要用到；用 umask 077 生成私钥可避免 .key 文件对其他用户可读）
[root@master pki]# (umask 077;openssl genrsa -out useraccount1.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................................................+++
..................................................................+++
e is 65537 (0x10001)
[root@master pki]# (umask 077;openssl genrsa -out useraccount2.key 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
.............+++
e is 65537 (0x10001)
[root@master pki]# openssl req -new -key useraccount1.key -out useraccount1.csr -subj "/O=k8s/CN=useraccount1"
[root@master pki]# openssl req -new -key useraccount2.key -out useraccount2.csr -subj "/O=k8s/CN=useraccount2"
[root@master pki]#openssl x509 -req -in useraccount1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out useraccount1.crt -days 365
Signature ok
subject=/O=k8s/CN=useraccount1
Getting CA Private Key
[root@master pki]#openssl x509 -req -in useraccount2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out useraccount2.crt -days 365
Signature ok
subject=/O=k8s/CN=useraccount2
Getting CA Private Key
[root@master pki]# kubectl config set-cluster kubernetes --server=https://10.20.9.48:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/useraccount/useraccount1.conf
Cluster "kubernetes" set.
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount1.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
[root@master pki]# kubectl config set-cluster kubernetes --server=https://10.20.9.48:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/useraccount/useraccount2.conf
Cluster "kubernetes" set.
[root@master pki]#
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount2.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
[root@master pki]# kubectl config set-context useraccount1@kubernetes --cluster=kubernetes --user=useraccount1 --kubeconfig=/root/useraccount/useraccount1.conf
Context "useraccount1@kubernetes" created.
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount1.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: useraccount1
name: useraccount1@kubernetes
current-context: ""
kind: Config
preferences: {}
users: null
[root@master pki]# kubectl config set-context useraccount2@kubernetes --cluster=kubernetes --user=useraccount2 --kubeconfig=/root/useraccount/useraccount2.conf
Context "useraccount2@kubernetes" created.
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount2.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: useraccount2
name: useraccount2@kubernetes
current-context: ""
kind: Config
preferences: {}
users: null
[root@master pki]# kubectl config set-credentials useraccount1 --client-certificate=useraccount1.crt --client-key=useraccount1.key --embed-certs=true --kubeconfig=/root/useraccount/useraccount1.conf
User "useraccount1" set.
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount1.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: useraccount1
name: useraccount1@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: useraccount1
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# kubectl config set-credentials useraccount2 --client-certificate=useraccount2.crt --client-key=useraccount2.key --embed-certs=true --kubeconfig=/root/useraccount/useraccount2.conf
User "useraccount2" set.
[root@master pki]# kubectl config view --kubeconfig=/root/useraccount/useraccount2.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://10.20.9.48:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: useraccount2
name: useraccount2@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: useraccount2
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master useraccount]# kubectl create rolebinding useraccount1-admin-binding --clusterrole=admin --user=useraccount1 --namespace=ns1
rolebinding.rbac.authorization.k8s.io/useraccount1-admin-binding created
[root@master useraccount]# kubectl create rolebinding useraccount1-admin-binding --clusterrole=admin --user=useraccount1 --namespace=ns3
rolebinding.rbac.authorization.k8s.io/useraccount1-admin-binding created
验证（--embed-certs=true 已把客户端私钥写入 useraccount1.conf，该文件应按私钥对待、限制权限并安全分发；切换后 default 命名空间应被拒绝，ns1、ns3 可访问）:
[root@master pki]# kubectl config use-context useraccount1@kubernetes --kubeconfig=/root/useraccount/useraccount1.conf
Switched to context "useraccount1@kubernetes".
[root@master useraccount]# export KUBECONFIG=/root/useraccount/useraccount1.conf
[root@master useraccount]# kubectl get pods --namespace default
Error from server (Forbidden): pods is forbidden: User "useraccount1" cannot list resource "pods" in API group "" in the namespace "default"
[root@master useraccount]# kubectl get pods --namespace ns1
No resources found in ns1 namespace.
[root@master useraccount]# kubectl get pods --namespace ns3
No resources found in ns3 namespace.
[root@master ~]# kubectl create rolebinding useraccount2-admin-binding --clusterrole=admin --user=useraccount2 --namespace=ns2
rolebinding.rbac.authorization.k8s.io/useraccount2-admin-binding created
[root@master ~]# kubectl create rolebinding useraccount2-admin-binding --clusterrole=admin --user=useraccount2 --namespace=ns4
rolebinding.rbac.authorization.k8s.io/useraccount2-admin-binding created
[root@master ~]#
验证（同上，useraccount2.conf 同样内含私钥；预期 default 被拒绝，ns2、ns4 可访问）:
[root@master ~]# kubectl config use-context useraccount2@kubernetes --kubeconfig=/root/useraccount/useraccount2.conf
Switched to context "useraccount2@kubernetes".
[root@master ~]# export KUBECONFIG=/root/useraccount/useraccount2.conf
[root@master ~]# kubectl get pods --namespace default
Error from server (Forbidden): pods is forbidden: User "useraccount2" cannot list resource "pods" in API group "" in the namespace "default"
[root@master ~]# kubectl get pods --namespace ns2
No resources found in ns2 namespace.
[root@master ~]#
[root@master ~]#
[root@master ~]# kubectl get pods --namespace ns4
No resources found in ns4 namespace.
[root@master ~]#