kubectl管理用户: role, rolebinding, use-context

参考:https://blog.csdn.net/hy9418/article/details/80268418

1, 创建用户,上下文

a, 创建用户凭证

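# Generate the user's private key (<username>.key) and restrict it to the
# owner: anyone who can read this file can act as "wang" against the API server.
openssl genrsa -out wang.key 2048
chmod 600 wang.key

# Create a certificate signing request (<username>.csr) from that key.
# The API server maps the certificate's CN to the Kubernetes user name and
# each O to a group. Never put O=system:masters here: that group is
# cluster-admin and bypasses RBAC entirely.
openssl req -new -key wang.key -out wang.csr -subj "/CN=wang/O=test1"

# Sign the CSR with the cluster CA found in /etc/kubernetes/pki, producing
# wang.crt valid for 30 days. The API server does not consult CRLs, so a
# leaked certificate cannot be revoked before it expires -- keep the validity
# short. This step needs read access to ca.key on the control plane; the
# CertificateSigningRequest API is the alternative that avoids handling the
# CA key directly. -CAcreateserial writes ca.srl next to ca.crt on first use.
openssl x509 -req -sha256 -in wang.csr \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out wang.crt -days 30

# Add the credential to kubeconfig. --embed-certs=true stores the base64
# encoded certificate and key inline (client-certificate-data /
# client-key-data) instead of file paths, so the manual base64 editing of
# ~/.kube/config shown further down is not needed and the kubeconfig stays
# self-contained. The private key then lives in ~/.kube/config: keep that
# file mode 600.
kubectl config set-credentials wang \
  --client-key=wang.key \
  --client-certificate=wang.crt \
  --embed-certs=true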

#查看config文件: 证书和私钥目前是以文件路径引用的, 下面把它们的内容嵌入进去, 这样kubeconfig不依赖本地文件, 便于在命令行切换用户
[root@master keys]# tail  ~/.kube/config  
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS...0tLQo=
    client-key-data: LS0tLS1CRUdJT...S0tCg==
- name: wang
  user:
    client-certificate: /root/ssl/keys/wang.crt
    client-key: /root/ssl/keys/wang.key

#把client-certificate, client-key注释掉, 仿照kubernetes-admin改为client-certificate-data, client-key-data(值为对应文件内容的base64编码)。set-credentials 加上 --embed-certs=true 可以自动完成这一步。注意: 嵌入后私钥就保存在~/.kube/config里, 该文件权限应设为600
[root@master keys]# ls
wang.crt  wang.crt.bas  wang.key  wang.key.bas
[root@master keys]# cat wang.crt|base64 --wrap=0
LS0tLS1CRUdJTiBDRVJUSUZ....RFLS0tLS0K==
[root@master keys]# cat wang.key|base64 --wrap=0
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSB...WS0tLS0tCg==

# Define the context "wang-context": cluster "kubernetes", user "wang",
# default namespace test1. Select it with `kubectl --context=wang-context ...`.
kubectl config set-context wang-context \
  --user=wang \
  --namespace=test1 \
  --cluster=kubernetes

2, 创建角色,给用户绑定角色

[root@master crt]# cat user-rabc.yaml 
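kind: Namespace
apiVersion: v1
metadata:
  name: test1
  labels:
    name: test1
---
# Namespaced Role: read-only access to pods in test1 and nothing else.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test1
  name: pod-reader
rules:
- apiGroups: [""]   # "" is the core API group, where pods live; extensions/apps carry no pods resource, so listing them only widens the rule's intent
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# Bind the Role to user "wang" (the CN of the client certificate) in test1.
# A RoleBinding to a Role can only grant rights inside its own namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: test1
subjects:
- kind: User
  name: wang
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io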

在test1命名空间下,创建一个测试用的pod

[root@master crt]# cat ns-test1.pod.yaml 
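apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: test1
spec:
  containers:
  - image: busybox   # untagged means :latest, a mutable tag; pin a tag or digest for a reproducible test
    name: busybox
    # busybox's default entrypoint exits immediately, which is why the pod
    # shows CrashLoopBackOff in the listing below; keep the container alive.
    command: ["sleep", "3600"]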

3,切换用户上下文

#通过wang-context获取pod信息(不切换上下文也可以先用 kubectl auth can-i list pods --as=wang -n test1 检查该用户的权限)
[root@master crt]# kubectl --context=wang-context get po
NAME      READY   STATUS             RESTARTS   AGE
busybox   0/1     CrashLoopBackOff   77         6h21m

#切换用户: wang只有test1命名空间下pod的get/list/watch权限, 访问services被拒绝, 说明RBAC生效
[root@master crt]# kubectl config use-context wang-context
Switched to context "wang-context".
[root@master crt]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "wang" cannot list resource "services" in API group "" in the namespace "test1"

#切换回admin上下文
[root@master crt]# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
          kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   
*         wang-context                  kubernetes   wang               test1

[root@master crt]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master ~]# kubectl config current-context
kubernetes-admin@kubernetes

[root@master crt]# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.1.0.1     <none>        443/TCP   2d7h
