原文
创建一个只读的用户
2.1 创建用户
首先根据上下文可以得知，Kubernetes 不存储具体的用户信息；也就是说，只要能通过它支持的几种认证方式进来的用户，Kubernetes 就认为是合法的。为了让 kubectl 只读，我们需要先创建一个用来承载只读权限的用户；这里选择使用证书方式创建用户。
签发证书的json,创建文件名:readonly.json
{
"CN": "readonly",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "HangZhou",
"L": "HangZhou",
"O": "develop:readonly",
"OU": "develop"
}
]
}
ca-config-readonly.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
基于 Kubernetes CA 证书创建只读用户的证书
# Issue the read-only client certificate, signed by the cluster CA.
# Kubernetes derives the identity from the CSR fields: CN becomes the user
# ("readonly"), O becomes the group ("develop:readonly", the subject of the
# ClusterRoleBinding). Must run on a host where ca.key is readable (a
# control-plane node); never copy ca.key elsewhere. Writes readonly.pem,
# readonly-key.pem and readonly.csr to the current directory; readonly-key.pem
# is the private key and should stay mode 0600.
# NOTE(review): the profile in ca-config-readonly.json also lists "server auth"
# and a 10-year expiry (87600h); a client certificate only needs "client auth",
# and since the API server does not check certificate revocation a shorter
# expiry is the only practical way to retire this credential.
/usr/local/bin/cfssl gencert \
  --ca /etc/kubernetes/pki/ca.crt \
  --ca-key /etc/kubernetes/pki/ca.key \
  --config ca-config-readonly.json \
  --profile=kubernetes \
  readonly.json \
  | /usr/local/bin/cfssljson --bare readonly
以上命令会生成 readonly-key.pem、readonly.pem、readonly.csr，其中 readonly-key.pem 是私钥，需要妥善保管。
创建kubeconfig
有了用于证明身份的证书以后,接下来创建一个kubeconfig文件方便kubectl使用
kubeconfig.sh
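#!/usr/bin/env bash
# Build a kubeconfig for the read-only client certificate issued by cfssl.
# Inputs (current directory): readonly.pem (client cert), readonly-key.pem (key).
# Output: readonly.kubeconfig. Because --embed-certs=true copies the private
#         key into the file, the kubeconfig itself is a credential and must be
#         protected like readonly-key.pem.
# Env:    KUBE_API_SERVER may override the API server URL.
set -euo pipefail

KUBE_API_SERVER="${KUBE_API_SERVER:-https://k8s-master.xiaomai5.com:6443}"
readonly ca_cert=/etc/kubernetes/pki/ca.crt
readonly kubeconfig=readonly.kubeconfig

# Defense in depth: any file this script creates is owner-readable only,
# regardless of the caller's umask.
umask 077

# Cluster entry: API server URL plus the CA used to verify it.
kubectl config set-cluster kubernetes \
  --server="${KUBE_API_SERVER}" \
  --certificate-authority="${ca_cert}" \
  --embed-certs=true \
  --kubeconfig="${kubeconfig}"

# User entry: the cfssl-issued client certificate and key.
# NOTE(review): --certificate-authority is a cluster-level setting; on
# set-credentials it appears to have no effect on the user entry — confirm
# against your kubectl version and drop it if so.
kubectl config set-credentials develop-readonly \
  --certificate-authority="${ca_cert}" \
  --embed-certs=true \
  --client-key=readonly-key.pem \
  --client-certificate=readonly.pem \
  --kubeconfig="${kubeconfig}"

# Context binds the cluster and user together and is made the default.
kubectl config set-context default-system \
  --cluster=kubernetes \
  --user=develop-readonly \
  --kubeconfig="${kubeconfig}"
kubectl config use-context default-system --kubeconfig="${kubeconfig}"

# kubectl normally writes kubeconfig files 0600 already; make it explicit.
chmod 600 -- "${kubeconfig}"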
readonly-rbac.yaml
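# Binds the cluster-readonly ClusterRole to every client whose certificate
# carries O=develop:readonly (Kubernetes maps the cert's O field to a group).
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is deprecated and was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
  # A Group subject rather than a User: any further certificate issued with
  # O=develop:readonly inherits the role without editing this binding, so
  # control who can sign certs with that O value.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: develop:readonly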
[root@es-cluster001 rbac]# cat rbac.yaml
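# Cluster-wide read-only role for the develop:readonly group.
# Every rule is limited to get/list/watch; nothing here may create, update or delete.
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is deprecated and was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
  # Core group: pods and their subresources.
  # NOTE(review): attach/exec/portforward/proxy (and services/proxy below) are
  # interactive subresources that the API server also serves on GET, so "get"
  # on them is wider than pure viewing. Remove them unless a consumer of this
  # role actually needs them.
  - apiGroups: [""]
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs: [get, list, watch]
  # Core group: namespaced configuration and service objects.
  # "secrets" was removed from this rule: listing secrets cluster-wide exposes
  # service-account tokens and application credentials, so the role would no
  # longer be read-only in effect. If secret access is genuinely required,
  # grant it with a namespaced Role limited to specific resourceNames.
  - apiGroups: [""]
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/proxy
    verbs: [get, list, watch]
  # Core group: status subresources, logs, events, quotas and limits.
  - apiGroups: [""]
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs: [get, list, watch]
  # Namespaces are cluster-scoped; listing them is what "kubectl get ns" needs.
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  # apps group. daemonsets and replicasets were added: on current clusters they
  # are served only here, while the extensions rule below covers older servers.
  - apiGroups: [apps]
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - statefulsets
    verbs: [get, list, watch]
  - apiGroups: [autoscaling]
    resources: [horizontalpodautoscalers]
    verbs: [get, list, watch]
  # scheduledjobs is the older name of cronjobs; an unknown resource name is
  # harmless in an RBAC rule, so it is kept for very old clusters.
  - apiGroups: [batch]
    resources: [cronjobs, jobs, scheduledjobs]
    verbs: [get, list, watch]
  # Legacy extensions group (these resources were dropped from it in 1.16,
  # ingresses in 1.22). Kept so the role also works on older API servers.
  - apiGroups: [extensions]
    resources: [daemonsets, deployments, ingresses, replicasets]
    verbs: [get, list, watch]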
clusterrolebinding
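# Grants the cluster-readonly ClusterRole to the develop:readonly group, i.e.
# to any client presenting a CA-signed certificate with O=develop:readonly.
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is deprecated and was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
  # Group membership comes from the certificate's O field, so issuing another
  # cert with this O value silently extends the binding; guard the CA key.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: develop:readonly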
确认权限配置成功
[root@k8s-master-01 rbac]# kubectl --kubeconfig=../readonly.kubeconfig get node
Error from server (Forbidden): nodes is forbidden: User "readonly" cannot list resource "nodes" in API group "" at the cluster scope
[root@k8s-master-01 rbac]# kubectl --kubeconfig=../readonly.kubeconfig get pods
NAME READY STATUS RESTARTS AGE
sms-6857f7797b-47sn7 1/1 Running 0 2d21h