kubernetes集群编排——k8s认证授权
pod绑定sa
[root@k8s2 ~]# kubectl create sa admin[root@k8s2 secret]# vim pod5.yamlapiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
serviceAccountName: admin
containers:
- name: nginx
image: nginx
kubectl apply -f pod5.yaml
kubectl get pod -o yaml
认证
[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365[root@k8s2 pki]# kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
[root@k8s2 pki]# kubectl config view
切换用户
[root@k8s2 pki]# kubectl config use-context test@kubernetes
[root@k8s2 pki]# kubectl get pod
默认用户没有任何权限,需要授权
切回admin
[root@k8s2 pki]# kubectl config use-context kubernetes-admin@kubernetes[root@k8s2 rbac]# vim roles.yamlkind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: myrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-read-pods
namespace: default
subjects:
- kind: User
name: test
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: myrole
apiGroup: rbac.authorization.k8s.io[root@k8s2 rbac]# kubectl apply -f roles.yaml[root@k8s2 rbac]# kubectl config use-context test@kubernetes[root@k8s2 rbac]# kubectl run demo --image nginx
[root@k8s2 rbac]# kubectl get pod
现在只能操作pod资源,其它不行
[root@k8s2 rbac]# kubectl get deployments.apps
切回admin
[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes授权
[root@k8s2 rbac]# vim clusteroles.yamlkind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myclusterrole
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding #RoleBinding必须指定namespace
metadata:
name: rolebind-myclusterrole
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding #ClusterRoleBinding全局授权,无需指定namespace
metadata:
name: clusterrolebinding-myclusterrole
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: test
[root@k8s2 rbac]# kubectl apply -f clusteroles.yaml[root@k8s2 rbac]# kubectl config use-context test@kubernetes
[root@k8s2 rbac]# kubectl get deployments.apps -A
切回admin
[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes回收
[root@k8s2 rbac]# kubectl delete -f roles.yaml
[root@k8s2 rbac]# kubectl config delete-user test
[root@k8s2 rbac]# kubectl config delete-context test@kubernetes