创建k8s普通用户

#生成用户验证的私钥文件
openssl genrsa -out k8s_viewer.key 2048
#生成证书签名请求文件
openssl req -new -key k8s_viewer.key -out k8s_viewer.csr -subj “/CN=k8s_viewer/O=kubeusers”
#使用k8s的ca.crt和ca.key进行签名生成证书
openssl x509 -req -in k8s_viewer.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out k8s_viewer.crt -days 365
#获取集群信息
kubectl config get-clusters
#设置新集群(kubernetes),指明apiserver地址、k8s证书路径和隐藏证书,并保存在
kubectl config set-cluster kubernetes --server=“https://10.10.10.100:6443” --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/tmp/k8s_viewer.kubeconfig
#将用户的验证信息添加进kubectl的配置
kubectl config set-credentials k8s_viewer --client-certificate=/etc/kubernetes/pki/k8s_viewer.crt --client-key=/etc/kubernetes/pki/k8s_viewer.key --username=k8s_viewer --embed-certs=true --kubeconfig=/tmp/k8s_viewer.kubeconfig
kubectl config set-context k8s_viewer@kubernetes --cluster=kubernetes --user=k8s_viewer --kubeconfig=/tmp/k8s_viewer.kubeconfig

#创建角色对象,指定权限。这里可以不创建,用集群自带的viewer角色
kind: ClusterRole #集群范围权限
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-res-reader
rules:

  • apiGroups: [“”] # “” 表示核心群组:core API group
    resources: [“pods”, “pods/log”, “services”,“deployments”,“statefulsets”,“daemonset”,“jobs”]
    verbs: [“get”, “list”, “watch”]

#创建角色绑定对象
kind: ClusterRoleBinding #ClusterRoleBinding为集群级别的权限绑定
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-k8s_viewer-res-reader #增加可读性,命名规则:<用户>-<权限>
subjects:

  • kind: User
    name: k8s_viewer
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: ClusterRole
    name: cluster-res-reader #这里也可以使用基本自带的角色cluster-viewer,有只读权限
    apiGroup: rbac.authorization.k8s.io

你可能感兴趣的:(kubernetes,容器,云原生)