创建k8s普通用户

#生成用户验证的私钥文件
openssl genrsa -out k8s_viewer.key 2048
#生成证书签名请求文件
openssl req -new -key k8s_viewer.key -out k8s_viewer.csr -subj “/CN=k8s_viewer/O=kubeusers”
#使用k8s的ca.crt和ca.key进行签名生成证书
openssl x509 -req -in k8s_viewer.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out k8s_viewer.crt -days 365
#获取集群信息
kubectl config get-clusters
#设置新集群（kubernetes），指明apiserver地址、k8s证书路径和隐藏证书，并保存在
kubectl config set-cluster kubernetes --server=“https://10.10.10.100:6443” --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/tmp/k8s_viewer.kubeconfig
#将用户的验证信息添加进kubectl的配置
kubectl config set-credentials k8s_viewer --client-certificate=/etc/kubernetes/pki/k8s_viewer.crt --client-key=/etc/kubernetes/pki/k8s_viewer.key --username=k8s_viewer --embed-certs=true --kubeconfig=/tmp/k8s_viewer.kubeconfig
kubectl config set-context k8s_viewer@kubernetes --cluster=kubernetes --user=k8s_viewer --kubeconfig=/tmp/k8s_viewer.kubeconfig

#创建角色对象，指定权限。这里可以不创建，用集群自带的viewer角色
kind: ClusterRole #集群范围权限
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-res-reader
rules:

• apiGroups: [“”] # “” 表示核心群组：core API group
  resources: [“pods”, “pods/log”, “services”,“deployments”,“statefulsets”,“daemonset”,“jobs”]
  verbs: [“get”, “list”, “watch”]

#创建角色绑定对象
kind: ClusterRoleBinding #ClusterRoleBinding为集群级别的权限绑定
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-k8s_viewer-res-reader #增加可读性，命名规则：<用户>-<权限>
subjects:

• kind: User
  name: k8s_viewer
  apiGroup: rbac.authorization.k8s.io
  roleRef:
  kind: ClusterRole
  name: cluster-res-reader #这里也可以使用基本自带的角色cluster-viewer，有只读权限
  apiGroup: rbac.authorization.k8s.io