授权指定用户访问指定资源

创建凭证及用户(此处以 will 做演示;下面的 openssl 签发步骤需要读取 /etc/kubernetes/pki/ca.key,因此要在控制平面节点上以能访问该文件的用户执行)

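# Issue an X.509 client certificate for a Kubernetes user and register it as a
# kubectl credential. Runs on a control-plane node (it needs read access to the
# cluster CA key under /etc/kubernetes/pki). Username defaults to "will" and
# may be passed as $1.
#
# Alternative worth considering: the certificates.k8s.io CertificateSigningRequest
# API signs the CSR inside the cluster, so the CA key never has to be touched.
set -euo pipefail

user=${1:-will}

# Private key for the user. Newer openssl already creates -out files 0600;
# the chmod makes the requirement explicit — this file is the credential.
openssl genrsa -out "${user}.key" 2048
chmod 600 -- "${user}.key"

# CN becomes the Kubernetes username. O becomes a *group* that kube-apiserver
# attaches to every request made with this certificate, so never put a
# privileged group (e.g. system:masters) here — it cannot be taken back later.
openssl req -new -key "${user}.key" -out "${user}.csr" -subj "/CN=${user}/O=group"

# Sign with the cluster CA. kube-apiserver does no CRL/OCSP checking, so a
# client certificate stays valid until -days runs out; keep the lifetime short
# and rotate instead of relying on revocation. -CAcreateserial writes
# /etc/kubernetes/pki/ca.srl next to the CA certificate.
openssl x509 -req -in "${user}.csr" \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -out "${user}.crt" -days 365

# Add the credential to the kubeconfig kubectl is currently using (normally
# the admin's ~/.kube/config). Only the paths are stored, not the contents,
# so the .crt/.key files must remain at these locations.
kubectl config set-credentials "${user}" \
  --client-certificate="${user}.crt" \
  --client-key="${user}.key"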

创建 role

# Role "sts-viewer": read-only (get/list/watch) access to StatefulSets in the
# "postgres" namespace. A Role is namespaced, so nothing here applies outside
# that namespace. Replace "postgres" with the target namespace.
cat > sts-viewer-role.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: postgres
  name: sts-viewer
rules:
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
EOF
kubectl apply -f sts-viewer-role.yaml

创建 rolebinding

# Bind the Role to the single user "will". The subject name must match the
# certificate CN exactly; the cert's O=group is not consulted by this binding
# (binding a group would use kind: Group). The RoleBinding has to live in the
# Role's namespace, and because roleRef points at a namespaced Role rather
# than a ClusterRole, the grant cannot reach any other namespace. roleRef is
# immutable once created — delete and recreate the binding to change it.
cat > sts-viewer-binding.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sts-viewer-binding
  namespace: postgres
subjects:
  - kind: User
    name: will
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: sts-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f sts-viewer-binding.yaml

验证权限

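# Exercise the new credential from the admin kubeconfig: --user=will selects
# the entry added by `kubectl config set-credentials`, so each request is made
# with will's client certificate, not the admin's.
kubectl -n postgres --user=will get statefulsets      # allowed
kubectl -n postgres --user=will get deployments       # Forbidden: only statefulsets were granted
kubectl -n kube-system --user=will get statefulsets   # Forbidden: the Role is scoped to "postgres"

# Ask the authorizer directly instead of reading the objects. Prints yes/no
# and exits 0 only when the action is allowed, which is easier to script.
kubectl --user=will auth can-i get statefulsets -n postgres      # yes
kubectl --user=will auth can-i get deployments -n postgres       # no
kubectl --user=will auth can-i get statefulsets -n kube-system   # no
# Everything will is permitted to do in the namespace — should be this one rule.
kubectl --user=will auth can-i --list -n postgres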

配置 config 文件

# 将此文件传到需要使用kubectl命令的节点(放到 ~/.kube/config),并把它引用的三个文件 ca.crt、will.crt、will.key 一并复制到文件中写的路径,将 config 与 will.key 权限设为 600,即可使用kubectl命令
# cat ./kube/config
# kubeconfig for the restricted user "will". Only file paths are stored here,
# so the node running kubectl must also hold the three referenced files
# (ca.crt, will.crt, will.key). Keep this file and will.key at mode 0600 —
# the key is the credential.
apiVersion: v1
kind: Config
current-context: will-context
contexts:
  - name: will-context
    context:
      cluster: kubernetes
      user: will
      # Default namespace when -n is omitted; the Role grants nothing elsewhere.
      namespace: postgres
clusters:
  - name: kubernetes
    cluster:
      server: https://192.168.1.26:6443
      # Pins the apiserver's CA; do not swap this for insecure-skip-tls-verify.
      # This path normally exists only on control-plane nodes — on another node
      # point it at the copied ca.crt, or inline it as certificate-authority-data
      # (kubectl config set-cluster --embed-certs).
      certificate-authority: /etc/kubernetes/pki/ca.crt
users:
  - name: will
    user:
      client-certificate: /root/.kube/will.crt
      client-key: /root/.kube/will.key
