1.给 dev 用户只读（查看 Pod）权限，并在 node 节点上使用
1. 下载cfssl
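# 1. Download the cfssl tool set (cfssl, cfssljson, cfssl-certinfo).
# NOTE(review): nothing below verifies what was downloaded before it is made
# executable, installed into /usr/bin and later run against the cluster CA
# key. Before step 2, compare each file with the checksum the cfssl project
# publishes for this release (taken from the release itself, not from this
# post) and stop if it differs.
cfssl_base="https://pkg.cfssl.org/R1.2"
cfssl_tools=(cfssl cfssljson cfssl-certinfo)
for tool in "${cfssl_tools[@]}"; do
  wget -- "${cfssl_base}/${tool}_linux-amd64"
done
# 2. Make them executable.
for tool in "${cfssl_tools[@]}"; do
  chmod +x -- "${tool}_linux-amd64"
done
# 3. Drop the "_linux-amd64" suffix so each tool is called by its plain name.
#    (Variables are quoted and "--" ends option parsing; the original loop did
#    neither.)
for tool in "${cfssl_tools[@]}"; do
  mv -- "${tool}_linux-amd64" "${tool}"
done
# 4. Install into /usr/bin (needs root).
mv -- "${cfssl_tools[@]}" /usr/bin/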
2.生成证书
[root@k8s-matser01 rbac]# cat cert.sh
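#!/usr/bin/env bash
# cert.sh — issue a client certificate for a human user, signed by the
# cluster CA. Must run as root on the control-plane node (reads ca.key).
#
# Kubernetes takes the username from the certificate CN and a group from
# every O. It has NO certificate revocation: a cert signed by the cluster CA
# stays valid until it expires or the CA itself is rotated, so keep the
# lifetime short.
set -euo pipefail

CERT_USER="${CERT_USER:-dev}"        # Kubernetes username (CN); must match the RoleBinding subject
CERT_EXPIRY="${CERT_EXPIRY:-8760h}"  # 1 year. The post originally used 87600h (10 years), unrevocable
CA_CERT="${CA_CERT:-/etc/kubernetes/pki/ca.crt}"
CA_KEY="${CA_KEY:-/etc/kubernetes/pki/ca.key}"

# cfssljson writes <user>-key.pem next to <user>.pem: create them 0600.
umask 077

# Signing policy. A user certificate only needs "client auth"; the original
# profile also granted "server auth", which a user cert has no use for.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "${CERT_EXPIRY}"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ],
        "expiry": "${CERT_EXPIRY}"
      }
    }
  }
}
EOF

# CSR. JSON has no comments (the original put "### ..." after the CN line,
# which is not valid JSON), so the field notes live here:
#   CN    -> Kubernetes username.
#   O     -> Kubernetes group. Any ClusterRoleBinding/RoleBinding on group
#            "k8s" is inherited by this user; never use "system:masters".
#   hosts -> empty: this is a client cert, no SANs.
cat > "${CERT_USER}-csr.json" <<EOF
{
  "CN": "${CERT_USER}",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Produces <user>.csr, <user>.pem and <user>-key.pem in the current directory.
cfssl gencert \
  -ca="${CA_CERT}" \
  -ca-key="${CA_KEY}" \
  -config=ca-config.json \
  -profile=kubernetes \
  "${CERT_USER}-csr.json" | cfssljson -bare "${CERT_USER}"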
3.生成配置文件
[root@k8s-matser01 rbac]# cat kubeconfig.sh
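#!/usr/bin/env bash
# kubeconfig.sh — build a standalone kubeconfig for the "dev" user from the
# certificate produced by cert.sh.
set -euo pipefail

KUBE_USER="${KUBE_USER:-dev}"                    # must match the cert CN and the RoleBinding subject
APISERVER="${APISERVER:-https://10.2.1.12:6443}" # kube-apiserver endpoint
KUBECONFIG_OUT="${KUBECONFIG_OUT:-${KUBE_USER}.kubeconfig}"

# --embed-certs inlines the private key into the kubeconfig: create it 0600.
umask 077

# Cluster entry with the CA pinned so the client verifies the apiserver.
# (The original wrote "\ # apiserver" after --server: a comment after the
# continuation backslash terminates the command, so --kubeconfig on the next
# line was never applied and the entry went to the default ~/.kube/config.)
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server="${APISERVER}" \
  --kubeconfig="${KUBECONFIG_OUT}"

# Client credentials. This entry name must equal the --user of the context
# below; the original registered "aliang" but the context referenced "dev".
kubectl config set-credentials "${KUBE_USER}" \
  --client-key="${KUBE_USER}-key.pem" \
  --client-certificate="${KUBE_USER}.pem" \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_OUT}"

# Default context tying the cluster and the user together.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user="${KUBE_USER}" \
  --kubeconfig="${KUBECONFIG_OUT}"

# Make it the current context of this file.
kubectl config use-context kubernetes --kubeconfig="${KUBECONFIG_OUT}"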
4.编写权限绑定（RBAC）
[root@k8s-matser01 rbac]# cat rbac.yaml
# Namespace-scoped, read-only access to Pods in "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
  - apiGroups:
      - ""          # core API group
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
---
# Grants pod-reader to the user whose certificate CN is "dev" (step 2).
# Only the User is bound here; the cert's O ("k8s") is a group and gets
# nothing from this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: dev   # must equal the CN in dev-csr.json
5.测试
1.master测试
[root@k8s-matser01 rbac]# kubectl --kubeconfig=dev.kubeconfig get pod
NAME READY STATUS RESTARTS AGE
nexus3-7b7598945f-t7j8k 1/1 Running 0 7d4h
nfs-client-provisioner-5f6bbb4656-vmwpz 1/1 Running 1 19d
tomcat-994445b55-hkckq 1/1 Running 0 176m
tomcat-994445b55-kkb7v 1/1 Running 0 5d20h
tomcat-994445b55-q5wsw 1/1 Running 0 5d20h
web-7846c464c8-4gldj 1/1 Running 0 7d22h
2.传给node
[root@k8s-matser01 rbac]# !scp
# Ships the kubeconfig (it embeds dev's private key) to the worker as root's
# default kubeconfig, overwriting whatever /root/.kube/config already held.
# NOTE(review): nothing here sets the mode of the copy; check it is 0600 on
# the node, and consider giving it to a non-root user instead of root.
scp dev.kubeconfig 10.2.1.14:/root/.kube/config
3.node查看
[root@k8s-work02 ~]# cat /root/.kube/c
cache/ config
[root@k8s-work02 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nexus3-7b7598945f-t7j8k 1/1 Running 0 7d4h
nfs-client-provisioner-5f6bbb4656-vmwpz 1/1 Running 1 19d
tomcat-994445b55-hkckq 1/1 Running 0 3h
tomcat-994445b55-kkb7v 1/1 Running 0 5d20h
tomcat-994445b55-q5wsw 1/1 Running 0 5d20h
web-7846c464c8-4gldj 1/1 Running 0 7d22h
[root@k8s-work02 ~]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"