k8s使用rbac实现多租户

### 制作租户访问证书 ###

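# Generate a 2048-bit RSA private key for the tenant user.
openssl genrsa -out ethan.key 2048
# Keep the private key readable by its owner only; whoever holds it can
# authenticate to the API server as this user.
chmod 600 ethan.key

# Build the certificate signing request. Kubernetes x509 client authentication
# takes the user name from CN ("ethan") and the group membership from O ("test").
openssl req -new -key ethan.key -out ethan.csr -subj "/CN=ethan/O=test"

# Sign the CSR with the cluster CA. This reads the CA private key, so it has to
# run where /etc/kubernetes/pki/ca.key is available (the certificates.k8s.io
# CertificateSigningRequest API can issue a client certificate without
# handling ca.key directly).
# The API server performs no revocation check on client certificates, so the
# validity period is the only built-in expiry: one year here instead of
# 10000 days (~27 years). Reissue the certificate before it expires.
openssl x509 -req -in ethan.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ethan.crt -days 365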

### 配置config文件 ###
# Register the client certificate/key pair as the kubeconfig user "ethan".
# Without --embed-certs=true the kubeconfig stores references to the two files
# rather than their contents, so both files must remain available.
kubectl config set-credentials ethan \
  --client-key=ethan.key \
  --client-certificate=ethan.crt

# Define a context that ties user "ethan" to cluster "cluster.local" with
# "test" as the default namespace for commands run in that context.
kubectl config set-context ethan-context \
  --user=ethan \
  --namespace=test \
  --cluster=cluster.local


### 新建一条属于自己命名空间的Role ###
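# Write the Role manifest. The heredoc delimiter is quoted so the shell does
# not expand anything inside the YAML body.
cat > roleByNamespaces.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # The namespace must already exist before this Role is applied.
  namespace: test
  name: myrole
rules:
# NOTE(review): "*" for apiGroups and resources covers every namespaced
# resource in "test", including Secrets and the RBAC objects themselves
# (Role, RoleBinding). Narrow this to the resources the tenant actually needs
# where possible. RBAC only limits API access; quotas, network isolation and
# pod security settings are separate controls.
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
EOF

# Writing the file does not change the cluster; create the Role from it.
kubectl apply -f roleByNamespaces.yaml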


### 租户绑定命名空间以及Role ###
# Grants the permissions of Role "myrole" to user "ethan", scoped to the
# "test" namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test
  name: ethan-test
# roleRef cannot be changed after creation; to point at a different Role,
# delete the binding and create it again.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myrole
subjects:
# The user name is what the API server reads from the client certificate's CN.
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ethan


# Verify the tenant's access: list pods as user "ethan" in the context's
# default namespace ("test").
kubectl get pods --context=ethan-context

  
