K8S授权用户只能访问单个名称空间

ServiceAccount:

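---
# ServiceAccount whose token backs the generated kubeconfig.
# As pasted, name/namespace sat at the same level as "metadata:",
# which leaves metadata null and is rejected by the API server;
# they must be nested under metadata.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deliver
  namespace: deliver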

Role:

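---
# Namespace-scoped Role for the "deliver" ServiceAccount. Everything it
# grants is confined to the "deliver" namespace; nothing here is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deliver
  namespace: deliver
rules:
  # Full control over every resource of the core, extensions and apps groups
  # in this namespace. The core-group wildcard covers secrets, serviceaccounts
  # and pods/exec as well, so this is effectively namespace admin; list the
  # resources explicitly if a narrower grant is intended. "extensions" is
  # largely retired in current releases (Ingress lives in networking.k8s.io)
  # and is kept only for older clusters.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  # RBAC matches on the plural resource names used by the API ("jobs",
  # "cronjobs"); the singular "job"/"cronjob" matches no request and grants
  # nothing, so this rule was silently ineffective.
  - apiGroups: ["batch"]
    resources:
      - "jobs"
      - "cronjobs"
    verbs: ["*"]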

RoleBinding:

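---
# Binds the "deliver" Role to the "deliver" ServiceAccount in the same
# namespace. As pasted, the roleRef fields and the subject fields were not
# indented under their parents, so roleRef would be null and the manifest
# would not apply; the nesting below is what the API expects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deliver
  namespace: deliver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deliver
subjects:
  - kind: ServiceAccount
    name: deliver
    namespace: deliver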

generate-kubeconfig.sh

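#!/usr/bin/env bash
# Generate a kubeconfig for the "deliver" ServiceAccount from the token
# stored in its Secret. Run it with credentials that can read Secrets in
# the target namespace; the result is written to ./config.
set -euo pipefail

server="https://IP:PORT"         # API server URL the new kubeconfig will point at
name="deliver-token-kk8qg"       # token Secret of the ServiceAccount (suffix differs per cluster)
namespace="deliver"
out="config"

# certificate-authority-data expects base64, so the CA is used exactly as
# stored; the bearer token has to be decoded before it goes into the file.
# Variables are quoted so an unexpected value cannot be split into extra args.
ca=$(kubectl get secret "$name" -n "$namespace" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl get secret "$name" -n "$namespace" -o jsonpath='{.data.token}' | base64 --decode)

# NOTE(review): clusters from 1.24 onward no longer auto-create a token
# Secret per ServiceAccount; if the lookup above fails there, create the
# Secret explicitly or issue a token with `kubectl create token` instead.

# The file holds a bearer token: make it owner-readable only, and overwrite
# rather than append so re-running the script does not leave a kubeconfig
# with duplicated, unparseable documents.
umask 077
cat > "$out" << EOF
apiVersion: v1
kind: Config
clusters:
  - name: test
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: test
    context:
      cluster: test
      user: deliver
current-context: test
users:
  - name: deliver
    user:
      token: ${token}
EOF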

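./generate-kubeconfig.sh

# -m creates the home directory; without it useradd only does so when
# CREATE_HOME is enabled in /etc/login.defs, and the mkdir below fails.
useradd -m deliver

mkdir -p /home/deliver/.kube

# The kubeconfig carries a bearer token. A plain cp leaves it owned by the
# account that ran the script (root), so hand it to the user and keep it
# readable by that user only.
cp config /home/deliver/.kube/config
chown -R deliver: /home/deliver/.kube
chmod 700 /home/deliver/.kube
chmod 600 /home/deliver/.kube/config

# Login shell: the session starts in the user's home with a login PATH.
su - deliver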
