K8S授权用户只能访问单个名称空间
ServiceAccount:
---
# Identity the restricted user authenticates as. It lives in the target
# namespace so a namespace-scoped Role (not a ClusterRole) can be bound to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deliver
  namespace: deliver
Role:
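---
# Namespace-scoped Role granted to the "deliver" ServiceAccount.
# NOTE(review): resources: ["*"] in the core group is effectively namespace-admin:
# it covers secrets, serviceaccounts and their token subresource, pods/exec and
# pods/portforward as well. Once the workflow's real needs are known, replace the
# wildcards with an explicit resource/verb list.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deliver
  namespace: deliver
rules:
  # "" is the core API group (pods, services, configmaps, secrets, ...);
  # "extensions" is kept only for older clusters.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  # RBAC matches the plural resource name: "job"/"cronjob" never match anything,
  # so the batch rule was silently granting nothing.
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]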
RoleBinding:
---
# Binds the Role "deliver" to the ServiceAccount of the same name. Both are in
# namespace "deliver", so nothing outside that namespace is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deliver
  namespace: deliver
roleRef:
  # roleRef is immutable after creation; pointing at a different Role means
  # deleting and recreating the binding.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deliver
subjects:
  - kind: ServiceAccount
    name: deliver
    namespace: deliver
generate-kubeconfig.sh
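#!/usr/bin/env bash
# generate-kubeconfig.sh — write a kubeconfig file ("config" in the current
# directory) that authenticates as the "deliver" ServiceAccount via its token.
#
# Prerequisites: the ServiceAccount/Role/RoleBinding above exist and the current
# kubectl context may read secrets in the target namespace.
set -euo pipefail

# API server endpoint as reachable by the restricted user (placeholder: fill in IP:PORT).
server="https://IP:PORT"
# Name of the kubernetes.io/service-account-token Secret for the ServiceAccount.
# The random suffix differs per cluster, so confirm it with
# `kubectl get secret -n deliver` before running.
# On Kubernetes 1.24+ this secret is no longer created automatically: create one
# manually, or prefer `kubectl create token deliver -n deliver`, which yields a
# token with a bounded lifetime instead of a non-expiring one.
name="deliver-token-kk8qg"
namespace="deliver"
out="config"

# ca.crt is left base64-encoded on purpose: certificate-authority-data expects base64.
ca=$(kubectl get secret "$name" -n "$namespace" -o jsonpath='{.data.ca\.crt}')
# The token is stored base64-encoded in the Secret; the kubeconfig wants the raw bearer token.
token=$(kubectl get secret "$name" -n "$namespace" -o jsonpath='{.data.token}' | base64 --decode)

# Fail loudly instead of writing a kubeconfig with empty credentials.
if [ -z "$ca" ] || [ -z "$token" ]; then
  echo "error: secret $namespace/$name has no ca.crt or token" >&2
  exit 1
fi

# The file holds a bearer token: create it owner-readable only, and overwrite
# rather than append so a second run cannot leave two Config documents in one file.
umask 077
cat > "$out" << EOF
apiVersion: v1
kind: Config
clusters:
  - name: test
    cluster:
      certificate-authority-data: ${ca}
      server: ${server}
contexts:
  - name: test
    context:
      cluster: test
      user: deliver
current-context: test
users:
  - name: deliver
    user:
      token: ${token}
EOF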
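# Generate the kubeconfig, then install it for a dedicated local user.
chmod +x generate-kubeconfig.sh
./generate-kubeconfig.sh
# -m creates /home/deliver; without it the mkdir below fails on distributions
# that do not create home directories by default.
useradd -m deliver
mkdir -p /home/deliver/.kube
cp config /home/deliver/.kube/config
# The kubeconfig carries a bearer token: owned by deliver and readable only by deliver.
chown -R deliver:deliver /home/deliver/.kube
chmod 700 /home/deliver/.kube
chmod 600 /home/deliver/.kube/config
# Login shell so HOME is set and kubectl picks up ~/.kube/config.
su - deliver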