[root@k8s186 rbac]# vim usertest-csr.json
{
    "CN": "usertest",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

 

 
证书生成
# API server endpoint that the later set-cluster step writes into the kubeconfig.
export KUBE_APISERVER="https://192.168.70.186:6443"

# Sign the usertest CSR with the cluster CA and write usertest.pem,
# usertest-key.pem and usertest.csr into the current directory.
# With X.509 client authentication the API server takes the certificate CN
# ("usertest") as the user name and each O value ("k8s") as a group, so these
# two CSR fields decide the identity that RBAC sees.
# NOTE(review): -profile=kubernetes is passed without -config, so no signing
# profile definition is visible on this page; confirm the validity period and
# key usages of the issued certificate before handing it out.
./cfssl gencert \
  -ca=ca.crt \
  -ca-key=ca.key \
  -profile=kubernetes \
  /apps/rbac/usertest-csr.json \
  | ./cfssljson -bare usertest
 
设置集群参数
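# Record the cluster entry "kubernetes" in usertest.kubeconfig.
# --embed-certs=true stores the CA certificate inside the file instead of a
# path reference, so the kubeconfig stays usable after it is copied elsewhere.
# The server URL is quoted so an unexpected value cannot be word-split into
# extra kubectl arguments.
kubectl config set-cluster kubernetes \
  --certificate-authority=/apps/conf/kubernetes/ssl/ca.crt \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=usertest.kubeconfig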
 
设置客户端认证参数
# Add the client identity "usertest" to usertest.kubeconfig.
# --embed-certs=true copies both the certificate and the private key into the
# kubeconfig, so from here on the kubeconfig file itself is a credential and
# needs the same protection as usertest-key.pem.
kubectl config set-credentials usertest \
  --client-certificate=/apps/rbac/usertest.pem \
  --client-key=/apps/rbac/usertest-key.pem \
  --embed-certs=true \
  --kubeconfig=usertest.kubeconfig
 
设置上下文参数
# Tie cluster "kubernetes" and user "usertest" together as context "kubernetes".
# --namespace=test is only the client-side default namespace for kubectl; it
# does not restrict access. What the user may do is decided by RBAC bindings.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=usertest \
  --namespace=test \
  --kubeconfig=usertest.kubeconfig
 
设置默认上下文
# Make "kubernetes" the current-context of usertest.kubeconfig so kubectl
# selects it without an explicit --context flag.
kubectl config use-context kubernetes --kubeconfig=usertest.kubeconfig
 
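# Install the kubeconfig for the usertest account.
# The file embeds the client private key (--embed-certs=true on
# set-credentials), so it is a credential: keep the directory 0700 and the
# file 0600, both owned by the account. A plain mkdir/cp run as root leaves
# them root-owned with umask-derived modes, which either locks the user out
# or leaves the key readable by other local accounts.
# NOTE(review): the group name "usertest" is assumed to match the account's
# primary group; adjust -g if it differs.
install -d -m 0700 -o usertest -g usertest /home/usertest/.kube
install -m 0600 -o usertest -g usertest \
  usertest.kubeconfig /home/usertest/.kube/config

# usertest.kubeconfig and usertest-key.pem remain in the working directory
# after this step; remove them or restrict their permissions once the user
# has the installed copy.

# Grant the rules of ClusterRole "test" to user "usertest" in namespace "test".
# A RoleBinding that references a ClusterRole applies those rules only inside
# the binding's own namespace.
# NOTE(review): ClusterRole "test" is not defined on this page; confirm it
# exists and that its rules are the minimum usertest needs.
kubectl create rolebinding usertest-binding \
  --clusterrole=test \
  --user=usertest \
  --namespace=test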
 
 
方法二:
# Create the private key inside a subshell with umask 077 so gpu.key is
# readable by its owner only, without changing the umask of the calling shell.
(
  umask 077
  openssl genrsa -out gpu.key 2048
)

# CSR with subject CN=gpu only. The API server will treat "gpu" as the user
# name; no O field is set, so the certificate carries no group membership.
openssl req -new -key gpu.key -out gpu.csr -subj "/CN=gpu"

# Sign the CSR directly with the cluster CA key.
# NOTE(review): -days 3650 issues a ten-year client certificate. Kubernetes
# has no revocation check for client certificates, so a leaked gpu.key stays
# usable until expiry unless the RBAC bindings for "gpu" are removed or the CA
# is rotated. Prefer a much shorter lifetime with re-issuance.
# NOTE(review): this step needs read access to the CA private key on this
# host; the CertificateSigningRequest API can issue client certificates
# without exposing ca.key to the operator.
openssl x509 -req \
  -in gpu.csr \
  -CA /apps/conf/kubernetes/ssl/ca.crt \
  -CAkey /apps/conf/kubernetes/ssl/ca.key \
  -CAcreateserial \
  -out gpu.crt \
  -days 3650

# Print the issued certificate to check subject, issuer and validity dates.
openssl x509 -in gpu.crt -text -noout
 
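# API server endpoint written into gpu.kubeconfig.
export KUBE_APISERVER="https://192.168.70.186:6443"

# Cluster entry "cluster.local" with the CA certificate embedded in the file.
# The server URL is quoted so an unexpected value cannot be word-split into
# extra kubectl arguments.
kubectl config set-cluster cluster.local \
  --certificate-authority=/apps/conf/kubernetes/ssl/ca.crt \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=gpu.kubeconfig

# Client identity "gpu". --embed-certs=true copies the certificate and the
# private key into gpu.kubeconfig, making that file a credential.
# NOTE(review): the /root/ paths assume the openssl commands that produced
# gpu.crt and gpu.key were run in /root; adjust if they were run elsewhere.
kubectl config set-credentials gpu \
  --client-certificate=/root/gpu.crt \
  --client-key=/root/gpu.key \
  --embed-certs=true \
  --kubeconfig=gpu.kubeconfig

# Context gpu@cluster.local with default namespace "test". The namespace here
# is a kubectl default only; access is limited by RBAC, not by this setting.
kubectl config set-context gpu@cluster.local \
  --cluster=cluster.local \
  --user=gpu \
  --namespace=test \
  --kubeconfig=gpu.kubeconfig

# Select the new context as the current one in gpu.kubeconfig.
kubectl config use-context gpu@cluster.local --kubeconfig=gpu.kubeconfig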
 
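# Install the kubeconfig for the gpu account.
# The file embeds the client private key, so create the directory 0700 and the
# file 0600, both owned by gpu:gpu. The original chown covered only the config
# file: the root-created .kube directory stayed root-owned, and the copied
# file kept umask-derived permissions.
install -d -m 0700 -o gpu -g gpu /home/gpu/.kube
install -m 0600 -o gpu -g gpu gpu.kubeconfig /home/gpu/.kube/config

# gpu.kubeconfig and gpu.key remain in the working directory after this step;
# remove them or restrict their permissions once the user has the installed
# copy.

# Bind the built-in ClusterRole "admin" to user "gpu" inside namespace "test".
# NOTE(review): within that namespace "admin" allows read/write on most
# resources, including Secrets, and lets the user create Roles and
# RoleBindings there. If the account only needs to run or inspect workloads,
# bind "edit" or "view" (or a purpose-built Role) instead.
kubectl create rolebinding gpu-binding \
  --clusterrole=admin \
  --user=gpu \
  --namespace=test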
 
 
额外:
切换用户 kubectl config use-context gpu@kubernetes（注意：上文方法二创建的上下文名为 gpu@cluster.local，且保存在 gpu.kubeconfig 中；实际名称请以 kubectl config get-contexts 的输出为准）
验证权限 kubectl get pods（管理员也可以用 kubectl auth can-i --list --as=gpu --namespace=test 核对该用户实际被授予的权限，确认没有超出预期）
切换成管理员 kubectl config use-context kubernetes-admin@kubernetes
查看所有用户 kubectl config get-contexts
查看集群角色 kubectl get ClusterRole
查看服务账户 kubectl get serviceAccount