Kubernetes authentication and authorization

Authentication

First, generate a private key for the new user (the umask keeps the key file readable only by its owner):

(umask 077; openssl genrsa -out caonw.key 2048)

Then issue a certificate for that private key.
1. Generate a certificate signing request (CSR); the CN in the subject becomes the Kubernetes user name

openssl req -new -key caonw.key -out caonw.csr -subj "/CN=caonw"

2. Sign the CSR with the cluster CA (ca.crt and ca.key from the cluster's pki directory)

openssl x509 -req -in caonw.csr -CA ./ca.crt -CAkey ca.key -CAcreateserial -out caonw.crt -days 365

Inspect the resulting certificate

openssl x509 -in caonw.crt -text -noout

3. Add the user's client certificate and key to the kubeconfig credentials

kubectl config set-credentials caonw --client-certificate=./caonw.crt --client-key=./caonw.key --embed-certs=true

4. Add a context that pairs this user with the cluster

kubectl config set-context caonw@kubernetes --cluster=kubernetes --user=caonw

5. Switch the default context to the new user

kubectl config use-context caonw@kubernetes

6. Test authentication

[root@k8s-lb pki]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "caonw" cannot list resource "pods" in API group "" in the namespace "default"

Authentication itself succeeded: the API server identified the caller as User "caonw" from the certificate's CN. The request is rejected at the authorization step, because no role has been bound to this user yet, which is the subject of the next section.

Authorization

Authorization plugins (authorization modes): Node, ABAC, Webhook, RBAC

RBAC

Subjects: User (a user account, such as the certificate user above), ServiceAccount

Bindings: RoleBinding, ClusterRoleBinding

Roles: Role, ClusterRole
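As an added example (not part of the original post), the Role and RoleBinding below would clear the Forbidden error from the authentication test by granting user caonw read access to pods in the default namespace only. The object names pod-reader and caonw-read-pods are my own choice.

```yaml
# Added example: least-privilege grant for the certificate user "caonw".
# A Role is namespaced and lists permissions; a RoleBinding ties it to a subject.
# The names "pod-reader" and "caonw-read-pods" are arbitrary choices for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]          # core API group, the "" in the error message
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: caonw-read-pods
subjects:
- kind: User
  name: caonw              # must match the CN in the client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it from the cluster admin context (the caonw context cannot create RBAC objects), then `kubectl auth can-i list pods --namespace default --as caonw` should answer yes and `kubectl get pod` succeeds under the caonw@kubernetes context, while requests outside this grant, such as `kubectl get nodes`, still return Forbidden.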


posted @ 2020-08-21 15:37 caonw