faith丶


Granting a regular user access to root's kubectl command on a Linux system


1. Create a regular user and set a password

[root@jira ~]# useradd alphaReadLog
[root@jira ~]# passwd alphaReadLog
Changing password for user test.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

2. Copy the admin.conf file to the regular user

[alphaReadLog@iZ2ze2uuh7sdomb9ij4gxeZ ~]$ mkdir -p /home/alphaReadLog/.kube/config/

[root@iZ2ze2uuh7sdomb9ij4gxeZ ~]# cp /etc/kubernetes/admin.conf  /home/alphaReadLog/.kube/config/

[root@iZ2ze2uuh7sdomb9ij4gxeZ ~]# chown alphaReadLog.alphaReadLog /home/alphaReadLog/.kube/config/admin.conf 

[alphaReadLog@iZ2ze2uuh7sdomb9ij4gxeZ ~]$ cat /home/alphaReadLog/.bashrc 
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
export KUBECONFIG=/home/alphaReadLog/.kube/config/admin.conf
source <(kubectl completion bash)
# User specific aliases and functions

[alphaReadLog@iZ2ze2uuh7sdomb9ij4gxeZ ~]$ source /home/alphaReadLog/.bashrc

3. Authorize the alphaReadLog user to run the kubectl command (*** this step is optional)

[root@jira ~]# cat /etc/sudoers
# ****
## Allow root to run any commands anywhere 
root    ALL=(ALL)     ALL
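# (Grant root privileges to the regular user alphaReadLog)
# First ALL: the rule applies on any host; localhost would limit it to the local machine.
# Second (ALL): commands may be run as any user.
# Third ALL: all commands may be used.
# NOPASSWD: the command runs without a password prompt.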
alphaReadLog ALL=(ALL) NOPASSWD:/usr/bin/kubectl

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel    ALL=(ALL)    ALL

## Same thing without a password
# %wheel    ALL=(ALL)    NOPASSWD: ALL

# ****

4. Test as the regular user

# Running the command before authorization (admin.conf from step 2 not yet copied)
[alphaReadLog@iZ2ze2uuh7sdomb9ij4gxeZ ~]$ kubectl get pod
The connection to the server localhost:8080 was refused - did you specify the right host or port?

# After authorization (this time step 3 was not performed; step 2 was)
[alphaReadLog@iZ2ze2uuh7sdomb9ij4gxeZ ~]$ kubectl get pod
NAME                                     READY   STATUS    RESTARTS   AGE
alpha-abilitytest-6849db6b7c-frrt7       1/1     Running   0          127d
alpha-recruitment-548f7957d7-6glsm       1/1     Running   0          9d
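
On a kubeadm cluster, /etc/kubernetes/admin.conf is the cluster administrator credential, so step 2 gives alphaReadLog full control of the cluster, not just `kubectl get pod`. The script below is an added example (not from the original post) that issues a kubeconfig limited to reading pods and pod logs in one namespace. The names `alpha-read-log`, `readlog`, `k8s`, the file name `readlog.sh`, the `default` namespace, the kubeadm CA path /etc/kubernetes/pki/ca.crt and the use of `kubectl create token` (kubectl 1.24+) are assumptions.

```bash
# Added example, not from the original post. Assumed names: namespace "default",
# ServiceAccount/Role "alpha-read-log", context "readlog", cluster entry "k8s".
NS="default"; SA="alpha-read-log"
# Emit ServiceAccount + Role + RoleBinding: read pods and pod logs in $NS only.
render_rbac() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${SA}, namespace: ${NS}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${SA}, namespace: ${NS}}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${SA}, namespace: ${NS}}
subjects:
- {kind: ServiceAccount, name: ${SA}, namespace: ${NS}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ${SA}}
EOF
}

# Write a kubeconfig holding only a 24h token (assumes kubectl 1.24+, kubeadm CA path).
write_kubeconfig() {
  local out="$1" server token
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  token=$(kubectl -n "$NS" create token "$SA" --duration=24h)
  ( umask 077
    kubectl config set-cluster k8s --kubeconfig="$out" --server="$server" \
      --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
    kubectl config set-credentials "$SA" --kubeconfig="$out" --token="$token"
    kubectl config set-context readlog --kubeconfig="$out" \
      --cluster=k8s --user="$SA" --namespace="$NS"
    kubectl config use-context readlog --kubeconfig="$out" ) >/dev/null
}

# As cluster admin: bash readlog.sh apply /home/alphaReadLog/.kube/config/readlog.conf
if [ "${1:-}" = "apply" ]; then
  set -euo pipefail
  render_rbac | kubectl apply -f -
  write_kubeconfig "$2"
  chown alphaReadLog: "$2"
  ! kubectl --kubeconfig="$2" auth can-i delete pods   # must answer "no"
fi
```

Point `KUBECONFIG` in the user's .bashrc at the generated file instead of the admin.conf copy; the token expires after 24 hours and has to be reissued by an administrator.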

 

 


posted on 2021-01-14 16:26  faith丶