k8s - study notes 12 - the permission system

Creating a low-privilege account

First create a Role, which only takes effect inside a single namespace (ns). Note that this Role is not read-only: create on the pods/exec subresource is exactly what kubectl exec needs, so whoever holds the token can run commands inside every pod in rrb, and with that read whatever secrets, mounted volumes and service-account tokens those pods carry. "Low privilege" here means "confined to one namespace", not "harmless".

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
  namespace: rrb
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - pods/exec


Next, create a ServiceAccount (sa)

kind: ServiceAccount
apiVersion: v1
metadata:
  name: eks-reader
  namespace: rrb


Finally bind the Role to the sa. The token in the Secret generated for the sa can then be used to log in to the dashboard, and it only has get/list/watch and exec on pods in this namespace, nothing in any other namespace. Confirm that before handing the token out by asking the API server directly: kubectl auth can-i list pods -n rrb --as=system:serviceaccount:rrb:eks-reader should answer yes, and the same question with -n default, or with the verb delete, should answer no. Two caveats: automatically generated token Secrets are a behaviour of the Kubernetes versions current when this was written; since 1.24 the token has to be requested with kubectl create token (short-lived) or a Secret of type kubernetes.io/service-account-token has to be created by hand. Either way the token is a bearer credential, so anyone who copies it gets the same access until it is deleted.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-reader
  namespace: rrb
subjects:
  - kind: ServiceAccount
    name: eks-reader
    namespace: rrb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader


kubeconfig for the administrator account

When calling the API from Python, this config is used; it carries the highest privileges. Look at the O field in the CSR below: the client-certificate authenticator maps the certificate's CN to the username and every O to a group, and system:masters is a privileged group that kube-apiserver allows unconditionally, before RBAC is even consulted, so no Role or binding can narrow it. kube-apiserver also does not check revocation lists for client certificates, which means that once admin.pem is signed the only way to revoke it is to rotate the CA. Treat admin-key.pem and the resulting admin.kubeconfig accordingly, and for anything automated prefer a ServiceAccount or a user certificate with a non-privileged O bound to a narrower role. The -profile=client below assumes ca-config.json defines a client profile with client auth usage.

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "hangzhou",
      "ST": "hangzhou",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client admin-csr.json | cfssljson -bare admin


# Cluster parameters: the API server endpoint and the CA that signs its serving certificate
kubectl config set-cluster kubernetes \
  --server=https://192.168.18.56:6443 \
  --certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
  --embed-certs=true \
  --kubeconfig=admin.kubeconfig


# Client credentials: the admin certificate and key minted above. --embed-certs copies
# both into the kubeconfig, so the file must be protected like the private key itself.
# (--certificate-authority is a set-cluster option, not a set-credentials one, so it is not repeated here.)
kubectl config set-credentials cluster-admin \
  --embed-certs=true \
  --client-key=/opt/kubernetes/server/bin/cert/admin-key.pem \
  --client-certificate=/opt/kubernetes/server/bin/cert/admin.pem \
  --kubeconfig=admin.kubeconfig


# Context: tie the cluster and the user together
kubectl config set-context default \
  --cluster=kubernetes \
  --user=cluster-admin \
  --kubeconfig=admin.kubeconfig


# Make it the default context
kubectl config use-context default --kubeconfig=admin.kubeconfig
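To make both halves of these notes concrete, here is an offline model of how kube-apiserver decides a request, covering the Role/RoleBinding for eks-reader in the first section and the admin certificate whose O is system:masters in this one. It is an added example written for these notes, not code from the post or from Kubernetes. The Role and RoleBinding are transcribed as Python dicts (no YAML parser needed); the matching rules re-implement the RBAC authorizer's semantics (exact match, "*", and "*/subresource"); the system:masters short-circuit and the kubectl exec helper (GET the pod, then POST to pods/exec) are simplifications of real apiserver and kubectl behaviour; and the identity helpers assume the default authenticators' mapping (CN to username, O to group, system:serviceaccount:<ns>:<name> for tokens). All inputs are constructed inline, so it runs without a cluster.

```python
"""Offline model of Kubernetes authorization for the objects in these notes.
Added example for the notes, not Kubernetes' own code; see the lead-in for assumptions."""
from dataclasses import dataclass

# The Role and RoleBinding from the first section, transcribed from YAML into dicts.
POD_READER_ROLE = {
    "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "rrb"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}
EKS_READER_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "eks-reader", "namespace": "rrb"},
    "subjects": [{"kind": "ServiceAccount", "name": "eks-reader", "namespace": "rrb"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


def identity_from_cert_subject(cn: str, orgs: list) -> Identity:
    """Client-cert authenticator: CN becomes the username, every O becomes a group."""
    return Identity(user=cn, groups=frozenset(orgs))


def identity_from_service_account(namespace: str, name: str) -> Identity:
    """ServiceAccount tokens authenticate as system:serviceaccount:<ns>:<name>."""
    return Identity(
        user=f"system:serviceaccount:{namespace}:{name}",
        groups=frozenset({"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}),
    )


def _subject_matches(subject: dict, ident: Identity) -> bool:
    kind = subject["kind"]
    if kind == "ServiceAccount":
        return ident.user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if kind == "User":
        return ident.user == subject["name"]
    if kind == "Group":
        return subject["name"] in ident.groups
    return False


def _rule_matches(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule["resources"]:
        # "*" matches everything; exact match; "*/exec" matches the exec subresource of any resource
        if r == "*" or r == resource or (sub and r == f"*/{sub}"):
            return True
    return False


def can_i(ident: Identity, verb: str, resource: str, namespace: str, *,
          roles=(POD_READER_ROLE,), bindings=(EKS_READER_BINDING,), api_group: str = "") -> bool:
    # system:masters is a hard-wired privileged group: allowed before RBAC is consulted.
    if "system:masters" in ident.groups:
        return True
    for b in bindings:
        # A RoleBinding only covers requests in its own namespace, and its Role must live there.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, ident) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        ref_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        for role in roles:
            if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
                continue
            if ref["kind"] == "Role" and role["metadata"]["namespace"] != ref_ns:
                continue
            if any(_rule_matches(rule, verb, api_group, resource) for rule in role["rules"]):
                return True
    return False  # RBAC is deny-by-default: no matching binding and rule means no access


def kubectl_exec_allowed(ident: Identity, namespace: str) -> bool:
    """kubectl exec first GETs the pod, then POSTs to pods/exec: both must be allowed."""
    return can_i(ident, "get", "pods", namespace) and can_i(ident, "create", "pods/exec", namespace)


if __name__ == "__main__":
    sa = identity_from_service_account("rrb", "eks-reader")
    admin = identity_from_cert_subject("admin", ["system:masters"])
    for who, ident in (("eks-reader token", sa), ("admin cert", admin)):
        print(who, "| list pods rrb:", can_i(ident, "list", "pods", "rrb"),
              "| exec rrb:", kubectl_exec_allowed(ident, "rrb"),
              "| get secrets rrb:", can_i(ident, "get", "secrets", "rrb"),
              "| delete pods default:", can_i(ident, "delete", "pods", "default"))
```

Running it shows the eks-reader token can list and exec in rrb but cannot read Secrets there or touch pods in default, while the admin certificate is allowed everything even with no bindings at all; that asymmetry is the reason admin.kubeconfig needs far more care than the dashboard token.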


posted @ 2021-01-07 18:14  jabbok