kubectl: build a dedicated kubeconfig for a user `dev` whose RBAC permits only get/list/watch on pods in a single namespace (a least-privilege, namespace-scoped read-only credential)
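# CSR for the client certificate of the Kubernetes user "dev".
# The apiserver maps CN -> username and O -> group, so binding a Group once
# (kind: Group, name: "k8s") saves authorizing every user separately.
# Never put "system:masters" in O: that group is cluster-admin regardless of RBAC.
# NOTE: the original file carried a '#' comment inside the JSON body; JSON has
# no comments and cfssl would reject the file, so the explanation lives here.
cat > dev-csr.json <<'EOF'
{
  "CN": "dev",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Sign with the cluster CA using the "kubernetes" profile from ca-config.json.
# Kubernetes does not check CRLs, so a leaked dev.pem cannot be revoked short
# of rotating the CA — keep the profile's expiry short. Output: dev.pem, dev-key.pem.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes dev-csr.json | cfssljson -bare dev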
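# Cluster entry: pin the cluster CA, embedded so the kubeconfig is self-contained.
# (presumably the same ca.pem the cfssl step used from the current directory.)
# 127.0.0.1:16443 looks like a local apiserver load balancer — the file only
# works from a host where that address reaches the apiserver; substitute the
# real endpoint before handing the file to a developer.
kubectl config set-cluster kubernetes \
  --certificate-authority=/root/TLS/k8s/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:16443 \
  --kubeconfig=dev.kubeconfig

# Client credential: the dev cert/key produced by cfssl, embedded inline.
# From here on dev.kubeconfig contains a private key — treat it as a secret.
kubectl config set-credentials dev \
  --client-key=dev-key.pem \
  --client-certificate=dev.pem \
  --embed-certs=true \
  --kubeconfig=dev.kubeconfig

# Context: cluster + user, defaulting to the only namespace dev may read so a
# plain "kubectl get pods" does not hit "forbidden" in the default namespace.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=dev \
  --namespace=closeli \
  --kubeconfig=dev.kubeconfig

# Make it the active context.
kubectl config use-context kubernetes --kubeconfig=dev.kubeconfig

# Owner-only permissions for the file with the embedded key.
chmod 600 dev.kubeconfig

# Verify least privilege once rbac.yaml is applied: only the first answer
# should be "yes"; cluster-wide reads and any write must be "no".
kubectl --kubeconfig=dev.kubeconfig auth can-i list pods -n closeli
kubectl --kubeconfig=dev.kubeconfig auth can-i list pods --all-namespaces
kubectl --kubeconfig=dev.kubeconfig auth can-i delete pods -n closeli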
rbac.yaml — apply as a cluster administrator (`kubectl apply -f rbac.yaml`), not with dev.kubeconfig
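---
# Namespaced Role: read-only access to pods in the "closeli" namespace.
# "get"/"list" return the full pod spec, including any env values written
# inline in manifests, so keep sensitive values in Secrets referenced via
# secretKeyRef. pods/log and pods/exec are separate subresources and are
# NOT granted by "pods".
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # Role objects are namespaced; this one exists only in closeli.
  namespace: closeli
  name: pod-reader
rules:
  - apiGroups: [""]  # "" is the core API group, where pods live
    resources: ["pods"]  # resource names are plural
    verbs: ["get", "watch", "list"]  # no create/update/patch/delete
---
# Bind the Role to the certificate's CN ("dev"). To grant a whole group
# instead, use kind: Group with the certificate's O value (e.g. "k8s").
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: closeli
subjects:
  - kind: User
    name: dev
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # roleRef cannot be changed after creation; delete and recreate to re-point it.
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io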