kubectl 新建config 指定namespace get pod dev权限

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

cat > dev-csr.json <<EOF {   "CN": "dev",   "hosts": [],   "key": {     "algo": "rsa",     "size": 2048   },   "names": [     { # CN表示单个用户，O表示用户组，生成用户组就不用每个用户都去授权       "C": "CN",       "ST": "BeiJing",       "L": "BeiJing",       "O": "k8s",       "OU": "System"     }   ] } EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes dev-csr.json | cfssljson -bare dev

 

# ca证书目录

kubectl config set-cluster kubernetes \

  --certificate-authority=/root/TLS/k8s/ca.pem \

  --embed-certs=true \

  --server=https://127.0.0.1:16443 \

  --kubeconfig=dev.kubeconfig

 

# 设置客户端认证

kubectl config set-credentials dev \

  --client-key=dev-key.pem \

  --client-certificate=dev.pem \

  --embed-certs=true \

  --kubeconfig=dev.kubeconfig

 

# 设置默认上下文

kubectl config set-context kubernetes \

  --cluster=kubernetes \

  --user=dev \

  --kubeconfig=dev.kubeconfig

 

# 设置当前使用配置

kubectl config use-context kubernetes --kubeconfig=dev.kubeconfig

 

 

rbac.yaml

# 授权特定命名空间的访问权限 

kind: Role

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  # 指定命名空间

  namespace: closeli

  name: pod-reader

# 指定只能对pod进行get watch list操作

rules:

- apiGroups: [""]

  # 后面一般需要加上s

  resources: ["pods"]

  verbs: ["get", "watch", "list"]

 

---

 

# 角色绑定

kind: RoleBinding

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  name: read-pods

  namespace: closeli

subjects:

 # 指定主体，如果是用户组kind就是Group，name就是组名

- kind: User

  name: dev

  apiGroup: rbac.authorization.k8s.io

roleRef:

  kind: Role

  name: pod-reader

  apiGroup: rbac.authorization.k8s.io