RBAC

创建一个lichuan 只能管理lichuan-dev这个namespace

 

#下载证书制作软件
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64 -o cfssl
chmod +x cfssl
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64 -o cfssljson
chmod +x cfssljson
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64 -o cfssl-certinfo
chmod +x cfssl-certinfo

cp cfssl* /usr/local/bin

#这里的CN就会作为用户名，而O就为作为用户组名，例如创建 lichuan-csr.json文件如下
{
  "CN": "lichuan",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
     {
       "C": "CN",
       "L": "Beijing",
       "O": "Beijing",
       "OU": "k8s-dev",
       "ST": "System"
     }
  ]
}

#根据上面的请求信息生成CA认证后的用户证书和私钥
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes lichuan-csr.json | cfssljson -bare lichuan


#生成用户专属的认证config文件
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://10.3.65.37:6443 --kubeconfig=lichuan.config

#设置客户端认证证书
kubectl config set-credentials lichuan --client-certificate=/etc/kubernetes/pki/lichuan.pem --client-key=/etc/kubernetes/pki/lichuan-key.pem --embed-certs=true --kubeconfig=lichuan.config

#创建一个新的namespace
kubectl create namespace lichuan-dev

#给lichuan用户设置context
kubectl config set-context kubernetes --cluster=kubernetes --user=lichuan --namespace=lichuan-dev --kubeconfig=lichuan.config
#设置下current-context
kubectl config use-context kubernetes --kubeconfig=lichuan.config

#做rolebinding
kubectl create rolebinding lichuan-admin-dev-binding --clusterrole=admin --user=lichuan --namespace=lichuan-dev

 

参考：https://blog.csdn.net/Victor2code/article/details/106143273

https://www.qikqiak.com/k8s-book/docs/30.RBAC.html

第二个有创建角色的，可以参考，第一个默认用的admin，自带的，权限大

 

https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

官网：https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/