Manually creating kubeconfig files to hand out different permissions

Writing the kubeconfig file
This kubeconfig file defines the cluster and the client identity, including the HTTPS/TLS authentication settings. You can also replace certificate-authority: /etc/kubernetes/ssl/ca.crt with insecure-skip-tls-verify: true to skip verification of the API server's certificate (the client then no longer checks that it is talking to the real cluster).
A typical file looks like this:
[appuser@k8s-master-1 ~]$ cat /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
clusters:
- name: shjq-dev01-chenqiang-cluster
  cluster:
    server: https://10.130.14.155:443
    certificate-authority: /etc/kubernetes/ssl/ca.crt
users:
- name: shjq-dev01-chenqiang-user
  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
contexts:
- context:
    cluster: shjq-dev01-chenqiang-cluster
    user: shjq-dev01-chenqiang-user
    namespace: dev
  name: shjq-dev01-chenqiang


Creating the user shjq-dev01-chenqiang-user through the RBAC authorization mechanism

User -> Role -> RoleBinding

Create the user

openssl genrsa -out deploy.key 2048 # create the user's private key

openssl req -new -key deploy.key -out deploy.csr -subj "/CN=deploy/O=DEPLOY" # create the certificate signing request

openssl x509 -req -in deploy.csr -CA /etc/kubernetes/ssl/kube-ca.pem -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -CAcreateserial -out deploy.crt -days 365 # sign the certificate with the cluster CA

Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-ns
rules:
- apiGroups: [""] # "" is the default (core) API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]

RoleBinding

Bind the Role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-rolebinding-1
  namespace: my-ns
subjects:
- kind: User # subject kind
  name: eli # subject name; for certificate users this must equal the CN in the client certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io
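To see what the Role and RoleBinding above actually grant before handing the kubeconfig to someone, here is an added offline checker (example code written for this article, not part of Kubernetes or the original post). It mirrors how the API server matches a namespaced request against bound Role rules, simplified to Users, Roles and RoleBindings only (no ClusterRoles, groups, resourceNames or subresources); the Role and RoleBinding are the ones from this page, re-typed as Python dicts.

```python
# Simplified RBAC evaluator for the Role/RoleBinding shown above (assumption:
# only User subjects, only namespaced Role rules, "*" as the wildcard).
ROLE = {
    "metadata": {"name": "my-role", "namespace": "my-ns"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update", "patch", "delete", "watch"]},
    ],
}

ROLEBINDING = {
    "metadata": {"name": "my-rolebinding-1", "namespace": "my-ns"},
    "subjects": [{"kind": "User", "name": "eli"}],
    "roleRef": {"kind": "Role", "name": "my-role"},
}


def _matches(allowed, value):
    # A rule entry of "*" matches any value, as in RBAC PolicyRule semantics.
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    # All three lists of one rule must match the request.
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, api_group="",
          roles=(ROLE,), bindings=(ROLEBINDING,)):
    """True if a RoleBinding in `namespace` names `user` and points at a Role
    in that namespace whose rules permit verb/resource (api_group "" = core)."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        role = roles_by_name.get(ref["name"])
        if ref["kind"] != "Role" or role is None:
            continue
        if role["metadata"]["namespace"] != namespace:
            continue  # a Role can only be bound within its own namespace
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: nothing matched
```

Against a live cluster the same questions are answered by kubectl auth can-i with --as=eli -n my-ns.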
