Writing the kubeconfig file
The kubeconfig file defines the cluster and the client identity, including the TLS material used to authenticate both sides. You can replace certificate-authority: /etc/kubernetes/ssl/ca.crt with insecure-skip-tls-verify: true to skip verification of the cluster's serving certificate, but be clear about what that costs: the client then accepts any certificate from whatever answers at that address, so anyone on the path can impersonate the API server, read every request and response, and return forged ones. Use it only on throwaway test clusters; for anything else, ship the CA (certificate-authority or inline certificate-authority-data).
A typical file looks like this:
[appuser@k8s-master-1 ~]$ cat /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
clusters:
- name: shjq-dev01-chenqiang-cluster
  cluster:
    server: https://10.130.14.155:443
    certificate-authority: /etc/kubernetes/ssl/ca.crt   # CA that signed the API server's serving certificate
users:
- name: shjq-dev01-chenqiang-user   # local alias only; the username the API server sees is the client certificate's CN
  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
contexts:
- name: shjq-dev01-chenqiang
  context:
    cluster: shjq-dev01-chenqiang-cluster
    user: shjq-dev01-chenqiang-user
    namespace: dev   # default namespace for this context
current-context: shjq-dev01-chenqiang   # without this every kubectl call needs --context
Creating the user shjq-dev01-chenqiang-user with RBAC authorization
Flow: user -> Role -> RoleBinding
Create the user
Kubernetes has no user object. A user is whatever identity the API server derives from the credential presented; for a client certificate, the CN becomes the username and each O becomes a group. The subject in the CSR below therefore is the user definition, and the names used later in the RoleBinding must match it.
openssl genrsa -out deploy.key 2048   # generate the user's private key
openssl req -new -key deploy.key -out deploy.csr -subj "/CN=deploy/O=DEPLOY"   # CSR: CN=deploy is the username, O=DEPLOY the group
openssl x509 -req -in deploy.csr -CA /etc/kubernetes/ssl/kube-ca.pem -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -CAcreateserial -out deploy.crt -days 365   # sign with the CA the API server trusts for client certificates (its --client-ca-file)
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-ns   # a Role only grants access inside this namespace
rules:
- apiGroups: [""]    # "" is the core API group (pods, services, ...)
  resources: ["pods"]
  verbs: ["get", "watch", "list"]   # read-only on pods
- apiGroups: ["apps"]   # deployments live in the apps group, not core
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
RoleBinding
Bind the Role to the user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-rolebinding-1
  namespace: my-ns   # must be the Role's namespace
subjects:
- kind: User         # subject type: User, Group or ServiceAccount
  name: deploy       # must equal the client certificate's CN (the CSR above uses CN=deploy); a name that matches no credential binds nobody
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io
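As an added example (not code from the original page or its author), the following Python models what the manifests above leave implicit: the identity the API server derives from the client certificate signed in the openssl step (CN becomes the username, O the group), a review check over the kubeconfig from the first section including the insecure-skip-tls-verify shortcut, and a minimal RBAC authorizer that evaluates the Role and RoleBinding for a request. The manifests are the page's own, written as dicts instead of YAML so the script runs on the standard library alone; the helper names (identity_from_subject, kubeconfig_warnings, rule_allows, can_i, make_binding) and the simplified evaluator (Role references only, User and Group subjects only) are assumptions of this example, not Kubernetes code.

```python
import copy

RBAC = "rbac.authorization.k8s.io"

# The page's kubeconfig as a loaded YAML document (dict), contexts block intact.
KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "shjq-dev01-chenqiang-cluster", "cluster": {
        "server": "https://10.130.14.155:443", "certificate-authority": "/etc/kubernetes/ssl/ca.crt"}}],
    "users": [{"name": "shjq-dev01-chenqiang-user", "user": {
        "client-certificate": "/etc/kubernetes/ssl/cs_client.crt", "client-key": "/etc/kubernetes/ssl/cs_client.key"}}],
    "contexts": [{"name": "shjq-dev01-chenqiang", "context": {
        "cluster": "shjq-dev01-chenqiang-cluster", "user": "shjq-dev01-chenqiang-user", "namespace": "dev"}}],
    "current-context": "shjq-dev01-chenqiang",
}
# The shortcut the page mentions: CA dropped, server verification switched off.
INSECURE_KUBECONFIG = copy.deepcopy(KUBECONFIG)
del INSECURE_KUBECONFIG["clusters"][0]["cluster"]["certificate-authority"]
INSECURE_KUBECONFIG["clusters"][0]["cluster"]["insecure-skip-tls-verify"] = True

# The page's Role as a dict.
ROLE = {
    "apiVersion": RBAC + "/v1", "kind": "Role",
    "metadata": {"name": "my-role", "namespace": "my-ns"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update", "patch", "delete", "watch"]},
    ],
}

def make_binding(subject_name, subject_kind="User", namespace="my-ns"):
    """The page's RoleBinding with the subject made configurable (hypothetical helper)."""
    return {"apiVersion": RBAC + "/v1", "kind": "RoleBinding",
            "metadata": {"name": "my-rolebinding-1", "namespace": namespace},
            "subjects": [{"kind": subject_kind, "name": subject_name, "apiGroup": RBAC}],
            "roleRef": {"kind": "Role", "name": "my-role", "apiGroup": RBAC}}

def identity_from_subject(subj):
    """Identity the API server derives from a client cert whose `openssl req -subj`
    string is `subj`: CN is the username, every O is a group."""
    fields = [p.partition("=") for p in subj.strip("/").split("/")]
    user = next((v for k, _, v in fields if k == "CN"), None)
    if not user:
        raise ValueError("certificate subject has no CN, so no username")
    return user, [v for k, _, v in fields if k == "O"]

def kubeconfig_warnings(cfg):
    """Problems a reviewer would flag before handing a kubeconfig to a user."""
    out = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    for name, cl in clusters.items():
        if cl.get("insecure-skip-tls-verify"):
            out.append(f"cluster {name}: insecure-skip-tls-verify disables server "
                       "authentication, so a MITM can impersonate the API server")
        elif not (cl.get("certificate-authority") or cl.get("certificate-authority-data")):
            out.append(f"cluster {name}: no CA configured for {cl.get('server')}")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            out.append(f"context {name}: unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            out.append(f"context {name}: unknown user {ctx.get('user')!r}")
    if cfg.get("current-context") not in contexts:
        out.append("current-context is missing or names an unknown context")
    return out

def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule matches when group, resource and verb are each listed (or '*')."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule["apiGroups"], api_group) and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))

def can_i(user, groups, verb, api_group, resource, namespace, roles, bindings):
    """Mimic the RBAC authorizer for a namespaced request: deny by default; allow when a
    RoleBinding in that namespace names the user (or one of its groups) and references a
    Role in the same namespace with a rule covering the request.  ClusterRole references
    are not modelled (assumption: the page only uses Role)."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        names_me = any((s["kind"] == "User" and s["name"] == user) or
                       (s["kind"] == "Group" and s["name"] in groups) for s in b["subjects"])
        if b["metadata"]["namespace"] != namespace or not names_me or b["roleRef"]["kind"] != "Role":
            continue
        role = roles_by_key.get((namespace, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    user, groups = identity_from_subject("/CN=deploy/O=DEPLOY")   # CSR subject from the page
    print(f"certificate identity: user={user} groups={groups}")
    for w in kubeconfig_warnings(INSECURE_KUBECONFIG):
        print("kubeconfig:", w)
    for subject in ("eli", user):   # a subject name that is not the CN binds nobody
        ok = can_i(user, groups, "get", "", "pods", "my-ns", [ROLE], [make_binding(subject)])
        print(f"RoleBinding subject {subject!r}: can {user} get pods in my-ns? {ok}")
```

Running it shows the three checks a practitioner wants before trusting this setup: the certificate yields user deploy in group DEPLOY, the insecure kubeconfig variant is flagged, and a RoleBinding whose subject is any name other than the CN grants that certificate nothing, while the matching one allows pod reads in my-ns (and nothing in dev, since a Role never reaches across namespaces). Binding kind Group / name DEPLOY instead of the user works the same way through the O field.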