RBAC in practice: configuring a user's permissions on the cluster (part 2)

Generate the private key (umask 077 makes the key file readable by root only)

cd /etc/kubernetes/pki
(umask 077; openssl genrsa -out lucky.key 2048)

Generate the certificate signing request. The CN becomes the Kubernetes user name; an /O=<group> component would additionally put the user in that group.

openssl req -new -key lucky.key -out lucky.csr -subj "/CN=lucky"

Sign the CSR with the cluster CA (ca.crt/ca.key) so that the API server trusts the resulting lucky certificate. Kubernetes does not check certificate revocation, so a leaked client certificate stays valid until it expires or the CA is rotated; for a real user pick a validity far shorter than the 3650 days used here.

openssl x509 -req -in lucky.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lucky.crt -days 3650

Add the user to the kubeconfig file (/root/.kube/config by default; kubectl edits it itself, so there is no need to cd into it, and /root/.kube/config is a file, not a directory). --embed-certs=true copies the certificate and key into the kubeconfig, so the file must be protected like the key itself.

kubectl config set-credentials lucky --client-certificate=/etc/kubernetes/pki/lucky.crt --client-key=/etc/kubernetes/pki/lucky.key --embed-certs=true

Add a context that ties the user to the cluster ("kubernetes" is the cluster name kubeadm writes; check with kubectl config get-clusters)

kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky

Switch kubectl to the new user (from here on every kubectl command in this shell runs as lucky)

kubectl config use-context lucky@kubernetes
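The key, CSR, signing and kubeconfig steps above as one added shell script (not from the original post). Besides automating the steps it checks the result the way a practitioner would before handing the file to a user: the subject the API server will see, that the certificate really chains to the cluster CA, and that the key is not readable by others. It assumes openssl is installed and that the CA is <pki_dir>/ca.crt and ca.key; the demo at the end generates a throwaway CA in a temporary directory instead of touching /etc/kubernetes/pki, and the server URL 192.0.2.10 is a placeholder. write_kubeconfig builds the same file that the kubectl config set-credentials/set-context/use-context sequence with --embed-certs=true produces, which is useful on a host without kubectl.

```shell
#!/bin/sh
# Added example, not part of the original post: the key/CSR/sign/kubeconfig steps
# as reusable functions plus checks on the result.
# Assumptions: openssl present; cluster CA at <pki_dir>/ca.crt and <pki_dir>/ca.key.
set -eu

# make_demo_ca <dir>: throwaway CA for the demo/test only. On a real cluster use
# the kubeadm CA in /etc/kubernetes/pki and skip this.
make_demo_ca() {
  ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=demo-ca" 2>/dev/null )
}

# make_user_cert <pki_dir> <user> [group] [days]
# CN becomes the Kubernetes user name, O (if given) a group the user belongs to.
# Default validity 365 days: client certs cannot be revoked without rotating the CA.
make_user_cert() {
  local pki="$1" user="$2" group="${3:-}" days="${4:-365}" subj
  subj="/CN=${user}"
  if [ -n "$group" ]; then subj="${subj}/O=${group}"; fi
  ( umask 077; openssl genrsa -out "${pki}/${user}.key" 2048 2>/dev/null )
  openssl req -new -key "${pki}/${user}.key" -out "${pki}/${user}.csr" -subj "$subj"
  openssl x509 -req -in "${pki}/${user}.csr" -CA "${pki}/ca.crt" -CAkey "${pki}/ca.key" \
      -CAcreateserial -days "$days" -out "${pki}/${user}.crt" 2>/dev/null
}

# cert_subject <crt>: subject as the API server sees it (RFC 2253 order), e.g. "CN=lucky"
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_is_trusted <pki_dir> <crt>: succeeds only if the certificate chains to the cluster CA
cert_is_trusted() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# write_kubeconfig <out> <cluster> <server_url> <pki_dir> <user>
# Same content as kubectl config set-credentials/set-context/use-context with
# --embed-certs=true; created mode 600 because it now contains the private key.
write_kubeconfig() {
  local out="$1" cluster="$2" server="$3" pki="$4" user="$5"
  ( umask 077; : > "$out" )
  cat >> "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: $(base64 < "${pki}/ca.crt" | tr -d '\n')
users:
- name: ${user}
  user:
    client-certificate-data: $(base64 < "${pki}/${user}.crt" | tr -d '\n')
    client-key-data: $(base64 < "${pki}/${user}.key" | tr -d '\n')
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${user}@${cluster}
EOF
}

# Demo against a throwaway CA in a temporary directory (removed again at the end).
demo() {
  local d
  d=$(mktemp -d)
  make_demo_ca "$d"
  make_user_cert "$d" lucky dev 365
  echo "subject:        $(cert_subject "$d/lucky.crt")"
  if cert_is_trusted "$d" "$d/lucky.crt"; then echo "chains to CA:   yes"; fi
  echo "key mode:       $(ls -l "$d/lucky.key" | cut -c1-10)"
  write_kubeconfig "$d/lucky.kubeconfig" kubernetes https://192.0.2.10:6443 "$d" lucky
  echo "kubeconfig:     $(wc -l < "$d/lucky.kubeconfig") lines, use with KUBECONFIG=<file> kubectl get pods"
  rm -rf "$d"
}
demo
```

Note that the RFC 2253 form prints the most specific component first, so a subject created as /CN=lucky/O=dev is shown as O=dev,CN=lucky; the user name is still the CN.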

-------------------------- Up to this point lucky is only trusted by the cluster (authentication succeeds), but has no permissions: any kubectl request returns Forbidden. Next comes RBAC authorization ----------------------------

Create a private namespace for the user. This and the RoleBinding below must be applied from the kubernetes-admin context, not as lucky, since lucky cannot yet create anything.

apiVersion: v1
kind: Namespace
metadata:
  name: lucky-test
  labels:
    environment: test

Grant the role to the user with a RoleBinding. The roleRef points at the built-in cluster-admin ClusterRole, but because this is a RoleBinding in namespace lucky-test, the ClusterRole's rules apply only to namespaced resources inside lucky-test: lucky gets nothing in other namespaces and nothing cluster-scoped (nodes, namespaces, ClusterRoles; the nonResourceURLs rule in cluster-admin has no effect through a RoleBinding either). A ClusterRoleBinding to cluster-admin would instead make lucky a full cluster administrator.

[root@k8smaster4 sa]# cat rolebinding-demo2.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-demo2
  namespace: lucky-test
  labels:
    environment: test
subjects:
- name: lucky
  kind: User
  apiGroup: rbac.authorization.k8s.io
roleRef:
  name: cluster-admin
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
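Two checks a practitioner would run around the binding above, as an added shell example (not from the original post). binding_scope reads the manifest before it is applied and refuses a ClusterRoleBinding to cluster-admin, the one-word mistake that turns a namespace admin into an administrator of the whole cluster, and also rejects a RoleBinding without metadata.namespace, which would silently land in "default". verify_scope then asks the API server, through kubectl impersonation, what lucky can actually do after the binding is applied, and is skipped when kubectl is not installed. The admin context name kubernetes-admin@kubernetes and the sample manifests written by the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-apply manifest check and a
# post-apply impersonation check for the RoleBinding above.
# Assumptions: manifests use two-space YAML indentation as on this page; for the
# live check kubectl exists and the admin context may impersonate users.
set -eu

# binding_scope <manifest>: prints "<kind> <scope> <roleRef.name>"; fails for a
# ClusterRoleBinding to cluster-admin or a RoleBinding without a namespace.
binding_scope() {
  local f="$1" kind ns role
  kind=$(sed -n 's/^kind:[[:space:]]*//p' "$f" | head -n 1)
  # metadata.namespace: first "namespace:" line inside the top-level metadata block
  ns=$(awk '/^metadata:/{m=1;next} /^[^ ]/{m=0} m && /^ +namespace:/{print $2;exit}' "$f")
  # roleRef.name: "name:" line inside the top-level roleRef block
  role=$(awk '/^roleRef:/{r=1;next} /^[^ ]/{r=0} r && /^ +name:/{print $2;exit}' "$f")
  case "$kind" in
    RoleBinding)
      if [ -z "$ns" ]; then echo "RoleBinding without metadata.namespace"; return 1; fi
      echo "RoleBinding $ns $role" ;;
    ClusterRoleBinding)
      echo "ClusterRoleBinding cluster-wide $role"
      if [ "$role" = cluster-admin ]; then return 1; fi ;;
    *)
      echo "not a binding: ${kind:-<none>}"; return 1 ;;
  esac
}

# verify_scope <admin_context> <user> <namespace>: the API server's own answer,
# obtained by impersonating the user from the admin context.
verify_scope() {
  local ctx="$1" user="$2" ns="$3" q args want got
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found, skipping live check"; return 0
  fi
  for q in "create pods -n $ns|yes" "create pods -n default|no" \
           "list nodes|no" "create namespaces|no" "create clusterrolebindings|no"; do
    args=${q%|*}; want=${q#*|}
    # word splitting of $args is intended; can-i exits 1 on "no", hence || true
    got=$(kubectl --context="$ctx" auth can-i $args --as="$user" 2>/dev/null || true)
    printf '%-36s got=%-4s expected=%s\n' "auth can-i $args" "$got" "$want"
  done
}

# Demo: the RoleBinding from this page (constructed copy) and its ClusterRoleBinding variant.
demo() {
  local d
  d=$(mktemp -d)
  cat > "$d/rolebinding-demo2.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-demo2
  namespace: lucky-test
subjects:
- name: lucky
  kind: User
  apiGroup: rbac.authorization.k8s.io
roleRef:
  name: cluster-admin
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
EOF
  sed 's/^kind: RoleBinding/kind: ClusterRoleBinding/; /^  namespace:/d' \
      "$d/rolebinding-demo2.yaml" > "$d/clusterrolebinding-bad.yaml"
  echo "ok:      $(binding_scope "$d/rolebinding-demo2.yaml")"
  binding_scope "$d/clusterrolebinding-bad.yaml" >/dev/null || echo "refused: ClusterRoleBinding to cluster-admin"
  verify_scope kubernetes-admin@kubernetes lucky lucky-test
  rm -rf "$d"
}
demo
```

Run verify_scope after kubectl apply of the namespace and the RoleBinding; the expected column is what a correctly scoped binding yields, and a "yes" on nodes or namespaces means the binding is cluster-wide.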

-------------- Up to this point lucky has full permissions inside the namespace lucky-test and nothing outside it -------------

Edit the default kubeconfig file and remove the kubernetes-admin credentials from the copy handed to the user
Create a system user

useradd test

Set the user's password

passwd test

Set ownership of the user's home directory

chown -R test:test /home/test

