k8s认证授权

pod绑定sa

[root@k8s2 ~]# kubectl create sa admin        //在当前 Kubernetes 集群中创建一个名为 "admin" 的新服务账户[root@k8s2 secret]# vim pod3.yaml
apiVersion: v1
kind: Pod
metadata:name: mypod
spec:serviceAccountName: admincontainers:- name: nginximage: nginx

[root@k8s2 secret]# cd /etc/kubernetes/pki/
[root@k8s2 pki]# openssl genrsa -out test.key 2048
[root@k8s2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@k8s2 pki]# openssl  x509 -req -in test.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out test.crt -days 365
[root@k8s2 pki]#  kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
[root@k8s2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test

[root@k8s2 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:certificate-authority-data: DATA+OMITTEDserver: https://192.168.56.172:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: kubernetes-adminname: kubernetes-admin@kubernetes
- context:cluster: kubernetesuser: testname: test@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-adminuser:client-certificate-data: REDACTEDclient-key-data: REDACTED
- name: testuser:client-certificate-data: REDACTEDclient-key-data: REDACTED

默认用户没有任何权限，需要授权

授权

[root@k8s2 rbac]# vim roles.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:namespace: defaultname: myrole
rules:
- apiGroups: [""]resources: ["pods"]verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: test-read-podsnamespace: default
subjects:
- kind: Username: testapiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: myroleapiGroup: rbac.authorization.k8s.io---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: myclusterrole
rules:
- apiGroups: [""]resources: ["pods"]verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]resources: ["deployments"]verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding						#RoleBinding必须指定namespace
metadata:name: rolebind-myclusterrolenamespace:  default
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.iokind: Username: test---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding				#ClusterRoleBinding全局授权，无需指定namespace
metadata:name: clusterrolebinding-myclusterrole
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.iokind: Username: test

[root@k8s2 rbac]# kubectl apply -f roles.yaml[root@k8s2 rbac]# kubectl config use-context test@kubernetes[root@k8s2 rbac]# kubectl get deployments.apps -A

切回admin 回收

[root@k8s2 rbac]# kubectl config use-context kubernetes-admin@kubernetes[root@k8s2 rbac]# kubectl delete -f roles.yaml[root@k8s2 rbac]# kubectl config delete-user test
[root@k8s2 rbac]# kubectl config delete-context test@kubernetes