Suppose there is a group of database clusters and a group of nginx clusters. The company is fairly large and has two project teams, one called DBA and one called SA, so resources need to be partitioned. Within a namespace you can limit how many CPU cores and how much memory may be used; in other words, different namespaces are granted different system resources.

The DBA team can operate on all resources in the mysql namespace, and the SA team can operate on the resources in the nginx namespace.

Practice: create a user that can only manage the dev namespace

Create the user


Now there is a user called devuser who should be able to manage all resources in the dev namespace. Kubernetes has no user management of its own, so the user has to be created on Linux.

[root@k8s-master ~]# useradd devuser
[root@k8s-master ~]# passwd devuser
Changing password for user devuser.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

Download the cfssl tool, which will create the certificates for us


1. Install CFSSL
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
(cfssl generates certificates, cfssljson generates the certificate files from cfssl's JSON output, and cfssl-certinfo is the tool for viewing certificate information.)
2. Set permissions
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
3. Move the files
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
4. Verify the command
cfssl --help

For devuser to access pods it needs a certificate, so next we create a certificate signing request. The request is written in JSON:


[root@k8s-master ~]# cat /usr/local/cert/devuser/devuser-crs.json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Generate the certificate and private key


[root@k8s-master ~]# ll ca*
-rw-r--r-- 1 root root  294 Sep 15 12:49 ca-config.json
-rw-r--r-- 1 root root 1001 Sep 15 12:52 ca.csr
-rw-r--r-- 1 root root  264 Sep 15 12:29 ca-csr.json
-rw------- 1 root root 1675 Sep 15 12:52 ca-key.pem
-rw-r--r-- 1 root root 1359 Sep 15 12:52 ca.pem
[root@k8s-master ~]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -profile=kubernetes /usr/local/cert/devuser/devuser-crs.json | cfssljson -bare devuser
2020/10/22 16:14:54 [INFO] generate received request
2020/10/22 16:14:54 [INFO] received CSR
2020/10/22 16:14:54 [INFO] generating key: rsa-2048
2020/10/22 16:14:56 [INFO] encoded CSR
2020/10/22 16:14:56 [INFO] signed certificate with serial number 403540224452990814881414641640830816053670285991
2020/10/22 16:14:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master ~]# ls devuser*
devuser.csr  devuser-key.pem  devuser.pem

Here -ca=ca.pem specifies the CA certificate, -ca-key=ca-key.pem the CA private key, and /usr/local/cert/devuser/devuser-crs.json the JSON certificate request; cfssljson -bare devuser writes the output files with the prefix devuser.

Set the cluster parameters


[root@k8s-master devuser]# export KUBE_APISERVER="https://192.168.179.99:6443"
[root@k8s-master ~]# cd /usr/local/cert/devuser/
[root@k8s-master devuser]# kubectl config set-cluster kubernetes \
> --certificate-authority=/root/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=devuser.kubeconfig
Cluster "kubernetes" set.
--certificate-authority=/root/ca.pem   specifies the CA certificate
--embed-certs=true   embeds the certificate data in the kubeconfig
--server=${KUBE_APISERVER}   specifies the API server address
--kubeconfig=devuser.kubeconfig   writes the result to the devuser.kubeconfig file
[root@k8s-master devuser]# ls
devuser-crs.json  devuser.kubeconfig
The cluster information and the certificate are now recorded in the file:
[root@k8s-master devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate, omitted here>
    server: https://192.168.179.99:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Set the client authentication parameters


[root@k8s-master ~]# cd /usr/local/cert/devuser/
[root@k8s-master devuser]# ls
devuser-crs.json  devuser.kubeconfig
[root@k8s-master devuser]# kubectl config set-credentials devuser \
> --client-certificate=/root/devuser.pem \
> --client-key=/root/devuser-key.pem \
> --embed-certs=true \
> --kubeconfig=devuser.kubeconfig
User "devuser" set.
--client-certificate=/root/devuser.pem   specifies the client certificate
--client-key=/root/devuser-key.pem   specifies the client private key
--embed-certs=true   embeds the client certificate and key in the kubeconfig
[root@k8s-master devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate, omitted here>
    server: https://192.168.179.99:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: <base64-encoded client certificate, omitted here>
    client-key-data: <base64-encoded client private key, omitted here>
Now the client's information has been added as well, including its private key.

Set the context (this is what binds the namespace)


[root@k8s-master devuser]# kubectl create namespace dev
namespace/dev created
[root@k8s-master devuser]# kubectl config set-context kubernetes \
> --cluster=kubernetes \
> --user=devuser \
> --namespace=dev \
> --kubeconfig=devuser.kubeconfig
Context "kubernetes" created.
[root@k8s-master devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate, omitted here>
    server: https://192.168.179.99:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: devuser
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: <base64-encoded client certificate, omitted here>
    client-key-data: <base64-encoded client private key, omitted here>
Now the binding information has been added as well: the namespace and the cluster name.

Create the role binding


[root@k8s-master devuser]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created

The cluster already has a ClusterRole named admin. A ClusterRole is cluster-scoped, and this one can do whatever it likes in the cluster; binding this cluster role to the user devuser with a RoleBinding means devuser can do whatever it likes inside dev.

[root@k8s-master devuser]# cp devuser.kubeconfig /home/devuser/.kube/
[root@k8s-master devuser]# chown devuser:devuser /home/devuser/.kube/devuser.kubeconfig
[root@k8s-master devuser]# mv /home/devuser/.kube/devuser.kubeconfig /home/devuser/.kube/config

The cluster still cannot be accessed at this point, because the context has to be switched first; switching the context is what makes kubectl read the information in the kubeconfig.

[devuser@k8s-master ~]$ whoami
devuser
[devuser@k8s-master ~]$ kubectl config use-context kubernetes --kubeconfig=.kube/config
Switched to context "kubernetes".
[devuser@k8s-master ~]$ kubectl get pod
No resources found in dev namespace.
[root@k8s-master devuser]# kubectl get rolebinding -n dev
NAME                    ROLE                AGE
devuser-admin-binding   ClusterRole/admin   14m
[root@k8s-master devuser]# kubectl get rolebinding devuser-admin-binding  -o yaml -n dev
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
.......................................................
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: devuser
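To make the scope of that RoleBinding concrete, here is an added Python model (not kubectl's or the API server's own code) of the two steps behind the output above: the client certificate's CN and O fields becoming the user and group, and a RoleBinding to the admin ClusterRole granting that role's rules only inside dev. The admin rule set is a constructed subset of the real ClusterRole, and the CSR subject is copied from devuser-crs.json.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Subject fields copied from the page's devuser-crs.json (constructed sample).
DEVUSER_CSR = json.loads("""
{"CN": "devuser", "hosts": [], "key": {"algo": "rsa", "size": 2048},
 "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System"}]}
""")

def identity_from_csr(csr: dict) -> Tuple[str, List[str]]:
    """Mirror the API server's x509 client-certificate authenticator:
    the subject CN becomes the username and each O becomes a group."""
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    return csr["CN"], groups

@dataclass
class Rule:
    verbs: Set[str]
    resources: Set[str]

@dataclass
class Binding:
    """RoleBinding when namespace is set, ClusterRoleBinding when it is None."""
    user: str
    rules: List[Rule]        # rules of the referenced ClusterRole
    namespace: Optional[str]

# Constructed subset of the built-in "admin" ClusterRole: namespaced objects only.
# Cluster-scoped kinds such as nodes and namespaces are deliberately absent.
ADMIN_RULES = [
    Rule({"get", "list", "watch", "create", "update", "patch", "delete"},
         {"pods", "deployments", "services", "secrets", "configmaps"}),
]

# The binding created on the page:
#   kubectl create rolebinding devuser-admin-binding --clusterrole=admin \
#       --user=devuser --namespace=dev
DEVUSER_ADMIN_BINDING = Binding("devuser", ADMIN_RULES, "dev")

def _matches(rule: Rule, verb: str, resource: str) -> bool:
    return ("*" in rule.verbs or verb in rule.verbs) and (
        "*" in rule.resources or resource in rule.resources)

def allowed(bindings: List[Binding], user: str, verb: str, resource: str,
            namespace: Optional[str] = None) -> bool:
    """RBAC is deny by default: the request passes only if a binding for this
    user that is in scope for the request carries a matching rule."""
    for b in bindings:
        if b.user != user:
            continue
        # A RoleBinding applies only inside its own namespace; a cluster-wide
        # request (namespace None, e.g. `kubectl get pods -A`) never matches it.
        if b.namespace is not None and namespace != b.namespace:
            continue
        if any(_matches(r, verb, resource) for r in b.rules):
            return True
    return False
```

Swapping the RoleBinding for a ClusterRoleBinding (namespace None) with the same admin rules is what would let devuser reach every namespace, which is exactly what the page's setup avoids.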
