• 周五. 9月 30th, 2022

5G编程聚合网

5G时代下一个聚合的编程学习网

热门标签

RBAC

admin

11月 28, 2021

创建一个lichuan 只能管理lichuan-dev这个namespace

#下载证书制作软件
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64 -o cfssl chmod +x cfssl curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64 -o cfssljson chmod +x cfssljson curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64 -o cfssl-certinfo chmod +x cfssl-certinfo cp cfssl* /usr/local/bin #这里的CN就会作为用户名,而O就为作为用户组名,例如创建 lichuan-csr.json文件如下 { "CN": "lichuan", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "O": "Beijing", "OU": "k8s-dev", "ST": "System" } ] } #根据上面的请求信息生成CA认证后的用户证书和私钥 cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes lichuan-csr.json | cfssljson -bare lichuan #生成用户专属的认证config文件 kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://10.3.65.37:6443 --kubeconfig=lichuan.config #设置客户端认证证书 kubectl config set-credentials lichuan --client-certificate=/etc/kubernetes/pki/lichuan.pem --client-key=/etc/kubernetes/pki/lichuan-key.pem --embed-certs=true --kubeconfig=lichuan.config #创建一个新的namespace kubectl create namespace lichuan-dev #给lichuan用户设置context kubectl config set-context kubernetes --cluster=kubernetes --user=lichuan --namespace=lichuan-dev --kubeconfig=lichuan.config #设置下current-context kubectl config use-context kubernetes --kubeconfig=lichuan.config #做rolebinding kubectl create rolebinding lichuan-admin-dev-binding --clusterrole=admin --user=lichuan --namespace=lichuan-dev

参考:https://blog.csdn.net/Victor2code/article/details/106143273

https://www.qikqiak.com/k8s-book/docs/30.RBAC.html

第二个有创建角色的,可以参考,第一个默认用的admin,自带的,权限大

https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

官网:https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/

发表回复

您的电子邮箱地址不会被公开。