Resource objects RBAC can grant access to
- Pods
- ConfigMaps
- Deployments
- Nodes
- Secrets
- Namespaces
- endpoints
- crontabs
- jobs
- Daemonsets
The operations (verbs) that can be granted on the resource objects above are:
- create
- get
- delete
- list
- update
- edit
- watch
- exec
Create a user that has only create and get permissions on Pods in the dev namespace
Create the cluster entry
kubectl config set-cluster dev-cluster --server=https://192.168.3.134:6443 --insecure-skip-tls-verify
(--insecure-skip-tls-verify turns off verification of the API server's certificate; outside a lab, pass --certificate-authority=/etc/kubernetes/pki/ca.crt instead.)
Create the user
- Generate a private key for the dev user, named dev.key
openssl genrsa -out dev.key 2048
- Use the private key to create a certificate signing request (CSR); the CN becomes the Kubernetes username and O becomes its group
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev-user/O=devorg"
- Sign the CSR with the CA certificate and key of the Kubernetes cluster to produce the final client certificate
openssl x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 500
- Create the dev-user credentials from the certificate and private key just produced
kubectl config set-credentials dev-user --client-certificate=dev.crt --client-key=dev.key
- Create a context
kubectl config set-context dev-context --cluster=dev-cluster --namespace=dev --user=dev-user
- Verify
[root@master-1 rbac]# kubectl get pods --context=dev-context
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "dev"
At this point the user exists; the error occurs because no permissions have been granted to it yet (RBAC denies everything by default).
Authorization
Create the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: dev
rules:
- apiGroups: [""]   # "" is the core API group, which contains pods
  resources: ["pods"]
  verbs: ["list", "get", "create"]   # ['*'] can be used instead to grant every verb
Bind the user to the Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: dev-user   # must match the CN of the client certificate
  apiGroup: rbac.authorization.k8s.io   # an empty "" here is defaulted to this value for User subjects
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io   # an empty "" here is defaulted to this value as well
Verify
Switch context
kubectl config use-context dev-context
Create a Pod
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: dev
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
[root@master-1 rbac]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 21m
Test deleting the Pod
[root@master-1 rbac]# kubectl delete pod nginx
Error from server (Forbidden): pods "nginx" is forbidden: User "dev-user" cannot delete resource "pods" in API group "" in the namespace "dev"
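To make the decisions above reproducible offline, here is an added example (my own constructed model, not kube-apiserver code and not part of the original post) of how the RBAC authorizer evaluates a request against the Role and RoleBinding created above. It derives the username and group from the certificate subject used on this page (CN=dev-user, O=devorg), then replays the page's checks: list before the binding exists (Forbidden), list/create after it (allowed), delete (Forbidden). It goes beyond the page by also showing namespace scoping, resource scoping, and a hypothetical Group-based binding named GROUP_BINDING.

```python
"""Toy model of how the Kubernetes API server evaluates RBAC for a request.

Constructed for illustration; it is not kube-apiserver code. It reproduces the
decisions seen on this page: a Role in namespace "dev" granting list/get/create
on pods, bound to the User "dev-user" whose name comes from the certificate CN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    name: str
    groups: frozenset


def user_from_subj(subj: str) -> UserInfo:
    """Derive the identity the API server takes from a client certificate:
    the CN is the username and each O becomes a group (subj in openssl
    "/CN=.../O=..." form, as used on this page)."""
    name, groups = None, []
    for part in subj.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            name = value
        elif key == "O":
            groups.append(value)
    if not name:
        raise ValueError("client certificate subject has no CN")
    return UserInfo(name, frozenset(groups))


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Role:
    name: str
    namespace: str
    rules: tuple


@dataclass(frozen=True)
class RoleBinding:
    namespace: str
    role_name: str
    subjects: tuple  # (kind, name) pairs, kind in {"User", "Group"}


def _matches(patterns, value):
    # "*" is the RBAC wildcard for apiGroups, resources and verbs.
    return "*" in patterns or value in patterns


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def binding_covers(binding, user):
    return any((kind == "User" and name == user.name)
               or (kind == "Group" and name in user.groups)
               for kind, name in binding.subjects)


def authorize(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Return (allowed, reason). RBAC is deny-by-default: the request is allowed
    only if some RoleBinding in the request's namespace names the user (or one of
    its groups) and the referenced Role has a rule matching verb/group/resource."""
    by_key = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        if b.namespace != namespace or not binding_covers(b, user):
            continue
        role = by_key.get((b.namespace, b.role_name))
        if role is None:
            continue  # a binding to a missing Role grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in role.rules):
            return True, "allowed"
    return False, (f'User "{user.name}" cannot {verb} resource "{resource}" '
                   f'in API group "{api_group}" in the namespace "{namespace}"')


# Objects from the page, plus a hypothetical Group-based binding for comparison.
DEV_USER = user_from_subj("/CN=dev-user/O=devorg")
DEV_ROLE = Role("dev-role", "dev", (Rule(("",), ("pods",), ("list", "get", "create")),))
DEV_BINDING = RoleBinding("dev", "dev-role", (("User", "dev-user"),))
GROUP_BINDING = RoleBinding("dev", "dev-role", (("Group", "devorg"),))


def page_scenario():
    """Replay the page's checks and a few extra ones that show RBAC scoping."""
    roles = [DEV_ROLE]
    return {
        "list_before_binding": authorize(DEV_USER, "list", "pods", "dev", roles, []),
        "list_after_binding": authorize(DEV_USER, "list", "pods", "dev", roles, [DEV_BINDING]),
        "create": authorize(DEV_USER, "create", "pods", "dev", roles, [DEV_BINDING]),
        "delete": authorize(DEV_USER, "delete", "pods", "dev", roles, [DEV_BINDING]),
        # A Role/RoleBinding is namespaced: nothing leaks into "default".
        "list_other_namespace": authorize(DEV_USER, "list", "pods", "default", roles, [DEV_BINDING]),
        # Only the resources listed in the Role are covered.
        "get_secrets": authorize(DEV_USER, "get", "secrets", "dev", roles, [DEV_BINDING]),
        # Binding the group taken from the certificate's O field works just as well.
        "list_via_group": authorize(DEV_USER, "list", "pods", "dev", roles, [GROUP_BINDING]),
    }


if __name__ == "__main__":
    for check, (allowed, reason) in page_scenario().items():
        print(f"{check:22} {'allowed' if allowed else 'Forbidden: ' + reason}")
```

Running the script prints one line per check; the "delete" line carries the same wording as the Forbidden error shown above, since the page's Role never lists the delete verb. Note that the page's first failure is on list, not get: kubectl get pods with no name issues a list request, which is why the Role here needs "list" alongside "get".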