21天转型容器实战营(十三容器进阶之Kubernetes安全原理分析-实战)

[root@cce-21day-cluster-62954-81jwz ~]# kubectl get namespace
NAME          STATUS    AGE
default       Active    8d
kube-public   Active    8d
kube-system   Active    8d
[root@cce-21day-cluster-62954-81jwz ~]#
创建一个namespace,后续只读用户只能在该namespace下操作
[root@cce-21day-cluster-62954-81jwz ~]# kubectl create namespace cce
namespace "cce" created
[root@cce-21day-cluster-62954-81jwz ~]# kubectl get namespace
NAME          STATUS    AGE
cce           Active    3s
default       Active    8d
kube-public   Active    8d
kube-system   Active    8d

在cce namespace下创建一个serviceAccount(sa)并获取对应的secret下的token
[root@cce-21day-cluster-62954-81jwz ~]# kubectl create sa cce-service-account -ncce
serviceaccount "cce-service-account" created

获取sa对应的secret名字
[root@cce-21day-cluster-62954-81jwz ~]# kubectl get sa cce-service-account -ncce -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-12-16T02:02:02Z
  name: cce-service-account
  namespace: cce
  resourceVersion: "506135"
  selfLink: /api/v1/namespaces/cce/serviceaccounts/cce-service-account
  uid: 94960f67-00d6-11e9-8978-fa163efa3106
secrets:
- name: cce-service-account-token-b86r5
[root@cce-21day-cluster-62954-81jwz ~]#
获取secret下的token,并base64解码获取token明文
[root@cce-21day-cluster-62954-81jwz ~]# token=`kubectl get secret cce-service-account-token-b86r5 -ncce -oyaml |grep token: | awk '{print $2}' | xargs echo -n | base64 -d`
[root@cce-21day-cluster-62954-81jwz ~]# echo $token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.CfUnS_anvuK8QFEpzkkA-_epJ42N6v-kxAU6TPNpIEbpzyNylnAydUnpzc1t72RR13W1j5ESgm91ksQAeu09Xois_OtEnEVt6BfNKU_gKfRYXxv4ZoFO07wpbkgRojGa8aics3w4hCyaZWZNV7xNbzGArQwFFv2TR2WsQaJKmf8vRiwySzCNfIivOgD5lROULEHtAWcx7xxWr5xWWfFvBKDigJkNumZWPnEx_hLJgav3pt2lUucWpuDZQoM8g1UwMHV06eO8-Uu4VfaHJsAoBXPFgWvKGPOlbFfrNUX-SZAcMS9ej8vvuBvi8ZPFWkKnwedBDxzL7uwi6XImf9lTTA
[root@cce-21day-cluster-62954-81jwz ~]#

新增 cce-user 用户(命令中的集群、context、用户名称为自定义字段,可以不修改)
[root@cce-21day-cluster-62954-81jwz ~]# kubectl config set-cluster cce-viewer --server=https://192.168.47.160:5443 --certificate-authority=/var/paas/srv/kubernetes/ca.crt
Cluster "cce-viewer" set.
[root@cce-21day-cluster-62954-81jwz ~]# kubectl config set-context cce-viewer --cluster=cce-21days-cluster
Context "cce-viewer" created.
[root@cce-21day-cluster-62954-81jwz ~]# kubectl config set-credentials cce-user --token=$token
[root@cce-21day-cluster-62954-81jwz ~]# kubectl config set-context cce-viewer --user=cce-user
Context "cce-viewer" modified.
[root@cce-21day-cluster-62954-81jwz ~]#

通过如下命令可以看到已经有新建的context:
[root@cce-21day-cluster-62954-81jwz ~]# kubectl config get-contexts
CURRENT   NAME         CLUSTER              AUTHINFO   NAMESPACE
          cce-viewer   cce-21days-cluster   cce-user
*         internal     internalCluster      user
[root@cce-21day-cluster-62954-81jwz ~]#
[root@cce-21day-cluster-62954-81jwz day13]# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cce
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@cce-21day-cluster-62954-81jwz day13]# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: pod-reader-binding
  namespace: cce
subjects:
- kind: ServiceAccount
  name: cce-service-account
  namespace: cce
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
[root@cce-21day-cluster-62954-81jwz day13]#
[root@cce-21day-cluster-62954-81jwz day13]# kubectl create -f role.yaml
[root@cce-21day-cluster-62954-81jwz day13]# kubectl create -f rolebinding.yaml

切换context到cce-viewer用户下,验证权限设置结果:
[root@cce-21day-cluster-62954-81jwz day13]# kubectl config use-context cce-viewer
Switched to context "cce-viewer".
[root@cce-21day-cluster-62954-81jwz day13]#
[root@cce-21day-cluster-62954-81jwz day13]# kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
上述错误说明未设置指向 API server 地址的环境变量,kubectl 默认连接 localhost:8080,因此需要增加该环境变量:
[root@cce-21day-cluster-62954-81jwz day13]# export KUBERNETES_MASTER=https://192.168.47.160:5443

#查看default namespace下的pod,应该会返回403无权限的错误
[root@cce-21day-cluster-62954-81jwz day13]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cce:cce-service-account" cannot list pods in the namespace "default"
[root@cce-21day-cluster-62954-81jwz day13]#
[root@cce-21day-cluster-62954-81jwz day13]# kubectl config use-context cce-viewer
Switched to context "cce-viewer".
[root@cce-21day-cluster-62954-81jwz day13]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:cce:cce-service-account" cannot list pods in the namespace "default"
[root@cce-21day-cluster-62954-81jwz day13]# kubectl get pods -ncce
No resources found.

#使用如下命令即可切换回admin管理员权限的context:
[root@cce-21day-cluster-62954-81jwz day13]# kubectl config use-context internal
Switched to context "internal".
[root@cce-21day-cluster-62954-81jwz day13]# 


转载自blog.csdn.net/xsjzdrxsjzdr/article/details/85028422