Goal: the devuser account may operate only on resources in the dev namespace.
I. Basic configuration
1. Create the Linux user devuser with useradd and set its password with passwd.
Running kubectl get pod as devuser fails at this point, because devuser has not yet been granted access to resources in any namespace.
2. Create the namespace dev (kubectl create namespace dev).
II. Generating the kubeconfig file
1. Create the JSON request used to generate the key and certificate. Kubernetes takes the user name from the certificate's CN and the group from O, so the CN here must match the user bound to the role later:
cat /k8s/cert/devuser.json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShenZhen",
      "L": "ShenZhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
2. Download the cfssl tools, make them executable and put them on the PATH:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
for f in cfssl cfssljson cfssl-certinfo; do mv ${f}_linux-amd64 /usr/local/bin/$f; done
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
Point cfssl at the cluster CA and generate the key and certificate (run this under /etc/kubernetes/pki if possible, because that is where the cluster keeps its own CA files, ca.crt and ca.key):
cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /k8s/cert/devuser.json | cfssljson -bare devuser
When it finishes, cfssljson has written devuser.pem (the certificate), devuser-key.pem (the private key) and devuser.csr into the current directory.
Declare the API server address as an environment variable:
export KUBE_APISERVER="https://10.18.6.127:6443"
3. Set the cluster parameters:
[root@kb-master cert]# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=devuser.kubeconfig
4. Set the client authentication parameters:
[root@kb-master cert]# kubectl config set-credentials devuser \
--client-certificate=/etc/kubernetes/pki/devuser.pem \
--client-key=/etc/kubernetes/pki/devuser-key.pem \
--embed-certs=true \
--kubeconfig=devuser.kubeconfig
5. Set the context parameters and make the new context current (without use-context the file has no current-context, and kubectl does not know which cluster and user to use):
[root@kb-master cert]# kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=devuser \
--namespace=dev \
--kubeconfig=devuser.kubeconfig
[root@kb-master cert]# kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig
6. Bind the role with a RoleBinding:
kubectl create rolebinding devuser-admin-rolebinding --clusterrole=admin --user=devuser --namespace=dev
devuser-admin-rolebinding is the RoleBinding name; admin is one of the built-in ClusterRoles and carries broad rights over namespaced resources (including creating Roles and RoleBindings inside the namespace); --user=devuser is the subject receiving those rights and must equal the CN in the certificate; --namespace=dev restricts the binding to the dev namespace. Because this is a RoleBinding rather than a ClusterRoleBinding, the admin permissions apply only inside dev even though admin itself is a ClusterRole.
7. Copy devuser.kubeconfig into /home/devuser/.kube and hand it over to devuser. The file embeds the private key, so only devuser should be able to read it:
mkdir -p /home/devuser/.kube
cp devuser.kubeconfig /home/devuser/.kube/config
chown -R devuser:devuser /home/devuser/.kube
chmod 600 /home/devuser/.kube/config
8. Switch to devuser and test in the dev namespace.
Listing pods is no longer refused, although the dev namespace has no pods running yet.
Create a deployment as devuser.
View the pods as root: the pods appear under the dev namespace.
This shows that devuser's kubectl commands take effect only in the dev namespace, which is the default namespace of its context, and that devuser is denied in every other namespace.
This kind of scoping is a necessary part of access control in business environments.
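The whole procedure above as one script, plus the check worth running afterwards. This is an added example, not a script from the original post; it assumes the same values the post uses (user devuser, namespace dev, CA files under /etc/kubernetes/pki, API server https://10.18.6.127:6443) and the hypothetical helper names csr_json, rolebinding_yaml, make_kubeconfig and verify_scope. The RoleBinding is written declaratively so it can be kept in version control; the verification uses kubectl auth can-i, which prints yes/no and exits non-zero on "no", to confirm that devuser is allowed in dev and denied elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post). All names below are assumptions
# taken from the post's values; nothing is run against a cluster unless the
# script is invoked with --apply.
set -eu

USER_NAME="devuser"
NS="dev"
PKI_DIR="/etc/kubernetes/pki"
KUBE_APISERVER="${KUBE_APISERVER:-https://10.18.6.127:6443}"
KUBECONFIG_OUT="${USER_NAME}.kubeconfig"

# cfssl CSR request. CN becomes the Kubernetes user name and O the group, so CN
# must equal the subject name used in the RoleBinding below.
csr_json() {
  printf '{"CN":"%s","hosts":[],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"ShenZhen","L":"ShenZhen","O":"k8s","OU":"System"}]}\n' "$1"
}

# Declarative equivalent of:
#   kubectl create rolebinding <user>-admin-rolebinding --clusterrole=admin --user=<user> -n <ns>
# roleRef points at the cluster-wide ClusterRole "admin", but a RoleBinding (not a
# ClusterRoleBinding) grants it only inside metadata.namespace.
rolebinding_yaml() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${1}-admin-rolebinding
  namespace: $2
subjects:
- kind: User
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Issue the client certificate with the cluster CA and assemble a kubeconfig
# with the CA, certificate and key embedded.
make_kubeconfig() {
  csr_json "$USER_NAME" > "${USER_NAME}-csr.json"
  # -profile names a profile in a cfssl CA config; with no -config given,
  # cfssl falls back to its default signing profile, as in the post.
  cfssl gencert -ca="$PKI_DIR/ca.crt" -ca-key="$PKI_DIR/ca.key" \
    -profile=kubernetes "${USER_NAME}-csr.json" | cfssljson -bare "$USER_NAME"
  kubectl config set-cluster kubernetes \
    --certificate-authority="$PKI_DIR/ca.crt" --embed-certs=true \
    --server="$KUBE_APISERVER" --kubeconfig="$KUBECONFIG_OUT"
  kubectl config set-credentials "$USER_NAME" \
    --client-certificate="${USER_NAME}.pem" --client-key="${USER_NAME}-key.pem" \
    --embed-certs=true --kubeconfig="$KUBECONFIG_OUT"
  kubectl config set-context kubernetes --cluster=kubernetes \
    --user="$USER_NAME" --namespace="$NS" --kubeconfig="$KUBECONFIG_OUT"
  kubectl config use-context kubernetes --kubeconfig="$KUBECONFIG_OUT"
  chmod 600 "$KUBECONFIG_OUT"   # the file now carries the private key
}

# Confirm the scoping: allowed in $NS, denied in another namespace and for a
# cluster-scoped resource. `kubectl auth can-i` exits non-zero when the answer is no.
verify_scope() {
  if ! kubectl auth can-i list pods -n "$NS" --kubeconfig="$KUBECONFIG_OUT" >/dev/null; then
    echo "ERROR: $USER_NAME cannot list pods in $NS" >&2; return 1
  fi
  if kubectl auth can-i list pods -n default --kubeconfig="$KUBECONFIG_OUT" >/dev/null 2>&1; then
    echo "ERROR: $USER_NAME can list pods in namespace default" >&2; return 1
  fi
  if kubectl auth can-i list nodes --kubeconfig="$KUBECONFIG_OUT" >/dev/null 2>&1; then
    echo "ERROR: $USER_NAME can list nodes (cluster-scoped)" >&2; return 1
  fi
  echo "$USER_NAME is scoped to namespace $NS"
}

if [ "${1:-}" = "--apply" ]; then
  make_kubeconfig
  rolebinding_yaml "$USER_NAME" "$NS" | kubectl apply -f -
  verify_scope
fi
```

Run it as root on the master with `sh make-devuser.sh --apply`, then copy the generated devuser.kubeconfig to /home/devuser/.kube/config as in step 7. If verify_scope reports that devuser can list pods in default or list nodes, some other binding (a ClusterRoleBinding, or a binding to the k8s group from the certificate's O field) is widening the account's reach and should be found before the kubeconfig is handed out.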