其实用到的是RBAC授权,官方文档在:https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/

生成证书

1
2
3
4
5
6
7
8
# 生成私钥
openssl genrsa -out dev.key 2048

# 基于这个私钥生成证书请求
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"

# 使用CA证书签发
openssl  x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 3000

通过证书生成kubeconfig配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# 生成用户kubeconfig
kubectl config set-cluster  kubernetes \   # kubeconfig 里面的 name
  --kubeconfig=dev.conf \                  # 生成的 kubeconfig 配置文件位置
  --server="https://10.0.0.20:6443" \      # 这里是你的集群apiserver地址
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true



# users 设置用户信息
kubectl config set-credentials dev \
    --certificate-authority=/etc/kubernetes/pki/ca.crt \
    --embed-certs=true \
    --client-key=dev.key \
    --client-certificate=dev.crt \
    --kubeconfig=dev.conf

  

#  根据 config 创建  contexts  
kubectl config set-context dev \
    --cluster=kubernetes \
    --user=dev \
    --kubeconfig=dev.conf


# 设置当前的上下文 -- 更改用户
kubectl config use-context dev --kubeconfig=dev.conf

创建clusterrole和clusterrolebinding

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# 提供基本权限
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-dev-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-readonly
rules:
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "watch", "list"]

  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "watch", "list"]

  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["create", "get", "list", "watch"]

  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]

  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]

  - apiGroups: [""]
    resources: ["endpoints", "services"]
    verbs: ["get", "watch", "list"]

  - apiGroups: [""]
    resources:
      [
        "resourcequotas/status",
        "resourcequotas",
        "bindings",
        "events",
        "limitranges",
        "namespaces/status",
        "pods/log",
        "pods/status",
        "replicationcontrollers/status",
      ]
    verbs: ["get", "watch", "list"]

  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "watch", "list"]

  - apiGroups: ["apps"]
    resources:
      [
        "deployments",
        "deployments/rollback",
        "deployments/scale",
        "deployments/rollout",
        "statefulsets",
      ]
    verbs: ["get", "watch", "list","patch"]

  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs", "scheduledjobs"]
    verbs: ["get", "watch", "list"]

  - apiGroups: ["extensions"]
    resources: ["daemonsets", "deployments", "ingresses", "replicasets"]
    verbs: ["get", "watch", "list"]

测试

1
kubectl --kubeconfig=./dev.conf get pod