RBAC best practices


The authorization mode is changed with the apiserver startup flag --authorization-mode, set in the static pod manifest:

/etc/kubernetes/manifests/kube-apiserver.yaml
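An added example (not part of the original post) that audits the flag above: it reads --authorization-mode out of a kube-apiserver manifest and fails on a weak setting (AlwaysAllow present, or RBAC missing). Two constructed manifest excerpts are embedded so it runs offline; the function names and the sample manifests are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): check the --authorization-mode
# flag in the kube-apiserver static pod manifest. Two constructed manifest
# excerpts are embedded so it runs offline; on a node, run
#   authz_audit /etc/kubernetes/manifests/kube-apiserver.yaml
set -eu

# Print the value of --authorization-mode from a manifest file (empty if absent).
authz_mode() {
  sed -n 's/^[[:space:]]*-[[:space:]]*--authorization-mode=\(.*\)$/\1/p' "$1" | head -n 1
}

# Return 0 when the mode list contains RBAC and not AlwaysAllow. If the flag is
# absent the apiserver default is AlwaysAllow, so an empty value also fails.
authz_mode_ok() {
  case ",$1," in
    *,AlwaysAllow,*) return 1 ;;
    *,RBAC,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit one manifest file; non-zero exit means the setting needs fixing.
authz_audit() {
  mode=$(authz_mode "$1")
  if authz_mode_ok "$mode"; then
    echo "$1: --authorization-mode=$mode ok"
  else
    echo "$1: --authorization-mode=${mode:-<absent, defaults to AlwaysAllow>} needs fixing" >&2
    return 1
  fi
}

# Constructed samples, not copied from a real cluster.
safe=$(mktemp); weak=$(mktemp)
cat > "$safe" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
EOF
cat > "$weak" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=AlwaysAllow
EOF
authz_audit "$safe"
authz_audit "$weak" || true
rm -f "$safe" "$weak"
```

Node,RBAC is the kubeadm default and is what the RBAC steps below rely on; the check treats any list containing AlwaysAllow as weak because that mode authorizes every request regardless of the other modes listed.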

  1. Create a user (useradd dev) and save the following certificate request as /root/dev.json:

    {
      "CN": "devuser",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }

  2. Generate the user's certificate. Download the cfssl tools, make them executable (chmod +x), then sign the request with the cluster CA:

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

    # Run from /etc/kubernetes/pki so ca.crt / ca.key resolve to the cluster CA and
    # the outputs (dev.pem, dev-key.pem, dev.csr) land where step 4 expects them.
    # -profile=kubernetes refers to a profile in a -config=ca-config.json file;
    # without -config cfssl falls back to its built-in default signing profile.
    cd /etc/kubernetes/pki
    cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /root/dev.json | cfssljson -bare dev

  3. Set the cluster parameters:

    cd /home/dev
    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/pki/ca.crt \
      --embed-certs=true \
      --server="https://10.0.0.10:6443" \
      --kubeconfig=dev.kubeconfig

  4. Set the credential parameters:

    kubectl config set-credentials dev \
      --client-certificate=/etc/kubernetes/pki/dev.pem \
      --client-key=/etc/kubernetes/pki/dev-key.pem \
      --embed-certs=true \
      --kubeconfig=dev.kubeconfig

  5. Create the namespace (kubectl create namespace dev) and set the context parameters:

    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user=dev \
      --namespace=dev \
      --kubeconfig=dev.kubeconfig

  6. Bind the user to the built-in admin ClusterRole, scoped to the dev namespace by a RoleBinding (--user=devuser is the certificate's CN, which is the username the apiserver sees):

    kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev

  7. Install the kubeconfig for the dev user (still in /home/dev):

    mkdir .kube
    mv dev.kubeconfig .kube/config

  8. Switch to the context:

    kubectl config use-context kubernetes --kubeconfig=.kube/config
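Steps 1 to 8 as one script, added here as an example and not taken from the original post. The apiserver derives the username from the client certificate's CN and the groups from its O entries, so the script refuses any group in the reserved system: namespace (system:masters in particular bypasses RBAC), keeps the binding a namespaced RoleBinding, and ends by checking with kubectl auth can-i that the new user is allowed inside the namespace and denied cluster-wide. Assumed: it runs as root on a control-plane node, the cluster CA is in /etc/kubernetes/pki, cfssl and cfssljson are on PATH, and the API server address is the post's 10.0.0.10:6443; the function names and PKI_DIR / API_SERVER / WORK_DIR variables are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): steps 1-8 as one script, with a
# guard on the group name and a permission check at the end.
# Assumptions: run as root on a control-plane node, cluster CA in
# /etc/kubernetes/pki, API server https://10.0.0.10:6443 (from the post),
# cfssl/cfssljson on PATH. Usage: ./provision-user.sh devuser k8s dev
set -eu

PKI_DIR=${PKI_DIR:-/etc/kubernetes/pki}
API_SERVER=${API_SERVER:-https://10.0.0.10:6443}
WORK_DIR=${WORK_DIR:-/home/dev}

# The apiserver takes the username from the certificate CN and the groups from
# every O entry. Names starting with "system:" are reserved by Kubernetes and
# "system:masters" bypasses RBAC entirely, so never mint a client cert with one.
check_group() {
  case "$1" in
    system:*|"") return 1 ;;
    *) return 0 ;;
  esac
}

# cfssl CSR request with CN and O parameterised (same shape as the post's dev.json).
make_csr_json() {
  cn=$1; org=$2
  cat <<EOF
{
  "CN": "$cn",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "$org", "OU": "System" } ]
}
EOF
}

# kubeconfig with the cluster CA and the client cert/key embedded (steps 3-5 and 8).
build_kubeconfig() {
  user=$1; ns=$2; cfg=$3
  kubectl config set-cluster kubernetes --certificate-authority="$PKI_DIR/ca.crt" \
    --embed-certs=true --server="$API_SERVER" --kubeconfig="$cfg"
  kubectl config set-credentials "$user" --client-certificate="$WORK_DIR/$user.pem" \
    --client-key="$WORK_DIR/$user-key.pem" --embed-certs=true --kubeconfig="$cfg"
  kubectl config set-context "$user@kubernetes" --cluster=kubernetes --user="$user" \
    --namespace="$ns" --kubeconfig="$cfg"
  kubectl config use-context "$user@kubernetes" --kubeconfig="$cfg"
}

provision() {
  user=$1; group=$2; ns=$3
  check_group "$group" || { echo "refusing reserved or empty group '$group'" >&2; return 1; }
  mkdir -p "$WORK_DIR" && cd "$WORK_DIR"
  make_csr_json "$user" "$group" > "$user-csr.json"
  cfssl gencert -ca="$PKI_DIR/ca.crt" -ca-key="$PKI_DIR/ca.key" \
    -profile=kubernetes "$user-csr.json" | cfssljson -bare "$user"
  chmod 600 "$user-key.pem"
  cfg="$WORK_DIR/$user.kubeconfig"
  build_kubeconfig "$user" "$ns" "$cfg"
  kubectl get namespace "$ns" >/dev/null 2>&1 || kubectl create namespace "$ns"
  # RoleBinding (not ClusterRoleBinding) to the built-in "admin" ClusterRole:
  # full control inside $ns, nothing outside it. apply keeps the step idempotent.
  kubectl create rolebinding "$user-admin-binding" --clusterrole=admin \
    --user="$user" --namespace="$ns" --dry-run=client -o yaml | kubectl apply -f -
  # Verify the boundary: allowed in the namespace (exit 1 from can-i aborts the
  # script under set -e), denied cluster-wide.
  kubectl --kubeconfig="$cfg" auth can-i create pods -n "$ns" >/dev/null
  if kubectl --kubeconfig="$cfg" auth can-i list nodes >/dev/null 2>&1; then
    echo "$user can list nodes: binding is broader than intended" >&2
    return 1
  fi
  echo "kubeconfig written to $cfg"
}

if [ "$#" -gt 0 ]; then
  provision "$@"
fi
```

The final two kubectl auth can-i calls are the check worth keeping after any manual run of the steps above: a RoleBinding to the admin ClusterRole should answer "yes" for resources in the bound namespace and "no" for cluster-scoped resources such as nodes.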

Generating a kubeconfig from a ServiceAccount

Find the token secret attached to the ServiceAccount, read the token from it, and put it in the users section of the kubeconfig:

    kubectl describe sa yqms-user -n yqms

    kubectl describe secret yqms-user-token-gdwqn -n yqms

    users:
    - name: yqms-user
      user:
        token:
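An added example (not from the original post) that finishes the kubeconfig fragment above: it renders a complete kubeconfig for the ServiceAccount with the cluster CA embedded as certificate-authority-data rather than relying on insecure-skip-tls-verify. Before Kubernetes 1.24 each ServiceAccount had a long-lived token secret (the yqms-user-token-xxxxx name that kubectl describe sa lists); from 1.24 on no such secret is created, so the script falls back to a short-lived token from kubectl create token. The names yqms-user and yqms are the post's; the API server URL, the function names and the sample values in the usage line are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): build a kubeconfig for a
# ServiceAccount with the cluster CA embedded instead of
# insecure-skip-tls-verify. The names yqms-user and yqms are the post's;
# the API server URL is an assumption. Usage:
#   ./sa-kubeconfig.sh yqms-user yqms https://10.0.0.10:6443 > yqms-user.kubeconfig
set -eu

# Render the kubeconfig text from its parts: API server URL, base64 CA bundle
# (as stored in the secret's data["ca.crt"]), the decoded bearer token, user name, namespace.
render_sa_kubeconfig() {
  server=$1; ca_b64=$2; token=$3; name=$4; ns=$5
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $ca_b64
users:
- name: $name
  user:
    token: $token
contexts:
- name: $name@kubernetes
  context:
    cluster: kubernetes
    user: $name
    namespace: $ns
current-context: $name@kubernetes
EOF
}

# Fetch the parts from a live cluster. Before Kubernetes 1.24 every ServiceAccount
# got a long-lived token secret (the yqms-user-token-xxxxx name that
# "kubectl describe sa" lists); from 1.24 on no secret is created, so request a
# short-lived token with "kubectl create token" instead.
sa_kubeconfig_from_cluster() {
  sa=$1; ns=$2; server=$3
  secret=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[*].name}' | awk '{print $1}')
  if [ -n "$secret" ]; then
    ca_b64=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.ca\.crt}')
    token=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
  else
    ca_b64=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
    token=$(kubectl -n "$ns" create token "$sa" --duration=1h)
  fi
  render_sa_kubeconfig "$server" "$ca_b64" "$token" "$sa" "$ns"
}

if [ "$#" -gt 0 ]; then
  sa_kubeconfig_from_cluster "$@"
fi
```

The resulting file carries a bearer token, so treat it like the client key in the certificate flow (mode 600, never committed), and give the ServiceAccount itself a RoleBinding scoped as narrowly as the devuser binding above.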