References for this post:
Link: www.cnblogs.com/tempted/p/1…
Link: www.colabug.com/2020/0707/7…
Requirement: the Java developers need an ordinary account that can read the logs of k8s pods and look at a few other resources, so a UserAccount (client certificate), a Role and a RoleBinding are needed. The steps are recorded here.
# CSR file for the ordinary user develop (the CN becomes the Kubernetes username, O becomes its group)
cat > develop-csr.json <<EOF
{
  "CN": "develop",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "SiChuan",
      "L": "ChengDu",
      "O": "k8s",
      "OU": "devops"
    }
  ]
}
EOF
# Sign the user's certificate with the k8s CA using cfssl/cfssljson (produces develop.pem and develop-key.pem).
# Note: kube-apiserver does no revocation checking, so a leaked client certificate stays usable until it expires;
# keep the expiry of the kubernetes profile in ca-config.json short.
cfssl gencert -ca=/data/k8s/cert/ca.pem -ca-key=/data/k8s/cert/ca-key.pem -config=/data/k8s/cert/ca-config.json -profile=kubernetes develop-csr.json | cfssljson -bare develop
# Set the cluster
kubectl config set-cluster kubernetes \
--server=https://172.16.1.202:6443 \
--certificate-authority=/data/k8s/cert/ca.pem \
--embed-certs=true \
--kubeconfig=develop.conf
# Set the credentials
kubectl config set-credentials develop \
--client-certificate=develop.pem \
--client-key=develop-key.pem \
--embed-certs=true \
--kubeconfig=develop.conf
# Set the context
kubectl config set-context develop@kubernetes \
--cluster=kubernetes \
--user=develop \
--kubeconfig=develop.conf
# Select the context to use
kubectl config use-context develop@kubernetes --kubeconfig=develop.conf
# Finally inspect the result; it can be compared with the kubectl admin kubeconfig
kubectl config view --kubeconfig=develop.conf
# linux
# Account for the Java developers
useradd develop
mkdir -p /home/develop/.kube
cp develop.conf /home/develop/.kube/config
chown -R develop:develop /home/develop/
# The kubeconfig embeds the private key, so keep it readable by develop only
chmod 600 /home/develop/.kube/config
su - develop
# Create a Role scoped to the namespace:
# accessible resources are pods and pods/log, allowed verbs are get, list and watch
cat > stage-pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: stage
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
EOF
# Apply it with an admin kubeconfig (the develop user has no rights to create RBAC objects)
kubectl apply -f stage-pods-reader.yaml
# Bind the Role to develop so that the user is allowed to read
# the resources of the API group above:
cat > stage-pods-reader-binding.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: stage
  name: develop-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: develop
EOF
# Apply it with an admin kubeconfig as well
kubectl apply -f stage-pods-reader-binding.yaml
After this, the develop account can be used to view pod-related resources in the stage namespace.
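To see exactly what the Role and RoleBinding above do and do not grant, the following is an added example (not code from the original post) that models the decision kube-apiserver's RBAC authorizer makes for a request. The two manifests are transcribed from the page as Python dicts; the requests are constructed. It is a simplification: ClusterRole/ClusterRoleBinding, resourceNames, nonResourceURLs and the system:authenticated group are not modelled. On a live cluster the same question is answered by `kubectl auth can-i --as=develop get pods/log -n stage`.

```python
"""Offline model of the RBAC decision for the Role/RoleBinding in this note (added example)."""

from dataclasses import dataclass

# Role from the post: namespace-scoped, read-only on pods and the pods/log subresource.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "stage", "name": "pods-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBinding from the post: grants that Role to the User "develop" inside namespace stage.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "stage", "name": "develop-pods-reader"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pods-reader"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "develop"}],
}


@dataclass(frozen=True)
class Request:
    """One resource request as the authorizer sees it after authentication."""
    user: str          # CN of the client certificate
    groups: tuple      # O fields of the client certificate ("k8s" in the CSR above)
    verb: str
    namespace: str
    api_group: str     # "" is the core group (pods); "apps" would be deployments, etc.
    resource: str      # "pods", or "pods/log" for a subresource


def _match(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """A single PolicyRule allows a request only if apiGroup, verb AND resource all match."""
    if not _match(rule.get("apiGroups", []), req.api_group):
        return False
    if not _match(rule.get("verbs", []), req.verb):
        return False
    resources = rule.get("resources", [])
    if "*" in resources or req.resource in resources:
        return True
    # "pods/*" grants every subresource of pods; plain "pods" does NOT include pods/log.
    parent = req.resource.split("/", 1)[0]
    return "/" in req.resource and f"{parent}/*" in resources


def binding_applies(binding, req):
    """A RoleBinding matches only inside its own namespace and only for its listed subjects."""
    if binding["metadata"]["namespace"] != req.namespace:
        return False
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == req.user:
            return True
        if subject["kind"] == "Group" and subject["name"] in req.groups:
            return True
    return False


def authorize(req, roles, bindings):
    """Deny by default: allow only if an applicable binding references a Role whose rule matches."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if not binding_applies(binding, req) or binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this simplified model
        # A Role referenced by a RoleBinding must live in the binding's namespace.
        role = roles_by_key.get((binding["metadata"]["namespace"], binding["roleRef"]["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, req) for rule in role.get("rules", [])):
            return True
    return False


def can_i(user, verb, resource, namespace="stage", api_group="", groups=("k8s",)):
    """Answer the question `kubectl auth can-i` answers, against the two manifests above."""
    req = Request(user, tuple(groups), verb, namespace, api_group, resource)
    return authorize(req, [ROLE], [ROLE_BINDING])


if __name__ == "__main__":
    # Constructed requests: the first two are what the Java developers need, the rest must be denied.
    cases = [
        ("develop", "get", "pods", "stage", ""),
        ("develop", "get", "pods/log", "stage", ""),
        ("develop", "list", "pods", "default", ""),          # other namespace
        ("develop", "delete", "pods", "stage", ""),          # verb not granted
        ("develop", "create", "pods/exec", "stage", ""),     # subresource not granted
        ("develop", "get", "deployments", "stage", "apps"),  # other API group
        ("someone-else", "get", "pods", "stage", ""),        # not a bound subject
    ]
    for user, verb, resource, ns, group in cases:
        verdict = "yes" if can_i(user, verb, resource, ns, group) else "no"
        print(f"{user:13} {verb:7} {resource:12} -n {ns:8} apiGroup={group or '(core)'} -> {verdict}")
```

The denied cases are the ones worth remembering when a request from the develop user fails: a Role never reaches beyond its namespace, `pods` does not imply `pods/log` (and `pods/log` does not imply `pods/exec`), and resources in other API groups such as deployments need their own rule.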