Kubernetes RBAC

[root@xksmaster1 RBAC-yaml-case]# vim xks-role.yaml
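# Namespaced Role for namespace "xks".
# NOTE: this is not a read-only role, although the rules were previously
# labelled "RO-Role": it permits exec into pods and deletion of pods, and
# read-only access applies to Deployments only.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xks
  name: xks-role
rules:
# pods/exec is a subresource of pods in the core API group (""), so the group
# is named explicitly instead of "*"; the wildcard also matched same-named
# resources in every other API group.
# "create" on pods/exec is the verb that authorizes `kubectl exec`: the bound
# subject can run commands in any pod of this namespace and read whatever that
# pod has mounted (Secrets, its own service-account token). Drop this rule if
# the account only needs to observe workloads.
# Unrestricted variant (not used): verbs: ["*"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "list", "watch", "create"]

# Read access to pods plus "delete". Deleting a pod owned by a controller just
# triggers a restart, but it is still a write operation.
# Unrestricted variant (not used): verbs: ["*"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete"]

# Read-only access to Deployments.
# apiGroups takes the group name only ("apps"), never "group/version"; the
# former value "apps/v1" matches no API group, so this rule granted nothing.
# Read-write variant (not used):
#   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]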


[root@xksmaster1 RBAC-yaml-case]# kubectl apply -f xks-role.yaml
role.rbac.authorization.k8s.io/xks-role created


[root@xksmaster1 RBAC-yaml-case]# vim xks-role-bind.yaml
# Grants Role "xks-role" to ServiceAccount "xks". Role, binding and subject all
# live in namespace "xks"; a RoleBinding to a Role only applies inside its own
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: xks
  name: role-bind-xks
# roleRef cannot be edited after creation; pointing the binding at a different
# Role means deleting and recreating the binding.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: xks-role
# The ServiceAccount is not created anywhere in this transcript, so it must
# already exist in the namespace.
subjects:
  - kind: ServiceAccount
    namespace: xks
    name: xks

[root@xksmaster1 RBAC-yaml-case]# kubectl apply -f xks-role-bind.yaml
rolebinding.rbac.authorization.k8s.io/role-bind-xks created

[root@xksmaster1 RBAC-yaml-case]# vim xks-token.yaml
# Manually created, long-lived API token for ServiceAccount "xks".
# A token of this Secret type has no expiry: it stays valid until the Secret or
# the ServiceAccount is deleted, so anyone who obtains the value keeps the
# account's access until then. Where a time-bound credential is enough,
# `kubectl create token xks -n xks` issues one without storing a Secret.
# The name says "admin", but the account holds only what xks-role grants.
apiVersion: v1
kind: Secret
metadata:
  namespace: xks
  name: xks-admin-user
  annotations:
    # Tells the token controller which ServiceAccount to issue the token for;
    # that account must already exist in this namespace.
    kubernetes.io/service-account.name: xks
type: kubernetes.io/service-account-token


[root@xksmaster1 RBAC-yaml-case]# kubectl apply -f xks-token.yaml
secret/xks-admin-user created
#获取token名称
[root@xksmaster1 RBAC-yaml-case]# kubectl get secrets -n xks
NAME             TYPE                                  DATA   AGE
xks-admin-user   kubernetes.io/service-account-token   3      10s


[root@xksmaster1 RBAC-yaml-case]# kubectl describe secrets -n xks xks-admin-user
Name:         xks-admin-user
Namespace:    xks
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: xks
              kubernetes.io/service-account.uid: 875e6b2c-a7c8-4e34-8489-7259256143c6

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  3 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjR4TEdScXNNN1MwbFdNOWlKV0J0clV3N1lNeElxRUdqMmRDV2NwdUdKV28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ4a3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoieGtzLWFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieGtzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODc1ZTZiMmMtYTdjOC00ZTM0LTg0ODktNzI1OTI1NjE0M2M2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Onhrczp4a3MifQ.BZKW-B_BLyNxnP4oN8ooiTn4mEcJKmM9R2Kx6amJVc9HK8ZYlxdozZP7vy0B_R4sjz4Qma18-XnqdMmtR02mGYFpnz8rViYR5FEQDWM7FD3mUg6A5CkF2KDN9tZPQmYnFC8IsCVRa6QA5fjVDrYkuuYwApABIpjgpj05sw9i9DTe-_jjayCTilTrAa38PVxSf6S364MQUfFeYfcFZXh77ilq8dcJeuUOF1wWgdEdWjRpqs_46g4xSd2dAx7IzNpbCpmevLNJyiVdgAjnSWmApvOpBHtwqA7KZcznGCtS7kykjwW-8fThBu_lb6yj88eKIIGbLuTG7KY2Ew7y6MqHlg


[root@xksmaster1 RBAC-yaml-case]# kubectl get secrets -n xks
NAME             TYPE                                  DATA   AGE
xks-admin-user   kubernetes.io/service-account-token   3      6m8s
#使用base64解码token(base64只是编码,不是加密;解码后的值就是可直接使用的Bearer凭证):
[root@xksmaster1 RBAC-yaml-case]# kubectl get secret  xks-admin-user -o jsonpath={.data.token} -n xks |base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IjR4TEdScXNNN1MwbFdNOWlKV0J0clV3N1lNeElxRUdqMmRDV2NwdUdKV28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ4a3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoieGtzLWFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoieGtzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODc1ZTZiMmMtYTdjOC00ZTM0LTg0ODktNzI1OTI1NjE0M2M2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Onhrczp4a3MifQ.BZKW-B_BLyNxnP4oN8ooiTn4mEcJKmM9R2Kx6amJVc9HK8ZYlxdozZP7vy0B_R4sjz4Qma18-XnqdMmtR02mGYFpnz8rViYR5FEQDWM7FD3mUg6A5CkF2KDN9tZPQmYnFC8IsCVRa6QA5fjVDrYkuuYwApABIpjgpj05sw9i9DTe-_jjayCTilTrAa38PVxSf6S364MQUfFeYfcFZXh77ilq8dcJeuUOF1wWgdEdWjRpqs_46g4xSd2dAx7IzNpbCpmevLNJyiVdgAjnSWmApvOpBHtwqA7KZcznGCtS7kykjwW-8fThBu_lb6yj88eKIIGbLuTG7KY2Ew7y6MqHlg[root@xksmaster1 RBAC-yaml-case]#

 
