Within a company, different kinds of work necessarily require different permissions. Several working groups can share one Kubernetes cluster, so it is partitioned with namespaces: even inside the same cluster the groups then do not interfere with one another. The groups may also be managed by different people, so a user concept is layered on top of that.
In Kubernetes, permissions are actually granted to two kinds of identity: one for services (processes in pods), the service account, and one for system administrators, operators and people, the user.
This article uses RBAC to show how to partition permissions by namespace and user name (my namespace split is by user, so RBAC is needed to authorize which resources a user may access and what they may do with those resources).
1. Create the certificates
Because I access the api-server over HTTPS, certificates are needed; they are created here with openssl.
- Create the user's private key
- Create the certificate signing request
- Sign the certificate
2. Create the cluster authorization file
That is the kubeconfig. I call it that because all the information for accessing the cluster (the api-server) lives in it; here it is created as a separate file.
- Set the cluster to access
- Set the user who accesses the cluster (with certificate)
- Set the context for accessing the cluster (with namespace)
- Copy the finished cluster authorization file into the user's home directory
- Change the owner and group of the copied file (the file is mode 600, so the owner alone is enough)
3. Create the ROLE
This is the role definition; think of it as the abilities granted to the user.
- Role: namespaced; use it when the grant is scoped to one namespace
- ClusterRole: cluster-wide, with no namespace concept
4. Bind the ROLE to the USER
This is the ROLEBINDING, which ties user and role together.
- RoleBinding is also namespaced, but it can reference a ClusterRole to grant, within the binding's own namespace, the permissions that ClusterRole defines. This lets administrators define one common set of roles for the whole cluster and reuse them across namespaces (one ClusterRole, many RoleBindings).
- ClusterRoleBinding is the special case: a RoleBinding may reference a ClusterRole, but a ClusterRoleBinding cannot reference a Role; it binds cluster roles only.
Main part
Creating the certificates
Create the user private keys
umask 077;openssl genrsa -out dev.key 2048
umask 077;openssl genrsa -out prod.key 2048
Create the signing request files
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
openssl req -new -key prod.key -out prod.csr -subj "/CN=prod"
Sign the certificates
openssl x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 3650
openssl x509 -req -in prod.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out prod.crt -days 3650
Verify the files
[root@ECS1 ssl]# ls
dev.crt dev.csr dev.key prod.crt prod.csr prod.key
That completes the certificates.
Creating the cluster authorization files
Set the cluster to access, and point at a new config file. The file can also be left unspecified: if these entries go into the same file as the original config, there is no need for it.
kubectl config set-cluster kubernetes-cluster --server=https://172.16.0.1:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/root/dev.conf
kubectl config set-cluster kubernetes-cluster --server=https://172.16.0.1:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/root/prod.conf
This defines which cluster is accessed. A Kubernetes cluster is reached through the api-server, so the address given is the api-server's IP. Over HTTPS, remember to include the CA certificate.
Set the user who accesses the cluster
kubectl config set-credentials dev --client-certificate=dev.crt --client-key=dev.key --embed-certs=true --kubeconfig=/root/dev.conf
kubectl config set-credentials prod --client-certificate=prod.crt --client-key=prod.key --embed-certs=true --kubeconfig=/root/prod.conf
This defines which user may access the cluster.
Set the context for accessing the cluster
kubectl config set-context dev --namespace=dev --cluster=kubernetes-cluster --user=dev --kubeconfig=/root/dev.conf
kubectl config set-context prod --namespace=prod --cluster=kubernetes-cluster --user=prod --kubeconfig=/root/prod.conf
This defines which part of the cluster (the namespace) is accessed.
Copy the authorization config files into the users' home directories and set ownership
mkdir -p /home/dev/.kube
cp /root/dev.conf /home/dev/.kube/config
chown -R dev:dev /home/dev/
mkdir -p /home/prod/.kube
cp /root/prod.conf /home/prod/.kube/config
chown -R prod:prod /home/prod/
Verify the config file permissions
[root@ECS1 ~]# su - dev
Last login: Tue Jun 22 17:35:22 CST 2021 on pts/0
[dev@ECS1 ~]$ ll .kube/
total 12
drwxr-x--- 4 dev dev 4096 Jun 22 15:37 cache
-rw------- 1 dev dev 5315 Jun 22 15:37 config
[dev@ECS1 ~]$
[root@ECS1 ~]# su - prod
Last login: Tue Jun 22 16:27:33 CST 2021 on pts/0
[prod@ECS1 ~]$ ll .kube/
total 12
drwxr-x--- 4 prod prod 4096 Jun 22 16:28 cache
-rw------- 1 prod prod 5328 Jun 22 16:28 config
View the config files
[prod@ECS1 ~]$ cat .kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://172.16.0.1:6443
  name: kubernetes-cluster
contexts:
- context:
    cluster: kubernetes-cluster
    namespace: prod
    user: prod
  name: prod
current-context: prod
kind: Config
preferences: {}
users:
- name: prod
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
[dev@ECS1 ~]$ cat .kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXdPREV4TWpFek1Gb1hEVE14TURZd05qRXhNakV6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTm5OCktJNXpwV01yYmhYdkZtNWNnNVJ5Y2xZb1VmSWdCVVdxOXJzMkJOK056WVgybXFFTmdFL011RHd3K1p5cDFMblAKZktjU2pBczVNbm1iQjVqT2cyU1B4RkFkalBhaTlnQjZ6Z21qQkZoLy9YN25RZGVaa2FUN1huUjY5Q3dQQk5TMQo5ejZBeDhkVjdxSTFpWDdBTVFSTUNRZGQxSE8zTy9rYVE5U2tpT2pKK21rVnVTUWdTQlpSTm1zTDNQTi9TbjlSCis4YmlZZXFPaWJNRExEdXNDUGJqT0w0WmpFdjRCNThWblVmRkYxTWNOcjV3WVpRZ1pabkY3RHFEYmVRazVKbXIKTWpFdFZjRFNuNi95LytNYUNpcXpENUVxQ0k3cC8rbFZsUVlaY20rUjBFd0VBcmxvMDdlWUFic2JyZmlxMlhsagp2N2lZSkRaU2lZMS9jRjdlUTRFQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZCM2kwTzB4WjBYckR1ZkNXK2pGeFh0NG1GckJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCaDhLN3RLMVZIMnk2WURMUk5LemdkTmd3RlpzZ2dGS0tndTc4K2JSU05GQnEwTjladwpiTnd1cldIYmF2R3M3OVFjNnFwbktDOXQ2T1NKQlBFQnhuODZiMDBJV3FobE00NDk1akNBS0trUFJRODc0eGllCkNFbFdJL05tQlJtejZhQU9jWWI4S29jWGlmcXhheTV4Z3VkWEQrM2VlQkNZcVlvM0h6RU9wZ1pnWFhJc1BHdW4KZzhJMHMvdTBlZGNOL0JpZEdieklCc2dJNkdRK3ZqVm00dVQvVXcyc2VNaXdONUY0NExKbjFwNE5iR2hmVTcrbgpFZXlrOU8vSk9YdlRRV3BVYTVEeFE1TFV0eXEzWFAvSlMzUGRyQi9UZVNDMEt3WDdZc1FYN25xaTNnVUZJbmE4CjRCOXVTNUJGY0xSdjNUWDQvR3gzZlR4ZnJkWnBnWDRrMVZ3YwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://172.16.0.1:6443
  name: kubernetes-cluster
contexts:
- context:
    cluster: kubernetes-cluster
    namespace: dev
    user: dev
  name: dev
current-context: dev
kind: Config
preferences: {}
users:
- name: dev
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
That completes the cluster authorization config files.
Creating the authorization objects
Create the roles
[root@ECS1 rbac]# cat dev.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev
  namespace: dev
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - delete
  - exec
  - edit
[root@ECS1 rbac]# cat prod.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prod
  namespace: prod
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
Create the rolebindings
[root@ECS1 rbac]# cat rolebind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: dev
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev
  apiGroup: rbac.authorization.k8s.io
[root@ECS1 rbac]# cat rolebindprod.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod-rolebinding
  namespace: prod
subjects:
- kind: User
  name: prod
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: prod
  apiGroup: rbac.authorization.k8s.io
Verify the result
[root@ECS1 rbac]# kubectl get role,rolebinding -n dev
NAME                                 CREATED AT
role.rbac.authorization.k8s.io/dev   2021-06-22T08:25:01Z

NAME                                                    ROLE       AGE
rolebinding.rbac.authorization.k8s.io/dev-rolebinding   Role/dev   81m
[root@ECS1 rbac]# kubectl describe role,rolebinding -n dev
Name:         dev
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [get list watch create patch delete exec edit]

Name:         dev-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  dev
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  dev
[root@ECS1 rbac]# kubectl get role,rolebinding -n prod
NAME                                  CREATED AT
role.rbac.authorization.k8s.io/prod   2021-06-22T08:27:25Z

NAME                                                     ROLE        AGE
rolebinding.rbac.authorization.k8s.io/prod-rolebinding   Role/prod   78m
[root@ECS1 rbac]# kubectl describe role,rolebinding -n prod
Name:         prod
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]

Name:         prod-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  prod
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  prod
That completes the setup.
Checking the effect
[dev@ECS1 ~]$ kubectl -n dev get pod,role,rolebinding
NAME CREATED AT
role.rbac.authorization.k8s.io/dev 2021-06-22T08:25:01Z
NAME ROLE AGE
rolebinding.rbac.authorization.k8s.io/dev-rolebinding Role/dev 85m
[dev@ECS1 ~]$ kubectl -n prod get pod,role,rolebinding
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "prod"
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "dev" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "prod"
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "dev" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "prod"
[prod@ECS1 ~]$ kubectl -n prod get pod,role,rolebinding
NAME CREATED AT
role.rbac.authorization.k8s.io/prod 2021-06-22T08:27:25Z
NAME ROLE AGE
rolebinding.rbac.authorization.k8s.io/prod-rolebinding Role/prod 84m
[prod@ECS1 ~]$ kubectl -n dev get pod,role,rolebinding
Error from server (Forbidden): pods is forbidden: User "prod" cannot list resource "pods" in API group "" in the namespace "dev"
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "prod" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "dev"
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "prod" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "dev"
It works as designed: the two users do not interfere with each other. Fit for production.
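To make the Role/RoleBinding/ClusterRoleBinding distinctions from the overview and the Forbidden results above concrete, here is an added example (not code from the original post) that re-implements the relevant part of the RBAC decision offline in Python. The `pod-reader` ClusterRole, the `viewer` user and the third RoleBinding are constructed assumptions; everything else mirrors the post's YAML.

```python
# Added example, not from the post: a small offline model of how the API server evaluates
# RBAC for the objects above (User subjects, Role/ClusterRole refs, "*" wildcards only).
ROLES = {  # (namespace, name) -> rules, mirroring dev.yaml and prod.yaml
    ("dev", "dev"): [{"apiGroups": ["*"], "resources": ["*"],
                      "verbs": ["get", "list", "watch", "create", "patch",
                                "delete", "exec", "edit"]}],
    ("prod", "prod"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
# Constructed ClusterRole (assumption, not in the post): "one ClusterRole, many RoleBindings".
CLUSTER_ROLES = {
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
# The two RoleBindings from the post plus a constructed one referencing the ClusterRole;
# namespace=None would mark a (non-namespaced) ClusterRoleBinding.
BINDINGS = [
    {"namespace": "dev", "subjects": ["dev"], "roleRef": ("Role", "dev")},
    {"namespace": "prod", "subjects": ["prod"], "roleRef": ("Role", "prod")},
    {"namespace": "dev", "subjects": ["viewer"], "roleRef": ("ClusterRole", "pod-reader")},
]

def _rule_allows(rule, verb, api_group, resource):
    # "*" matches anything; in `resources` it also covers subresources such as pods/exec.
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)

def _rules_for(binding):
    kind, name = binding["roleRef"]
    if kind == "Role":  # a Role is only reachable from a binding in its own namespace
        return ROLES.get((binding["namespace"], name), [])
    return CLUSTER_ROLES.get(name, [])

def can_i(user, verb, resource, namespace, api_group=""):
    """True if any binding grants the request; RBAC is additive and denies by default."""
    for b in BINDINGS:
        if user not in b["subjects"]:
            continue
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        if any(_rule_allows(r, verb, api_group, resource) for r in _rules_for(b)):
            return True
    return False

if __name__ == "__main__":
    print(can_i("dev", "list", "pods", "prod"))     # False: the Forbidden error shown above
    print(can_i("viewer", "list", "pods", "prod"))  # False: the ClusterRole is bound in dev only
    # "exec"/"edit" are not RBAC verbs (kubectl exec needs "create" on pods/exec, covered
    # here by create + "*"), while "update" is simply not granted to dev.
    print(can_i("dev", "create", "pods/exec", "dev"), can_i("dev", "update", "pods", "dev"))  # True False
```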
Author: K&