Granting a Kubernetes account permissions scoped to a single namespace
Background:
Our company runs its test workloads in the test namespace. We want to hand a customer an account that is limited to the test namespace, so that they can reach the resources in that namespace through the kubectl client and nothing else. The pieces are a ServiceAccount (the identity), a namespaced Role (the permissions), a RoleBinding (identity to permissions), a token for the identity, and a kubeconfig that wraps the token for the customer.
1. Create a ServiceAccount

```yaml
# serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
  namespace: test
```

```bash
kubectl apply -f serviceaccount.yaml
```
2. Create a Role (defines the permissions)

A Role is namespaced, so everything it grants stops at the boundary of the test namespace. Do not reach for a ClusterRole/ClusterRoleBinding here: that would grant the same verbs in every namespace.

```yaml
# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: test-user-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "delete", "update"]
```

```bash
kubectl apply -f role.yaml
```

Two practical notes on this rule set. First, kubectl apply and kubectl edit use PATCH on objects that already exist, and kubectl logs needs the pods/log subresource, so add "patch" to the verbs and "pods/log" to the core resources if the customer is expected to apply manifests or read logs. Second, "create" on pods lets the holder run any image they like, including privileged or hostPath pods unless Pod Security Admission forbids it; label the namespace with pod-security.kubernetes.io/enforce set to baseline or restricted before handing out this access. Secrets are deliberately absent from the rule set and should stay that way.
3. Create a RoleBinding (binds the Role to the ServiceAccount)

```yaml
# rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-rolebinding
  namespace: test
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: test
roleRef:
  kind: Role
  name: test-user-role
  apiGroup: rbac.authorization.k8s.io
```

```bash
kubectl apply -f rolebinding.yaml
```
4. Create a Secret of type kubernetes.io/service-account-token

Since Kubernetes 1.24 the control plane no longer creates a token Secret automatically for every ServiceAccount, so one has to be requested explicitly.

```yaml
# test-token-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-token
  namespace: test
  annotations:
    kubernetes.io/service-account.name: test-user
type: kubernetes.io/service-account-token
```

```bash
kubectl apply -f test-token-secret.yaml
```

The annotation is the key part: it tells the token controller which ServiceAccount the Secret belongs to, and the controller then fills the Secret's data with a signed JWT (token), the cluster CA (ca.crt) and the namespace. The annotation value must match the ServiceAccount name exactly (test-user here); pointing it at a ServiceAccount that does not exist leaves the Secret without a token.

Caveat: a token minted this way has no expiry and is only revoked by deleting the Secret or the ServiceAccount. If the customer's access can be renewed, prefer a bound, expiring token instead of this Secret, for example kubectl create token test-user -n test --duration=24h (the upper bound is set by the API server's --service-account-max-token-expiration flag), and skip this step.
5. Read the Secret contents

```bash
# The token is stored base64-encoded in the Secret; decode it to get the JWT
kubectl -n test get secret test-token -o jsonpath='{.data.token}' | base64 -d
```

Sample output from the author's cluster. It was captured from a ServiceAccount named xhl and a Secret named xhl-token (the payload decodes to sub: system:serviceaccount:test:xhl); with the manifests above the sub claim should read system:serviceaccount:test:test-user, which is worth confirming before the token leaves your hands.

```
eyJhbGciOiJSUzI1NiIsImtpZCI6InlhRElSNmVkdElSTnZjaFpyVkM0cklRdDdobmhMNWZnc3Vfam5LNS1qb2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InhobC10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ4aGwiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3OTM4NDRlYy04MWI1LTQ4MzUtOTk1OC05NzE3NzFmODVlNmMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdDp4aGwifQ.l1yBleJ-AWmjNVAVkn_nkyEaSe89R-wcHbTx74UsztbaDhm4FiSCiNcr2jbcS6VUhNq3XbYnEewQaREnfpzOXkc9tUGsDLuVIyrH232upJRP-3qABN4hMoijwWS4LKw7hUMSLqpC9NuwGCYzZVBzBTtNQiIO3-pJ65JMUj6MOfOvG3XGZyBaghh2rvnbhISy9-NzvIWnoK0-YBa4RctzWSFSgv0Jg_fbU4zuXxbF77n9lWDw66Yl7AUJJnUuPY1bYq3K5_a48tHzwJddCt09v_LzQin8tH56LkBNIlcAG63ZDCrrX5FzT5C3yfI_QNMRj4nCuq2Sae9e2yzB6fte8Q
```

The CA certificate is needed for the kubeconfig in the next step. Leave it base64-encoded: certificate-authority-data in a kubeconfig takes the base64 form, so there is no base64 --decode on this command.

```bash
# Cluster CA, base64-encoded, ready to paste into certificate-authority-data
kubectl -n test get secret test-token -o jsonpath='{.data.ca\.crt}'
```

Sample output (same cluster as above):

```
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1UQXlNREExTkRVeU5sb1hEVE15TVRBeE56QTFORFV5Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDc1Cm16dEpxUXd3TEVVTjFrY1FTTG55T2dwVU9rc0lBL3J2RXhJTnVoVmRUVSs4QkMzUDd0VWpFeXdOZGdLSktaaDMKVGJ3TmVJNG1PelhNaXprQ1poNS9lUGZieVZ0VzV4TTJ5N1pZZURiSFJzSWdaZkpqcU1SQUEvem5LcGhxc2IzTQpzbkVmNVFmZDllWm0rTStYSUdNMnYvcnZwbG9JYTFRMjl0M1p6K3JGVll0R1BQZDRkZUgvV2x0MEs3QmtqR0JIClFiTmY3dzJncG9kNm5KS1E1VnhmNGhhaWF2UDh4cjhpRkJBam5WQi9LaWJSZk9Tck0ydFhqWjVxTHoxN3BnVUkKcW91RDQ2K3h0YTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSDVpcWF5RERsS2tTQVMyc0l0dgozbDBiS0IwakhoaHdHaXFVQ0c5VENKNi9wZk9JQlBhTUxFZ1F0MEhNNm15ZktCczQyRDNLOUpvQ3AxRWV5cUdlCmMraVMzZ1E2UjJCbGw2bXVWTFFDbE5RMytseHFuNy9wc1J6Vm1LZjNEaGRMSlpla2NKaWkzYmttUldzd0xVQTEKNHBSZWhaUzFaUzkxQ0NaSm5hQkV0ektiWG5rMVBXUVlMT0ZJclczN0RhVmZMbHh0SEl4Zm9sTU9SNE8wY3hZcgpxOHFPMWRoOGt1eWVhcUZad1MrL3Q3VnFnak14SUpkb1RqTzFsYzRuNGRKcm0vTmpOMWJwb0hack1seVNnbTFuClg2TVpzb2QyQ1YyRmd6dm96TStjM2NJVFJVYmZ3RVJEQUNZVjF3SzRqQm9QY3hadWs5SEljalVJc2Y0d0liNGMKZkwwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
```
6. Generate the kubeconfig

The context pins the namespace to test, so the customer does not have to pass -n test on every command; RBAC, not the kubeconfig, is what stops them from reading other namespaces.

```yaml
apiVersion: v1
kind: Config
clusters:
- name: test-cluster
  cluster:
    certificate-authority-data: <base64-encoded ca.crt from step 5>
    server: https://<your-k8s-api-server>
users:
- name: test-user
  user:
    token: <token from step 5>
contexts:
- name: test-context
  context:
    cluster: test-cluster
    user: test-user
    namespace: test
current-context: test-context
```
7. Use the kubeconfig to access resources in the test namespace

```bash
KUBECONFIG=./kubeconfig kubectl get pods
```

Pods in test are listed; the same command with -n kube-system is refused with a Forbidden error, which is the behaviour the customer should see.
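The seven steps above as one script, added here as an example and not code from the original post. It assumes kubectl on PATH with an admin context and the names used in this post (namespace test, ServiceAccount test-user, Secret test-token, Role test-user-role); the output file name ./kubeconfig-test-user and the script name issue-kubeconfig.sh are hypothetical. It goes a little beyond the post: the Role also grants patch and pods/log, the token's sub claim is checked against the expected ServiceAccount before the kubeconfig is written, and the result is verified both positively (can list pods in test) and negatively (cannot in kube-system).

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes kubectl on PATH with an
# admin context and the post's names: namespace test, ServiceAccount test-user,
# Secret test-token, Role test-user-role. ./kubeconfig-test-user is hypothetical.
set -euo pipefail
NS=test; SA=test-user; SECRET=test-token; ROLE=test-user-role

# ServiceAccount, Role, RoleBinding and token Secret in one apply. Compared with
# the post's Role this adds "patch" (needed by kubectl apply/edit on existing
# objects) and pods/log (needed by kubectl logs).
apply_rbac() {
  kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${SA}, namespace: ${NS}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: ${ROLE}, namespace: ${NS}}
rules:
- apiGroups: [""]
  resources: [pods, pods/log, services, configmaps]
  verbs: [get, list, watch, create, update, patch, delete]
- apiGroups: [apps]
  resources: [deployments]
  verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ${SA}-rolebinding, namespace: ${NS}}
subjects: [{kind: ServiceAccount, name: ${SA}, namespace: ${NS}}]
roleRef: {kind: Role, name: ${ROLE}, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${SECRET}
  namespace: ${NS}
  annotations: {kubernetes.io/service-account.name: ${SA}}
EOF
}

# Print the JSON payload of a JWT (no signature check; the API server does that).
jwt_payload() {
  local p; p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="${p}==" ;; 3) p="${p}=" ;; esac  # restore padding
  printf '%s' "$p" | base64 -d
}

# Succeeds only if the token's sub claim names the expected ServiceAccount, so a
# token copied from the wrong Secret is caught before it is handed out.
check_token_subject() {
  local sub; sub=$(jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  [ "$sub" = "system:serviceaccount:$2:$3" ]
}

# Emit a kubeconfig whose context is pinned to the namespace. Args: server, base64 CA, token.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: test-cluster
  cluster: {server: $1, certificate-authority-data: $2}
users:
- name: ${SA}
  user: {token: $3}
contexts:
- name: test-context
  context: {cluster: test-cluster, user: ${SA}, namespace: ${NS}}
current-context: test-context
EOF
}

# Live flow: apply, wait for the token controller to fill the Secret, verify the
# subject, write the kubeconfig, then prove it works in test and nowhere else.
issue_kubeconfig() {
  local token="" ca_b64 server i
  apply_rbac
  for i in 1 2 3 4 5 6 7 8 9 10; do
    token=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}' | base64 -d)
    [ -n "$token" ] && break; sleep 1
  done
  check_token_subject "$token" "$NS" "$SA"
  # ca.crt stays base64: that is the form certificate-authority-data expects.
  ca_b64=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.ca\.crt}')
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  render_kubeconfig "$server" "$ca_b64" "$token" > ./kubeconfig-test-user
  KUBECONFIG=./kubeconfig-test-user kubectl auth can-i list pods -n "$NS"          # yes
  ! KUBECONFIG=./kubeconfig-test-user kubectl auth can-i list pods -n kube-system  # no
}

# Run the live flow only when invoked as: bash issue-kubeconfig.sh issue
if [ "${1:-}" = "issue" ]; then issue_kubeconfig; fi
```

Run it as bash issue-kubeconfig.sh issue from an admin context. kubectl auth can-i exits 0 for "yes" and 1 for "no", so the last two lines fail the script if the Role is wider or narrower than intended. The JWT payload decoding is deliberately signature-free: its only job is to catch a token taken from the wrong Secret, while the API server remains the party that verifies the signature.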