k8s Study Notes 12: The Permission System
Creating a low-privilege account
First create a Role; a Role only takes effect inside a single namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
  namespace: rrb
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - pods/exec
Then create a ServiceAccount (sa).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: eks-reader
  namespace: rrb
Finally bind this Role to the sa. The token in the Secret generated for the sa can then be used to log in to the dashboard, and it only carries list and exec permissions on pods in this namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-reader
  namespace: rrb
subjects:
  - kind: ServiceAccount
    name: eks-reader
    namespace: rrb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
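To see exactly what the Role above grants, and just as importantly what it does not, here is an added example that is not part of the original notes. It evaluates requests against the Role's rules with the same matching logic the Kubernetes RBAC authorizer uses: `*` is a wildcard for verbs, apiGroups and resources, `pods/exec` is a resource distinct from `pods`, and `*/exec` means the exec subresource of any resource. The rules are the pod-reader Role copied into Python dicts so the script runs without a cluster or a YAML library; the `Request` class and the function names are this example's own.

```python
"""Evaluate requests against Kubernetes RBAC PolicyRules.

Added example, not part of the original notes. The matching logic follows
the RBAC authorizer: "*" is a wildcard for verbs, apiGroups and resources,
"pods/exec" is a resource distinct from "pods", and "*/exec" means the
exec subresource of any resource. Only namespaced resource rules are
covered (a Role cannot carry nonResourceURLs).
"""
from dataclasses import dataclass

# The pod-reader Role from the notes (namespace rrb), as plain dicts.
POD_READER_RULES = [
    {"verbs": ["get", "watch", "list"], "apiGroups": [""], "resources": ["pods"]},
    {"verbs": ["create"], "apiGroups": [""], "resources": ["pods/exec"]},
]


@dataclass(frozen=True)
class Request:
    """One set of authorization attributes, as the apiserver sees them."""
    verb: str
    resource: str          # e.g. "pods"
    subresource: str = ""  # e.g. "exec" or "log"
    api_group: str = ""    # "" is the core group; "apps" for deployments
    name: str = ""         # object name, only matters for resourceNames rules


def verb_matches(rule: dict, verb: str) -> bool:
    return any(v in ("*", verb) for v in rule.get("verbs", []))


def group_matches(rule: dict, group: str) -> bool:
    return any(g in ("*", group) for g in rule.get("apiGroups", []))


def resource_matches(rule: dict, req: Request) -> bool:
    # The authorizer compares against "resource/subresource" as one string.
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for res in rule.get("resources", []):
        if res == "*" or res == combined:
            return True
        # "*/exec" matches the exec subresource of any resource.
        if req.subresource and res == f"*/{req.subresource}":
            return True
    return False


def name_matches(rule: dict, req: Request) -> bool:
    names = rule.get("resourceNames", [])
    return not names or req.name in names


def rule_allows(rule: dict, req: Request) -> bool:
    return (verb_matches(rule, req.verb) and group_matches(rule, req.api_group)
            and resource_matches(rule, req) and name_matches(rule, req))


def allowed(rules: list, req: Request) -> bool:
    """RBAC is allow-only: a request passes if any rule matches it."""
    return any(rule_allows(r, req) for r in rules)


def matching_rules(rules: list, req: Request) -> list:
    """Indexes of the rules that grant the request; handy when auditing a Role."""
    return [i for i, r in enumerate(rules) if rule_allows(r, req)]


if __name__ == "__main__":
    checks = [
        Request("list", "pods"),                  # granted by rule 0
        Request("create", "pods", "exec"),        # granted by rule 1
        Request("get", "pods", "log"),            # denied: pods/log is its own resource
        Request("delete", "pods"),                # denied: verb not in the Role
        Request("get", "secrets"),                # denied: resource not in the Role
        Request("list", "deployments", api_group="apps"),  # denied: wrong API group
    ]
    for req in checks:
        path = req.resource + ("/" + req.subresource if req.subresource else "")
        print(f"{req.verb:7} {path:18} -> {'allow' if allowed(POD_READER_RULES, req) else 'deny'}")
```

Against a live cluster the equivalent check is `kubectl auth can-i list pods -n rrb --as=system:serviceaccount:rrb:eks-reader`. Two things the evaluator makes visible: `get` on `pods` does not imply `pods/log` or `pods/exec`, each subresource must be granted on its own; and `create` on `pods/exec` lets the holder run commands inside every pod in the namespace, which is considerably more than the name "reader" suggests, so review whether that rule is really needed for a dashboard login.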
kubeconfig admin account
When calling the API from Python, this config is what is used; it carries the highest privileges.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "hangzhou",
      "ST": "hangzhou",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client admin-csr.json | cfssljson -bare admin
# Set cluster parameters
kubectl config set-cluster kubernetes \
  --server=https://192.168.18.56:6443 \
  --certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
  --embed-certs=true \
  --kubeconfig=admin.kubeconfig
# Set client authentication parameters
kubectl config set-credentials cluster-admin \
  --certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
  --embed-certs=true \
  --client-key=/opt/kubernetes/server/bin/cert/admin-key.pem \
  --client-certificate=/opt/kubernetes/server/bin/cert/admin.pem \
  --kubeconfig=admin.kubeconfig
# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=cluster-admin \
  --kubeconfig=admin.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=admin.kubeconfig
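The four kubectl commands above each write one section of the same file, and a Python client that "calls the API with this config" reads exactly that structure. As an added illustration that is not part of the original notes, the function below builds the same kubeconfig as a Python dict (a kubeconfig may be YAML or JSON), including what `--embed-certs=true` does: base64-encoding the PEM files into `certificate-authority-data`, `client-certificate-data` and `client-key-data` instead of referencing paths. The PEM strings are constructed placeholders, not real certificates or keys, and `build_kubeconfig`, `client_cert_pem` and the constants are this example's own names; the server address and cert directory are the ones from the notes.

```python
"""Build an admin.kubeconfig equivalent to the kubectl config commands above.

Added example, not from the original notes. kubectl config set-cluster /
set-credentials / set-context / use-context each edit one section of the
same file; this function produces that file as a dict, which json.dumps()
turns into a kubeconfig kubectl accepts (kubeconfig may be JSON or YAML).
"""
import base64
import json

# Constructed placeholder PEM blobs standing in for ca.pem, admin.pem and
# admin-key.pem; they are NOT real certificates or keys.
CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n"
ADMIN_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ADMIN\n-----END CERTIFICATE-----\n"
ADMIN_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----\n"

SERVER = "https://192.168.18.56:6443"          # apiserver address used in the notes
CERT_DIR = "/opt/kubernetes/server/bin/cert"    # cert directory used in the notes


def _b64(pem: str) -> str:
    """--embed-certs=true stores the file content as standard base64."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(server: str, ca_pem: str, client_cert_pem: str, client_key_pem: str,
                     embed_certs: bool = True, cert_dir: str = CERT_DIR) -> dict:
    """Return the dict that the four kubectl commands in the notes produce.

    embed_certs=True mirrors --embed-certs=true (a self-contained file with
    *-data fields); embed_certs=False writes file paths instead, so the
    kubeconfig only works on a host that has those files.
    """
    if embed_certs:
        cluster = {"server": server, "certificate-authority-data": _b64(ca_pem)}
        user = {"client-certificate-data": _b64(client_cert_pem),
                "client-key-data": _b64(client_key_pem)}
    else:
        cluster = {"server": server, "certificate-authority": f"{cert_dir}/ca.pem"}
        user = {"client-certificate": f"{cert_dir}/admin.pem",
                "client-key": f"{cert_dir}/admin-key.pem"}
    return {
        "apiVersion": "v1",
        "kind": "Config",
        # kubectl config set-cluster kubernetes ...
        "clusters": [{"name": "kubernetes", "cluster": cluster}],
        # kubectl config set-credentials cluster-admin ...
        "users": [{"name": "cluster-admin", "user": user}],
        # kubectl config set-context default --cluster=kubernetes --user=cluster-admin
        "contexts": [{"name": "default",
                      "context": {"cluster": "kubernetes", "user": "cluster-admin"}}],
        # kubectl config use-context default
        "current-context": "default",
        "preferences": {},
    }


def client_cert_pem(config: dict, user: str = "cluster-admin") -> str:
    """Recover the embedded client certificate PEM of a user entry (for auditing)."""
    for entry in config["users"]:
        if entry["name"] == user:
            return base64.b64decode(entry["user"]["client-certificate-data"]).decode()
    raise KeyError(user)


if __name__ == "__main__":
    cfg = build_kubeconfig(SERVER, CA_PEM, ADMIN_CERT_PEM, ADMIN_KEY_PEM)
    print(json.dumps(cfg, indent=2))
```

Because the embedded file contains the private key, it is a complete credential on its own. A client certificate whose subject carries `O: system:masters` is mapped by the built-in `cluster-admin` ClusterRoleBinding to full cluster-admin rights, and the apiserver does not check certificate revocation, so such a kubeconfig stays valid until the CA itself is rotated; keep it offline and use the namespaced ServiceAccount from the first section for day-to-day access.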