k8s添加用户之kubeconfig模式


k8s添加用户之kubeconfig模式

添加一个用户 stjr-dev，该用户只有 stjr 命名空间下所有资源的只读权限。

操作

创建用户相关证书

# Create a client key and a certificate for the Kubernetes user "stjr-dev",
# signed by the cluster CA. The API server takes the username from the
# certificate's CN (group membership would come from O), so the -subj value
# is the identity this certificate grants.
user_name="stjr-dev"
openssl genrsa -out "${user_name}.key" 2048
openssl req -new -key "${user_name}.key" -out "${user_name}.csr" -subj "/CN=${user_name}"
# Signing needs the cluster CA private key, i.e. root on a control-plane node;
# -CAcreateserial also writes a .srl serial file next to ca.crt. Kubernetes has
# no client-certificate revocation, so the validity period (-days 3650, ten
# years) is the only bound on this credential's lifetime — keep the key file
# private (0600) and consider a shorter validity in line with local policy.
openssl x509 -req -in "${user_name}.csr" \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial \
  -out "${user_name}.crt" -days 3650

查看证书

# openssl x509 -in stjr-dev.crt  -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:80:a3:7e:64:66:e7:fe
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Jul 24 03:34:31 2019 GMT
            Not After : Jul 21 03:34:31 2029 GMT
        Subject: CN=stjr-dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                ...

k8s中创建用户和权限

创建role

# Namespace-scoped read-only role for the stjr-dev user (bound in namespace "stjr").
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stjr-dev
  namespace: stjr
rules:
  # "*" for both apiGroups and resources matches every resource type in the
  # namespace, including Secrets; get/list/watch on Secrets reveals their
  # contents, so "read-only" here still means reading credentials stored in
  # the namespace. Enumerate resources explicitly if that is not intended.
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch

创建绑定

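# Binds the "stjr-dev" Role to the user "stjr-dev" inside namespace "stjr".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stjr-dev
  namespace: stjr
subjects:
  # A User subject is not namespaced (the "namespace" field on a subject is
  # only meaningful for ServiceAccount subjects), so it is omitted here.
  # apiGroup is written out instead of relying on server-side defaulting.
  - kind: User
    name: stjr-dev
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # roleRef.apiGroup for a Role/ClusterRole is rbac.authorization.k8s.io;
  # an empty value only works because the API server defaults it.
  kind: Role
  name: stjr-dev
  apiGroup: rbac.authorization.k8s.io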

配置kubeconfig

# Assemble a standalone kubeconfig for the stjr-dev user. --embed-certs=true
# copies the CA certificate, the client certificate AND the client private key
# into the file, so the resulting file is a credential in its own right: give
# it only to its owner and keep it readable by that user alone (0600).
kubeconfig="stjr-dev-kubeconfig"
ca_cert="/etc/kubernetes/pki/ca.crt"

kubectl config set-cluster kubernetes \
  --server=https://10.0.2.100:16443 \
  --embed-certs=true \
  --certificate-authority="${ca_cert}" \
  --kubeconfig="${kubeconfig}"

# --certificate-authority looks like a global kubectl flag rather than a
# set-credentials option; the CA is already stored on the cluster entry above.
# It is kept here only so the command matches the one shown in the text.
kubectl config set-credentials stjr-dev \
  --certificate-authority="${ca_cert}" \
  --embed-certs=true \
  --client-key=stjr-dev.key \
  --client-certificate=stjr-dev.crt \
  --kubeconfig="${kubeconfig}"

# Default the context to namespace "stjr", where the Role/RoleBinding apply.
kubectl config set-context default \
  --user=stjr-dev \
  --cluster=kubernetes \
  --namespace stjr \
  --kubeconfig="${kubeconfig}"

kubectl config use-context default --kubeconfig="${kubeconfig}"

查看生成的完整 kubeconfig

# Complete kubeconfig produced by the kubectl config commands above.
# NOTE: client-key-data is the base64-encoded private key, so this file is a
# secret credential, not merely configuration — treat it like the .key file.
apiVersion: v1
clusters:
- cluster:
    # Embedded CA certificate (base64) used to verify the API server.
    certificate-authority-data: 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
    server: https://10.0.2.100:16443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    # Default namespace for this context; matches the Role/RoleBinding namespace.
    namespace: stjr
    user: stjr-dev
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: stjr-dev
  user:
    # Embedded client certificate (base64) — the CN inside it is the username.
    client-certificate-data: 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
    # Embedded client private key (base64). The value is shown wrapped onto a
    # second line here — presumably a rendering artifact; in the real file it
    # is a single line. Verify before copying.
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBN0FydzRkem0vOVI5WEdTZW54N3EzUDhRYmMzWFFtQ083UGFtWGt5a0U1TTFyZ1FaCnIzTDlVcE50YjdqUGNTeTlMUC9JVDJSTXpMT1hSTHkzdy9xVkk0Y3lMYWtuTld2TllSNHhjSE9KMTZtNEp2Tm0KZ3E4bHlrc2gzRktjenRmNGNPTkJnR2l0Yk1lSzdPWUZZUmZlRXhPRDNib1FmSDRtc1F3NzM1VzVianI5M216ZQpCZnljQjk2ekNxT0diSGJ2VHluMEp0aWd0N1JTZ3d5WTV1andobk4zb1NVV3V4dkFVSzJpNUlrZ2xBQWhlMDdBCks0T1kwVWx0bldQcDl0SmZ0QmM4dnBXVStDeSt1Umo1ekcrYTZPN2R3bjk1VTZINFhJWHJkZGpmelNSTFlFeHQKQXRwYlhtU1VnQVk4ZXVKRGVEenNMbmtOcVBJbmNGOGtMRmV5Z1FJREFRQUJBb0lCQVFEbEhzMnBnR0xlQytYUAp6SC9JVnh1RmZ6VDBVTzFWS2lNeVUwMDBsZEppaWU5K1JjNms1c3FNNER4SFNTNWJYaUVYVUFXaFF1dmxlNkltCi84U2xRRlNLRXc2YkVlblVTaHNtM1VjQ0w3U3FtYnorV2grMFZNMHE2dmtvUXl5Zy96VFNaMVhLamxGaEdPUjYKaGVETTJYMGdLVDVEK1B0TnpLcEVDMnNHNGZBSDFQQWtYTFUyV2pMVE9qcDlQVFpPODhVRjdQN2hsWnM3VDlMUQpKS1JxWHBuMjZCaE5TTTdkb0xPZ2tLWTRvK1lUQlg2TDAyMjY0Q0Q4UVlJVHVVamlZVnBnTm8vTmV6OHM3RVIwCk4rUjkwek1hWDljNzY3S2dlbENXV2R3TUxsNGladzk1azAxR1Iya2JQSjdGSFFtdVRuTlVLeG9IN1J2aXNmeGMKbmFIaDhTNUJBb0dCQVBZQkhiOEpWWE9yclhHNjQzMzZXSGdGNHRDR011WWo0cXJESWZhTFZQcVBmdFREeWJXcgpYSVYwYVZGRk84V3puV2xETjFRUXNrcEZuanQ5a0lZQ21FcThJVTVWWEJDakV1UVRGTXY5bG1WYVdaWE1UcXNrCjFBTWlyUDdLSXV2SU5CSWhPeWtVV2s1UlkxR3FNaS9wN2o4SWJZVVhMVUZzMEhvdmFIVmlDczE1QW9HQkFQV2kKTk1TcDBCK1Y3R2o5QTN3TWJVemdWN0lPMmpXUjBwN2VUamNMUzRIeTMvUjNUbjQzRThzcDFoM2owVjdLMll4VQpiaGp6aWJKVUMweno2WUZLdGM2aW5wb1ZaVzBySEZIRmFuT0taZDhsbUlXc2d2NWVOTFkzWE5VWXhlNmJqMGJqCno3WXNMQ1lTR3MxOWpNOHlGd3FlbGZqd3RSZUthanl1b3FmQjlETkpBb0dBT2k2UlpubENxSlRWOUt3SzJlUzMKdjh0RWxhVG5yTjZYNFdNOVNSNHkvditwTTVFS3g5aTdqU1MzTSsxMzhZNUZrSHZCUGpTa3RrUTQ1RUVTU1YrYgp2VEU1ZjFsWTZPWm90V0I5N3JFUFBQRmRkcnhYYnNyTENlTE5uNFVYTlVTb2JCRkgrTE5EbUhwUFR5VTlzVzlXClZib2NqUG1xVG1yNTg2djZ2S2h2ZmFFQ2dZQlZleUJ2L0VTZ2FWVS9hQ1dKU3UzU25oUUd0Q0orR0FRN0kxUUcKMWRodUhhNlFiZUNVRGVqR2dBV3ltekNtazJOSDhhM3E0djNkWUdBYVpKdXpVZU9aU0lCM1VORGVQKzE0QzRLegpPTXVnNzMxM3I0UmFyMEFhMVlOcDZWZ2daR1JsSUN5TjBpdC9DRGZwb1RLYWZHMEdWaEFNOVArZ2RKdnFDRUEwCnIwdWplUUtCZ0VGbXVyb3ZPOW0xUlZjZ
m04WnBhaUc5UHg1UFJ2MEh6NmlpVGVqejB3NTgramdGQnZlR3BneHAKN2QxNnBIZjBKcXBwZnJZUDZUaGJsOG9XU0M3WXFrNEp3RWRCL3ArOFFSVHhwMW5NNVdHTjdXblY1VnFEVVdvTAoralJmZUExS2R5MU5qbkQ3eWh4cjZsbUtCWVN0QUZHSEVGKzlYTzRXR3pSbTh3VllQUWxRCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

验证

# kubectl --kubeconfig=stjr-dev-kubeconfig get pod -n stjr
NAME                                   READY   STATUS    RESTARTS   AGE
autoins-857854cb95-fg8zd               1/1     Running   0          5d19h

[root@k8s-master-01.novalocal 12:11 ~/yaml/stjr-ceshi/kube-config]
# kubectl --kubeconfig=stjr-dev-kubeconfig get pod -n monitoring
Error from server (Forbidden): pods is forbidden: User "stjr-dev" cannot list resource "pods" in API group "" in the namespace "monitoring"