Adding a k8s user: the ServiceAccount approach


Add a user stjr-user-read-2 that has read-only access to all resources in the stjr namespace.

Configuration

  • Add the user

    ```yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: stjr-user-2
      name: stjr-user-read-2
      namespace: stjr
    ```

  • Add the role

    ```yaml
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: stjr-user-read-2
      namespace: stjr
    rules:
    # Read-only on every resource type in the namespace. "All resources"
    # includes Secrets, so this account can read every Secret in stjr.
    - apiGroups: ["*"]   # [""] alone would cover only the core group (no Deployments, Ingresses, ...)
      resources: ["*"]   # "" here would match no resource at all; "*" means every resource type
      verbs: ["get", "list", "watch"]
    ```

  • Add the role binding

    ```yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: stjr-user-read-2-RoleBind
      namespace: stjr
    subjects:
    - kind: ServiceAccount
      name: stjr-user-read-2
      namespace: stjr
    roleRef:
      kind: Role
      name: stjr-user-read-2
      apiGroup: rbac.authorization.k8s.io
    ```

Verification

1. Get the service account's token

[root@k8s-master-01.novalocal 12:14 ~/yaml/stjr-ceshi]
# kubectl get secret -n stjr
NAME                                                                       TYPE                                  DATA   AGE
ceph-kubernetes-dynamic-user-5ab847ce-5c35-11e9-9663-128f26a7c4e5-secret   Opaque                                1      103d
default-token-sxnq7                                                        kubernetes.io/service-account-token   3      194d
stjk-secret                                                                kubernetes.io/tls                     2      35d
stjr-secret                                                                kubernetes.io/tls                     2      36d
stjr-user-read-2-token-dxt7q                                               kubernetes.io/service-account-token   3      117d
stnts-secret                                                               kubernetes.io/tls                     2      104d

[root@k8s-master-01.novalocal 12:16 ~/yaml/stjr-ceshi]
# kubectl describe secret stjr-user-read-2-token-dxt7q  -n stjr
Name:         stjr-user-read-2-token-dxt7q
Namespace:    stjr
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: stjr-user-read-2
              kubernetes.io/service-account.uid: ea724276-51d5-11e9-bc20-fa163e93898e

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  4 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.=ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzdGpyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InN0anItdXNlci1yZWFkLTItdG9rZW4tZHh0N3EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic3Rqci11c2VyLXJlYWQtMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVhNzI0Mjc2LTUxZDUtMTFlOS1iYzIwLWZhMTYzZTkzODk4ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzdGpyOnN0anItdXNlci1yZWFkLTIifQ.q3vz3jWiM1OhQZNs5Qboo6q0aHvSpcve0xcVNCO0vypKa3ueKi7PszruBeW1bt01Kju2Qrjsj8GFJX7CtQ_-eRle5he6nhRogoXL6q-anc_DIEl7IlL-RBGINt1jgzHWwpdsh_L6pHYY-ex-16Fs3WY0zkStdc3S_GOaUgh5PR-OTSsTjqo55tDSsjiPTeolFUE_Phsj0HCxTu3_H5_nevbOQXpZ2U9hQDjxO75lW0Tr9_YjCZdLVWlkvBGTM4UDEqGBkKACc2VmOaX2AD1X8Ek_RpkQP9Bj-WZvakYb6_dp2gon0i3UQ-C_n_2NzhCmwXFl8qhZ0CtOMbm9eFDruQ

2. Log in to the Kubernetes dashboard with the token obtained above.
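Before handing out the token from step 1, it is worth confirming that it actually names the intended account; the following is an added example (not code from the original post) that reads the token from `kubectl get secret <name> -o json` output, where `.data` values are base64-encoded, decodes the JWT payload and compares the subject claim. `sample_secret_json` builds a constructed stand-in for real cluster output with a dummy signature, so signature verification (which needs the API server's signing key) is out of scope here.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: base64url without padding, so restore '=' first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_from_secret(secret_json: str) -> str:
    """Pull the bearer token out of `kubectl get secret <name> -o json` output.
    Values under .data are base64-encoded; `kubectl describe` shows them decoded."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account-token secret")
    return base64.b64decode(secret["data"]["token"]).decode()

def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature; this only
    answers 'which account does the token claim to be?' before it is handed out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("refusing token with alg=none")
    return json.loads(b64url_decode(parts[1]))

def token_matches(token: str, namespace: str, sa_name: str) -> bool:
    """True when subject and service-account claims name the expected account."""
    c = jwt_claims(token)
    return (c.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}"
            and c.get("kubernetes.io/serviceaccount/namespace") == namespace
            and c.get("kubernetes.io/serviceaccount/service-account.name") == sa_name)

def sample_secret_json(namespace: str, sa_name: str) -> str:
    """Constructed stand-in for real cluster output; the signature is a dummy."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": ""}
    payload = {"iss": "kubernetes/serviceaccount",
               "kubernetes.io/serviceaccount/namespace": namespace,
               "kubernetes.io/serviceaccount/service-account.name": sa_name,
               "sub": f"system:serviceaccount:{namespace}:{sa_name}"}
    token = f"{enc(header)}.{enc(payload)}.dummysig"
    return json.dumps({"type": "kubernetes.io/service-account-token",
                       "data": {"token": base64.b64encode(token.encode()).decode()}})

if __name__ == "__main__":
    tok = token_from_secret(sample_secret_json("stjr", "stjr-user-read-2"))
    print(token_matches(tok, "stjr", "stjr-user-read-2"))     # True
    print(token_matches(tok, "default", "stjr-user-read-2"))  # False
```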