We know that after a k8s cluster is set up, a default administrator user kubernetes-admin is created, and that user has all permissions. One day a developer or tester needs to log in to the k8s cluster to check the status of the business pods and so on. We can't possibly hand them the administrator account; that's unsafe, and what if, because of some executive..., they delete the database and run away?? So creating a read-only account is urgent.
kubectl config view: print the contents of the kubeconfig file.
kubectl config set-cluster: set the clusters section of the kubeconfig.
kubectl config set-credentials: set the users section of the kubeconfig.
kubectl config set-context: set the contexts section of the kubeconfig.
kubectl config use-context: set the current-context field of the kubeconfig.
cd /etc/kubernetes/pki/
umask 077;openssl genrsa -out jackhe.key 2048
openssl req -new -key jackhe.key -out jackhe.csr -subj "/CN=jackhe"
openssl x509 -req -in jackhe.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out jackhe.crt -days 3650
openssl x509 -in jackhe.crt -text -noout
kubectl config set-cluster mycluster --kubeconfig=/tmp/config --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server="https://192.168.10.129:6443"
--kubeconfig="": path where the config file is stored.
--certificate-authority="": set the certificate-authority path in the cluster entry of the kubeconfig file.
--embed-certs=false: set the embed-certs switch in the cluster entry of the kubeconfig file.
--server="": set the server in the cluster entry of the kubeconfig file.
kubectl config set-credentials jackhe --embed-certs=true --client-certificate=/etc/kubernetes/pki/jackhe.crt --client-key=/etc/kubernetes/pki/jackhe.key --kubeconfig=/tmp/config
--client-certificate="": set the path to the certificate file in the user entry of the kubeconfig file.
--client-key="": set the path to the certificate's private key in the user entry of the kubeconfig file.
--embed-certs=false: set the embed-certs switch in the user entry of the kubeconfig file.
kubectl config set-context jackhe@mycluster --cluster=mycluster --user=jackhe --kubeconfig=/tmp/config
jackhe@mycluster has to match the cluster name you just created!!!
kubectl config use-context jackhe@mycluster --kubeconfig=/tmp/config
kubectl config view --kubeconfig=/tmp/config
kubectl get pod --kubeconfig=/tmp/config
kubectl apply -f readonly.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/rollback
  - deployments/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
kubectl apply -f readonly.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jackhe
kubectl get pod --kubeconfig=/tmp/config
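To audit what the cluster-readonly role really grants before the kubeconfig is handed over, here is an added example (not code from the original post) that re-implements Kubernetes' RBAC rule matching offline over a hand-copied subset of the role's rules, and also handles the `*` and `*/subresource` wildcard forms the post's role does not use. It shows that `get` on secrets is granted, so this "read-only" user can read every secret in the cluster, while `get` on pods/exec does not permit exec (that requires `create`).

```python
# Added example, not from the original post: offline simulation of Kubernetes RBAC rule
# matching (simplified: resourceNames and nonResourceURLs are ignored).
CLUSTER_READONLY_RULES = [  # hand-copied subset of the post's cluster-readonly ClusterRole
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["configmaps", "secrets", "services", "services/proxy"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["events", "pods/log", "pods/status"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "deployments/scale", "statefulsets"]},
]


def rule_allows(rule, api_group, resource, verb):
    """Verb, apiGroup and resource must all match the rule. '*' matches anything;
    a '*/sub' entry matches that subresource of any resource."""
    if verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
        return False
    subresource = resource.partition("/")[2]  # "" when no subresource was requested
    for entry in rule["resources"]:
        if entry == "*" or entry == resource:
            return True
        if subresource and entry == "*/" + subresource:
            return True
    return False


def can_i(verb, resource, api_group="", rules=CLUSTER_READONLY_RULES):
    """RBAC is purely additive: a request is allowed if any rule of the role matches it."""
    return any(rule_allows(rule, api_group, resource, verb) for rule in rules)


def audit(rules=CLUSTER_READONLY_RULES):
    """The questions to answer before binding the role to a human user."""
    requests = {
        "delete pods": ("delete", "pods", ""),
        "create deployments": ("create", "deployments", "apps"),
        "create pods/exec": ("create", "pods/exec", ""),  # exec needs create; get alone is not enough
        "get secrets": ("get", "secrets", ""),            # "read-only" still reveals secret data
        "get pods/log": ("get", "pods/log", ""),
    }
    return {name: can_i(verb, res, group, rules) for name, (verb, res, group) in requests.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:20s} {'allowed' if allowed else 'denied'}")
```

On a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --as=jackhe`, which is worth running for secrets before this binding is applied.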
mkdir -p /home/jackhe/.kube
cp /tmp/config /home/jackhe/.kube/
chown -R jackhe.jackhe /home/jackhe/.kube/
Switch the OS user to jackhe and we can see it only has read-only permissions, and it can't switch context to kubernetes-admin@kubernetes either, because the config file contains no such information. Haha, still want to delete the database and run away!!!