Multi-user kubectl usage and RBAC authorization
This table of contents does not really need to be here:
- Creating a kubeconfig file for a self-hosted Kubernetes cluster
- Create user incubator
- Author a ServiceAccount spec
- Fetch the name of the secrets used by the serviceaccount
- Fetch the token from the secret
- Get the certificate info for the cluster
- Create a kubeconfig file
- Create RBAC.yaml
- The end
Creating a kubeconfig file for a self-hosted Kubernetes cluster
This tutorial explains how to create a kubeconfig file to authenticate to a self-hosted Kubernetes cluster.
Create user incubator
```sh
useradd incubator
cd /home/incubator
mkdir .kube
```
Author a ServiceAccount spec
sa-incubator.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-incubator   # any name you'd like
```
Run:
```sh
kubectl create -f sa-incubator.yaml
```
Fetch the name of the secrets used by the serviceaccount
```sh
kubectl describe sa sa-incubator
```
output
```
Name:                sa-incubator
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   sa-incubator-token-bstl2
Tokens:              sa-incubator-token-bstl2
Events:              <none>
```
Note down the Mountable secrets information, which has the name of the secret that holds the token.
Fetch the token from the secret
Using the Mountable secrets value, you can get the token used by the service account. Run the following command to extract this information.
```sh
kubectl describe secret sa-incubator-token-bstl2
```
output
```
Name:         sa-incubator-token-bstl2
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-incubator
              kubernetes.io/service-account.uid: c07ec304-b81b-11e9-bcf3-000c29974f23

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLWluY3ViYXRvci10b2tlbi1ic3RsMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYS1pbmN1YmF0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJjMDdlYzMwNC1iODFiLTExZTktYmNmMy0wMDBjMjk5NzRmMjMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzYS1pbmN1YmF0b3IifQ.IrZvA3HxH-FN76zyUUpcaDfedtnfSuTmsBTnE4s4SOY2dqG6bWrPHJcMbVbVg5NpF6tjO6WvdV3lKNoZyIeY_eJF3X1GLxeWIFbus543QbjtJWq5e9LUuPJ7gqjfjh0svphgMlbS-Jl-ZZD9S0Bvvj3nZ5St5BLIW9x25RUdKW6FkKj51lzz_TWTpP4uH_bJqdzyhONtm1i7GaDtYeQjtzX9h2imCbUgm6H7aPVaFc5qGm_u-lM5lxwyueo5N0wrZuDnI4IBlH7zXQm1eJjx22C2OJZTCxKMOZZM_YoVlMiq5n7zUqWxgx1dtu5r4L4tcMYeItWi9Mu9nOmEH0TqLA
ca.crt:     1025 bytes
```
This prints the token information, which looks something like the above. Note down the token value.
Get the certificate info for the cluster
Every cluster has a certificate that clients use to encrypt traffic to it. Fetch the certificate and write it to a file by running the commands below. In this case, we are using the file name cluster-cert.txt.
```sh
kubectl config view --flatten --minify > cluster-cert.txt
cat cluster-cert.txt
```
output
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <omitted>
    server: https://192.168.22.45:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
```
Copy two pieces of information from here: certificate-authority-data and server.
Create a kubeconfig file
From the steps above, you should have the following pieces of information:
- token
- certificate-authority-data
- server

Create a file called "config" and paste this content into it:
```yaml
apiVersion: v1
kind: Config
users:
- name: sa-incubator
  user:
    token: <replace this with token info>
clusters:
- cluster:
    certificate-authority-data: <replace this with certificate-authority-data info>
    server: <replace this with server info>
  name: self-hosted-cluster
contexts:
- context:
    cluster: self-hosted-cluster
    user: sa-incubator
  name: svcs-acct-context
current-context: svcs-acct-context
```
Replace the placeholders above with the information gathered so far:
- replace the token
- replace the certificate-authority-data
- replace the server
Create RBAC.yaml
The ServiceAccount lives in the default namespace, but the created user should only be allowed to access the pods of the kube-system namespace, so the RoleBinding is placed in kube-system and the YAML is written like this:
```yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: sa-incubator-rb
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io     # roleRef.apiGroup must be this group; "" is rejected
  kind: Role
  name: role-grantor
subjects:
- kind: ServiceAccount
  name: sa-incubator
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: role-grantor
rules:
- apiGroups: [""]
  resources: [pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [serviceaccounts]
  verbs: [impersonate]
- apiGroups: [""]
  resources: [pods, pods/attach, pods/exec, pods/portforward, pods/proxy]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [""]
  resources: [configmaps, endpoints, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [apps]
  resources: [daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [extensions]
  resources: [daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [policy]
  resources: [poddisruptionbudgets]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [networking.k8s.io]
  resources: [ingresses, networkpolicies]
  verbs: [create, delete, deletecollection, patch, update]
- apiGroups: [""]
  resources: [configmaps, endpoints, persistentvolumeclaims, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [namespaces]
  verbs: [get, list, watch]
- apiGroups: [apps]
  resources: [controllerrevisions, daemonsets, deployments, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale]
  verbs: [get, list, watch]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups: [extensions]
  resources: [daemonsets, deployments, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale]
  verbs: [get, list, watch]
- apiGroups: [policy]
  resources: [poddisruptionbudgets]
  verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
  resources: [ingresses, networkpolicies]
  verbs: [get, list, watch]
- apiGroups: [authorization.k8s.io]
  resources: [localsubjectaccessreviews]
  verbs: [create]
- apiGroups: [rbac.authorization.k8s.io]
  resources: [rolebindings, roles]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
```
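An added example, not part of the original post: a POSIX shell script that turns the manual steps above into functions. It renders the kubeconfig from the token, certificate-authority-data and server values, fetches those values with kubectl, and then uses `kubectl auth can-i` to confirm that the RoleBinding only grants access inside kube-system. The names sa-incubator, self-hosted-cluster and svcs-acct-context are the tutorial's; `fetch_sa_kubeconfig` and `check_scope` are helpers assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the kubeconfig from the three
# values collected above, fetch them with kubectl, and verify the RBAC scope.
# Assumed names: sa-incubator, self-hosted-cluster, svcs-acct-context.
set -eu

# make_kubeconfig TOKEN CA_DATA SERVER USER CLUSTER CONTEXT: kubeconfig YAML on stdout
make_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
users:
- name: $4
  user:
    token: $1
clusters:
- cluster:
    certificate-authority-data: $2
    server: $3
  name: $5
contexts:
- context:
    cluster: $5
    user: $4
  name: $6
current-context: $6
EOF
}

# fetch_sa_kubeconfig SA: read the token secret, CA data and server with kubectl
# (needs admin access). On Kubernetes 1.24+ no token secret is auto-created;
# use `kubectl create token "$sa"` (a time-limited token) for $token instead.
fetch_sa_kubeconfig() {
  sa="$1"
  secret="$(kubectl get sa "$sa" -o jsonpath='{.secrets[0].name}')"
  token="$(kubectl get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)"
  view='kubectl config view --minify --flatten --raw'
  ca="$($view -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
  server="$($view -o jsonpath='{.clusters[0].cluster.server}')"
  make_kubeconfig "$token" "$ca" "$server" "$sa" self-hosted-cluster svcs-acct-context
}

# check_scope KUBECONFIG: the RoleBinding lives in kube-system only, so listing pods
# must be allowed there and denied in default; returns non-zero if either differs.
check_scope() {
  kubectl --kubeconfig "$1" auth can-i list pods -n kube-system | grep -qx yes
  ! kubectl --kubeconfig "$1" auth can-i list pods -n default | grep -qx yes
}
```

Typical use is `fetch_sa_kubeconfig sa-incubator > /home/incubator/.kube/config` followed by `check_scope /home/incubator/.kube/config` after applying the RBAC YAML.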
The end
There are still many unclear places; if you have any questions, please contact me on WeChat.