Objective:
Grant the user myuser1 permission to operate only on resources in the zabbix namespace.
Create the zabbix namespace
[root@k8s-master ~]# kubectl create ns zabbix
namespace/zabbix created
Create a directory for the resource manifests
[root@k8s-master ~]# mkdir /zabbix && cd /zabbix/
Write the manifest for the zabbix-web-nginx Deployment
[root@k8s-master zabbix]# vi deploy-zabbix.yaml
Create the resources
[root@k8s-master zabbix]# kubectl apply -f deploy-zabbix.yaml
deployment.apps/zabbix-web-nginx created
List the resources in the zabbix namespace
[root@k8s-master zabbix]# kubectl get pods -n zabbix
NAME READY STATUS RESTARTS AGE
zabbix-web-nginx-d96d7d955-f5rnx 1/1 Running 0 2m58s
zabbix-web-nginx-d96d7d955-wzkr2 1/1 Running 0 2m58s
Create a Linux user and set a password. Kubernetes itself has no user objects: the API server will identify myuser1 by the CN of the client certificate issued below, and this local account exists only so that the person can log in to the master and hold a kubeconfig there.
[root@k8s-master ~]# useradd myuser1
[root@k8s-master ~]# passwd myuser1
Changing password for user myuser1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Create a client certificate for the new user. The certificate is signed directly with the cluster CA key (/etc/kubernetes/pki/ca.key), so this step needs root on the control plane. Note that the API server does not check certificate revocation: once issued, a certificate stays valid until it expires, and the only way to cut off its holder is to delete the RoleBindings that reference the user (or rotate the CA). Keep -days as short as the use case allows.
[root@k8s-master ~]# cd /opt
[root@k8s-master opt]# mkdir mytest && cd mytest/
Generate the private key
[root@k8s-master mytest]# openssl genrsa -out myuser1.key 2048
Output:
Generating RSA private key, 2048 bit long modulus
......................................
.....................................................................
e is 65537 (0x10001)
[root@k8s-master mytest]# openssl req -new -key myuser1.key -out myuser1.csr -subj "/CN=myuser1"
[root@k8s-master mytest]# openssl x509 -req -in myuser1.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out myuser1.crt -days 365
Output:
Signature ok
subject=/CN=myuser1
Getting CA Private Key
[root@k8s-master mytest]# openssl x509 -in myuser1.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e8:c5:4e:60:38:77:24:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Dec 17 02:01:10 2020 GMT
Not After : Dec 17 02:01:10 2021 GMT
Subject: CN=myuser1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:98:c2:d5:68:49:45:be:ad:1a:4a:21:93:89:8c:
51:52:56:5c:69:8f:8c:15:09:45:51:c3:ed:d1:4b:
84:f4:6b:70:f8:28:3f:12:31:40:b4:95:97:23:8d:
a6:b3:3d:e8:5a:b3:88:9d:aa:c4:af:f0:2c:cd:02:
51:4c:3b:a6:cf:83:76:5e:00:d6:d9:80:55:1f:db:
b7:5a:f4:b2:85:2f:2d:be:00:e8:cd:33:20:ed:75:
2d:b1:e3:8d:5a:e8:a0:28:c7:c3:f7:a9:6a:f5:76:
8a:27:9a:ec:aa:9e:7e:be:21:4b:62:ce:83:aa:35:
cf:a6:69:07:e5:4e:81:26:3a:ad:ae:69:7e:f9:57:
67:5b:c8:a8:43:cb:64:89:b4:1c:7f:f4:82:2c:6f:
71:53:17:20:b7:c8:09:ed:81:94:a5:62:4a:df:17:
47:69:ed:1f:2a:04:d4:cf:34:79:65:f9:7e:6f:5b:
29:88:60:1d:a2:d0:42:bc:a6:75:d0:6d:d3:60:df:
0d:21:37:d7:b1:dc:34:71:0b:a7:70:98:2f:fb:27:
fd:02:95:7e:0a:55:26:11:e9:89:04:8d:a9:b1:fb:
35:30:13:1c:20:8c:29:38:a7:a4:b2:4f:58:03:93:
49:bd:75:30:21:01:9d:0d:da:29:e3:de:67:53:b7:
35:a5
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
05:f1:59:51:46:96:7c:ec:8f:f6:e0:cf:4c:3c:ce:6c:7b:4b:
ec:bb:2b:77:30:79:79:8c:ee:c3:90:bd:c6:d3:bb:d9:ec:b8:
8f:9a:7d:29:d8:e1:85:37:57:ca:48:68:1d:ff:30:b9:44:76:
18:6c:b1:dd:36:7d:07:18:db:4e:c3:2a:99:fc:2a:8b:ae:88:
2f:fc:e3:55:9f:e7:89:c9:7c:f1:44:f2:d9:18:d4:4c:3a:c0:
71:29:17:c5:b1:2b:d2:62:83:7c:b1:f7:a7:2a:a8:f7:83:58:
83:f2:b3:a8:37:40:96:47:7b:06:b0:7e:37:cc:08:17:7b:fb:
d8:1c:4a:7d:69:75:dd:ac:b7:ed:c3:51:e8:03:62:22:93:c9:
1e:50:9e:4e:fd:f7:24:af:b6:fe:a2:10:64:c6:a1:3f:62:93:
83:7b:d7:f8:31:c8:22:a1:5a:88:78:1e:67:53:a7:6c:1d:b7:
0f:a3:7b:67:cd:ce:a4:0c:1e:6a:9c:3c:55:71:cd:20:67:fd:
24:95:34:f6:71:66:25:68:dc:6d:2a:68:e0:dd:b2:c4:54:4e:
4f:62:f9:7d:e7:3c:fa:03:32:db:55:05:bf:ca:86:b4:c7:90:
c2:fe:27:ca:25:a8:7e:80:a5:6e:c3:a8:32:7b:14:36:45:b1:
42:81:d2:6e
Add the user and a context to the kubeconfig. Run as root, these commands edit /root/.kube/config, the admin kubeconfig generated by kubeadm, and --embed-certs=true copies the certificate and key into that file instead of referencing the paths.
[root@k8s-master mytest]# kubectl config set-credentials myuser1 --client-certificate=/opt/mytest/myuser1.crt --client-key=/opt/mytest/myuser1.key --embed-certs=true
Output:
User "myuser1" set.
[root@k8s-master mytest]# kubectl config set-context myuser1@kubernetes --cluster=kubernetes --user=myuser1
Output:
Context "myuser1@kubernetes" created.
[root@k8s-master mytest]# kubectl config use-context myuser1@kubernetes
Output:
Switched to context "myuser1@kubernetes".
At this point myuser1 authenticates successfully but holds no permissions, so every request is answered with Forbidden until the Role and RoleBinding below exist.
Granting permissions
Switch back to the admin identity
[root@k8s-master mytest]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
Create the Role (role.yaml). A Role is namespaced, so these rules apply only inside zabbix. Be aware of what this particular rule set hands out: create on pods/exec is what authorizes kubectl exec (the client POSTs to the exec subresource), so myuser1 can run commands inside any pod in the namespace, and create on pods lets them schedule new pods there, including ones that mount hostPath volumes or run privileged, unless Pod Security admission or another admission controller restricts the namespace.
[root@k8s-master mytest]# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: zabbix   # namespace the Role applies to
  name: myrole1       # Role name
rules:
- apiGroups: [""]
  resources: ["pods","pods/exec"]   # pods, plus the exec subresource (kubectl exec)
  verbs: ["get","watch","list","create","update","patch","delete"]   # full control of pods
- apiGroups: [""]
  resources: ["services"]   # services
  verbs: ["get","watch","list"]   # read-only on services
Create the RoleBinding (rolebinding.yaml). The subject is a User whose name must match the certificate CN exactly; a RoleBinding in zabbix that references a Role grants nothing outside that namespace.
[root@k8s-master mytest]# cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-rolebinding1
  namespace: zabbix
subjects:
- kind: User
  name: myuser1   # must match the CN in myuser1.crt
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole1
  apiGroup: rbac.authorization.k8s.io
Create the Role
[root@k8s-master mytest]# kubectl create -f role.yaml
role.rbac.authorization.k8s.io/myrole1 created
Create the RoleBinding
[root@k8s-master mytest]# kubectl create -f rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/my-rolebinding1 created
Switch to the user's context and verify
[root@manager mytest]# kubectl config use-context myuser1@kubernetes
Output:
Switched to context "myuser1@kubernetes".
Now kubectl get pods -n zabbix and kubectl get svc -n zabbix succeed as myuser1, while the same commands against any other namespace are still Forbidden.
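Switching contexts back and forth only spot-checks two commands. A more complete check, as an added example that is not part of the original post, is to stay in the kubernetes-admin context and ask the API server what myuser1 may do with kubectl auth can-i --as (impersonation needs the impersonate verb, which cluster-admin has). The expectation table below is derived from myrole1 as written above; the names myuser1 and zabbix are the ones from the post, and the KUBECTL variable is an assumption added so the logic can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare the effective RBAC of a
# user, as reported by `kubectl auth can-i --as`, with what myrole1 is meant
# to grant. Run from the kubernetes-admin context. KUBECTL can be pointed at a
# wrapper or a shell function for offline testing.
KUBECTL="${KUBECTL:-kubectl}"

# can_i VERB RESOURCE NAMESPACE USER -> echoes "yes" or "no".
# kubectl prints the answer and exits 1 on "no", so its exit status is ignored.
can_i() {
  local ans
  ans=$("$KUBECTL" auth can-i "$1" "$2" -n "$3" --as "$4" 2>/dev/null) || true
  echo "${ans:-no}"
}

# rbac_expect USER NAMESPACE -> prints one line per check and returns the
# number of checks whose answer differed from the expectation.
# Table columns: verb resource namespace expected. "yes" rows are exactly what
# myrole1 grants in the target namespace; "no" rows probe the boundaries
# (write on services, other namespaces, other API groups, other resources).
rbac_expect() {
  local user="$1" ns="$2" failures=0 verb res where want got
  while read -r verb res where want; do
    [ -z "$verb" ] && continue
    got=$(can_i "$verb" "$res" "$where" "$user")
    if [ "$got" = "$want" ]; then
      printf 'ok    %-6s %-11s in %-8s -> %s\n' "$verb" "$res" "$where" "$got"
    else
      printf 'FAIL  %-6s %-11s in %-8s -> %s (expected %s)\n' "$verb" "$res" "$where" "$got" "$want"
      failures=$((failures + 1))
    fi
  done <<EOF
get    pods        $ns      yes
delete pods        $ns      yes
create pods/exec   $ns      yes
list   services    $ns      yes
delete services    $ns      no
list   pods        default  no
list   deployments $ns      no
create secrets     $ns      no
EOF
  return "$failures"
}

# Usage against a real cluster:  ./rbac_check.sh --run myuser1 zabbix
if [ "${1:-}" = "--run" ]; then
  rbac_expect "${2:-myuser1}" "${3:-zabbix}"
fi
```

The script exits non-zero when any row disagrees, so it can run after every RBAC change. The create pods/exec row is the one people usually get wrong: kubectl exec is a POST to the exec subresource, so it is the create verb, not get, that decides whether exec works.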
Sharing cluster access with a kubeconfig
Log in as myuser1
ssh myuser1@<your-k8s-master>
As myuser1, create a .kube directory in the home directory to hold the kubeconfig
[myuser1@k8s-master ~]$ mkdir .kube/
As root, copy the kubeconfig into the new user's home directory
[root@k8s-master mytest]# cp /root/.kube/config /home/myuser1/.kube/
This works, but it is the wrong file to share. /root/.kube/config is the kubeadm admin kubeconfig: besides the myuser1 entry added above, it still embeds the kubernetes-admin client certificate and key, an identity bound to cluster-admin. Once the file is readable by myuser1, a single kubectl config use-context kubernetes-admin@kubernetes makes the Role above irrelevant. Hand out a kubeconfig that contains only the CA certificate and myuser1's own certificate and key (for example by building it with kubectl config --kubeconfig=/home/myuser1/.kube/config set-cluster, set-credentials and set-context), and confirm with kubectl --kubeconfig=/home/myuser1/.kube/config config view -o jsonpath='{.users[*].name}' that myuser1 is the only user listed.
As root, make the file owned by the new user
[root@k8s-master mytest]# chown myuser1:myuser1 /home/myuser1/.kube/config
Listing pods in the default namespace is forbidden, as intended
[myuser1@k8s-master ~]$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "myuser1" cannot list resource "pods" in API group "" in the namespace "default"
Listing pods in the zabbix namespace we granted works
[myuser1@k8s-master ~]$ kubectl get pods -n zabbix
NAME READY STATUS RESTARTS AGE
zabbix-web-nginx-d96d7d955-f5rnx 1/1 Running 0 125m
zabbix-web-nginx-d96d7d955-wzkr2 1/1 Running 0 125m
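The cp step in the sharing section hands myuser1 the admin credentials along with their own. The script below is an added example, not part of the original post, that writes a kubeconfig holding only the cluster CA and myuser1's certificate and key, so /root/.kube/config never leaves root's home. The cluster name kubernetes and the file paths are the ones used on the page; the API server URL is a placeholder to be read from the admin kubeconfig (kubectl config view -o jsonpath='{.clusters[0].cluster.server}'), and setting the context namespace to zabbix is an added convenience so that plain kubectl get pods lands in the one namespace the user can see.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): mint a least-privilege kubeconfig
# for one client-certificate user, then list the identities it embeds so the
# file can be checked before it is handed out.

# b64 FILE -> base64 of FILE on one line (kubeconfig *-data fields take no line breaks)
b64() { base64 < "$1" | tr -d '\n'; }

# make_kubeconfig SERVER CA_CRT USER USER_CRT USER_KEY OUT
# Writes a self-contained kubeconfig with exactly one cluster, user and context.
make_kubeconfig() {
  local server="$1" ca="$2" user="$3" crt="$4" key="$5" out="$6"
  local cluster=kubernetes   # cluster name used by kubeadm and by the page
  (
    umask 077   # the file carries a private key: owner-readable only (0600)
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: $user@$cluster
  context:
    cluster: $cluster
    user: $user
    namespace: zabbix
current-context: $user@$cluster
EOF
  )
}

# kubeconfig_users FILE -> prints the user names embedded in FILE, one per line.
# Anything other than the intended user here (e.g. kubernetes-admin) means the
# file must not be shared.
kubeconfig_users() {
  sed -n '/^users:/,/^[a-z]/p' "$1" | sed -n 's/^- name: //p'
}

# Usage on the master, as root (server URL is a placeholder):
#   ./mint_kubeconfig.sh --run https://<k8s-master>:6443 /etc/kubernetes/pki/ca.crt \
#       myuser1 /opt/mytest/myuser1.crt /opt/mytest/myuser1.key /home/myuser1/.kube/config
#   chown myuser1:myuser1 /home/myuser1/.kube/config
if [ "${1:-}" = "--run" ]; then
  shift
  make_kubeconfig "$@"
  echo "users embedded in $6:"
  kubeconfig_users "$6"
fi
```

After writing the file, kubectl --kubeconfig=/home/myuser1/.kube/config get pods should list the zabbix pods and kubectl --kubeconfig=/home/myuser1/.kube/config config get-contexts should show only myuser1@kubernetes; there is no admin context left to switch to.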