Background

Kubernetes supports multiple users. This page walks through creating a user named john who can log in to the cluster and use its resources. When kubectl connects to the cluster it can authenticate with a client certificate, so a separate certificate is issued for each user.

Official documentation

https://kubernetes.io/zh/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process

Certificate workflow

Generate a CSR (certificate signing request) locally, hand it to Kubernetes to approve and sign, and finally put the issued certificate into the kubectl config file.

  1. Write a JSON file describing the subject: the CN, the key algorithm and size, and (for a server certificate only) its hostnames or IPs
  2. Run cfssl to generate the private key and the certificate request file (.csr)
  3. Base64-encode the .csr and create a CertificateSigningRequest object in the cluster from it
  4. Have a cluster administrator approve the CSR object; the signer then issues the certificate
  5. Copy the issued certificate (.crt) out of the object's status.certificate
  6. The .crt together with the private key (-key.pem) is the credential: for a user it is the kubectl client credential, for a server it is the HTTPS server configuration

Procedure

Generate the private key

Create the certificate request file john-csr.json:

```json
{
  "CN": "john",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ZheJiang",
      "L": "HangZhou"
    }
  ]
}
```

  1. Do not include a ca section; cfssl rejects it with "ca section only permitted in initca"
  2. The CN (Common Name) becomes the Kubernetes user name; it identifies the client user
  3. No hosts section is given. hosts fills the certificate's Subject Alternative Names, which only matter for server certificates; a client certificate does not need them, and an empty list simply means no SANs (it does not mean "all hosts")
  4. O (Organization) becomes the group the user belongs to, one group per O value; it may be left out, as here. Note that CN and O are chosen by whoever writes the request, so the approver must check them before approving. Requesting O=system:masters is blocked for this signer by the CertificateSubjectRestriction admission plugin, which is enabled by default

Generate the certificate request file and the private key with cfssl:

```bash
[root@cka-master pki]# ./cfssl genkey john-csr.json | ./cfssljson -bare john
2022/03/15 02:06:27 [INFO] generate received request
2022/03/15 02:06:27 [INFO] received CSR
2022/03/15 02:06:27 [INFO] generating key: rsa-2048
2022/03/15 02:06:28 [INFO] encoded CSR
[root@cka-master role]# ls
cfssl cfssljson john.csr john-csr.json john-key.pem
```

john-key.pem is the private key and never leaves this machine; only john.csr is sent to the cluster. Keep the key file readable by its owner only.

Base64-encode the certificate request file john.csr. The encoded value has to be a single line, which is why the newlines that base64 inserts are stripped:

```bash
[root@cka-master role]# cat john.csr | base64 | tr -d '\n'
<base64-encoded john.csr, omitted>
[root@cka-master role]#
```

A CertificateSigningRequest object does not accept the raw PEM file; spec.request must be the base64 encoding of it.

Request signing

Create the file john-csr.yaml:

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  request: <base64-encoded john.csr, on one line>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 8640000
  usages:
  - client auth
```

spec.request is the base64 encoding of john.csr. signerName is kubernetes.io/kube-apiserver-client, the built-in signer for certificates that clients present to the API server; usages must include client auth for this signer. expirationSeconds is the requested validity (8640000 s = 100 days). It is a request, not a guarantee: the signer may issue a shorter-lived certificate, and kube-controller-manager caps it with its --cluster-signing-duration flag, so read NotAfter from the issued certificate rather than assuming 100 days. The object name (john) is just the name of the CSR object; the user's identity comes only from the CN and O inside the request.

Apply the certificate signing request

```bash
[root@cka-master role]# kubectl apply -f john-csr.yaml
certificatesigningrequest.certificates.k8s.io/john created
```

View the certificate signing request

```bash
[root@cka-master role]# kubectl get csr
NAME   AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
john   10s   kubernetes.io/kube-apiserver-client   kubernetes-admin   100d                Pending
```

The CSR is in the Pending state; a cluster administrator has to approve it before it becomes Approved.
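Before approving, the administrator should look at what is actually inside spec.request: the CN (user name) and O values (groups) were chosen by whoever generated the CSR, and once the certificate is issued they become that client's identity. The following is an added example, not part of the original page, of such a pre-approval check in Python with no third-party dependencies. It base64-decodes spec.request, walks the DER of the PKCS#10 request just far enough to read the subject, and applies a policy: the CN must equal the intended user and no O may be system:masters. SAMPLE_REQUEST_B64 is the spec.request value for john exactly as shown later on this page; make_test_request is a constructed, unsigned CSR-shaped fixture that exists only to exercise the reject path.

```python
import base64

# DER contents of the two subject attribute OIDs that Kubernetes maps to identity
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName       -> user name
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName -> group (one O per group)

# spec.request of the CSR object created for john on this page (base64 of the PEM CSR)
SAMPLE_REQUEST_B64 = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2h6Q0NBVzhDQVFBd1FqRUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0Zwb1pVcHBZVzVuTVJFdwpEd1lEVlFRSEV3aElZVzVuV21odmRURU5NQXNHQTFVRUF4TUVhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU9HaHY3eUV3UDFidlR6ZnAxL3BZYzlXTXVMVzdwUkNibVpmbExIOS9nNjgKa05vWUxsejhCK1h5enhWTUh0aHpZL2poUXNKcWEzbnlEVXNXVk9COHZhR1BZa2tQektlb0tibm4wR3BSWUVGaQpCNk9FZ0N2VERHeENpaERmdWNVNHVQR2tmNWpUc1FGTVRCaGs3eGpEREZXOGNvRjF2UTI2b0o0bVJBcWROUFJECkJXZVJGbWNMWnMrMllMNUZ4dCtrSjlKalA4amNnUXgxWCtTZGc3T2RCWjE5RU9oMWRPLzY3eGpxMUtTTVNRL3cKTVBlb3FPQURMZ2UxOGdIU2Y5ZERIL1RQcjM2VkJqcFpvMytJb3NqQ2FsV2owMi9EUXMyR0RXZ3hxb0M1blZBWAppcFRJRVBacmJ2UlcvOUc2ZFRFOWR2NGo2ejdiNXVVTnA3NjBnL3JvUUtzQ0F3RUFBYUFBTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQkFRQ3BLQ3h2RkdpWGs0U3VvOXFnWUc1ZXl5ZnM0QUp5NDRhdTd1UGcrT2srdzdvWE42a0EKeUFZclBrSjErdWxleEhnNEYyaU9IU0NJR2pwL1dxU2NYL09vbFRIUnRSMGZZeVFpUnNPRGhGYldBbCtRU1lMSwp2emlvZm05YXFvTnRkTkRHak9HRVZBd2FwVzY3YTJ0Z1dvQjZMOWdITWgxOGl5K29XU3AzMjBsZDdYNys5N2c3CmNPSFlvYjRYYmptTzFNTGEvVkc2UkRCd0J6M1VBRVl2cnhqSjZCMkp1Vk1FL1dmemZxempOWmd3NmJYcnZ4aXoKVDhrYlpDL1JONVl6STlFV2dtckt4SDhKWERwellVaWsxaVhKOUJQZklOZ29OeFJuUC8vU0d2QTVJS3dlY1JTaQpYN083cU1yYnYxaGdINUJ0aHdPbnI3Z2lzZnJEQ0lxYy9SMUIKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg=="


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out


def csr_subject(request_b64):
    """Return {'CN': [...], 'O': [...]} from the value of a CSR object's spec.request."""
    pem = base64.b64decode(request_b64).decode("ascii")
    if "-----BEGIN CERTIFICATE REQUEST-----" not in pem:
        raise ValueError("spec.request is not a PEM CERTIFICATE REQUEST")
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    tag, csr, _ = _tlv(der, 0)                   # CertificationRequest ::= SEQUENCE
    info_tag, info, _ = _tlv(csr, 0)             # certificationRequestInfo ::= SEQUENCE (first child)
    if tag != 0x30 or info_tag != 0x30:
        raise ValueError("not a PKCS#10 CertificationRequest")
    _, _version, pos = _tlv(info, 0)             # version INTEGER
    subj_tag, subject, _ = _tlv(info, pos)       # subject Name ::= SEQUENCE OF RelativeDistinguishedName
    if subj_tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    names = {"CN": [], "O": []}
    for _, rdn in _children(subject):            # each RDN is a SET of AttributeTypeAndValue
        for _, atv in _children(rdn):            # AttributeTypeAndValue ::= SEQUENCE { type OID, value }
            (_, oid), (_, value) = _children(atv)
            if oid == OID_CN:
                names["CN"].append(value.decode("utf-8"))
            elif oid == OID_O:
                names["O"].append(value.decode("utf-8"))
    return names


def approval_check(request_b64, expected_user, forbidden_groups=("system:masters",)):
    """Policy to run before `kubectl certificate approve`: (True, 'ok') or (False, reason)."""
    subject = csr_subject(request_b64)
    if subject["CN"] != [expected_user]:
        return False, "CN %r does not match the intended user %r" % (subject["CN"], expected_user)
    bad = [g for g in subject["O"] if g in forbidden_groups]
    if bad:
        return False, "request asks for forbidden group(s) %r" % bad
    return True, "ok"


def _der(tag, payload):
    """Minimal definite-length DER encoder, used only for the fixture below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_test_request(cn, orgs=()):
    """Constructed fixture: a CSR-shaped DER (version, subject, empty SPKI and attributes,
    empty signature) wrapped in PEM and base64 the way spec.request is. Unsigned, not a real CSR."""
    def atv(oid, text):
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode("utf-8"))))
    subject = _der(0x30, atv(OID_CN, cn) + b"".join(atv(OID_O, o) for o in orgs))
    info = _der(0x30, _der(0x02, b"\x00") + subject + _der(0x30, b"") + _der(0xA0, b""))
    csr = _der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))
    pem = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode("ascii")
           + "-----END CERTIFICATE REQUEST-----\n")
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print(csr_subject(SAMPLE_REQUEST_B64))                                        # {'CN': ['john'], 'O': []}
    print(approval_check(SAMPLE_REQUEST_B64, "john"))                             # (True, 'ok')
    print(approval_check(make_test_request("john", ["system:masters"]), "john"))  # rejected
```

Against a live object, feed the output of kubectl get csr john -o jsonpath='{.spec.request}' to csr_subject. The check reads only the subject: it does not verify the request's self-signature, and a matching CN says nothing about who holds the private key, so it complements rather than replaces knowing where the CSR came from.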

Approve the certificate signing request

```bash
[root@cka-master role]# kubectl certificate approve john
certificatesigningrequest.certificates.k8s.io/john approved
[root@cka-master role]# kubectl get csr
NAME   AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
john   34s   kubernetes.io/kube-apiserver-client   kubernetes-admin   100d                Approved,Issued
```

Inspect the signed request

View the CSR object with kubectl now that the certificate has been issued:

```bash
[root@cka-master role]# kubectl get csr john -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"john"},"spec":{"expirationSeconds":8640000,"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2h6Q0NBVzhDQVFBd1FqRUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0Zwb1pVcHBZVzVuTVJFdwpEd1lEVlFRSEV3aElZVzVuV21odmRURU5NQXNHQTFVRUF4TUVhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU9HaHY3eUV3UDFidlR6ZnAxL3BZYzlXTXVMVzdwUkNibVpmbExIOS9nNjgKa05vWUxsejhCK1h5enhWTUh0aHpZL2poUXNKcWEzbnlEVXNXVk9COHZhR1BZa2tQektlb0tibm4wR3BSWUVGaQpCNk9FZ0N2VERHeENpaERmdWNVNHVQR2tmNWpUc1FGTVRCaGs3eGpEREZXOGNvRjF2UTI2b0o0bVJBcWROUFJECkJXZVJGbWNMWnMrMllMNUZ4dCtrSjlKalA4amNnUXgxWCtTZGc3T2RCWjE5RU9oMWRPLzY3eGpxMUtTTVNRL3cKTVBlb3FPQURMZ2UxOGdIU2Y5ZERIL1RQcjM2VkJqcFpvMytJb3NqQ2FsV2owMi9EUXMyR0RXZ3hxb0M1blZBWAppcFRJRVBacmJ2UlcvOUc2ZFRFOWR2NGo2ejdiNXVVTnA3NjBnL3JvUUtzQ0F3RUFBYUFBTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQkFRQ3BLQ3h2RkdpWGs0U3VvOXFnWUc1ZXl5ZnM0QUp5NDRhdTd1UGcrT2srdzdvWE42a0EKeUFZclBrSjErdWxleEhnNEYyaU9IU0NJR2pwL1dxU2NYL09vbFRIUnRSMGZZeVFpUnNPRGhGYldBbCtRU1lMSwp2emlvZm05YXFvTnRkTkRHak9HRVZBd2FwVzY3YTJ0Z1dvQjZMOWdITWgxOGl5K29XU3AzMjBsZDdYNys5N2c3CmNPSFlvYjRYYmptTzFNTGEvVkc2UkRCd0J6M1VBRVl2cnhqSjZCMkp1Vk1FL1dmemZxempOWmd3NmJYcnZ4aXoKVDhrYlpDL1JONVl6STlFV2dtckt4SDhKWERwellVaWsxaVhKOUJQZklOZ29OeFJuUC8vU0d2QTVJS3dlY1JTaQpYN083cU1yYnYxaGdINUJ0aHdPbnI3Z2lzZnJEQ0lxYy9SMUIKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2022-03-14T18:24:43Z"
  name: john
  resourceVersion: "136286"
  uid: fc25048e-25a1-417e-b4f4-d5845d14b9c9
spec:
  expirationSeconds: 8640000
  groups:
  - system:masters
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2h6Q0NBVzhDQVFBd1FqRUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0Zwb1pVcHBZVzVuTVJFdwpEd1lEVlFRSEV3aElZVzVuV21odmRURU5NQXNHQTFVRUF4TUVhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU9HaHY3eUV3UDFidlR6ZnAxL3BZYzlXTXVMVzdwUkNibVpmbExIOS9nNjgKa05vWUxsejhCK1h5enhWTUh0aHpZL2poUXNKcWEzbnlEVXNXVk9COHZhR1BZa2tQektlb0tibm4wR3BSWUVGaQpCNk9FZ0N2VERHeENpaERmdWNVNHVQR2tmNWpUc1FGTVRCaGs3eGpEREZXOGNvRjF2UTI2b0o0bVJBcWROUFJECkJXZVJGbWNMWnMrMllMNUZ4dCtrSjlKalA4amNnUXgxWCtTZGc3T2RCWjE5RU9oMWRPLzY3eGpxMUtTTVNRL3cKTVBlb3FPQURMZ2UxOGdIU2Y5ZERIL1RQcjM2VkJqcFpvMytJb3NqQ2FsV2owMi9EUXMyR0RXZ3hxb0M1blZBWAppcFRJRVBacmJ2UlcvOUc2ZFRFOWR2NGo2ejdiNXVVTnA3NjBnL3JvUUtzQ0F3RUFBYUFBTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQkFRQ3BLQ3h2RkdpWGs0U3VvOXFnWUc1ZXl5ZnM0QUp5NDRhdTd1UGcrT2srdzdvWE42a0EKeUFZclBrSjErdWxleEhnNEYyaU9IU0NJR2pwL1dxU2NYL09vbFRIUnRSMGZZeVFpUnNPRGhGYldBbCtRU1lMSwp2emlvZm05YXFvTnRkTkRHak9HRVZBd2FwVzY3YTJ0Z1dvQjZMOWdITWgxOGl5K29XU3AzMjBsZDdYNys5N2c3CmNPSFlvYjRYYmptTzFNTGEvVkc2UkRCd0J6M1VBRVl2cnhqSjZCMkp1Vk1FL1dmemZxempOWmd3NmJYcnZ4aXoKVDhrYlpDL1JONVl6STlFV2dtckt4SDhKWERwellVaWsxaVhKOUJQZklOZ29OeFJuUC8vU0d2QTVJS3dlY1JTaQpYN083cU1yYnYxaGdINUJ0aHdPbnI3Z2lzZnJEQ0lxYy9SMUIKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: <base64-encoded issued certificate, omitted>
  conditions:
  - lastTransitionTime: "2022-03-14T18:25:14Z"
    lastUpdateTime: "2022-03-14T18:25:14Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved
[root@cka-master role]#
```

status.certificate holds the base64 of the signed certificate. Note that spec.username and spec.groups (kubernetes-admin, system:masters) are filled in by the API server with the identity that submitted the CSR object, not with john's identity; john's user name and groups come only from the CN and O inside spec.request.

Export the signed certificate

[root@cka-master role]# kubectl get csr john -o jsonpath='{.status.certificate}'| base64 -d > john.crt
[root@cka-master role]# ls
cfssl  cfssljson  john.crt  john.csr  john-csr.json  john-csr.yaml  john-key.pem

john.crt is the client certificate that authenticates user john. Kubernetes has no certificate revocation mechanism: if john.crt and john-key.pem leak, the API server will keep accepting them until the certificate expires, which is the reason to keep the requested lifetime short.

Write the credentials

View the current context

[root@cka-master pki]# kubectl config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   nsrole

Write the credential entry

[root@cka-master pki]# kubectl config set-credentials john --client-key=john-key.pem  --client-certificate=john.crt --embed-certs=true
User "john" set.
[root@cka-master pki]# cat ~/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ETXhNekUxTWpNME5Wb1hEVE15TURNeE1ERTFNak0wTlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBUEJnCmlMZXVkdzk1eEFQak1VKzlZdVNsNkhGUmxUeEdJMGZpbG9raU9XYWI3Y1ltK1lWdGtsZ09oY25KSWdVZ3cvQk8KSUF1QTBlSk9pRThFYmNYVDFiZlpLNHNjVUVJTE5CK0ZvbDBBZkdsYk9JbVJTS3N5clF4VmxkWU1KdXNKVDJGcApkREtCUFpNMmhoMXg5QU9CYjBvN2NYZ01zTWNHSHlwQmUvSWFGY3RGUlZ5UDZQMW15TVIyVGtWL3h5WHNHUUkxCit1QklnT2g1V0l0enAzVE1yOFBSVGVOYzdwekczK044eTFWWkNEYVBIVkV6UTk0L1hBN1h2K3hnaGJNS25LbWgKMTZOY1ZVR3FXSHRxSFd3dkovei9ScGkvZUUraVRON3FwOWtTdEtaZ1V1dVhXOUxTdFp3RCtiQ2hUM0lTWWJCeQplK21CWTBEZTJGWkZ6eFhQOGdjQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNSVFacjQzeHJlNmd3aFdKR2diNmVaMDF5ZUlNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSE5LajZndkZUeTJ3TmtHVlBnbgo1V25wdWlhWmlvYnNYTGlraVZUQ1NnRERkbVk4ZTJxWG5BTzVST3R6ZkhDVGg3OWMrankvdGV1M1JleGtUT0F4ClQ2L1hOZ3FYRi9BMnROSk9oUW9USlZrOHJ4M0Q3aTRxYjAveldsdzEreWwvbUxFM3hLRTBxMG95RzFKMmNFRkoKK3EyZDEyd2Ywc1dJZit3Qjh5bG53YWd0cy9FdW5oUFF3QlRCKzU1bVA1WVBYWjNZeS9mUEd3c1Y3TjRsc3hKTAplWWF0aUpldTBJdlYxQmdoZGNNclg0d2pidXZuZk5WUWhRY3ZDd3ZxRVQ1dVcyeXNPQnJTNGJsaDZRZmdOYkxOCjdRK0hMWEE3SDNrMjhrVnRJWFlYSHpFL3NNWTVFc2hPcWNYenIxWWpPSlkzb2RxQjNuOWRMcy9hbkFtYVdEelUKRlJBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: nsrole
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: <base64-encoded john.crt, omitted>
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcGdJQkFBS0NBUUVBNGFHL3ZJVEEvVnU5UE4rblgrbGh6MVl5NHRidWxFSnVabCtVc2YzK0RyeVEyaGd1ClhQd0g1ZkxQRlV3ZTJITmorT0ZDd21wcmVmSU5TeFpVNEh5OW9ZOWlTUS9NcDZncHVlZlFhbEZnUVdJSG80U0EKSzlNTWJFS0tFTis1eFRpNDhhUi9tTk94QVV4TUdHVHZHTU1NVmJ4eWdYVzlEYnFnbmlaRUNwMDA5RU1GWjVFVwpad3RtejdaZ3ZrWEczNlFuMG1NL3lOeUJESFZmNUoyRHM1MEZuWDBRNkhWMDcvcnZHT3JVcEl4SkQvQXc5NmlvCjRBTXVCN1h5QWRKLzEwTWY5TSt2ZnBVR09sbWpmNGlpeU1KcVZhUFRiOE5DellZTmFER3FnTG1kVUJlS2xNZ1EKOW10dTlGYi8wYnAxTVQxMi9pUHJQdHZtNVEybnZyU0QrdWhBcXdJREFRQUJBb0lCQVFDM0RSUFI3TjNwYm5FRApudXRhVzZ3WG12WWpwSDNnV0ZqYXd6YU9oT0tGc0NQUVhJZll0anZ1S1dRcUFoeVFQR1ZoOTliQ2hiWDJOQkxtCjFSSTlJZFp5NlRHeTFwZVJlVk9JMkhIMG4xcDVFUC9qZ0U2L3Z6UTM3Rys0cXRrN0VQNnlSR09rYURJVlBJSUwKMUc5SjVvdnVUcm1USUNNbHJVQTdyZzNMa3Fqd2RKME44SVZRajR6RkozbVhXMG1pR3JndHRpWUNSUDlZcnFiOApKRDhsNDlIOWJRaTNtYUdMYzVVdCs3UG13UEZGdERwUXpMN1ExVFhUTVJ4Vm5SVjRiNW4yOTBxL3pjY3BmbEo0Ck9sQ0h6ay9DNUMrczBvTUptQ3pNRDg4T2RwWitJRU00eTU4NFZGMlFmaWxIM3lYVlNuckNhMHF2MzA1ME1JQk0KcXpnS3l5WlJBb0dCQU9nejhBL09MZEhzbXhVVEE2TWczeThlWFZnMFJTVkczVCtsS29RNGlPSzZNYlJTVkRRcgpGOEwwcmVQaUttWERwT3JCMk5hUldZSzl6d3dnOENhQS9nZzZoSnFNcnJ6dC9EQ0d1SmJHSXpzMFZjVWozRkpBClYyeHkxS0lFOUhTdm9VcjNHSVJDMnBTOEpoUndLMlRtTEFaZ2Z6TWR0ZWFqTVROQmlmeUcrWnh6QW9HQkFQakIKYWR4b3ZlNmM3eHh1Y3BPeGE4WjZRMEd3SllJNyt6N3JXaWdtcWtTc0lYVWNNNzcvemxEN1lVSmpTUW5UK29BZgpkMEpmNWxaeHpFaXBOQkllUmVQWVdkL1dPZVZuVWlzS1dxck5qYThyaUNpWEcrT2FtR0o5V0l6Si9tSWJrWjFHCkhBU21Hd1Q3RVcwOHIwem1lR0s2OUxaaGcyRGNHRklDVXA1cmFMVHBBb0dCQUxiNHhrQU9IYmova3F5bWtRVW8KVC9YWEhZTDFuVTdrYWs5T25SUVhZSFlZZGpZN2NiS3lDa1ZMZlFMSEl0V1J0eEJ0czZwUVdwSlZjeU9CaVBzdQpSZjdCN2QvQzM2WnNlWDdiaWZUMUtLbnNjWEdvOG1HMTVhM0ZScHhzL3h3N2tRTjdka3d5U2Y5TnkwdnJuNllnCllheWN1VjdVR0pRbklBdmRweGZnWEN6VkFvR0JBS2JVaUp2aXYyYjFaMFBwS3Z5MG8vUno4UUZ3RW1mYXRIRUoKUk9qaXJaVHE0SEY3WFpUK1dLOWxPR0JlMkJBNFU2dHo3dmJiL0U0RGVoOU5JM2YzUjZZOFptSkJlWWpLRjRoNApKRUNqSlIvVEVUa3Z4dXVKdGlOdnIyQ1U0LytHUDgxN3hMUzFkaStMOXE4TllRQXhIWklSa3FkeWxMcjBRWGRXCnlYUW4wd3hwQW9HQkFNamE3MHpjVVE
4aWZoYkVrcFE2N2VMUjJuWTlwSWtyYllIOC9hdXFQVzFWNWlHdHBoZDYKS0llNlRIQzRIRHgwSm45U2hQYVFVcEl1VFpTbW1HQlltZGxKblgvT2RCMTZXdkFjTTRnNGplVFF6MUhtK09VRwpYSG9MVmlTVWIxUkpEVU5EOTFON0lzVi8rdTZwK3MrcDJhNCtwcWxPM1Y4VWMrRDJLbDhNZFBsMQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
- name: kubernetes-admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
[root@cka-master pki]#

Because --embed-certs=true was used, client-certificate-data and client-key-data contain the actual (base64-encoded) PEM content, so john.crt and john-key.pem no longer have to stay where they are. The kubeconfig now holds john's private key and must be protected like one (owner-only permissions, never shared or committed). With the credentials written, the permissions can be checked.

Verify permissions

Create a test namespace ns1

[root@cka-master ~]# kubectl create ns  ns1
namespace/ns1 created
[root@cka-master ~]# kubectl get ns
NAME              STATUS   AGE
default           Active   30h
kube-node-lease   Active   30h
kube-public       Active   30h
kube-system       Active   30h
ns1               Active   18h

Verify john's permissions

[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1
yes
[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1 --as john
no

User john currently has no permission to operate on the resource. Note that --as john uses impersonation: the request is still made with the admin credentials and the API server evaluates RBAC for the user name john. It tells you what RBAC would allow john, but it does not exercise john's certificate.

Login configuration

Add a context entry for john to the kubeconfig file

[root@cka-master pki]# kubectl config set-context john --cluster=kubernetes --user=john
Context "john" created.
[root@cka-master pki]# kubectl config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
          john                          kubernetes   john               
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   nsrole
[root@cka-master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: john
  name: john
- context:
    cluster: kubernetes
    namespace: nsrole
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: john
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@cka-master pki]#

Switch context

[root@cka-master pki]# kubectl config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
          john                          kubernetes   john               
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   nsrole
[root@cka-master pki]# kubectl config use-context john
Switched to context "john".
[root@cka-master pki]# kubectl config get-contexts 
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         john                          kubernetes   john               
          kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   nsrole

Bind permissions

Bind the cluster role cluster-admin to user john. Creating a ClusterRoleBinding needs administrator rights, so this runs from the kubernetes-admin context, not the john context. cluster-admin grants unrestricted access to the whole cluster; it is used here only to demonstrate that the binding takes effect, and a real user should get a narrower Role.

[root@cka-master role]# kubectl create clusterrolebinding john-cluster-role-binding --clusterrole=cluster-admin  --user=john
clusterrolebinding.rbac.authorization.k8s.io/john-cluster-role-binding created
[root@cka-master role]#

View the current cluster role bindings

[root@cka-master role]# kubectl get clusterrolebinding
NAME                                                   ROLE                                                                               AGE
calico-kube-controllers                                ClusterRole/calico-kube-controllers                                                24h
calico-node                                            ClusterRole/calico-node                                                            24h
cluster-admin                                          ClusterRole/cluster-admin                                                          27h
john-cluster-role-binding                              ClusterRole/cluster-admin                                                          90s
kubeadm:get-nodes                                      ClusterRole/kubeadm:get-nodes                                                      27h
kubeadm:kubelet-bootstrap                              ClusterRole/system:node-bootstrapper                                               27h
kubeadm:node-autoapprove-bootstrap                     ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient       27h
kubeadm:node-autoapprove-certificate-rotation          ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   27h
kubeadm:node-proxier                                   ClusterRole/system:node-proxier                                                    27h
system:basic-user                                      ClusterRole/system:basic-user                                                      27h
system:controller:attachdetach-controller              ClusterRole/system:controller:attachdetach-controller                              27h
system:controller:certificate-controller               ClusterRole/system:controller:certificate-controller                               27h
system:controller:clusterrole-aggregation-controller   ClusterRole/system:controller:clusterrole-aggregation-controller                   27h
system:controller:cronjob-controller                   ClusterRole/system:controller:cronjob-controller                                   27h
system:controller:daemon-set-controller                ClusterRole/system:controller:daemon-set-controller                                27h
system:controller:deployment-controller                ClusterRole/system:controller:deployment-controller                                27h
system:controller:disruption-controller                ClusterRole/system:controller:disruption-controller                                27h
system:controller:endpoint-controller                  ClusterRole/system:controller:endpoint-controller                                  27h
system:controller:endpointslice-controller             ClusterRole/system:controller:endpointslice-controller                             27h
system:controller:endpointslicemirroring-controller    ClusterRole/system:controller:endpointslicemirroring-controller                    27h
system:controller:ephemeral-volume-controller          ClusterRole/system:controller:ephemeral-volume-controller                          27h
system:controller:expand-controller                    ClusterRole/system:controller:expand-controller                                    27h
system:controller:generic-garbage-collector            ClusterRole/system:controller:generic-garbage-collector                            27h
system:controller:horizontal-pod-autoscaler            ClusterRole/system:controller:horizontal-pod-autoscaler                            27h
system:controller:job-controller                       ClusterRole/system:controller:job-controller                                       27h
system:controller:namespace-controller                 ClusterRole/system:controller:namespace-controller                                 27h
system:controller:node-controller                      ClusterRole/system:controller:node-controller                                      27h
system:controller:persistent-volume-binder             ClusterRole/system:controller:persistent-volume-binder                             27h
system:controller:pod-garbage-collector                ClusterRole/system:controller:pod-garbage-collector                                27h
system:controller:pv-protection-controller             ClusterRole/system:controller:pv-protection-controller                             27h
system:controller:pvc-protection-controller            ClusterRole/system:controller:pvc-protection-controller                            27h
system:controller:replicaset-controller                ClusterRole/system:controller:replicaset-controller                                27h
system:controller:replication-controller               ClusterRole/system:controller:replication-controller                               27h
system:controller:resourcequota-controller             ClusterRole/system:controller:resourcequota-controller                             27h
system:controller:root-ca-cert-publisher               ClusterRole/system:controller:root-ca-cert-publisher                               27h
system:controller:route-controller                     ClusterRole/system:controller:route-controller                                     27h
system:controller:service-account-controller           ClusterRole/system:controller:service-account-controller                           27h
system:controller:service-controller                   ClusterRole/system:controller:service-controller                                   27h
system:controller:statefulset-controller               ClusterRole/system:controller:statefulset-controller                               27h
system:controller:ttl-after-finished-controller        ClusterRole/system:controller:ttl-after-finished-controller                        27h
system:controller:ttl-controller                       ClusterRole/system:controller:ttl-controller                                       27h
system:coredns                                         ClusterRole/system:coredns                                                         27h
system:discovery                                       ClusterRole/system:discovery                                                       27h
system:kube-controller-manager                         ClusterRole/system:kube-controller-manager                                         27h
system:kube-dns                                        ClusterRole/system:kube-dns                                                        27h
system:kube-scheduler                                  ClusterRole/system:kube-scheduler                                                  27h
system:monitoring                                      ClusterRole/system:monitoring                                                      27h
system:node                                            ClusterRole/system:node                                                            27h
system:node-proxier                                    ClusterRole/system:node-proxier                                                    27h
system:public-info-viewer                              ClusterRole/system:public-info-viewer                                              27h
system:service-account-issuer-discovery                ClusterRole/system:service-account-issuer-discovery                                27h
system:volume-scheduler                                ClusterRole/system:volume-scheduler                                                27h
[root@cka-master role]#

Check john's permissions again

[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1 --as john
yes
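Binding john to cluster-admin gives a freshly created user full control of the cluster, which is rarely what a per-user certificate is for. As an added example that is not from the original page, the manifest below grants the least privilege needed for the check above: read-only access to pods in ns1 through a namespaced Role and RoleBinding. The role and binding names are chosen here; the subject name must equal the certificate CN exactly.

```yaml
# Added example, not from the original page: least-privilege replacement for
# the cluster-admin ClusterRoleBinding. Role and binding names are arbitrary.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ns1
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ns1
  name: john-pod-reader
subjects:
- kind: User
  name: john                 # must match the CN of john.crt
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it with kubectl apply -f john-rbac.yaml and remove the broad binding with kubectl delete clusterrolebinding john-cluster-role-binding. kubectl auth can-i list pods -n ns1 --as john still answers yes, while kubectl auth can-i delete pods -n ns1 --as john and kubectl auth can-i list pods -n default --as john answer no.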

Related files

john.zip