Background
Kubernetes supports multiple users. This walkthrough creates a user named john, logs in to the cluster as that user and uses cluster resources. When kubectl connects to the cluster it can authenticate with a client certificate, generating a separate certificate for each user.
Official documentation
https://kubernetes.io/zh/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process
Certificate workflow
Generate a CSR (certificate signing request) locally, have Kubernetes sign it into a certificate, and finally configure that certificate in the kubectl config file.
- Write a JSON file describing the server: its domain name (or IP), CN and key algorithm
- Run cfssl to generate the server's private key and the signing request file server.csr
- Base64-encode the contents of server.csr and create a CSR resource for the server in Kubernetes
- Manually approve and sign that CSR resource
- Copy down the server.crt that Kubernetes issues, i.e. the server certificate
- server.crt and server-key.pem are the server's HTTPS configuration
Solution
Generate the private key
Create the certificate request file john-csr.json

```json
{
  "CN": "john",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ZheJiang",
      "L": "HangZhou"
    }
  ]
}
```
> Do not include a `ca` section; otherwise cfssl fails with "ca section only permitted in initca".
> CN (Common Name) becomes the Kubernetes username and identifies the client user.
> No hosts section is configured here; "hosts": [] means all hosts.
> O (Organization) becomes the group the requesting user belongs to and also identifies the client user; it can be left out, as it is here.
Generate the certificate request file and private key with cfssl
```bash
[root@cka-master pki]# ./cfssl genkey john-csr.json | ./cfssljson -bare john
2022/03/15 02:06:27 [INFO] generate received request
2022/03/15 02:06:27 [INFO] received CSR
2022/03/15 02:06:27 [INFO] generating key: rsa-2048
2022/03/15 02:06:28 [INFO] encoded CSR
[root@cka-master role]# ls
cfssl cfssljson john.csr john-csr.json john-key.pem
```
Base64-encode the certificate request file john.csr
```bash
[root@cka-master role]# cat john.csr | base64 | tr -d '\n'
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
[root@cka-master role]#
```
A CertificateSigningRequest cannot take the raw CSR file directly; it only accepts the base64-encoded CSR.
Request signing
Create the file john-csr.yaml
```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  request: 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
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 8640000
  usages:
  - client auth
```
spec.request holds the base64 encoding of john.csr; signerName is always kubernetes.io/kube-apiserver-client; expirationSeconds is the requested certificate lifetime in seconds (8640000 here, which the CSR listing shows as 100d).
Apply the certificate signing request
```bash
[root@cka-master role]# kubectl apply -f john-csr.yaml
certificatesigningrequest.certificates.k8s.io/john created
```
View the certificate signing request
```bash
[root@cka-master role]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
john 10s kubernetes.io/kube-apiserver-client kubernetes-admin 100d Pending
```
The CSR's state is Pending; a cluster administrator must approve it before it becomes Approved.
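While the CSR is Pending, the approver is the last check on the identity the certificate will carry. The following added example (not part of the original post) decodes spec.request, the base64 CSR from the step above, with a minimal stdlib DER reader and flags a CN that differs from the intended username or an O that names a privileged group such as system:masters; the function names are hypothetical and the sample CSR bodies it builds are constructed placeholders with no real key or signature.

```python
import base64
# Added example (not from the original post): decode spec.request of a
# CertificateSigningRequest and inspect the subject before approving it. CN becomes
# the Kubernetes username and each O a group; the approver should confirm both.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C",
        b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}
def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def csr_subject(der):
    """Subject of a PKCS#10 CSR as {'CN': [...], 'O': [...], ...}."""
    _, req, _ = _tlv(der, 0)            # CertificationRequest
    _, info, _ = _tlv(req, 0)           # certificationRequestInfo
    subject = _children(info)[1][1]     # version, subject, subjectPKInfo, attrs
    out = {}
    for _, rdn in _children(subject):   # each RDN is a SET of (OID, value) pairs
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            out.setdefault(OIDS.get(oid, oid.hex()), []).append(val.decode())
    return out

def approval_check(request_b64, expected_user, forbidden=("system:masters",)):
    """Return (subject, problems) to review before `kubectl certificate approve`."""
    subj = csr_subject(base64.b64decode(request_b64))
    problems = []
    if subj.get("CN") != [expected_user]:
        problems.append(f"CN {subj.get('CN')} does not match user {expected_user!r}")
    problems += [f"requests privileged group {g!r}" for g in subj.get("O", []) if g in forbidden]
    return subj, problems

# Constructed sample CSR bodies (placeholder key and signature) so this runs offline.
def _der(tag, *parts):  # short-form lengths only; enough for these small samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def sample_request_b64(cn, orgs=()):
    atv = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, oid), _der(0x0C, s.encode())))
    subject = _der(0x30, atv(b"\x55\x04\x03", cn), *[atv(b"\x55\x04\x0a", o) for o in orgs])
    info = _der(0x30, _der(0x02, b"\x00"), subject, _der(0x30, _der(0x05)), _der(0xA0))
    return base64.b64encode(_der(0x30, info, _der(0x30, _der(0x05)), _der(0x03, b"\x00"))).decode()
```

On a live cluster the same check runs over the output of `kubectl get csr john -o jsonpath='{.spec.request}'`; a real cfssl-generated CSR also carries the C, ST and L values from john-csr.json.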
Approve the certificate signing request
```bash
[root@cka-master role]# kubectl certificate approve john
certificatesigningrequest.certificates.k8s.io/john approved
[root@cka-master role]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
john 34s kubernetes.io/kube-apiserver-client kubernetes-admin 100d Approved,Issued
```
Inspect the signed certificate
View the signed certificate with kubectl
```bash
[root@cka-master role]# kubectl get csr john -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"john"},"spec":{"expirationSeconds":8640000,"request":"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","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2022-03-14T18:24:43Z"
  name: john
  resourceVersion: "136286"
  uid: fc25048e-25a1-417e-b4f4-d5845d14b9c9
spec:
  expirationSeconds: 8640000
  groups:
  - system:masters
  - system:authenticated
  request: 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
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: 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
  conditions:
  - lastTransitionTime: "2022-03-14T18:25:14Z"
    lastUpdateTime: "2022-03-14T18:25:14Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved
[root@cka-master role]#
```
status.certificate here is the base64-encoded signed certificate.
Export the signed certificate
```bash
[root@cka-master role]# kubectl get csr john -o jsonpath='{.status.certificate}'| base64 -d > john.crt
[root@cka-master role]# ls
cfssl cfssljson john.crt john.csr john-csr.json john-csr.yaml john-key.pem
```
john.crt is the client certificate that authenticates the user john.
Write the credentials
View the current contexts
```bash
[root@cka-master pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin nsrole
```
Write the credential information
```bash
[root@cka-master pki]# kubectl config set-credentials john --client-key=john-key.pem --client-certificate=john.crt --embed-certs=true
User "john" set.
[root@cka-master pki]# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: nsrole
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: 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
    client-key-data: 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
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: REDACTED
[root@cka-master pki]#
```
client-certificate-data and client-key-data hold the full certificate and key contents, so john.csr and john-key.pem can be moved elsewhere. Once the credentials are written, they can be verified.
Permission check
Create a test namespace ns1
```bash
[root@cka-master ~]# kubectl create ns ns1
namespace/ns1 created
[root@cka-master ~]# kubectl get ns
NAME STATUS AGE
default Active 30h
kube-node-lease Active 30h
kube-public Active 30h
kube-system Active 30h
ns1 Active 18h
```
Check john's permissions
```bash
[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1
yes
[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1 --as john
no
```
Login configuration
Change the cluster config file by writing context information
```bash
[root@cka-master pki]# kubectl config set-context john --cluster=kubernetes --user=john
Context "john" created.
[root@cka-master pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
john kubernetes john
* kubernetes-admin@kubernetes kubernetes kubernetes-admin nsrole
[root@cka-master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: john
  name: john
- context:
    cluster: kubernetes
    namespace: nsrole
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: john
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@cka-master pki]#
```
Switch context
```bash
[root@cka-master pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
john kubernetes john
* kubernetes-admin@kubernetes kubernetes kubernetes-admin nsrole
[root@cka-master pki]# kubectl config use-context john
Switched to context "john".
[root@cka-master pki]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* john kubernetes john
kubernetes-admin@kubernetes kubernetes kubernetes-admin nsrole
```
Permission binding
Bind the cluster role cluster-admin to the user john
```bash
[root@cka-master role]# kubectl create clusterrolebinding john-cluster-role-binding --clusterrole=cluster-admin --user=john
clusterrolebinding.rbac.authorization.k8s.io/john-cluster-role-binding created
[root@cka-master role]#
```
View the current cluster role bindings
```bash
[root@cka-master role]# kubectl get clusterrolebinding
NAME ROLE AGE
calico-kube-controllers ClusterRole/calico-kube-controllers 24h
calico-node ClusterRole/calico-node 24h
cluster-admin ClusterRole/cluster-admin 27h
john-cluster-role-binding ClusterRole/cluster-admin 90s
kubeadm:get-nodes ClusterRole/kubeadm:get-nodes 27h
kubeadm:kubelet-bootstrap ClusterRole/system:node-bootstrapper 27h
kubeadm:node-autoapprove-bootstrap ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient 27h
kubeadm:node-autoapprove-certificate-rotation ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 27h
kubeadm:node-proxier ClusterRole/system:node-proxier 27h
system:basic-user ClusterRole/system:basic-user 27h
system:controller:attachdetach-controller ClusterRole/system:controller:attachdetach-controller 27h
system:controller:certificate-controller ClusterRole/system:controller:certificate-controller 27h
system:controller:clusterrole-aggregation-controller ClusterRole/system:controller:clusterrole-aggregation-controller 27h
system:controller:cronjob-controller ClusterRole/system:controller:cronjob-controller 27h
system:controller:daemon-set-controller ClusterRole/system:controller:daemon-set-controller 27h
system:controller:deployment-controller ClusterRole/system:controller:deployment-controller 27h
system:controller:disruption-controller ClusterRole/system:controller:disruption-controller 27h
system:controller:endpoint-controller ClusterRole/system:controller:endpoint-controller 27h
system:controller:endpointslice-controller ClusterRole/system:controller:endpointslice-controller 27h
system:controller:endpointslicemirroring-controller ClusterRole/system:controller:endpointslicemirroring-controller 27h
system:controller:ephemeral-volume-controller ClusterRole/system:controller:ephemeral-volume-controller 27h
system:controller:expand-controller ClusterRole/system:controller:expand-controller 27h
system:controller:generic-garbage-collector ClusterRole/system:controller:generic-garbage-collector 27h
system:controller:horizontal-pod-autoscaler ClusterRole/system:controller:horizontal-pod-autoscaler 27h
system:controller:job-controller ClusterRole/system:controller:job-controller 27h
system:controller:namespace-controller ClusterRole/system:controller:namespace-controller 27h
system:controller:node-controller ClusterRole/system:controller:node-controller 27h
system:controller:persistent-volume-binder ClusterRole/system:controller:persistent-volume-binder 27h
system:controller:pod-garbage-collector ClusterRole/system:controller:pod-garbage-collector 27h
system:controller:pv-protection-controller ClusterRole/system:controller:pv-protection-controller 27h
system:controller:pvc-protection-controller ClusterRole/system:controller:pvc-protection-controller 27h
system:controller:replicaset-controller ClusterRole/system:controller:replicaset-controller 27h
system:controller:replication-controller ClusterRole/system:controller:replication-controller 27h
system:controller:resourcequota-controller ClusterRole/system:controller:resourcequota-controller 27h
system:controller:root-ca-cert-publisher ClusterRole/system:controller:root-ca-cert-publisher 27h
system:controller:route-controller ClusterRole/system:controller:route-controller 27h
system:controller:service-account-controller ClusterRole/system:controller:service-account-controller 27h
system:controller:service-controller ClusterRole/system:controller:service-controller 27h
system:controller:statefulset-controller ClusterRole/system:controller:statefulset-controller 27h
system:controller:ttl-after-finished-controller ClusterRole/system:controller:ttl-after-finished-controller 27h
system:controller:ttl-controller ClusterRole/system:controller:ttl-controller 27h
system:coredns ClusterRole/system:coredns 27h
system:discovery ClusterRole/system:discovery 27h
system:kube-controller-manager ClusterRole/system:kube-controller-manager 27h
system:kube-dns ClusterRole/system:kube-dns 27h
system:kube-scheduler ClusterRole/system:kube-scheduler 27h
system:monitoring ClusterRole/system:monitoring 27h
system:node ClusterRole/system:node 27h
system:node-proxier ClusterRole/system:node-proxier 27h
system:public-info-viewer ClusterRole/system:public-info-viewer 27h
system:service-account-issuer-discovery ClusterRole/system:service-account-issuer-discovery 27h
system:volume-scheduler ClusterRole/system:volume-scheduler 27h
[root@cka-master role]#
```
Check john's permissions again
```bash
[root@cka-master ~]# kubectl auth can-i list pods --namespace ns1 --as john
yes
```