Authorization in practice: RoleBinding and ClusterRole
Suppose there is a database cluster and an nginx cluster. The company is fairly large and has two project teams, one called DBA and one called SA, so resources have to be partitioned between them. A namespace can cap how many CPU cores and how much memory may be used, so different namespaces are given different system resources.

The DBA team can operate on all resources in the mysql namespace; the SA team can operate on the resources in the nginx namespace.

Hands-on: create a user who can only manage the dev namespace

Create the user

Suppose there is a user called devuser who should be able to manage every resource in the dev namespace. Kubernetes has no user management of its own, so the user is created on Linux:

[root@k8s-master01 ~]# useradd devuser
[root@k8s-master01 ~]# passwd devuser
更改用户 devuser 的密码
新的 密码:
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

Download the cfssl tools, which we will use to create the certificate.

Install CFSSL

Generates certificates: wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
Generates certificate files from cfssl's JSON output: wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
Inspects certificate information: wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

Make them executable

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

Move the files

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo


Verify the command

cfssl --help

For devuser to access pods it needs a client certificate, so the certificate material is created next.

Create the certificate signing request in cfssl's JSON format:

mkdir -p /usr/local/cert/devuser/
# write (not append) so re-running does not produce duplicated, invalid JSON
cat > /usr/local/cert/devuser/devuser-crs.json <<EOF
{
    "CN": "devuser",
    "hosts": [ ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Generate the certificate and private key

Specify the CA certificate with -ca=ca.pem, the CA private key with -ca-key=ca-key.pem, the CSR JSON file /usr/local/cert/devuser/devuser-crs.json, and devuser as the output name. On this kubeadm cluster the CA files are named ca.crt and ca.key, which is what the command below uses:

[root@k8s-master01 pki]# pwd
/etc/kubernetes/pki
[root@k8s-master01 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1249 4月   5 12:50 apiserver.crt
-rw-r--r-- 1 root root 1090 4月   5 12:50 apiserver-etcd-client.crt
-rw------- 1 root root 1679 4月   5 12:50 apiserver-etcd-client.key
-rw------- 1 root root 1675 4月   5 12:50 apiserver.key
-rw-r--r-- 1 root root 1099 4月   5 12:50 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 4月   5 12:50 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 4月   5 12:50 ca.crt
-rw------- 1 root root 1679 4月   5 12:50 ca.key
drwxr-xr-x 2 root root  162 4月   5 12:50 etcd
-rw-r--r-- 1 root root 1038 4月   5 12:50 front-proxy-ca.crt
-rw------- 1 root root 1679 4月   5 12:50 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 4月   5 12:50 front-proxy-client.crt
-rw------- 1 root root 1675 4月   5 12:50 front-proxy-client.key
-rw------- 1 root root 1675 4月   5 12:50 sa.key
-rw------- 1 root root  451 4月   5 12:50 sa.pub

[root@k8s-master01 pki]# cfssl gencert -ca=ca.crt -ca-key=ca.key  -profile=kubernetes /usr/local/cert/devuser/devuser-crs.json | cfssljson -bare devuser
2021/05/04 12:47:05 [INFO] generate received request
2021/05/04 12:47:05 [INFO] received CSR
2021/05/04 12:47:05 [INFO] generating key: rsa-2048
2021/05/04 12:47:05 [INFO] encoded CSR
2021/05/04 12:47:05 [INFO] signed certificate with serial number 535689430602598080208400243551900398664030909127
2021/05/04 12:47:05 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s-master01 pki]# ls devuser*
devuser.csr  devuser-key.pem  devuser.pem

Set the cluster parameters

export KUBE_APISERVER="https://192.168.18.128:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=devuser.kubeconfig

--certificate-authority=/etc/kubernetes/pki/ca.crt   the CA certificate
--embed-certs=true   embed the certificate data in the kubeconfig (as certificate-authority-data) instead of referencing the file path
--server=${KUBE_APISERVER}   the API server address
--kubeconfig=devuser.kubeconfig   write the result to devuser.kubeconfig

[root@k8s-master01 devuser]# ls
devuser-crs.json  devuser.kubeconfig

At this point the kubeconfig holds the cluster information and the CA certificate:

[root@k8s-master01 devuser]# cat devuser.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.18.128:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

Set the client authentication parameters

[root@k8s-master01 devuser]# cd /usr/local/cert/devuser/
[root@k8s-master01 devuser]# ls
devuser-crs.json  devuser.kubeconfig
[root@k8s-master01 devuser]# ls /etc/kubernetes/pki/
apiserver.crt              apiserver.key                 ca.crt       devuser-key.pem  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key       devuser.pem      front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  devuser.csr  etcd             front-proxy-client.crt  sa.pub

## Set the client credentials
kubectl config set-credentials devuser \
--client-certificate=/etc/kubernetes/pki/devuser.pem \
--client-key=/etc/kubernetes/pki/devuser-key.pem \
--embed-certs=true \
--kubeconfig=devuser.kubeconfig

--client-certificate=/etc/kubernetes/pki/devuser.pem   the client certificate
--client-key=/etc/kubernetes/pki/devuser-key.pem   the client private key
--embed-certs=true   embed the client certificate and key data in the kubeconfig

The kubeconfig now also contains the user entry, including the private key data:

[root@k8s-master01 devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.18.128:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

Set the context (this is what binds the namespace)

[root@k8s-master01 devuser]# cd
[root@k8s-master01 ~]# kubectl create namespace dev
namespace/dev created
[root@k8s-master01 ~]# cd /usr/local/cert/devuser/

kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=devuser \
--namespace=dev \
--kubeconfig=devuser.kubeconfig

The context now adds the binding information: the namespace and the cluster name.

[root@k8s-master01 devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.18.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: devuser
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>

Create the RoleBinding

kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev

The cluster already ships with a ClusterRole named admin. A ClusterRole is defined cluster-wide, but binding it to the user devuser with a RoleBinding in the dev namespace means devuser receives the admin permissions only inside dev, where it can then do whatever it likes.
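To show why a RoleBinding that references a ClusterRole stays confined to its namespace, here is an added example (not code from the original post) that models the API server's RBAC decision for this page's devuser setup. The "admin" rule set is a constructed, abbreviated stand-in for the real built-in ClusterRole; it also contrasts the RoleBinding with a ClusterRoleBinding, which the page does not create.

```python
# Constructed stand-in for the built-in "admin" ClusterRole (abbreviated): it
# grants namespaced resources only; cluster-scoped ones such as nodes are absent.
ROLES = {
    "admin": [
        {"apiGroups": ["", "apps"], "resources": ["pods", "services", "deployments"], "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"], "verbs": ["*"]},
    ],
}

# The binding created on the page:
#   kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev
PAGE_BINDINGS = [
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": "admin", "users": ["devuser"]},
]


def _rule_allows(rule, group, resource, verb):
    """A single PolicyRule matches when every field matches; "*" is a wildcard."""
    def hit(allowed, want):
        return "*" in allowed or want in allowed
    return hit(rule["apiGroups"], group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def can_i(bindings, user, verb, resource, namespace="", group=""):
    """Return True if some binding lets `user` perform `verb` on `resource`.
    namespace="" denotes a cluster-scoped request (nodes, namespaces, ...)."""
    for b in bindings:
        if user not in b["users"]:
            continue
        # A RoleBinding applies only inside its own namespace, even when it
        # references a ClusterRole. That is exactly what confines devuser to dev.
        if b["kind"] == "RoleBinding" and (namespace == "" or b["namespace"] != namespace):
            continue
        if any(_rule_allows(r, group, resource, verb) for r in ROLES[b["roleRef"]]):
            return True
    return False


if __name__ == "__main__":
    for ns in ("dev", "default"):
        print(f"devuser create pods in {ns}:", can_i(PAGE_BINDINGS, "devuser", "create", "pods", ns))
    print("devuser list nodes:", can_i(PAGE_BINDINGS, "devuser", "list", "nodes"))
```

The real check against a live cluster is `kubectl auth can-i create pods -n dev --as devuser`, which answers the same question from the API server's actual rules.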

mkdir -p /home/devuser/.kube/
# Copy the kubeconfig into devuser's home directory and hand it over to devuser
cp devuser.kubeconfig /home/devuser/.kube/
chown devuser:devuser /home/devuser/.kube/devuser.kubeconfig
mv /home/devuser/.kube/devuser.kubeconfig /home/devuser/.kube/config
# Ownership matters: otherwise kubectl fails with "error: open /home/devuser/.kube/config.lock: permission "
# -R: apply to the directory and everything below it
chown -R devuser:devuser /home/devuser/.kube

The cluster still cannot be accessed at this point, because the context has to be switched first; switching the context is what makes kubectl read the information in the kubeconfig.

[devuser@k8s-master ~]$ whoami 
devuser
[devuser@k8s-master01 .kube]$ pwd
/home/devuser/.kube
[devuser@k8s-master01 .kube]$ ls
config
[devuser@k8s-master01 .kube]$ kubectl config use-context kubernetes --kubeconfig=config
Switched to context "kubernetes".
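The kubeconfig printed after set-context above is complete except for `current-context: ""`, which is why the use-context step is still needed. As an added example (not from the original post), this check takes a kubeconfig in the JSON form that `kubectl config view -o json` prints and reports what would stop devuser from reaching the dev namespace; the sample is a constructed copy of the page's file with the certificate data omitted.

```python
import json

# Constructed sample modelled on the page's devuser.kubeconfig after set-context
SAMPLE = json.loads("""
{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "kubernetes",
                "cluster": {"server": "https://192.168.18.128:6443",
                            "certificate-authority-data": "LS0t...omitted"}}],
  "users": [{"name": "devuser",
             "user": {"client-certificate-data": "LS0t...omitted",
                      "client-key-data": "LS0t...omitted"}}],
  "contexts": [{"name": "kubernetes",
                "context": {"cluster": "kubernetes", "user": "devuser", "namespace": "dev"}}],
  "current-context": ""
}
""")


def _by_name(cfg, key):
    # kubectl writes "null" for empty lists (see the page's early output), hence "or []"
    return {item["name"]: item for item in cfg.get(key) or []}


def check_kubeconfig(cfg, expected_namespace="dev"):
    """Return a list of problems; an empty list means the file is ready to use."""
    problems = []
    clusters, users, contexts = (_by_name(cfg, k) for k in ("clusters", "users", "contexts"))
    cur = cfg.get("current-context") or ""
    if not cur:
        problems.append("current-context is empty: run `kubectl config use-context <name>`")
    elif cur not in contexts:
        problems.append(f"current-context {cur!r} refers to a missing context")
    for name, ctx in contexts.items():
        c = ctx["context"]
        if c.get("cluster") not in clusters:
            problems.append(f"context {name}: unknown cluster {c.get('cluster')!r}")
        if c.get("user") not in users:
            problems.append(f"context {name}: unknown user {c.get('user')!r}")
        if c.get("namespace") != expected_namespace:
            problems.append(f"context {name}: namespace is {c.get('namespace')!r}, expected {expected_namespace!r}")
    for name, cl in clusters.items():
        if not cl["cluster"].get("certificate-authority-data") or not cl["cluster"].get("server", "").startswith("https://"):
            problems.append(f"cluster {name}: needs an https server and embedded CA data")
    for name, u in users.items():
        if not (u["user"].get("client-certificate-data") and u["user"].get("client-key-data")):
            problems.append(f"user {name}: client certificate and key are not embedded")
    return problems


if __name__ == "__main__":
    for p in check_kubeconfig(SAMPLE):
        print("-", p)
```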

devuser can now do whatever it likes inside the dev namespace:

[root@k8s-master01 devuser]# kubectl get rolebinding -n dev
NAME                    AGE
devuser-admin-binding   26m
[root@k8s-master01 devuser]#  kubectl get rolebinding devuser-admin-binding  -o yaml -n dev
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-05-04T05:05:36Z"
  name: devuser-admin-binding
  namespace: dev
  resourceVersion: "523904"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/dev/rolebindings/devuser-admin-binding
  uid: 055f8071-c7c8-4360-843a-9e8005f72769
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: devuser

References

Kubernetes cluster security: authorization in practice with RoleBinding and ClusterRole