Creating a read-only user in k8s

Published 2023-11-01 16:03:32  Author: 力王7314

Step 1: create the ClusterRole, the ServiceAccount, and the ClusterRoleBinding that ties them together.

Two things to check before applying this. The ServiceAccount manifest carries no namespace, so it is created in whatever namespace kubectl is currently pointed at, while the binding's subject names the service account in default; if the two differ, the binding silently grants nothing. And although the role is called read-only, it grants get/list/watch on secrets in every namespace (a ClusterRoleBinding is cluster-wide), which lets the holder read every service account token and every credential stored as a Secret. Drop secrets from the resource list unless that is really intended.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-cluster-role
rules:
- apiGroups: [""]          # core API group only; apps/, batch/ etc. are not covered
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-only-sa
  namespace: default       # must match the subject namespace in the binding below
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-cluster-role-binding
subjects:
- kind: ServiceAccount
  name: read-only-sa
  namespace: default
roleRef:
  kind: ClusterRole
  name: read-only-cluster-role
  apiGroup: rbac.authorization.k8s.io

Step 2: create a kubeconfig user from the service account's token, create a context that uses it, and switch to that context to switch users.

The commands below read the token from the secret that older clusters generate automatically for each service account. Since Kubernetes 1.24 that secret is no longer created; on such clusters mint a token with kubectl create token read-only-sa (short-lived by default) and pass that to --token instead.

# find the name of the service account's token secret (read-only-sa-token-xxxxx)
kubectl get secret
# the token is stored base64-encoded in the secret; decode it before use
kubectl config set-credentials read-only-user --token=$(kubectl get secret read-only-sa-token-2fdz4 -o jsonpath='{.data.token}'| base64 -d)
# "kubernetes" is the cluster name already present in the kubeconfig
kubectl config set-context read-only-context --cluster=kubernetes --user=read-only-user
kubectl config use-context read-only-context

Step 3: confirm that the context has switched.

Note that use-context only changes the default context; the kubernetes-admin client certificate and key remain in the same kubeconfig, as the view below shows. To hand a read-only kubeconfig to someone else, write a separate file that contains only the cluster entry and the read-only-user token.

[root@k8s-node .kube]# kubectl config use-context read-only-context
Switched to context "read-only-context".
[root@k8s-node .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.50.133:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: read-only-user
  name: read-only-context
current-context: read-only-context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: read-only-user
  user:
    token: REDACTED

Step 4: test whether the user can still delete pods and so on. Pods can be listed, but the delete is rejected by the API server with a Forbidden error.

The same check can be made without switching contexts by asking the API server directly: kubectl auth can-i delete pods --as=system:serviceaccount:default:read-only-sa answers no, and the same command with get answers yes.

[root@k8s-node .kube]# kubectl get pods 
NAME                                     READY   STATUS             RESTARTS   AGE
elasticsearch-6c5bb8f49-wn2hj            1/1     Running            1          25d
httpbin-74fb669cc6-ws2hq                 1/1     Running            1          19d
iis-pod                                  0/1     ImagePullBackOff   0          67m
kibana-667cfddb9b-j5tk6                  1/1     Running            1          27d
mysql-deployment-8476558cf4-vvnbk        1/1     Running            1          34d
nfs-client-provisioner-66f9b655d-m67kr   0/1     Unknown            0          43d
nginx                                    1/1     Running            0          11d
order-cluster-es-default-0               1/1     Running            9          125d
order-cluster-es-default-1               1/1     Running            9          125d
order-cluster-es-default-2               1/1     Running            9          125d
zk-0                                     1/1     Running            6          239d
zk-1                                     1/1     Running            6          349d
zk-2                                     1/1     Running            6          349d
[root@k8s-node .kube]# kubectl delete pod iis-pod
Error from server (Forbidden): pods "iis-pod" is forbidden: User "system:serviceaccount:default:read-only-sa" cannot delete resource "pods" in API group "" in the namespace "default"
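To see why the commands in step 4 succeed and fail the way they do, here is an added example (not code from the original post) that models the API server's RBAC decision offline. It re-implements the core of Kubernetes rule matching (verbs, apiGroups, resources including "*" and "resource/subresource", resourceNames) and binding scope (ClusterRoleBinding applies in every namespace, RoleBinding only in its own), then evaluates the post's ClusterRole against the requests a reviewer should care about. The hypothetical NAMESPACED binding is an assumption added here to contrast with the post's cluster-wide binding; subjects are matched by user name only, so group subjects such as system:serviceaccounts are not modelled.

```python
"""Offline model of how the API server evaluates the read-only ClusterRole.

Added example, not from the original post. Simplification: subjects are
matched by user name only (no group subjects such as system:serviceaccounts).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PolicyRule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class Binding:
    rules: list                       # rules of the referenced ClusterRole/Role
    subjects: set                     # user names, e.g. system:serviceaccount:<ns>:<sa>
    namespace: Optional[str] = None   # None => ClusterRoleBinding (applies everywhere)


@dataclass
class Request:
    user: str
    verb: str
    resource: str
    namespace: str
    api_group: str = ""   # "" is the core group, as in the post's ClusterRole
    subresource: str = ""
    name: str = ""


def rule_allows(rule, req):
    """Mirror of RBAC's RuleAllows: every field of the rule must match."""
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    # "pods" does not cover "pods/log"; a rule must name the subresource
    # explicitly ("pods/log") or via "*/log".
    combined = req.resource + ("/" + req.subresource if req.subresource else "")
    resource_ok = ("*" in rule.resources
                   or combined in rule.resources
                   or (req.subresource != "" and "*/" + req.subresource in rule.resources))
    name_ok = not rule.resource_names or req.name in rule.resource_names
    return verb_ok and group_ok and resource_ok and name_ok


def authorize(bindings, req):
    """RBAC is allow-only: the first matching binding+rule grants, otherwise deny."""
    for b in bindings:
        if req.user not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != req.namespace:
            continue   # a RoleBinding only counts for requests in its own namespace
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False


def forbidden_message(req):
    """Same shape as the API server's Forbidden message shown in step 4."""
    return (f'{req.resource} "{req.name}" is forbidden: User "{req.user}" cannot '
            f'{req.verb} resource "{req.resource}" in API group "{req.api_group}" '
            f'in the namespace "{req.namespace}"')


# The post's ClusterRole, expressed as rules.
READ_ONLY_RULES = [PolicyRule(api_groups=[""],
                              resources=["pods", "services", "configmaps", "secrets"],
                              verbs=["get", "list", "watch"])]
SA = "system:serviceaccount:default:read-only-sa"

# The post's ClusterRoleBinding (cluster-wide).
CLUSTER_WIDE = [Binding(rules=READ_ONLY_RULES, subjects={SA})]
# Hypothetical alternative (not in the post): a RoleBinding to the same ClusterRole,
# limited to the "default" namespace.
NAMESPACED = [Binding(rules=READ_ONLY_RULES, subjects={SA}, namespace="default")]


def decisions(bindings):
    """Evaluate the requests a reviewer of this role should care about."""
    r = lambda verb, res, ns, **kw: authorize(bindings, Request(SA, verb, res, ns, **kw))
    return {
        "get pods default": r("get", "pods", "default"),
        "delete pods default": r("delete", "pods", "default"),          # the post's failing command
        "list pods kube-system": r("list", "pods", "kube-system"),      # scope of the binding
        "get secrets kube-system": r("get", "secrets", "kube-system"),  # caveat: SA tokens readable
        "get pods/log default": r("get", "pods", "default", subresource="log"),
        "get deployments default": r("get", "deployments", "default", api_group="apps"),
    }


if __name__ == "__main__":
    for label, allowed in decisions(CLUSTER_WIDE).items():
        print(f"{label:28} -> {'yes' if allowed else 'no'}")
    print(forbidden_message(Request(SA, "delete", "pods", "default", name="iis-pod")))
```

Running it shows that the cluster-wide binding allows get/list on pods in any namespace and on secrets in kube-system, denies delete (reproducing the exact Forbidden message from step 4), and also denies pods/log and anything outside the core API group such as deployments; with the namespaced binding the same list in kube-system is denied.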