第一步,创建clusterrole,clusterrolebinding,sa
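# Step 1 objects: a cluster-wide read-only ClusterRole, the ServiceAccount that
# will act as the "read-only user", and the ClusterRoleBinding joining the two.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-cluster-role
rules:
  - apiGroups: [""]
    # NOTE(review): "secrets" with get/list/watch, bound cluster-wide, lets this
    # "read-only" identity read the contents of every Secret in every namespace
    # (including other ServiceAccount token Secrets). Drop it unless the user
    # really needs Secret data.
    resources: ["pods", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: read-only-sa
  # Pinned explicitly: the binding below refers to default/read-only-sa, so the
  # SA must not be created in whatever namespace the current kubectl context
  # happens to select.
  namespace: default
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: read-only-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: read-only-cluster-role
  apiGroup: rbac.authorization.k8s.io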
第二步,根据sa创建用户名和上下文,最后切换上下文实现用户的切换
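# Step 2: turn the ServiceAccount's token into a kubeconfig user and context.
# Run this under the admin context: it needs to read the SA's token Secret.
sa_name=read-only-sa
sa_namespace=default

# Look the token Secret up from the ServiceAccount instead of hard-coding the
# generated name (read-only-sa-token-xxxxx), which differs on every cluster.
# On Kubernetes 1.24+ no token Secret is auto-created; use
# `kubectl create token read-only-sa` to obtain a token there instead.
token_secret=$(kubectl -n "$sa_namespace" get sa "$sa_name" -o jsonpath='{.secrets[0].name}')
[ -n "$token_secret" ] || { printf 'no token Secret listed on %s/%s\n' "$sa_namespace" "$sa_name" >&2; exit 1; }

sa_token=$(kubectl -n "$sa_namespace" get secret "$token_secret" -o jsonpath='{.data.token}' | base64 -d)
[ -n "$sa_token" ] || { printf 'empty token in Secret %s\n' "$token_secret" >&2; exit 1; }

# The token is written in plaintext into the kubeconfig, so keep that file
# private (e.g. chmod 600 ~/.kube/config); it is also visible on the argv of
# the set-credentials call while it runs.
kubectl config set-credentials read-only-user --token="$sa_token"
kubectl config set-context read-only-context --cluster=kubernetes --user=read-only-user
kubectl config use-context read-only-context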
第三步,查看用户是否切换过来
[root@k8s-node .kube]# kubectl config use-context read-only-context Switched to context "read-only-context". [root@k8s-node .kube]# kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.50.133:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes - context: cluster: kubernetes user: read-only-user name: read-only-context current-context: read-only-context kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED - name: read-only-user user: token: REDACTED
第四步,测试切换后是否还能执行删除 pod 等写操作:可以看到能够查看,但是不能删除
[root@k8s-node .kube]# kubectl get pods NAME READY STATUS RESTARTS AGE elasticsearch-6c5bb8f49-wn2hj 1/1 Running 1 25d httpbin-74fb669cc6-ws2hq 1/1 Running 1 19d iis-pod 0/1 ImagePullBackOff 0 67m kibana-667cfddb9b-j5tk6 1/1 Running 1 27d mysql-deployment-8476558cf4-vvnbk 1/1 Running 1 34d nfs-client-provisioner-66f9b655d-m67kr 0/1 Unknown 0 43d nginx 1/1 Running 0 11d order-cluster-es-default-0 1/1 Running 9 125d order-cluster-es-default-1 1/1 Running 9 125d order-cluster-es-default-2 1/1 Running 9 125d zk-0 1/1 Running 6 239d zk-1 1/1 Running 6 349d zk-2 1/1 Running 6 349d [root@k8s-node .kube]# kubectl delete pod iis-pod Error from server (Forbidden): pods "iis-pod" is forbidden: User "system:serviceaccount:default:read-only-sa" cannot delete resource "pods" in API group "" in the namespace "default"