https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/ #使用RBAC鉴权 RBAC是基于角色的访问控制(Role-Based Access Control) https://kubernetes.io/zh/docs/reference/access-authn-authz/authorization/ #鉴权概述 1.1:在指定namespace创建账户: # kubectl create serviceaccount magedu -n magedu serviceaccount/magedu created 1.2:创建role规则: # kubectl apply -f magedu-role.yaml role.rbac.authorization.k8s.io/magedu-role created # cat magedu-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: magedu name: magedu-role rules: - apiGroups: ["*"] resources: ["pods","pods/exec"] verbs: ["*"] ##RO-Role #verbs: ["get", "watch", "list"] - apiGroups: ["extensions", "apps/v1"] resources: ["deployments"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ##RO-Role #verbs: ["get", "watch", "list"] 1.3:将规则与账户进行绑定: # kubectl apply -f magedu-role-bind.yaml rolebinding.rbac.authorization.k8s.io/role-bind-magedu created # cat magedu-role-bind.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: role-bind-magedu namespace: magedu subjects: - kind: ServiceAccount name: magedu namespace: magedu roleRef: kind: Role name: magedu-role apiGroup: rbac.authorization.k8s.io 1.4:获取token名称: # kubectl get secret -n magedu | grep magedu magedu-token-8d897 kubernetes.io/service-account-token 3 5m45s 1.5:使用base加密: # kubectl get secret magedu-token-8d897 -o jsonpath={.data.token} -n magedu |base64 -d eyJhbGciOiJSUzI1NiIsImtpZCI6IlYwMDNHdWJwTmtoaTJUMFRPTVlwV3RiVWFWczJYRHJCNkFkMGRtQWFqRTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtYWdlZHUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoibWFnZWR1LXRva2VuLThkODk3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im1hZ2VkdSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBlZmNiNGI0LWM3YTUtNGJkZS1iZjk4LTFiNTkwNThjOTFjNiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDptYWdlZHU6bWFnZWR1In0.SJHLgshKcGtIf-ycivn_4SWVRdWw4SuWymBVaA8YJXHPd5PYnwERVNtfUPX88nv-wXkCuZY7fIjGYkoYj6AJEhSPoG15fcmUPaojYeyjkQYghan3CBsZR8C12buSB6t5zCCt22GdG_ScZymxLU7n3Z0PhOzTLzgpXRs1Poqz4DOYylqZyLmW_BPgoNhtQYKlBH6OFzDe8v3JytnaaJUObVZCRxtI6x4iKLt2Evhs8XKfczqqesgoo61qTqtbU4jzlXuHeW7cUMhWoipUc-BkEdV6OtKWOetecxu5uB-44eTRHa1FBjnRMv9SEGj0hxTJCQ08ZNlP0Kc01JZlKXBGdQroot@k8s-master1:~/role/magedu-RBAC# 1.6:登录dashboard测试: pods "magedu-tomcat-app1-deployment-798fc69b75-rc7l5" is forbidden: User "system:serviceaccount:magedu:magedu" cannot create resource "pods/exec" in API group "" in the namespace "magedu" 二:基于kube-config文件登录: 2.1:创建csr文件: # cat magedu-csr.json { "CN": "China", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] } 2.2:签发证书: # ln -sv /etc/kubeasz/bin/cfssl* /usr/bin/ # cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/etc/kubeasz/clusters/k8s-01/ssl/ca-config.json -profile=kubernetes user1-csr.json | cfssljson -bare user1 # ls magedu* magedu-csr.json magedu-key.pem magedu-role-bind.yaml magedu-role.yaml magedu.csr magedu.pem 2.3:生成普通用户kubeconfig文件: # kubectl config set-cluster cluster1 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://172.31.7.188:6443 --kubeconfig=user1.kubeconfig #--embed-certs=true为嵌入证书信息 2.4:设置客户端认证参数: # cp *.pem /etc/kubernetes/ssl/ # kubectl config set-credentials user1 \ --client-certificate=/etc/kubernetes/ssl/user1.pem \ --client-key=/etc/kubernetes/ssl/user1-key.pem \ --embed-certs=true \ --kubeconfig=user1.kubeconfig 2.5:设置上下文参数(多集群使用上下文区分) https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/ # kubectl config set-context cluster1 \ --cluster=cluster1 \ --user=user1 \ --namespace=magedu \ --kubeconfig=user1.kubeconfig 2.5: 设置默认上下文 # kubectl config use-context cluster1 --kubeconfig=user1.kubeconfig 2.7:获取token: # kubectl get secrets -n magedu | grep magedu # kubectl describe secrets magedu-token-8d897 -n magedu token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlYwMDNHdWJwTmtoaTJUMFRPTVlwV3RiVWFWczJYRHJCNkFkMGRtQWFqRTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtYWdlZHUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoibWFnZWR1LXRva2VuLThkODk3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im1hZ2VkdSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBlZmNiNGI0LWM3YTUtNGJkZS1iZjk4LTFiNTkwNThjOTFjNiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDptYWdlZHU6bWFnZWR1In0.SJHLgshKcGtIf-ycivn_4SWVRdWw4SuWymBVaA8YJXHPd5PYnwERVNtfUPX88nv-wXkCuZY7fIjGYkoYj6AJEhSPoG15fcmUPaojYeyjkQYghan3CBsZR8C12buSB6t5zCCt22GdG_ScZymxLU7n3Z0PhOzTLzgpXRs1Poqz4DOYylqZyLmW_BPgoNhtQYKlBH6OFzDe8v3JytnaaJUObVZCRxtI6x4iKLt2Evhs8XKfczqqesgoo61qTqtbU4jzlXuHeW7cUMhWoipUc-BkEdV6OtKWOetecxu5uB-44eTRHa1FBjnRMv9SEGj0hxTJCQ08ZNlP0Kc01JZlKXBGdQ 2.8:将token写入用户kube-config文件: 3.9:dashboard登录测试: https://xxxxx:30002/#/login