Manually creating kubeconfig files to assign different permissions

User submission, 2022-10-21


Writing the kubeconfig file

This kubeconfig file defines the cluster and client information. Replacing certificate-authority: /etc/kubernetes/ssl/ca.crt with insecure-skip-tls-verify: true skips verification of the cluster, so the client no longer checks the API server's certificate; the reference below keeps certificate-authority. A typical reference looks like this:

[appuser@k8s-master-1 ~]$ cat /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
clusters:
- name: shjq-dev01-chenqiang-cluster
  cluster:
    server:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
users:
- name: shjq-dev01-chenqiang-user
  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
contexts:
- context:
    cluster: shjq-dev01-chenqiang-cluster
    user: shjq-dev01-chenqiang-user
    namespace: dev
  name: shjq-dev01-chenqiang

Create the user shjq-dev01-chenqiang-user through the RBAC authorization mechanism

User -> Role -> RoleBinding

Create the user

openssl genrsa -out deploy.key 2048 # create the user's private key

openssl req -new -key deploy.key -out deploy.csr -subj "/CN=deploy/O=DEPLOY" # create the certificate signing request

openssl x509 -req -in deploy.csr -CA /etc/kubernetes/ssl/kube-ca.pem -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -CAcreateserial -out deploy.crt -days 365 # sign the certificate

Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-ns
rules:
- apiGroups: [""] # default core API group
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get","list","create","update","patch","delete","watch"]

RoleBinding

Bind the Role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-rolebinding-1
  namespace: my-ns
subjects:
- kind: User # subject kind
  name: eli # name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io
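
The following Python model is an added example, not code from the original page or from Kubernetes. It traces the User -> Role -> RoleBinding chain for the manifests above and shows which requests the binding grants to the identity in a client certificate. The function names identity_from_subject and allowed are hypothetical, the manifests are transcribed as dicts, and the model ignores ClusterRoles, resourceNames and non-resource URLs.

```python
# Added example, not from the original page: a simplified model of the
# certificate -> user/groups -> RoleBinding -> Role chain. Assumption: it
# ignores ClusterRoles, resourceNames and non-resource URLs.

def identity_from_subject(subj):
    """CN becomes the user name, every O becomes a group (X.509 client auth)."""
    parts = [p.split("=", 1) for p in subj.strip("/").split("/") if "=" in p]
    user = next((v for k, v in parts if k == "CN"), None)
    return user, [v for k, v in parts if k == "O"]

# Role and RoleBinding from this page, transcribed as Python dicts.
ROLE = {
    "name": "my-role", "namespace": "my-ns",
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update", "patch", "delete", "watch"]},
    ],
}
BINDING = {"namespace": "my-ns", "roleRef": "my-role",
           "subjects": [{"kind": "User", "name": "eli"}]}

def _covers(granted, value):
    return "*" in granted or value in granted

def allowed(user, groups, namespace, api_group, resource, verb,
            role=ROLE, binding=BINDING):
    """True if the binding grants this request to the given identity."""
    # A RoleBinding and its Role only apply inside their own namespace.
    if not (namespace == binding["namespace"] == role["namespace"]):
        return False
    if binding["roleRef"] != role["name"]:
        return False
    # Subject names are compared as exact, case-sensitive strings.
    bound = any(
        (s["kind"] == "User" and s["name"] == user)
        or (s["kind"] == "Group" and s["name"] in groups)
        for s in binding["subjects"])
    return bound and any(
        _covers(r["apiGroups"], api_group) and _covers(r["resources"], resource)
        and _covers(r["verbs"], verb) for r in role["rules"])

if __name__ == "__main__":
    user, groups = identity_from_subject("/CN=deploy/O=DEPLOY")  # CSR subject on this page
    print(user, groups)
    print(allowed(user, groups, "my-ns", "", "pods", "list"))    # binding names eli
    print(allowed("eli", [], "my-ns", "", "pods", "list"))
    print(allowed("eli", [], "dev", "", "pods", "list"))         # context namespace
```

Against a live cluster, kubectl auth can-i list pods -n my-ns --as deploy answers the same question from the API server's point of view.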
