生成私钥
cd /etc/kubernetes/pki
(umask 077; openssl genrsa -out lucky.key 2048)生成证书请求
openssl req -new -key lucky.key -out lucky.csr -subj "/CN=lucky"生成lucky ca 证书,获取APIServer信任
openssl x509 -req -in lucky.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lucky.crt -days 3650添加用户到kubernetes集群config文件
cd /root/.kube/config
kubectl config set-credentials lucky --client-certificate=./lucky.crt --client-key=./lucky.key --embed-certs=true添加上下文,关联用户及kubernetes集群
cd /root/.kube/config
kubectl config set-context lucky@kubernetes --cluster=kubernetes --user=lucky切换当前操作kubernetes集群用户
kubectl config use-context lucky@kubernetes--------------------------到目前为止,lucky用户只是配置了kubernetes集群信任,但无操作权限,接下来,进行rbac授权操作----------------------------
用户创建私有操作空间
apiVersion: v1
kind: Namespace
metadata:
name: lucky-test
labels:
environment: test通过Rolebinding绑定用户角色,获取角色权限
[root@k8smaster4 sa]# cat rolebinding-demo2.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: role-demo2
namespace: lucky-test
labels:
environment: test
subjects:
- name: lucky
kind: User
apiGroup: rbac.authorization.k8s.io
roleRef:
name: cluster-admin
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io--------------到目前为止,lucky用户获得指定操作空间操作权限-------------
修改默认config文件,删除kubernetes-admin授权数据
新建系统用户
useradd test配置用户密码
passwd test配置用户目录权限
chown -R test:test /home/test