
Isolating namespaces per user with set-context

Posted: 2019-01-28 18:14:55


When the admin credentials were set up, the O (organization, mapped to the group) was system:masters, which is the cluster administrator group.


Using set-context together with RBAC to restrict a user name to a namespace

[root@master2 ssl]# cat long-csr.json 
{
  "CN": "long",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "devops",
      "OU": "System"
    }
  ]
}


CN: Common Name. kube-apiserver extracts this field from the certificate and uses it as the request's user name (User Name); browsers use the same field to verify that a website is legitimate.
O: Organization. kube-apiserver extracts this field from the certificate and uses it as the group (Group) the requesting user belongs to.
kube-apiserver then uses the extracted User and Group as the identity for RBAC authorization decisions.


kubectl config set-credentials long --client-certificate=/etc/kubernetes/ssl/long.pem --embed-certs=true --client-key=/etc/kubernetes/ssl/long-key.pem
kubectl config set-context long --cluster=kubernetes --user=long
kubectl config use-context long
[root@master2 ~]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "long" cannot list resource "pods" in API group "" in the namespace "default"

[root@master1 ~]# cat pod-reader.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


[root@master1 ~]# cat devuser-role-bind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: kube-system
subjects:
- kind: User
  name: long # target user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader # the role being granted
  apiGroup: rbac.authorization.k8s.io
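The decision path the post relies on, as an added Python illustration (not code from the post or from Kubernetes): derive the RBAC identity from the CSR subject (CN becomes the user, O becomes a group) and evaluate the Role/RoleBinding above the way the RBAC authorizer does. The ROLES and ROLE_BINDINGS tables are constructed to mirror pod-reader.yaml and devuser-role-bind.yaml; since the binding lives in kube-system, `long` remains forbidden in `default`, which is exactly the error shown earlier.

```python
"""Simulate kube-apiserver turning a client certificate subject into an RBAC
identity, then evaluating Role/RoleBinding rules for a request.
Added illustration only; not the post's code and not Kubernetes' own code."""
import json

# Constructed sample: the subject fields from long-csr.json (CN -> user, O -> group).
LONG_CSR = json.loads('{"CN": "long", "hosts": [], "names": [{"O": "devops"}]}')

# Constructed tables mirroring pod-reader.yaml and devuser-role-bind.yaml.
ROLES = {
    ("kube-system", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}
ROLE_BINDINGS = [
    {"namespace": "kube-system", "subjects": [{"kind": "User", "name": "long"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

def identity_from_csr(csr):
    """CN is used as the user name; every O entry becomes a group."""
    user = csr["CN"]
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    return user, groups

def rule_matches(rule, api_group, resource, verb):
    """A rule allows a request only if group, resource and verb all match."""
    return (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]) and \
           (resource in rule["resources"] or "*" in rule["resources"]) and \
           (verb in rule["verbs"] or "*" in rule["verbs"])

def authorize(user, groups, verb, resource, namespace, api_group=""):
    """True if the request is allowed. system:masters is modelled as a
    short-circuit, since the RBAC authorizer treats it as a superuser group."""
    if "system:masters" in groups:
        return True
    for b in ROLE_BINDINGS:
        if b["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        if not any((s["kind"] == "User" and s["name"] == user) or
                   (s["kind"] == "Group" and s["name"] in groups) for s in b["subjects"]):
            continue
        for rule in ROLES.get((namespace, b["roleRef"]["name"]), []):
            if rule_matches(rule, api_group, resource, verb):
                return True
    return False

if __name__ == "__main__":
    user, groups = identity_from_csr(LONG_CSR)
    print(authorize(user, groups, "list", "pods", "default"))      # False
    print(authorize(user, groups, "list", "pods", "kube-system"))  # True
```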


Original post: https://www.cnblogs.com/fengjian2016/p/10331225.html
