Creating a Kubernetes account and granting it permissions with RBAC

2023-12-16 09:32:47

Create the account
1. Create a private key

[root@kub-k8s-master ~]# (umask 077; openssl genrsa -out soso.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
..........................+++
e is 65537 (0x10001)
Use this private key to create a CSR (certificate signing request) file

[root@kub-k8s-master ~]# openssl req -new -key soso.key -out soso.csr -subj "/CN=soso"   # the CN is the username Kubernetes will see
Generate the certificate from the private key and the CSR, signed by the cluster CA

[root@kub-k8s-master ~]# openssl x509 -req -in soso.csr -CA  /etc/kubernetes/pki/ca.crt  -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out soso.crt -days 365
Signature ok
subject=/CN=soso
Getting CA Private Key
Generate the account (a kubeconfig user entry with the certificate and key embedded)

[root@kub-k8s-master ~]# kubectl config set-credentials soso --client-certificate=soso.crt --client-key=soso.key --embed-certs=true
User "soso" set.
3. Set the context, i.e. the environment this account works in (the cluster and, by default, the current namespace)

[root@kub-k8s-master ~]# kubectl config set-context soso@kubernetes --cluster=kubernetes --user=soso
Context "soso@kubernetes" created.
View the current working context

[root@kub-k8s-master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.96.10:6443
....
4. Switch user (switch context)

[root@kub-k8s-master ~]# kubectl  config use-context soso@kubernetes
Switched to context "soso@kubernetes".
Verify that the new context is active

[root@kub-k8s-master ~]# kubectl config current-context
soso@kubernetes
5. Test (no permissions have been granted yet)
[root@kub-k8s-master ~]# kubectl  get pod
Error from server (Forbidden): pods is forbidden: User "soso" cannot list resource "pods" in API group "" in the namespace "default"
Create a role: this sets the permissions
1. Switch back to the admin account first

[root@kub-k8s-master ~]# kubectl  config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
Create the role (command):

[root@kub-k8s-master ~]# kubectl  create role  role-reader  --verb=get,list,watch --resource=pod,svc
role.rbac.authorization.k8s.io/role-reader created
--verb: the actions allowed (the permissions)
--resource: the resources the permissions apply to

YAML file method:

[root@kub-k8s-master ~]# vim role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-reader
rules: # define the rules
  - apiGroups: [""] # "" is the core API group (pods, services); it is the default, so "" is enough
    resources: ["pods", "services"] # full resource names are required here; the short name "svc" is not expanded inside a manifest
    verbs: ["get", "list", "watch"] # the same verbs as the command above; ["*"] means all verbs

[root@kub-k8s-master ~]# kubectl apply -f role.yaml 
role.rbac.authorization.k8s.io/role-reader created

[root@kub-k8s-master ~]# kubectl get roles
NAME          AGE
role-reader   30s

[root@kub-k8s-master ~]# kubectl describe role role-reader
Name:         role-reader
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"Role","metadata":{"annotations":{},"name":"role-reader","namespace":"default"},"...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get list watch create update delete]
  svc        []                 []              [get list watch create update delete]

2. Bind the user soso (created above) to role-reader

[root@kub-k8s-master ~]# kubectl  create  rolebinding myrole-binding  --role=role-reader  --user=soso
rolebinding.rbac.authorization.k8s.io/myrole-binding created
YAML file method:

[root@k8s-master ~]# vim role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: myrolebind
subjects: # the subjects this binding applies to; there are three kinds: ServiceAccount, User, Group
- kind: User
  name: soso
  apiGroup: rbac.authorization.k8s.io
roleRef: # the role to bind
  kind: Role
  name: role-reader
  apiGroup: rbac.authorization.k8s.io

[root@k8s-master ~]# kubectl apply -f role-binding.yaml 
rolebinding.rbac.authorization.k8s.io/myrolebind created

[root@k8s-master ~]# kubectl get rolebinding
NAME         AGE
myrolebind   25s

3. Switch user

[root@kub-k8s-master ~]# kubectl  config use-context soso@kubernetes
Switched to context "soso@kubernetes".
4. Check permissions (only get, list and watch on pods and svc in the default namespace were granted)

[root@kub-k8s-master ~]# kubectl  get pod
NAME                    READY   STATUS    RESTARTS   AGE
lifecycle-demo          1/1     Running   1          22h
mypod                   1/1     Running   0          8h
nginx-configmap         1/1     Running   0          4h29m
nginx-pod               1/1     Running   0          39m
[root@kub-k8s-master ~]# kubectl get pod -n kube-system   # no access to kube-system
Error from server (Forbidden): pods is forbidden: User "soso" cannot list resource "pods" in API group "" in the namespace "kube-system"

[root@kub-k8s-master ~]# kubectl delete pod nginx-pod   # no permission to delete
Error from server (Forbidden): pods "nginx-pod" is forbidden: User "soso" cannot delete resource "pods" in API group "" in the namespace "default"

5. Switch user

[root@kub-k8s-master ~]# kubectl  config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".


Experiment 2: bind the user to a cluster role

6. Delete the rolebinding previously bound to the soso account

[root@kub-k8s-master ~]# kubectl  delete rolebinding myrolebind
rolebinding.rbac.authorization.k8s.io "myrolebind" deleted

7. Create a clusterrole (it can grant access across all namespaces)

[root@kub-k8s-master ~]# kubectl create clusterrole myclusterrole --verb=get,list,watch --resource=pod,svc
clusterrole.rbac.authorization.k8s.io/myclusterrole created

YAML file method:

[root@kub-k8s-master ~]# vim clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myclusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@kub-k8s-master ~]# kubectl apply -f clusterrole.yaml
[root@kub-k8s-master ~]# kubectl get clusterrole

8. Bind the cluster role to user soso

[root@kub-k8s-master ~]# kubectl create clusterrolebinding my-cluster-rolebinding --clusterrole=myclusterrole --user=soso
clusterrolebinding.rbac.authorization.k8s.io/my-cluster-rolebinding created

YAML file method:

[root@kub-k8s-master ~]# vim clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: soso
[root@kub-k8s-master ~]# kubectl apply -f clusterrolebinding.yaml
[root@kub-k8s-master ~]# kubectl get clusterrolebinding

9. Switch account

[root@kub-k8s-master ~]# kubectl  config use-context soso@kubernetes
Switched to context "soso@kubernetes".

10. Check permissions: view the pods in the kube-system namespace

[root@kub-k8s-master ~]# kubectl  get pod -n kube-system
NAME                                     READY   STATUS    RESTARTS   AGE
coredns-5644d7b6d9-sm8hs                 1/1     Running   0          5d
coredns-5644d7b6d9-vddll                 1/1     Running   0          5d
etcd-kub-k8s-master                      1/1     Running   0          5d
... 

Note: 11. Switch back to the admin user
[root@kub-k8s-master ~]# kubectl  config use-context kubernetes-admin@kubernetes
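The two experiments above (Role plus RoleBinding, then ClusterRole plus ClusterRoleBinding) replayed offline, as an added example that is not from the original post: it models the API server's allow-only RBAC check over dict versions of the manifests. The object names and the user soso come from the post; the extra role-reader-svc role is constructed to show that a manifest rule spelled with the short name svc never matches a request for services.

```python
# Added example, not from the original post: an offline model of how the API server
# evaluates the RBAC objects built above. Manifests are plain dicts; the names
# role-reader, myclusterrole and the user "soso" come from the post, the rest is constructed.
ROLES = {  # (namespace, name) -> rules; Roles are namespaced, ClusterRoles are not
    ("default", "role-reader"): [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]}],
    # Same role spelled with the short name "svc" (as in the post's role.yaml): rules
    # take full resource names, a short name is never expanded inside a manifest.
    ("default", "role-reader-svc"): [
        {"apiGroups": [""], "resources": ["pods", "svc"],
         "verbs": ["get", "list", "watch"]}],
}
CLUSTER_ROLES = {"myclusterrole": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}

def rule_matches(rule, verb, group, resource):
    """Every field of the rule must match the request; "*" is a wildcard."""
    def ok(permitted, value):
        return "*" in permitted or value in permitted
    return (ok(rule["apiGroups"], group) and ok(rule["resources"], resource)
            and ok(rule["verbs"], verb))

def allowed(user, verb, resource, namespace, role_bindings, cluster_role_bindings, group=""):
    """RBAC is allow-only: one matching rule reachable through a binding grants access."""
    # A RoleBinding grants only inside its own namespace (even when it points at a
    # ClusterRole), which is why soso cannot list pods in kube-system in experiment 1.
    for rb in role_bindings:
        if rb["namespace"] != namespace or user not in rb["users"]:
            continue
        kind, name = rb["roleRef"]
        rules = (CLUSTER_ROLES.get(name, []) if kind == "ClusterRole"
                 else ROLES.get((namespace, name), []))
        if any(rule_matches(r, verb, group, resource) for r in rules):
            return True
    # A ClusterRoleBinding grants the ClusterRole's rules in every namespace.
    for crb in cluster_role_bindings:
        rules = CLUSTER_ROLES.get(crb["clusterRole"], [])
        if user in crb["users"] and any(rule_matches(r, verb, group, resource) for r in rules):
            return True
    return False

# Experiment 1: RoleBinding myrolebind in default -> Role role-reader.
def experiment1(verb, resource, namespace="default", role="role-reader"):
    rb = [{"namespace": "default", "roleRef": ("Role", role), "users": ["soso"]}]
    return allowed("soso", verb, resource, namespace, rb, [])

# Experiment 2: RoleBinding deleted, ClusterRoleBinding my-cluster-rolebinding added.
def experiment2(verb, resource, namespace="default"):
    crb = [{"clusterRole": "myclusterrole", "users": ["soso"]}]
    return allowed("soso", verb, resource, namespace, [], crb)
```

On a live cluster the same questions are answered by the admin with `kubectl auth can-i <verb> <resource> -n <namespace> --as=soso`, without switching contexts.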

Article source: https://blog.csdn.net/2301_79538834/article/details/135023776