通过set-context 控制namespace 进行隔离

Posted 2021-02-06 fengjian2016

 

在设置admin的权限时， O(组) 是 system:masters,  是管理员。

 

通过设置 set-context  --- rbac  对namespace 使用用户名控制 

[[email protected] ssl]# cat long-csr.json 
{
  "CN": "long",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "devops",
      "OU": "System"
    }
  ]
}

 

CN：Common Name，kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name)，浏览器使用该字段验证网站是否合法；
O：Organization，kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group)；
kube-apiserver 将提取的 User、Group 作为 RBAC 授权的用户标识；

 

 

kubectl config set-credentials long --client-certificate=/etc/kubernetes/ssl/long.pem --embed-certs=true --client-key=/etc/kubernetes/ssl/long-key.pem
kubectl config set-context long --cluster=kubernetes --user=long
kubectl config use-context long
[[email protected] ~]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "long" cannot list resource "pods" in API group "" in the namespace "default"

[[email protected] ~]# cat pod-reader.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kube-system
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]


[[email protected] ~]# cat devuser-role-bind.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: kube-system
subjects:
- kind: User
name: long # 目标用户
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader # 角色信息
apiGroup: rbac.authorization.k8s.io