Kubernetes permission management based on kubeconfig
Prerequisites
1. Kubernetes client and server version >= 1.19
2. kube-controller-manager is started with the parameters below (where they are set differs between Kubernetes platforms; the snippet below is the RKE configuration; for a standalone controller-manager add them as startup flags):
services:
  kube-controller:
    image: ""
    extra_args:
      cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
      cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem
Structure of the config file
Example
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded data omitted>
    server: https://10.100.103.123:6443
  name: john
contexts:
- context:
    cluster: john
    user: john
  name: john
current-context: john
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: <base64-encoded data omitted>
    client-key-data: <base64-encoded data omitted>
clusters
A cluster entry describes a Kubernetes cluster. The file may contain several, which is what makes switching between clusters possible.
users
Users. Kubernetes protects the cluster by default through authentication plus RBAC authorization. Each user entry consists mainly of client-certificate-data and client-key-data, which correspond to the crt certificate file and the key file respectively. The two always exist as a pair, and the user's identity information is written into the crt file.
The name field is only a label and does not have to correspond to a real user.
contexts
A context pairs a cluster with a user: a particular user accesses a particular cluster.
current-context
The context currently in use. It can be switched with kubectl or by editing the config file directly.
Creating a restricted user
Kubernetes API rule
apis/{group}/{version}/namespaces/{ns}/{resources}
group is the API group. For example, a Deployment has apiVersion apps/v1, which means the resource belongs to the apps group at version v1.
Create the private key and the CSR file
openssl genrsa -out john.key 2048
openssl req -new -key john.key -out john.csr -subj "/CN=john/O=apps"
CN is the user name.
O is the group name. Apart from some special resources it can be omitted (resources such as ClusterRole require special permissions; see the official documentation for details).
This produces the private key and the client certificate request file.
Create the CSR object
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  groups:
  - system:authenticated
  request: $(cat john.csr | base64 | tr -d "\n")
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
This command submits a client-authentication certificate request.
Approve the CSR
kubectl certificate approve john
Obtain the crt certificate file
Once the CSR is approved, kube-controller-manager signs a certificate with the CA certificate; use kubectl to write it to a file:
kubectl get csr john -o jsonpath='{.status.certificate}' | base64 -d > john.crt
Create the role
kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
Create the rolebinding
kubectl create rolebinding developer-binding-john --role=developer --user=john
The user here must match the CN in the CSR.
Write the certificate into the config file
1. Add the user to the config file, with user name john. --embed-certs=true embeds the file contents; otherwise the file paths are stored.
kubectl config set-credentials john --client-key=/home/vagrant/work/john.key --client-certificate=/home/vagrant/work/john.crt --embed-certs=true
2. Add a context to the config file. cluster is the name of the Kubernetes cluster entry; if there is none yet, create the cluster entry first.
kubectl config set-context john --cluster=kubernetes --user=john
3. Switch context
kubectl config use-context john
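The steps above collected into one script, as an added example that is not part of the original post. It assumes kubectl (with admin rights) and openssl are installed and that the admin kubeconfig names the cluster kubernetes; the user name, group, namespace and working directory are hypothetical parameters. csr_manifest and api_group_version need no cluster and can be run on their own; provision_user only runs when RUN_PROVISION=1 is set.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes kubectl with admin
# rights, openssl, and a cluster entry named "kubernetes" in the admin
# kubeconfig. User, group, namespace and workdir are hypothetical parameters.

# Build the CertificateSigningRequest manifest for a PEM CSR file.
# The request field must be a single base64 line, so newlines are stripped.
csr_manifest() {
    user="$1"
    csr_file="$2"
    request=$(base64 < "$csr_file" | tr -d '\n')
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  groups:
  - system:authenticated
  request: ${request}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Split an apiVersion such as "apps/v1" into "<group> <version>" following the
# apis/{group}/{version}/... rule; core resources ("v1") have no group.
api_group_version() {
    case "$1" in
        */*) printf '%s %s\n' "${1%/*}" "${1#*/}" ;;
        *)   printf 'core %s\n' "$1" ;;
    esac
}

# Whole procedure: key + CSR, submit, approve, fetch the signed cert,
# namespaced role + binding, then the kubeconfig user and context.
provision_user() {
    user="$1"; group="$2"; ns="$3"; workdir="${4:-.}"
    openssl genrsa -out "${workdir}/${user}.key" 2048
    openssl req -new -key "${workdir}/${user}.key" -out "${workdir}/${user}.csr" \
        -subj "/CN=${user}/O=${group}"
    csr_manifest "$user" "${workdir}/${user}.csr" | kubectl apply -f -
    kubectl certificate approve "$user"
    # Signing is asynchronous: wait until status.certificate is populated.
    until kubectl get csr "$user" -o jsonpath='{.status.certificate}' | grep -q .; do
        sleep 1
    done
    kubectl get csr "$user" -o jsonpath='{.status.certificate}' \
        | base64 -d > "${workdir}/${user}.crt"
    # Roles are namespaced; the binding subject must equal the CN.
    kubectl create role developer -n "$ns" \
        --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
    kubectl create rolebinding "developer-binding-${user}" -n "$ns" \
        --role=developer --user="$user"
    kubectl config set-credentials "$user" --client-key="${workdir}/${user}.key" \
        --client-certificate="${workdir}/${user}.crt" --embed-certs=true
    kubectl config set-context "$user" --cluster=kubernetes --user="$user" --namespace="$ns"
}

# Usage: RUN_PROVISION=1 sh provision.sh john apps default /tmp/work
if [ "${RUN_PROVISION:-0}" = 1 ]; then
    provision_user "$@"
fi
```

The until loop matters in practice: right after approval the certificate field is still empty, and piping an empty value through base64 -d silently produces an empty crt file.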
Example config after completion
Setting insecure-skip-tls-verify: true on the cluster entry removes the client's need for the CA certificate; the author's aim is to avoid handing out the CA certificate. Note that the CA certificate contains only a public key, and with verification disabled kubectl cannot distinguish the real API server from an impostor, so keeping certificate-authority-data in the file is the safer form.
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://10.100.103.123:6443
  name: john
contexts:
- context:
    cluster: john
    user: john
  name: john
current-context: john
kind: Config
preferences: {}
users:
- name: john
  user:
    client-certificate-data: <base64-encoded data omitted>
    client-key-data: <base64-encoded data omitted>
Notes
1. The key and crt must be a matching pair, otherwise authentication fails.
2. Every crt generated from the same key keeps access to the cluster whether or not the CSR object still exists, so when a user is to be removed the rolebinding must be deleted.
3. When the cluster entry in the config file contains CA certificate data, insecure-skip-tls-verify: true is not allowed; --insecure-skip-tls-verify=true can be appended to the kubectl command to bypass verification instead.
4. The default validity of the issued crt is one year; it can be changed with the --cluster-signing-duration parameter of kube-controller-manager. Once issued, the certificate can access the cluster for as long as the corresponding user still exists in the cluster and the cluster CA certificate has not changed; only deleting the user or replacing the cluster CA certificate ends that.
This completes the control of the user's permissions. To change a specific user's permissions, modify the rules of the role.
Official documentation: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
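Checks that follow from notes 1, 2 and 4, as an added example that is not part of the original post. It assumes openssl and kubectl are installed; file names, the namespace and the audit_user wrapper are hypothetical. key_matches_cert, cert_cn and cert_valid_for_days only need openssl and the two files; bindings_for_user and audit_user also need cluster access.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl and kubectl.
# File names, namespace and function names are hypothetical.

# Note 1: key and crt must be a pair. Derive the public key from each and
# compare; they are equal only if the certificate was issued for this key.
key_matches_cert() {
    key="$1"; crt="$2"
    openssl pkey -in "$key" -pubout >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -pubkey >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# The identity kubectl authenticates as is the CN of the certificate subject,
# so this is the name the rolebinding subject must use.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Note 4: exit 0 if the certificate stays valid for at least DAYS more days
# (default 0, i.e. not yet expired). Default issuance validity is one year.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null
}

# Note 2: deleting the CSR object does not revoke the certificate. Access ends
# only when no binding names the CN (or the cluster CA is replaced), so list
# every RoleBinding/ClusterRoleBinding whose subjects include the user.
bindings_for_user() {
    kubectl get rolebinding,clusterrolebinding -A \
        -o custom-columns='KIND:.kind,NAME:.metadata.name,NS:.metadata.namespace,SUBJECTS:.subjects[*].name' \
        | grep -w -- "$1"
}

# Put the checks together for one user and confirm the effective RBAC result.
# audit_user john john.key john.crt default
audit_user() {
    user="$1"; key="$2"; crt="$3"; ns="$4"
    key_matches_cert "$key" "$crt" || { echo "key/cert mismatch: authentication will fail"; return 1; }
    [ "$(cert_cn "$crt")" = "$user" ] || { echo "certificate CN is not $user"; return 1; }
    cert_valid_for_days "$crt" 30 || echo "warning: certificate expires within 30 days"
    echo "bindings granting $user:"
    bindings_for_user "$user" || echo "  none (user has no RBAC access)"
    # Evaluate RBAC as that user without switching context or using its key.
    kubectl auth can-i list pods -n "$ns" --as="$user"
}
```

The openssl -checkend test is preferable to parsing notAfter dates, which differ in format between GNU and BSD date; the check exits nonzero when the certificate will have expired within the given window.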