kubernetes rbac只读账户

kubernetes rbac只读账户

作者: 定_格 | 来源:发表于2019-07-26 19:23 被阅读10次

    创建只读rbac账户

    readonly.json

    {
      "CN": "readonly",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "HangZhou",
          "L": "HangZhou",
          "O": "develop:readonly",
          "OU": "develop"
        }
      ]
    }
    

    ca-config-readonly.json

    {
        "signing": {
            "default": {
                "expiry": "87600h"
            },
            "profiles": {
                "kubernetes": {
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ],
                    "expiry": "87600h"
                }
            }
        }
    }
    

    下载证书制作工具

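    # Fetch the cfssl toolchain (release R1.2) used below to sign the client certificate.
    # --fail (-f) makes curl exit non-zero on an HTTP error instead of saving the error page
    # as the "binary"; -S still prints errors while -s hides the progress meter.
    # NOTE(review): the downloads are HTTPS but not checksum- or signature-verified; compare
    # each file against a checksum obtained out of band before running it as root.
    curl -sSfL -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    curl -sSfL -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    curl -sSfL -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    # Explicit list instead of /bin/cfssl* so an unrelated file matching the glob is not made executable.
    chmod +x /bin/cfssl /bin/cfssljson /bin/cfssl-certinfo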
    

    基于 Kubernetes CA 证书创建只读用户的证书

    生成readonly-key.pem、readonly.pem、readonly.csr

    # Sign a client certificate for the read-only user with the cluster CA (kubeadm paths).
    # Subject fields come from readonly.json: CN=readonly is the user name presented to the API
    # server, O=develop:readonly is the group name the ClusterRoleBinding further down matches.
    # Usages and lifetime come from ca-config-readonly.json (profile "kubernetes", 87600h = 10 years).
    # NOTE(review): reading ca.key needs root on a control-plane node. The API server does not
    # consult revocation lists, so the practical way to withdraw this 10-year credential is to
    # remove the ClusterRoleBinding (or rotate the CA) — confirm for your cluster.
    cfssl gencert \
        --ca /etc/kubernetes/pki/ca.crt \
        --ca-key /etc/kubernetes/pki/ca.key \
        --config ca-config-readonly.json \
        --profile=kubernetes \
        readonly.json \
      | cfssljson --bare readonly
    

    创建kubeconfig

    # Assemble a standalone kubeconfig for the read-only user.
    KUBE_API_SERVER="https://192.168.67.19:6443"
    CA_CERT=/etc/kubernetes/pki/ca.crt
    KUBECONFIG_OUT=readonly.kubeconfig

    # Cluster entry: API server endpoint plus the CA that signed its serving certificate.
    kubectl config set-cluster kubernetes \
        --server="${KUBE_API_SERVER}" \
        --certificate-authority="${CA_CERT}" \
        --embed-certs=true \
        --kubeconfig="${KUBECONFIG_OUT}"

    # User entry: the client cert/key issued by cfssl. --embed-certs copies the private key into
    # the kubeconfig, so the output file is itself the credential — keep it mode 0600 and out of
    # version control.
    # NOTE(review): --certificate-authority is presumably accepted here only as a kubectl global
    # flag and does not affect the user entry; it could likely be dropped — confirm.
    kubectl config set-credentials develop-readonly \
        --certificate-authority="${CA_CERT}" \
        --embed-certs=true \
        --client-key=readonly-key.pem \
        --client-certificate=readonly.pem \
        --kubeconfig="${KUBECONFIG_OUT}"

    # Context: pair the cluster with the user and make it the file's current context.
    kubectl config set-context default-system \
        --cluster=kubernetes \
        --user=develop-readonly \
        --kubeconfig="${KUBECONFIG_OUT}"
    kubectl config use-context default-system --kubeconfig="${KUBECONFIG_OUT}"
    

    增加用于 dashboard 的 kubeconfig 方式登录（可选）

    1. cluster-readonly-sc.yaml，在生成的 kubeconfig 文件最后添加 token: ${token} 即可
    # ServiceAccount whose token gives the same cluster-wide read access as the client cert
    # (it is the second subject of the ClusterRoleBinding below). The bearer token is a
    # long-lived credential; treat a kubeconfig that embeds it like the private key.
    # NOTE(review): the token step below reads an auto-generated token Secret; on clusters that
    # no longer create one automatically (1.24+), issue one with `kubectl create token` — confirm.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: cluster-readonly
      namespace: kube-system
    
    2. 获取 token
    # Print the ServiceAccount's bearer token. `describe` matches Secret names by prefix, so this
    # presumably picks up the auto-generated cluster-readonly-token-* Secret — verify on your cluster.
    # The printed value is a long-lived credential carrying the full cluster-readonly permissions.
    kubectl describe secret cluster-readonly --namespace kube-system \
      | awk '$1 ~ /token:/ { print $2 }'
    

    kubectl apply -f readonly-clusterrole.yaml,clusterrolebinding.yaml

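    # ClusterRole "cluster-readonly": get/list/watch on common workload resources, in every
    # namespace. Bound below to the group develop:readonly (the cert's O=) and to the
    # ServiceAccount kube-system/cluster-readonly.
    # rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; v1beta1 was removed in 1.22.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cluster-readonly
    rules:
    # Pods only. The original rule also listed pods/attach, pods/exec, pods/portforward and
    # pods/proxy. The API server authorizes the GET/WebSocket form of those subresources with the
    # "get" verb, so "get" alone is enough to open an exec, attach or port-forward session or to
    # proxy HTTP into a pod — far more than read-only. They are dropped here, as in the built-in
    # "view" ClusterRole.
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    # services/proxy is dropped for the same reason as pods/proxy.
    # secrets are not listed and should stay out: they hold ServiceAccount tokens and other credentials.
    - apiGroups:
      - ""
      resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log  # read-only, but logs may contain secrets that applications print
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    # daemonsets and replicasets added under "apps": since 1.16 they are no longer served from
    # "extensions", so the extensions rule below grants nothing for them on current clusters.
    - apiGroups:
      - apps
      resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - statefulsets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - batch
      resources:
      - cronjobs
      - jobs
      - scheduledjobs  # legacy name of cronjobs; matches nothing on current clusters, harmless to keep
      verbs:
      - get
      - list
      - watch
    # Kept for older clusters that still serve these from "extensions"; harmless otherwise.
    - apiGroups:
      - extensions
      resources:
      - daemonsets
      - deployments
      - ingresses
      - replicasets
      verbs:
      - get
      - list
      - watch
    # ingresses moved to networking.k8s.io (v1beta1 in 1.14, v1 in 1.19).
    - apiGroups:
      - networking.k8s.io
      resources:
      - ingresses
      verbs:
      - get
      - list
      - watch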
    ---
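    # Grants cluster-readonly cluster-wide (all namespaces) to two subjects:
    #   - the group develop:readonly, i.e. any client cert whose O= is develop:readonly
    #     (the one issued by cfssl above);
    #   - the ServiceAccount kube-system/cluster-readonly, via its bearer token.
    # Use a RoleBinding instead if access should be limited to particular namespaces.
    # rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; v1beta1 was removed in 1.22.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-readonly
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-readonly
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: develop:readonly
    - kind: ServiceAccount
      name: cluster-readonly
      namespace: kube-system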
    

    参考文章https://www.jianshu.com/p/71d125b6e083
