kubernetes rbac只读账户
2019-07-26 本文已影响10人
定_格
创建只读rbac账户
readonly.json
{
"CN": "readonly",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "HangZhou",
"L": "HangZhou",
"O": "develop:readonly",
"OU": "develop"
}
]
}
ca-config-readonly.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
下载证书制作工具
curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /bin/cfssl*
基于以Kubernetes CA证书创建只读用户的证书
生成readonly-key.pem、readonly.pem、readonly.csr
cfssl gencert --ca /etc/kubernetes/pki/ca.crt --ca-key /etc/kubernetes/pki/ca.key --config ca-config-readonly.json --profile=kubernetes readonly.json |cfssljson --bare readonly
创建kubeconfig
KUBE_API_SERVER="https://192.168.67.19:6443"
kubectl config set-cluster kubernetes --server=${KUBE_API_SERVER} \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--kubeconfig=readonly.kubeconfig
kubectl config set-credentials develop-readonly \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--client-key=readonly-key.pem \
--client-certificate=readonly.pem \
--kubeconfig=readonly.kubeconfig
kubectl config set-context default-system --cluster=kubernetes \
--user=develop-readonly \
--kubeconfig=readonly.kubeconfig
kubectl config use-context default-system --kubeconfig=readonly.kubeconfig
增加用于dashboard的kubeconfig方式登陆(可选)
- cluster-readonly-sc.yaml,在生成的kubeconfig文件最后添加token: ${token}即可
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-readonly
namespace: kube-system
- 获取token
kubectl -n kube-system describe secret cluster-readonly |awk '$1~/token:/ {print $2}'
kubectl apply -f readonly-clusterrole.yaml,clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cluster-readonly
rules:
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- serviceaccounts
- services
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- deployments/rollback
- deployments/scale
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- ingresses
- replicasets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cluster-readonly
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: develop:readonly
- kind: ServiceAccount
name: cluster-readonly
namespace: kube-system