
Problem description

I need to create users to assign them permissions with RBAC. I create them as follows:

echo -n "lucia" | base64
bHVjaWE=
echo -n "pass" | base64
cGFzcw==

apiVersion: v1
kind: Secret
metadata:
  name: lucia-secret
type: Opaque
data:
  username: bHVjaWE=
  password: cGFzcw==

Or I create them this way:

# one --from-literal per key; a single "username='lucia',password='pass'" value would be stored as the username
kubectl create secret generic lucia-secret --from-literal=username=lucia --from-literal=password=pass

I don't know how to continue:

USER_NICK=lucia

# basic-auth credentials; the API server only accepts these if it was started
# with basic auth enabled (support for that was removed in Kubernetes 1.19)
kubectl config set-credentials $USER_NICK \
    --username=lucia \
    --password=pass

# lucia-secret was created above with only the keys username and password,
# so it has no ca.crt key and this does not yield a CA certificate
kubectl get secret lucia-secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt

# $name must hold the name of the existing cluster entry in the kubeconfig (it is not set above)
endpoint=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}")

kubectl config set-cluster cluster-for-lucia \
  --embed-certs=true \
  --server=$endpoint \
  --certificate-authority=./ca.crt

kubectl config set-context context-lucia \
  --cluster=cluster-for-lucia \
  --user=$USER_NICK \
  --namespace=default

ca.crt is empty.

Thanks for your help!

Recommended answer

The Kubernetes docs and articles use certificates to create or authenticate users for the kubectl client. However, there is one easy way to do it by using a ServiceAccount. One can use a ServiceAccount as a group to provide RBAC-controlled authentication, and it is very easy and descriptive. Here are the steps. All the steps I am executing are in the default namespace. I am going to create a pod read-only user which can get, list and watch any pod in all namespaces.

  • Create a ServiceAccount, say 'readonlyuser'.

kubectl create serviceaccount readonlyuser

  • Create a cluster role, say 'readonlyuser'.

kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods

  • Create a cluster role binding, say 'readonlyuser'.

kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser

  • Now get the token from the Secret of the ServiceAccount we created before. We will use this token to authenticate the user.

# reads the auto-created token Secret listed under "Tokens:" in the ServiceAccount description
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')

  • Now set the credentials for the user in the kube config file. I am using 'vikash' as the username.

kubectl config set-credentials vikash --token=$TOKEN

  • Now create a context, say podreader. I am using my cluster name 'kubernetes' here.

kubectl config set-context podreader --cluster=kubernetes --user=vikash

  • Finally, use the context.

kubectl config use-context podreader

And that's it. Now one can execute kubectl get pods --all-namespaces. One can also check the access by executing the following:

~ : $ kubectl auth can-i get pods --all-namespaces
yes
~ : $ kubectl auth can-i create pods
no
~ : $ kubectl auth can-i delete pods
no


09-01 21:00