Kubernetes 身份认证和授权操作全攻略：上手操作 Kubernetes 授权

kubectl config set-context eng-context \  --cluster=minikube \  --namespace=engineering \  --user=bobContext "eng-context" created.

apiVersion: v1kind: Podmetadata:  name: myapp  namespace: engineering  labels:    app: myappspec:  containers:  - name: myapp    image: busybox    command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"]

 kubectl create -f myapp.yamlpod/myapp created

kubectl get pods -n=engineeringNAME    READY   STATUS    RESTARTS   AGEmyapp   1/1     Running   0          89s

kubectl get pods --namespace engineering --as bobError from server (Forbidden): pods is forbidden: User "bob" cannot list resource "pods" in API group "" in the namespace "engineering"

apiVersion: rbac.authorization.k8s.io/v1metadata:  namespace: engineering   name: eng-readerrules:- apiGroups: [""] # "" indicates the core API group  resources: ["pods", "services", "nodes"]  verbs: ["get", "watch", "list"]

kubectl create -f role.yamlrole.rbac.authorization.k8s.io/eng-reader created

kubectl get roles --namespace=engineeringNAME         AGEeng-reader   58s

kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:  name: eng-read-access  namespace: engineeringsubjects:- kind: User  name: bob # Name is case sensitive  apiGroup: rbac.authorization.k8s.ioroleRef:  kind: Role #this must be Role or ClusterRole  name: eng-reader # this must match the name of the Role or ClusterRole you wish to bind to  apiGroup: rbac.authorization.k8s.io

kubectl create -f role-binding.yamlrolebinding.rbac.authorization.k8s.io/eng-read-access created

kubectl get rolebindings --namespace=engineeringNAME              AGEeng-read-access   31s

kubectl get pods --namespace engineering --as bobNAME    READY   STATUS    RESTARTS   AGEmyapp   1/1     Running   0          11m

kubectl get nodes --as bobError from server (Forbidden): nodes is forbidden: User "bob" cannot list resource "nodes" in API group "" at the cluster scope

kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:  # "namespace" omitted since ClusterRoles are not namespaced  name: cluster-node-readerrules:- apiGroups: [""]  resources: ["nodes"]  verbs: ["get", "watch", "list"]

kubectl create -f cluster-role.yamlclusterrole.rbac.authorization.k8s.io/cluster-node-reader created

kubectl get clusterroles cluster-node-readerNAME                  AGEcluster-node-reader   49s

kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:  name: read-cluster-nodessubjects:- kind: User  name: bob # Name is case sensitive  apiGroup: rbac.authorization.k8s.ioroleRef:  kind: ClusterRole  name: cluster-node-reader  apiGroup: rbac.authorization.k8s.io

kubectl create -f cluster-role-binding.yamlclusterrolebinding.rbac.authorization.k8s.io/read-cluster-nodes created

kubectl get clusterrolebindings read-cluster-nodesNAME                 AGEread-cluster-nodes   35s

kubectl get nodes --as bobNAME       STATUS   ROLES    AGE   VERSIONminikube   Ready    master   52m   v1.15.2