56. Kubernetes - Security: Authorization (3)
Published: 2023-01-12 23:35:36  Editor: 雪饮
Step 1
First we create a Linux user for the sub-account:
[root@k8s-master01 ~]# useradd devuser
[root@k8s-master01 ~]# passwd devuser
Changing password for user devuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
This account can of course log in through a terminal client such as Xshell, but that says nothing about access to the Kubernetes cluster. With no kubeconfig of its own, kubectl falls back to the unauthenticated default http://localhost:8080, and nothing is listening there:
[devuser@k8s-master01 ~]$ kubectl get pod
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Step 2
Next, prepare a directory for the new user's files:
[root@k8s-master01 ~]# mkdir /usr/local/install-k8s/cert
[root@k8s-master01 ~]# mkdir /usr/local/install-k8s/cert/devuser
Then get hold of the tool used to create and sign the certificate request, cfssl. Unpack cfssl.zip.001 (it is a multi-volume archive; look up how to extract those yourself):
PS E:\9、Kubernetes - 安全\鸿鹄论坛_9、Kubernetes - 安全\2、资料> dir
Directory: E:\9、Kubernetes - 安全\鸿鹄论坛_9、Kubernetes - 安全\2、资料
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2020/5/8 18:14 1048576 cfssl.zip.001
-a---- 2020/5/8 18:14 1048576 cfssl.zip.002
-a---- 2020/5/8 18:14 1048576 cfssl.zip.003
-a---- 2020/5/8 18:14 1048576 cfssl.zip.004
-a---- 2020/5/8 18:14 1048576 cfssl.zip.005
-a---- 2020/5/8 18:14 391674 cfssl.zip.006
-a---- 2020/5/8 18:14 128512 课堂随笔.ppt
I extracted it into a folder named after the archive:
PS E:\9、Kubernetes - 安全\鸿鹄论坛_9、Kubernetes - 安全\2、资料\cfssl.zip> dir
Directory: E:\9、Kubernetes - 安全\鸿鹄论坛_9、Kubernetes - 安全\2、资料\cfssl.zip
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2016/3/30 8:50 10376657 cfssl
-a---- 2016/3/30 8:51 6595195 cfssl-certinfo
-a---- 2016/3/30 8:52 2277873 cfssljson
Upload these three files to /usr/local/bin and make them executable (the wildcard below also touches anything already in /usr/local/bin; chmod a+x /usr/local/bin/cfssl* is the tighter form):
[root@k8s-master01 ~]# chmod a+x /usr/local/bin/*
[root@k8s-master01 ~]# ls /usr/local/bin
cfssl cfssl-certinfo cfssljson
These three files come from a slightly different path than the one used in the course...
I'll just give it a try here.
Step 3
Next, create the certificate signing request (CSR) description for the sub-account. The API server derives the identity from the certificate subject: CN becomes the Kubernetes user name and each O becomes a group. So be careful what goes into O; "O": "system:masters" would make this certificate cluster-admin regardless of any RBAC binding.
[root@k8s-master01 pki]# cat /usr/local/install-k8s/cert/devuser/devuser-csr.json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
Then go to the certificate directory that was used when the cluster was set up:
[root@k8s-master01 ~]# cd /etc/kubernetes/pki/
and generate the key and certificate, signed by the cluster CA:
[root@k8s-master01 pki]# cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /usr/local/install-k8s/cert/devuser/devuser-csr.json | cfssljson -bare devuser
2023/01/12 22:35:16 [INFO] generate received request
2023/01/12 22:35:16 [INFO] received CSR
2023/01/12 22:35:16 [INFO] generating key: rsa-2048
2023/01/12 22:35:16 [INFO] encoded CSR
2023/01/12 22:35:16 [INFO] signed certificate with serial number 495092303313449932337487004696422479701566077802
2023/01/12 22:35:16 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
A few things to know about this command. There is no -config, so -profile=kubernetes has no effect: cfssl falls back to its built-in default signing policy (one year validity; key usages signing, key encipherment, server auth and client auth), which does include the client auth usage the API server requires. cfssljson -bare devuser writes devuser.pem, devuser-key.pem and devuser.csr into the current directory, that is /etc/kubernetes/pki, which is where Step 5 picks them up. The warning about the missing "hosts" field is harmless here: hosts (SANs) matter for server certificates, while for a client certificate the API server only looks at the subject's CN and O.
Step 4
The next commands write files, so go back to the directory created at the start so that everything lands there. First set an environment variable for the API server address:
[root@k8s-master01 pki]# cd /usr/local/install-k8s/cert/devuser/
[root@k8s-master01 devuser]# export KUBE_APISERVER=https://192.168.66.10:6443
Then set the cluster entry. --embed-certs=true copies the CA certificate into the kubeconfig instead of referencing its path, which is what makes the file portable to devuser's home later:
[root@k8s-master01 devuser]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=devuser.kubeconfig
Cluster "kubernetes" set.
And indeed a new file appears:
[root@k8s-master01 devuser]# ls
devuser-csr.json devuser.kubeconfig
Its content:
[root@k8s-master01 devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <base64 CA certificate, elided>
server: https://192.168.66.10:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
Step 5
Next, the credentials, pointing at the certificate and key that cfssljson wrote into /etc/kubernetes/pki in Step 3:
[root@k8s-master01 devuser]# kubectl config set-credentials devuser --client-certificate=/etc/kubernetes/pki/devuser.pem --client-key=/etc/kubernetes/pki/devuser-key.pem --embed-certs=true --kubeconfig=devuser.kubeconfig
User "devuser" set.
Look at devuser.kubeconfig again:
[root@k8s-master01 devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXhNekUwTWpZME5Wb1hEVE15TVRJeE1ERTBNalkwTlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTjFECktWNllDQTdhTUd6TzJiK1VJTEd0UndGSWtoL282RE5FWGNRazJBV2NzemY2bnJOR0I0amVPTnpXc0lraFFvUHcKODVYNFk0WGRmMHNvYmRXUUVBbU1Qc1ZrdG1sZDhPUGZNbDlzRlA2eHZ2SCt2VE5XVTVjZXJObmxUWkRtMjIwMApPQnYyWWttOG9KU2p3MXJUQ3RBVi92QlBDVWVzcGRRcEt5Tm1oaG9ua1lIMW0ydEVPVjBWZGowSHBsa3pvbWZZCll3Tk5SOGoyeDJGTXNJblQ2Qkk1cWxLZW9BcmZFQm1GOTZudG0rNFJWbnp1cm52Uk1sSjJiemJSR24rUHBjWUIKZENXazl1dmNkMmlPbWlYVkNmRGFGWEc0WTJTbENkV252bzNLb2kweWhMZ0cvQnQ5V1J3R3NGc3oybVU4Y1BaOQpmWGxJZ1ZrY0RrMm8xMk5QSkkwQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFMcmpkRGNKNk5oUXdEYnZBeUsrbFJza3FzckQKejFJa0hLeEQyQittbWhnVlROdHZ6eVJMUG9BdG4zQXdxazJLamN4Zm5yTVgva3VxN1BncUwvQXRVdG1pb1UxegpscUZiM2lLMUZpZENYVnFUaTcxczNNckxlVVl5MzJyM2dlZHZGeUVjSW5oQjBTbmFFQUpnUkJveFZtemVwZThPClcrK0tFd0sydG9Ed1NQZDg3WS9kK2FDdW02aHpwdHZOMm40bVcvRmR1Q000L2NZT3lQUGpRS0huZUdTQnQ1cnkKSDA2a1VtNVRDdUtrTnZWUjBGSXA3TUY0L2NRQjhveXJSWHRsdWhmdmdOOWpFZm96VE5kZTNsYWxCRFN5N1M2RQpESHFYZWJRNExleTNJRzNjc2VQc3VJem9aZGJJd2Z5b3ZqczNWdjhxZ3dleVNsTlY4MXJZR1JMT3J4OD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://192.168.66.10:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
user:
client-certificate-data: <base64 client certificate, elided>
client-key-data: <base64 client private key, elided>
The users list, which was empty a moment ago, now carries the client certificate and, because of --embed-certs=true, the private key itself, both base64 encoded.
Anyone who can read this file can act as devuser, so treat it like a password.
Step 6
Next, create a namespace (an existing one would do just as well) and create a context that ties cluster, user and namespace together:
[root@k8s-master01 devuser]# kubectl create namespace dev
namespace/dev created
[root@k8s-master01 devuser]# kubectl config set-context kubernetes --cluster=kubernetes --user=devuser --namespace=dev --kubeconfig=devuser.kubeconfig
Context "kubernetes" created.
Look at devuser.kubeconfig once more. The important addition is the context with its namespace; note that current-context is still empty, because nothing selects the context until use-context is run:
[root@k8s-master01 devuser]# cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <base64 CA certificate, elided>
server: https://192.168.66.10:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: dev
user: devuser
name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
user:
client-certificate-data: <base64 client certificate, elided>
client-key-data: <base64 client private key, elided>
Step 7
Now the binding: a RoleBinding in namespace dev that references the built-in admin ClusterRole:
[root@k8s-master01 devuser]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
admin is a ClusterRole, but because it is referenced from a RoleBinding its rules only apply inside the binding's namespace: devuser can do nearly anything in dev (including reading Secrets and creating further Roles and RoleBindings there) and nothing anywhere else.
Then, in the devuser SSH session opened earlier, create the directory kubectl looks in for its configuration:
[devuser@k8s-master01 ~]$ mkdir .kube/
Now, back on the master as root (it may be that this does not have to be root and devuser could do it too; let's just follow along for now), copy the generated devuser.kubeconfig into that .kube directory as config:
[root@k8s-master01 devuser]# cp devuser.kubeconfig /home/devuser/.kube/config
Ouch, that bit back: it really does have to be root (so much for my theory above). kubectl config writes devuser.kubeconfig with mode 0600 under root, so devuser cannot read the original. After the copy, hand the file over to devuser:
[root@k8s-master01 devuser]# chown devuser:devuser /home/devuser/.kube/config
Also confirm the copy is still mode 0600 (ls -l should show -rw-------) and chmod 600 it if not, since it contains devuser's private key.
Then back in devuser's shell, go into the new .kube directory and select the context:
[devuser@k8s-master01 ~]$ cd .kube/
[devuser@k8s-master01 .kube]$ kubectl config use-context kubernetes --kubeconfig=config
Switched to context "kubernetes".
kubectl reads ~/.kube/config by default, so the --kubeconfig=config argument only works because the command is run from inside .kube; a plain kubectl config use-context kubernetes from any directory does the same thing.
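The four kubectl config commands from Steps 4 to 7 only edit a YAML file. The following Python script, an added example that is not code from the original post or from kubectl, rebuilds the same devuser.kubeconfig by hand: it shows what --embed-certs=true actually stores (the base64 of the PEM files, private key included), creates the file with mode 0600 from the start, and provides the permission check to run on the copy that ends up in /home/devuser/.kube/config. The PEM texts it writes are constructed placeholders, the function and file names are my own, and it emits JSON, which kubectl reads as a kubeconfig just like YAML.

```python
"""Rebuild devuser.kubeconfig by hand (added example; not from the post or kubectl).

Reproduces what kubectl config set-cluster / set-credentials / set-context /
use-context write with --embed-certs=true, creates the file 0600 from the start,
and decodes the embedded key to show that the file itself is the credential.
The PEM texts in demo() are constructed placeholders, not real certificates.
Output is JSON, which kubectl accepts as a kubeconfig exactly like YAML.
"""
from __future__ import annotations

import base64
import json
import os
import stat
import tempfile

SERVER = "https://192.168.66.10:6443"  # the KUBE_APISERVER value from Step 4


def embed(path: str) -> str:
    """--embed-certs=true stores the PEM file as base64, nothing more."""
    with open(path, "rb") as f:
        return base64.b64encode(f.read()).decode("ascii")


def new_config() -> dict:
    return {"apiVersion": "v1", "kind": "Config", "preferences": {},
            "clusters": [], "users": [], "contexts": [], "current-context": ""}


def _upsert(items: list, name: str, key: str, body: dict) -> None:
    """kubectl config set-* replaces an entry of the same name rather than duplicating it."""
    items[:] = [i for i in items if i["name"] != name]
    items.append({"name": name, key: body})


def set_cluster(cfg: dict, name: str, server: str, ca_path: str) -> None:
    _upsert(cfg["clusters"], name, "cluster",
            {"certificate-authority-data": embed(ca_path), "server": server})


def set_credentials(cfg: dict, name: str, cert_path: str, key_path: str) -> None:
    _upsert(cfg["users"], name, "user",
            {"client-certificate-data": embed(cert_path),
             "client-key-data": embed(key_path)})


def set_context(cfg: dict, name: str, cluster: str, user: str, namespace: str) -> None:
    _upsert(cfg["contexts"], name, "context",
            {"cluster": cluster, "user": user, "namespace": namespace})


def use_context(cfg: dict, name: str) -> None:
    if name not in {c["name"] for c in cfg["contexts"]}:
        raise KeyError(f"no context named {name!r}")
    cfg["current-context"] = name


def write_kubeconfig(cfg: dict, path: str) -> None:
    """Create with mode 0600 so the embedded private key is never group/world readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)


def embedded_key_pem(cfg: dict, user: str) -> str:
    """client-key-data is plain base64: whoever can read the file holds the key."""
    for u in cfg["users"]:
        if u["name"] == user:
            return base64.b64decode(u["user"]["client-key-data"]).decode()
    raise KeyError(user)


def private_enough(path: str) -> bool:
    """The check to run on /home/devuser/.kube/config: no group or other bits set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def build_devuser_kubeconfig(ca: str, cert: str, key: str, out: str) -> dict:
    """The four kubectl config commands from Steps 4 to 7, in order."""
    cfg = new_config()
    set_cluster(cfg, "kubernetes", SERVER, ca)
    set_credentials(cfg, "devuser", cert, key)
    set_context(cfg, "kubernetes", "kubernetes", "devuser", "dev")
    use_context(cfg, "kubernetes")
    write_kubeconfig(cfg, out)
    return cfg


def demo(workdir: str | None = None) -> tuple[dict, str, str]:
    """Write constructed placeholder PEMs, build the kubeconfig from them and
    return (config, output path, placeholder key text)."""
    workdir = workdir or tempfile.mkdtemp(prefix="devuser-")
    pems = {
        "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
        "devuser.pem": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n",
        "devuser-key.pem": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, text in pems.items():
        with open(os.path.join(workdir, name), "w") as f:
            f.write(text)
    out = os.path.join(workdir, "devuser.kubeconfig")
    cfg = build_devuser_kubeconfig(*(os.path.join(workdir, n) for n in pems), out)
    return cfg, out, pems["devuser-key.pem"]


if __name__ == "__main__":
    cfg, out, _ = demo()
    print(out, "permissions ok:", private_enough(out))
    print(json.dumps(cfg["contexts"], indent=2))
```

private_enough() is the check worth running on /home/devuser/.kube/config after the cp and chown above; embedded_key_pem() makes the point that --embed-certs=true turns the kubeconfig into the credential itself, so its permissions matter as much as those of devuser-key.pem.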
Step 8
Now listing pods works:
[devuser@k8s-master01 .kube]$ kubectl get pod
No resources found.
The context's default namespace is dev rather than default, so this lists the dev namespace created above, and an empty result is exactly what to expect.
Creating a pod is within the granted permissions too:
[devuser@k8s-master01 .kube]$ kubectl run nginx --image=wangyanglinux/myapp:v2
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created
This is the old-style imperative kubectl run from the very beginning of Kubernetes, rather than a YAML manifest. After using YAML templates for so long, going back to the command line feels like returning to the starting point, yet the command no longer looks confusing, only familiar; perhaps that is what this journey of learning has given me. (On this kubectl version, run creates a Deployment, as the generated pod name shows, not a bare Pod.)
And the pod comes up without trouble:
[devuser@k8s-master01 .kube]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-6c6fdcd84c-zb5vw 1/1 Running 0 2m52s
From root's terminal on the master it is visible as well, and the namespace column confirms that the pod landed in dev, the context's default:
[root@k8s-master01 devuser]# kubectl get pod --all-namespaces -o wide | grep nginx
dev nginx-6c6fdcd84c-zb5vw 1/1 Running 0 4m33s 10.224.2.216 k8s-node02 <none> <none>
ingress-nginx nginx-ingress-controller-5cb7db844-b6prb 0/1 ErrImagePull 0 3d2h 192.168.66.21 k8s-node02 <none> <none>
Back in devuser's session, try the cluster's default namespace:
[devuser@k8s-master01 .kube]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "default"
devuser was only bound in dev; default is off limits, and the API server says so with a 403 Forbidden. kubectl auth can-i list pods -n default answers the same question without attempting the operation. One caveat to keep in mind: the API server does not consult certificate revocation lists, so if devuser-key.pem ever leaks, deleting the RoleBinding (or rotating the cluster CA) is the only way to cut that certificate off before it expires, which under cfssl's default policy is one year after issuance.
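To see why the last command is Forbidden while the same command in dev succeeds, here is a small RBAC evaluator in Python. It is an added example, not code from the original post or from Kubernetes: it turns the certificate subject from Step 3 into the identity the API server uses (CN is the user name, each O is a group), models the RoleBinding from Step 7 with the documented RBAC semantics (a RoleBinding grants only inside its own namespace even when it references a ClusterRole; a ClusterRoleBinding grants everywhere), and answers can-i style questions. The rule set in ROLES is a constructed subset of the real admin and cluster-admin ClusterRoles, and all function and class names are my own.

```python
"""Why `kubectl get pod` works in dev and is Forbidden in default.

Added example, not code from the original post or from Kubernetes. ROLES is a
constructed subset of the built-in ClusterRoles (the real admin role is far
longer); the evaluation logic follows the documented RBAC semantics.
"""
from __future__ import annotations

from dataclasses import dataclass


def identity_from_subject(subject: str) -> tuple[str, list[str]]:
    """RFC 2253 style subject string -> (user name, groups), the way the API
    server derives them from a client certificate: CN is the user, each O a group."""
    user, groups = "", []
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups


@dataclass(frozen=True)
class Rule:
    api_groups: tuple[str, ...]
    resources: tuple[str, ...]
    verbs: tuple[str, ...]

    def matches(self, verb: str, api_group: str, resource: str) -> bool:
        def hit(wanted: str, allowed: tuple[str, ...]) -> bool:
            return "*" in allowed or wanted in allowed
        return (hit(api_group, self.api_groups)
                and hit(resource, self.resources)
                and hit(verb, self.verbs))


@dataclass(frozen=True)
class Binding:
    role: str                      # a ClusterRole name from ROLES
    users: tuple[str, ...] = ()
    groups: tuple[str, ...] = ()
    namespace: str | None = None   # None: ClusterRoleBinding; otherwise a RoleBinding


# Constructed subset of the built-in ClusterRoles.
ROLES: dict[str, list[Rule]] = {
    "admin": [
        Rule(("",), ("pods", "pods/log", "services", "configmaps", "secrets"), ("*",)),
        Rule(("apps",), ("deployments", "replicasets"), ("*",)),
        Rule(("rbac.authorization.k8s.io",), ("roles", "rolebindings"), ("*",)),
    ],
    "cluster-admin": [Rule(("*",), ("*",), ("*",))],
}

# The binding from Step 7, plus the kubeadm default that makes any certificate
# with O=system:masters cluster-admin in every namespace.
BINDINGS: list[Binding] = [
    Binding(role="admin", users=("devuser",), namespace="dev"),
    Binding(role="cluster-admin", groups=("system:masters",)),
]


def allowed(bindings, user, groups, verb, api_group, resource, namespace) -> bool:
    """RBAC is deny by default: one matching rule in one applicable binding allows."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding of another namespace, or a cluster-scoped request
        if user not in b.users and not any(g in b.groups for g in groups):
            continue  # subject not listed in this binding
        if any(r.matches(verb, api_group, resource) for r in ROLES[b.role]):
            return True
    return False


def can_i(user: str, groups: list[str], verb: str, resource: str,
          namespace: str, api_group: str = "") -> bool:
    """The question `kubectl auth can-i VERB RESOURCE -n NAMESPACE` asks.
    Use namespace "" for cluster-scoped resources such as nodes."""
    return allowed(BINDINGS, user, groups, verb, api_group, resource, namespace)


if __name__ == "__main__":
    user, groups = identity_from_subject("CN=devuser,O=k8s,OU=system")
    for ns, verb, res in (("dev", "list", "pods"), ("default", "list", "pods"),
                          ("dev", "get", "secrets"), ("", "list", "nodes")):
        print(f"{user} {verb} {res} in {ns or '<cluster>'}: {can_i(user, groups, verb, res, ns)}")
```

The real answer comes from kubectl auth can-i run as devuser; the evaluator reproduces it offline, and the system:masters binding shows why an O of system:masters in a CSR like the one in Step 3 must never be signed casually: that group bypasses every RoleBinding you might have intended.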