Question

在我的Linux服务器上，我有kubernetes集群。许多开发人员正在使用此集群。我想为只能访问特定kubernetes命名空间的用户创建Linux系统帐户。

Answer 1

在主机中创建Linux帐户。
为该帐户创建TLS认证。

openssl genrsa -out ${account-name}-key.pem 2048 
openssl req -new -sha256 -key ${account-name}-key.pem -out ${account-name}.csr -subj "/CN=${account-name}"
openssl x509 -req -sha256 -in ${account-name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${account-name}.pem -days 365

创建kubeconfig以使用TLS认证连接到apiserver。像这样：

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /home/account-name/ssl/ca.pem
    server: https://master-ip
  name: k8s
contexts:
- context:
    cluster: k8s
    user: account-name
  name: admin
current-context: admin
users:
- name: account-name
  user:
    client-certificate: /home/account-name/ssl/account-name.pem
    client-key: /home/account-name/ssl/account-name-key.pem

为用户提供RBAC的适当特权，例如对命名空间的完全特权：

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: account-name-admin
  namespace: namespace-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: account-name

如何创建只能访问kubernetes中特定名称空间的Linux系统帐户？

1 个答案: