Mechanism overview

Kubernetes, as a management tool for distributed clusters, treats cluster security as one of its core tasks. The API Server is the intermediary through which the cluster's components talk to each other and the entry point for external control, so the Kubernetes security mechanisms are essentially designed around protecting the API Server. Kubernetes secures the API Server in three steps: authentication, authorization, and admission control.

Authentication

  • HTTP Token authentication: a token identifies a legitimate user
  • HTTP Basic authentication: authentication by username + password
  • The strictest option, HTTPS certificate authentication: client identity authentication based on certificates signed by the CA root certificate
HTTPS: mutual authentication (certificates are issued to each party)
  • Cluster components
    • etcd server side; etcd client: the API Server
    • API Server server side; API Server clients:
      • Encrypted: certificate issued by the cluster: kubelet; certificate issued manually: kubectl, kube-proxy
      • Unencrypted: Controller Manager and Scheduler, which both run on the master node
SA (ServiceAccount): Pod authentication
  • ca.crt: used by the Pod to verify the certificate presented by the apiserver
  • token: used by the apiserver to verify that the Pod is legitimate (single-point authentication)
  • namespace: identifies the scope

Authorization

The authentication step above only establishes that both parties trust each other and may communicate. Authorization determines which resources the requester is allowed to act on. The API Server currently supports the following authorization strategies (selected with the API Server start-up parameter "--authorization-mode"):

  • AlwaysDeny: rejects every request; generally used only for testing
  • AlwaysAllow: accepts every request; usable when the cluster needs no authorization process
  • ABAC (Attribute-Based Access Control): matches user requests against user-configured authorization rules
  • Webhook: authorizes users by calling an external REST service
  • RBAC (Role-Based Access Control): role-based access control, the current default

RBAC authorization mode

RBAC (Role-Based Access Control) was introduced in Kubernetes 1.5 and has become the default standard in current versions. Compared with the other access control modes, it has the following advantages:

  • Complete coverage of both resource and non-resource endpoints in the cluster
  • The whole of RBAC is expressed by a handful of API objects, which can be manipulated with kubectl or the API like any other API object
  • Adjustments can be made at runtime without restarting the API Server

The RBAC API resource objects

RBAC introduces four new top-level resource objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. All four object types can be manipulated with kubectl and the API.

Role and ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  # The resource is the pod type. Sub-resources are addressed with a "/" separator,
  # e.g. resources: ["pods", "pods/log"]; resources: ["pods/log"] alone grants access
  # only to the pods' logs.
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding and ClusterRoleBinding

A RoleBinding contains a list of subjects, which may be of different kinds (User, Group, ServiceAccount), to which the permissions of the referenced role are granted.

A RoleBinding can bind either a Role or a ClusterRole, whereas a ClusterRoleBinding can only bind a ClusterRole.

RoleBinding binding a Role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  # Defaults to "" for ServiceAccount subjects.
  # Defaults to "rbac.authorization.k8s.io" for User and Group subjects
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

RoleBinding binding a ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding binding a ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
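The scoping rule stated above (a RoleBinding grants only inside its own namespace even when it references a ClusterRole, a ClusterRoleBinding grants everywhere) and the sub-resource note in the Role example, replayed in code. This is an added example, not code from the original post or from Kubernetes: a simplified model of the RBAC authorizer (apiGroups, resources and verbs only; no resourceNames or nonResourceURLs), loaded with the Role, ClusterRole and binding objects shown above.

```python
# The objects from the post, reduced to the fields the RBAC authorizer reads.
ROLES = {("default", "pod-reader"): [  # (namespace, name) -> rules
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
CLUSTER_ROLES = {"secret-reader": [  # name -> rules
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]}
# RoleBindings carry their namespace; the ClusterRoleBinding has namespace None.
BINDINGS = [
    {"namespace": "default", "subjects": [("User", "jane")],
     "roleRef": ("Role", "pod-reader")},
    {"namespace": "development", "subjects": [("User", "dave")],
     "roleRef": ("ClusterRole", "secret-reader")},
    {"namespace": None, "subjects": [("Group", "manager")],
     "roleRef": ("ClusterRole", "secret-reader")},
]

def rule_allows(rule, verb, api_group, resource):
    """Evaluate one PolicyRule; "*" is a wildcard in each list."""
    if verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
        return False
    res = rule["resources"]
    # A sub-resource such as "pods/log" needs "pods/log" or "pods/*" in the rule;
    # a bare "pods" does not cover it.
    parent = resource.split("/", 1)[0]
    return "*" in res or resource in res or ("/" in resource and parent + "/*" in res)

def subject_matches(subjects, user, groups):
    return any((kind == "User" and name == user) or (kind == "Group" and name in groups)
               for kind, name in subjects)

def rules_for(role_ref, binding_namespace):
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((binding_namespace, name), [])  # a Role lives in its binding's namespace

def authorize(user, groups, verb, resource, namespace, api_group=""):
    """RBAC is deny-by-default: allow only if some binding's rules permit the request."""
    for b in BINDINGS:
        if not subject_matches(b["subjects"], user, groups):
            continue
        # A RoleBinding grants only inside its own namespace, even when it references
        # a ClusterRole; a ClusterRoleBinding (namespace None) grants everywhere.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        rules = rules_for(b["roleRef"], b["namespace"])
        if any(rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False
```
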
Example: creating a user who is an administrator of one namespace

# Create the file test.json in the /opt directory.
# "CN" is the user name. An empty "hosts" list means the certificate can be used from
# any node, i.e. any node can reach the apiserver with it. "O" is the group: here a
# custom group named k8s; system groups are prefixed "system:".
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
# Download the certificate tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
# Grant execute permission
chmod a+x /usr/local/bin/cfssl
chmod a+x /usr/local/bin/cfssljson
chmod a+x /usr/local/bin/cfssl-certinfo
# Sign the certificate with the cluster CA
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes /opt/test.json | cfssljson -bare test
[root@master opt]# ll test*
-rw-r--r--. 1 root root  993 54 15:52 test.csr
-rw-r--r--. 1 root root  217 54 15:28 test.json
-rw-------. 1 root root 1675 54 15:52 test-key.pem
-rw-r--r--. 1 root root 1233 54 15:52 test.pem
# Set the cluster parameters (i.e. the server side)
[root@master opt]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.116.128 master k8s-api registry
192.168.116.129 node1
# Set the KUBE_APISERVER variable
export KUBE_APISERVER="https://k8s-api:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
# Set the client credential parameters
kubectl config set-credentials test \
--client-certificate=/opt/test.pem \
--client-key=/opt/test-key.pem \
--embed-certs=true \
--kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
# Set the context parameters
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=test \
--namespace=testns \
--kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
# Switch the context
kubectl config use-context kubernetes --kubeconfig=/opt/test.kubeconfig
[root@master .kube]# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.234.137:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
# Originally the empty string; after the switch it becomes kubernetes
# Note: the context must be switched before the file is copied into $HOME/.kube,
# otherwise kubectl reports that it cannot connect to the apiserver
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
# Create the testns namespace
kubectl create ns testns
# Limit the namespace's resources
apiVersion: v1
kind: ResourceQuota
metadata:
  name: limit-resources
  namespace: testns
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 100Gi
    limits.cpu: "40"
    limits.memory: 200Gi
# Bind the admin role to the test user
kubectl create rolebinding test-admin-binding --clusterrole=admin --user=test --namespace=testns
$ kubectl get rolebinding -n testns
NAME                 ROLE                AGE
test-admin-binding   ClusterRole/admin   33s
# Create any Linux user, e.g. test1, and place test.kubeconfig in the .kube folder of test1's home directory; that user can then access the apiserver
useradd test1
passwd test1
mkdir -p /home/test1/.kube
cp /opt/test.kubeconfig /home/test1/.kube/config
chown -R test1:test1 /home/test1/.kube
# Note that get pod now operates in the testns namespace
[test1@master ~]$ kubectl get pod
No resources found in testns namespace
# Trying to get the pods of another namespace is refused
[test1@master ~]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
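What the four kubectl config commands above produce, together with a check for the pitfall noted in the comments (an empty current-context) and for the namespace scoping that the Forbidden error above demonstrates. Added example, not the post's own commands or any kubectl code; the PEM strings are constructed placeholders, and the behaviour it mirrors (--embed-certs base64-encodes each file into a *-data field, use-context fills current-context) is the one visible in the kubeconfig output above.

```python
import base64

# Constructed placeholder PEM blobs standing in for ca.crt, test.pem and test-key.pem.
CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----\n"

def embed_pem(pem):
    # --embed-certs=true stores the file content base64-encoded in a *-data field.
    return base64.b64encode(pem.encode()).decode()

def build_kubeconfig(server, ca_pem, cert_pem, key_pem, user="test",
                     namespace="testns", use_context=True):
    """Same result as set-cluster, set-credentials, set-context and (if use_context) use-context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "certificate-authority-data": embed_pem(ca_pem), "server": server}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": embed_pem(cert_pem),
            "client-key-data": embed_pem(key_pem)}}],
        "contexts": [{"name": "kubernetes", "context": {
            "cluster": "kubernetes", "user": user, "namespace": namespace}}],
        # use-context is the step that turns "" into "kubernetes".
        "current-context": "kubernetes" if use_context else "",
    }

def check_kubeconfig(cfg):
    """Return the problems that would stop kubectl from working as the post expects."""
    problems = []
    current = cfg.get("current-context", "")
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts") or []}
    if not current:
        problems.append("current-context is empty: run 'kubectl config use-context' first")
    elif current not in contexts:
        problems.append(f"current-context {current!r} does not exist")
    else:
        ctx = contexts[current]
        if ctx["cluster"] not in {c["name"] for c in cfg.get("clusters") or []}:
            problems.append(f"context refers to unknown cluster {ctx['cluster']!r}")
        if ctx["user"] not in {u["name"] for u in cfg.get("users") or []}:
            problems.append(f"context refers to unknown user {ctx['user']!r}")
        if not ctx.get("namespace"):
            problems.append("context has no namespace: kubectl will default to 'default'")
    return problems

if __name__ == "__main__":
    print(check_kubeconfig(build_kubeconfig("https://k8s-api:6443", CA_PEM, CERT_PEM, KEY_PEM)) or "ok")
```

The returned dict can be written out with json.dumps; JSON is valid YAML, so kubectl reads it as a kubeconfig.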

Admission control

Admission control is a collection of API Server plugins; adding plugins implements additional admission rules. Even some of the API Server's main functions, such as ServiceAccount, are implemented through admission controllers. The plugins enabled by default are:

CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
  • NamespaceLifecycle: prevents creating objects in a namespace that does not exist, prevents deleting the system-preset namespaces, and when a namespace is deleted, deletes all of its resource objects along with it.
  • LimitRanger: ensures that a requested resource does not exceed the LimitRange limits of the namespace it belongs to.
  • ServiceAccount: implements the automatic addition of ServiceAccounts.
  • ResourceQuota: ensures that a requested resource does not exceed the ResourceQuota limits.
