授权练习

RBAC

获取配置用户

cat ~/.kube/config | grep "\- name"
- name: kubernetes-admin
- name: myuser
- name: static
- name: cjx

使用配置用户请求资源

k get pod --user kubernetes-admin
NAME    READY   STATUS    RESTARTS      AGE
nginx   1/1     Running   3 (19h ago)   9d

k get pod --user myuser
error: You must be logged in to the server (Unauthorized)

k get pod --user static
error: You must be logged in to the server (Unauthorized)

k get po --user cjx
Error from server (Forbidden): pods is forbidden: User "chenjinxin1124" cannot list resource "pods" in API group "" in the namespace "default"

以 cjx 用户为例

授权

命令行

kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods
kubectl create rolebinding developer-binding-cjx --role=developer --user=cjx

文件

k apply -f cluster-admin-to-cjx.yaml

验证

k get pod --user cjx
NAME    READY   STATUS    RESTARTS      AGE
nginx   1/1     Running   3 (19h ago)   9d