Adding a user to k8s: the ServiceAccount approach
Add a user stjr-user-read-2 that has read-only permission on all resources in the stjr namespace, and nothing else.
Configuration
- Add the user (a ServiceAccount in the stjr namespace)
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: stjr-user-2
  name: stjr-user-read-2
  namespace: stjr
```
- Add the role (namespaced, so it can only ever grant access inside stjr)
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: stjr-user-read-2
  namespace: stjr
rules:
# Read-only on every resource in every API group. The original manifest had
# resources: [""], which names no resource at all and therefore grants nothing;
# "*" is what "all resources" needs (with apiGroups "*" so that apps/, batch/
# etc. are covered, not only the core group "").
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
```
- Add the role binding (binds the ServiceAccount to the Role above)
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: stjr-user-read-2-RoleBind
  namespace: stjr
subjects:
- kind: ServiceAccount
  name: stjr-user-read-2
  namespace: stjr
roleRef:
  kind: Role
  name: stjr-user-read-2
  apiGroup: rbac.authorization.k8s.io
```
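Before applying a Role it helps to check what its rules actually match. The following is an added example, not part of the original post: a small model of how the RBAC authorizer matches a request against a Role's PolicyRules (apiGroups, resources and verbs, with "*" as the wildcard, and a Role applying only inside its own namespace). It is evaluated locally against two versions of the Role, the one as originally posted with `resources: [""]` and the corrected one with `"*"`, for a handful of constructed requests. Function and class names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One PolicyRule from a Role: each list may contain "*" as a wildcard."""
    api_groups: list
    resources: list
    verbs: list


@dataclass
class Role:
    name: str
    namespace: str
    rules: list = field(default_factory=list)


def _match(values, wanted):
    # A field matches when it lists the exact value or the wildcard "*".
    return "*" in values or wanted in values


def rule_allows(rule, api_group, resource, verb):
    return (_match(rule.api_groups, api_group)
            and _match(rule.resources, resource)
            and _match(rule.verbs, verb))


def role_allows(role, namespace, api_group, resource, verb):
    # A Role never reaches outside its own namespace; any one matching rule is enough.
    if namespace != role.namespace:
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in role.rules)


# The Role as originally posted: resources: [""] names no resource.
ROLE_AS_POSTED = Role("stjr-user-read-2", "stjr",
                      [Rule([""], [""], ["get", "list", "watch"])])

# The corrected Role: read-only on every resource in every API group.
ROLE_FIXED = Role("stjr-user-read-2", "stjr",
                  [Rule(["*"], ["*"], ["get", "list", "watch"])])

# Constructed sample requests as (namespace, apiGroup, resource, verb).
SAMPLE_REQUESTS = [
    ("stjr", "", "pods", "list"),
    ("stjr", "apps", "deployments", "get"),
    ("stjr", "", "secrets", "get"),
    ("stjr", "", "pods", "delete"),
    ("default", "", "pods", "list"),
]


def check(role, requests=SAMPLE_REQUESTS):
    """Map each request tuple to True/False under the given Role."""
    return {req: role_allows(role, *req) for req in requests}


if __name__ == "__main__":
    for label, role in (("as posted", ROLE_AS_POSTED), ("fixed", ROLE_FIXED)):
        print(label)
        for req, allowed in check(role).items():
            print("  ", req, "->", "allow" if allowed else "deny")
```

The posted Role denies everything, which is the failure mode that only shows up when the user first tries the dashboard. The corrected Role allows `list pods` and `get deployments` in stjr and still denies `delete` and anything in another namespace. Note that `resources: ["*"]` also allows `get secrets`, so a read-only user can read every Secret in the namespace, including other ServiceAccounts' tokens; if that is not intended, list the resources explicitly instead of using the wildcard. The same answers can be obtained from a live cluster with `kubectl auth can-i list pods -n stjr --as=system:serviceaccount:stjr:stjr-user-read-2`.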
Verification
1. Obtain the user's token
```
[root@k8s-master-01.novalocal 12:14 ~/yaml/stjr-ceshi]
# kubectl get secret -n stjr
NAME                                                                        TYPE                                  DATA   AGE
ceph-kubernetes-dynamic-user-5ab847ce-5c35-11e9-9663-128f26a7c4e5-secret    Opaque                                1      103d
default-token-sxnq7                                                         kubernetes.io/service-account-token   3      194d
stjk-secret                                                                 kubernetes.io/tls                     2      35d
stjr-secret                                                                 kubernetes.io/tls                     2      36d
stjr-user-read-2-token-dxt7q                                                kubernetes.io/service-account-token   3      117d
stnts-secret                                                                kubernetes.io/tls                     2      104d
[root@k8s-master-01.novalocal 12:16 ~/yaml/stjr-ceshi]
# kubectl describe secret stjr-user-read-2-token-dxt7q -n stjr
Name:         stjr-user-read-2-token-dxt7q
Namespace:    stjr
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: stjr-user-read-2
              kubernetes.io/service-account.uid: ea724276-51d5-11e9-bc20-fa163e93898e
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1025 bytes
namespace:  4 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.=ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzdGpyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InN0anItdXNlci1yZWFkLTItdG9rZW4tZHh0N3EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic3Rqci11c2VyLXJlYWQtMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVhNzI0Mjc2LTUxZDUtMTFlOS1iYzIwLWZhMTYzZTkzODk4ZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpzdGpyOnN0anItdXNlci1yZWFkLTIifQ.q3vz3jWiM1OhQZNs5Qboo6q0aHvSpcve0xcVNCO0vypKa3ueKi7PszruBeW1bt01Kju2Qrjsj8GFJX7CtQ_-eRle5he6nhRogoXL6q-anc_DIEl7IlL-RBGINt1jgzHWwpdsh_L6pHYY-ex-16Fs3WY0zkStdc3S_GOaUgh5PR-OTSsTjqo55tDSsjiPTeolFUE_Phsj0HCxTu3_H5_nevbOQXpZ2U9hQDjxO75lW0Tr9_YjCZdLVWlkvBGTM4UDEqGBkKACc2VmOaX2AD1X8Ek_RpkQP9Bj-WZvakYb6_dp2gon0i3UQ-C_n_2NzhCmwXFl8qhZ0CtOMbm9eFDruQ
```
2. Log in to the Kubernetes dashboard with the token obtained above.
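A service-account token is a JWT whose payload names the account it was issued for, so before handing it to the dashboard it is worth confirming locally that the token really belongs to stjr/stjr-user-read-2 (secrets in a namespace are easy to mix up, as the listing above shows). The following is an added example, not part of the original post: it decodes the payload of a token without verifying the signature (only the API server can do that) and checks the `sub` and `kubernetes.io/serviceaccount/*` claims that the legacy service-account token format carries. The sample token it builds is constructed here with a dummy signature; the helper names are this example's own.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sa_token_claims(token):
    """Return the payload claims of a JWT. The signature is NOT checked here;
    this is only a local sanity check of which account the token names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_is_for(token, namespace, name):
    """True when every identity claim in the token points at namespace/name."""
    claims = sa_token_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{name}"
    return (claims.get("sub") == expected_sub
            and claims.get("kubernetes.io/serviceaccount/namespace") == namespace
            and claims.get("kubernetes.io/serviceaccount/service-account.name") == name)


def make_sample_token(namespace, name):
    """Constructed sample using the legacy SA token claim layout and a dummy
    signature; it would never pass the API server's signature check."""
    header = {"alg": "RS256", "kid": ""}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": f"{name}-token-xxxxx",
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    segments = [_b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + ["dummy-signature"])


SAMPLE_TOKEN = make_sample_token("stjr", "stjr-user-read-2")


if __name__ == "__main__":
    print(json.dumps(sa_token_claims(SAMPLE_TOKEN), indent=2))
    print("belongs to stjr/stjr-user-read-2:", token_is_for(SAMPLE_TOKEN, "stjr", "stjr-user-read-2"))
```

With a real token, paste the value from `kubectl describe secret` in place of `SAMPLE_TOKEN`. A token whose `sub` names a different account, or that is not three dot-separated segments (the token shown above has been mangled in copying, which this check would catch), should not be used.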