  • node节点执行kubectl

    1.为 dev 用户签发证书并授予只读（查看）权限：先安装 cfssl 证书工具

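    #!/usr/bin/env bash
    # Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) that the
    # certificate step below relies on. Run as root on the control-plane host.
    set -euo pipefail

    # 1. Download the release binaries.
    #    R1.2 on pkg.cfssl.org is an old release; if you switch to a current
    #    build from the upstream project's release page, update the URLs and
    #    the checksum file together.
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

    # 2. Supply-chain check: these binaries will sign certificates with the
    #    cluster CA key, so do not execute anything that has not been verified
    #    against the SHA256 sums published for the release. Put those sums in
    #    checksums.sha256 as "<sha256>  <filename>", one line per binary
    #    (the format `sha256sum -c` reads). A mismatch aborts the script.
    sha256sum -c checksums.sha256

    # 3. Make the verified binaries executable.
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

    # 4. Strip the "_linux-amd64" suffix so the tools can be invoked by name.
    #    Expansions are quoted (the original used a bare $x / ${x%...}).
    for x in cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64; do
      mv -- "$x" "${x%_linux-amd64}"
    done

    # 5. Put them on PATH. Named explicitly so that no other "cfssl*" file
    #    (for example the checksum list) is swept along.
    mv -- cfssl cfssljson cfssl-certinfo /usr/bin/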
    

    2.生成证书

    [root@k8s-matser01 rbac]# cat cert.sh 
    
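    #!/usr/bin/env bash
    # cert.sh -- issue a client certificate for a human user, signed directly by
    # the cluster CA, for embedding in a kubeconfig.
    #
    # Usage: ./cert.sh [username]      (default: dev)
    #
    # How the API server reads this certificate (client-certificate auth):
    #   - the CN becomes the Kubernetes user name that RBAC subjects of
    #     kind User refer to -- it must match the RoleBinding exactly;
    #   - every O field becomes a group membership. "O": "k8s" below puts the
    #     user into group "k8s", so any (Cluster)RoleBinding that targets that
    #     group also applies to this user. Pick O deliberately.
    #
    # Revocation: the API server does not consult CRLs or OCSP for client
    # certificates. Once issued, the certificate authenticates until it expires;
    # the only ways to cut the holder off are removing their RBAC bindings or
    # rotating the cluster CA. Keep EXPIRY as short as operations allow -- the
    # original 87600h (10 years) is kept only as the default.
    #
    # This script reads the cluster CA private key, so it has to run as root on
    # a control-plane node. The certificates.k8s.io CSR API (kubectl certificate
    # approve) is the alternative that does not require access to ca.key.
    set -euo pipefail

    USER_NAME="${1:-dev}"              # certificate CN == Kubernetes user name
    EXPIRY="${EXPIRY:-87600h}"         # validity; override with a shorter value
    CA_CERT=/etc/kubernetes/pki/ca.crt
    CA_KEY=/etc/kubernetes/pki/ca.key

    # Signing profile. A user certificate only needs "client auth"; the original
    # profile also granted "server auth", which a client identity never needs
    # (least privilege on the key usage).
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "${EXPIRY}"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
                "signing",
                "key encipherment",
                "client auth"
            ],
            "expiry": "${EXPIRY}"
          }
        }
      }
    }
    EOF

    # Certificate request. The original carried a "### ..." remark inside the
    # JSON object, which is not valid JSON; comments belong out here.
    # "hosts" is empty on purpose: a client certificate carries no SANs.
    cat > "${USER_NAME}-csr.json" <<EOF
    {
      "CN": "${USER_NAME}",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    # Writes ${USER_NAME}.pem (certificate), ${USER_NAME}-key.pem (private key --
    # treat it as a credential) and ${USER_NAME}.csr into the current directory.
    cfssl gencert \
      -ca="${CA_CERT}" \
      -ca-key="${CA_KEY}" \
      -config=ca-config.json \
      -profile=kubernetes \
      "${USER_NAME}-csr.json" | cfssljson -bare "${USER_NAME}"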
    

    3.生成配置文件

    [root@k8s-matser01 rbac]# cat kubeconfig.sh 
    
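    #!/usr/bin/env bash
    # kubeconfig.sh -- assemble a self-contained kubeconfig (CA, client
    # certificate and client key embedded) for the user cert.sh issued.
    #
    # Usage: ./kubeconfig.sh [username]      (default: dev)
    # Expects ${USER_NAME}.pem and ${USER_NAME}-key.pem in the current directory
    # and writes ${USER_NAME}.kubeconfig.
    #
    # Two defects of the original script are fixed here:
    #   * a "# apiserver" remark followed the trailing "\" of the --server line.
    #     The backslash then only escapes a space, the "#" starts a comment and
    #     the command ends on that line: set-cluster runs WITHOUT --kubeconfig
    #     and rewrites the caller's default kubeconfig (root's on the control
    #     plane), while the next "--kubeconfig=..." line fails as a command.
    #   * set-credentials registered the user entry as "aliang" but the context
    #     referenced --user=dev, so the context pointed at an entry that does
    #     not exist in the file.
    set -euo pipefail

    USER_NAME="${1:-dev}"
    APISERVER="${APISERVER:-https://10.2.1.12:6443}"   # kube-apiserver endpoint
    CA_CERT=/etc/kubernetes/pki/ca.crt
    KUBECONFIG_OUT="${USER_NAME}.kubeconfig"

    # Cluster entry: pin the cluster CA so the client verifies the API server.
    kubectl config set-cluster kubernetes \
      --certificate-authority="${CA_CERT}" \
      --embed-certs=true \
      --server="${APISERVER}" \
      --kubeconfig="${KUBECONFIG_OUT}"

    # User entry. The name here is only a label inside this file; the identity
    # the API server sees is the certificate's CN.
    kubectl config set-credentials "${USER_NAME}" \
      --client-key="${USER_NAME}-key.pem" \
      --client-certificate="${USER_NAME}.pem" \
      --embed-certs=true \
      --kubeconfig="${KUBECONFIG_OUT}"

    # Context tying cluster and user together, then made the default.
    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user="${USER_NAME}" \
      --kubeconfig="${KUBECONFIG_OUT}"

    kubectl config use-context kubernetes --kubeconfig="${KUBECONFIG_OUT}"

    # The file now embeds the private key: owner-only permissions, and keep
    # them when it is copied to the node.
    chmod 600 "${KUBECONFIG_OUT}"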
    

    4.编写 RBAC 权限绑定（Role + RoleBinding）

    [root@k8s-matser01 rbac]# cat rbac.yaml 
    # Namespace-scoped, read-only access to pods for the user "dev".
    # A Role (not a ClusterRole) confines the grant to the "default" namespace;
    # services, secrets and other namespaces stay invisible to the user, which
    # the "kubectl get svc" test below demonstrates.
    # Dry-run check from an admin session:
    #   kubectl auth can-i list pods --as=dev -n default
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pod-reader
      namespace: default
    rules:
      - apiGroups: [""]          # "" is the core API group (pods live there)
        resources: ["pods"]
        verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: default
    subjects:
      # "dev" is the CN of the client certificate issued in step 2; the API
      # server takes the user name from the CN, so the two must match exactly.
      - kind: User
        name: dev
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io
    

    5.测试

    1.master测试
    [root@k8s-matser01 rbac]# kubectl  --kubeconfig=dev.kubeconfig get pod 
    NAME                                      READY   STATUS    RESTARTS   AGE
    nexus3-7b7598945f-t7j8k                   1/1     Running   0          7d4h
    nfs-client-provisioner-5f6bbb4656-vmwpz   1/1     Running   1          19d
    tomcat-994445b55-hkckq                    1/1     Running   0          176m
    tomcat-994445b55-kkb7v                    1/1     Running   0          5d20h
    tomcat-994445b55-q5wsw                    1/1     Running   0          5d20h
    web-7846c464c8-4gldj                      1/1     Running   0          7d22h
    
    2.传给 node（dev.kubeconfig 内嵌了客户端私钥，相当于一份凭据：拷贝后确认目标文件权限为 0600、仅 root 可读）
    [root@k8s-matser01 rbac]# !scp
    scp dev.kubeconfig 10.2.1.14:/root/.kube/config
    
    3.node查看
    [root@k8s-work02 ~]# cat /root/.kube/c
    cache/  config 
    
    [root@k8s-work02 ~]# kubectl get pod
    NAME                                      READY   STATUS    RESTARTS   AGE
    nexus3-7b7598945f-t7j8k                   1/1     Running   0          7d4h
    nfs-client-provisioner-5f6bbb4656-vmwpz   1/1     Running   1          19d
    tomcat-994445b55-hkckq                    1/1     Running   0          3h
    tomcat-994445b55-kkb7v                    1/1     Running   0          5d20h
    tomcat-994445b55-q5wsw                    1/1     Running   0          5d20h
    web-7846c464c8-4gldj                      1/1     Running   0          7d22h
    
    [root@k8s-work02 ~]# kubectl get svc
    Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"
    
  • 原文地址:https://www.cnblogs.com/Applogize/p/15593106.html