说明
在openshift环境中,可以通过oc project {project_name}命令来切换project,那么在k8s中是如何切换namespace的呢?(ocp的project即相当于k8s中的ns)
实例
创建ns
# Create the "dev" and "prod" namespaces that the contexts below point at.
for ns in dev prod; do
  kubectl create ns "$ns"
done
查看默认上下文用于访问api的信息
#通过kubectl config view或者cat ~/.kube/config 查看默认上下文使用的cluster和user kc config view apiVersion: v1 clusters: - cluster: certificate-authority-data: REDACTED server: https://172.31.2.130:6443 name: kubernetes contexts: - context: cluster: kubernetes //默认上下文使用的cluster user: kubernetes-admin //默认上下文使用的user name: kubernetes-admin@kubernetes current-context: ctx-prod kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED
新增上下文
# Define one context per namespace. Both contexts reuse the kubernetes-admin
# user, so switching context changes the default namespace only, not the
# privileges (that user is bound to cluster-admin).
kubectl config set-context ctx-dev  --namespace=dev  --cluster=kubernetes --user=kubernetes-admin
kubectl config set-context ctx-prod --namespace=prod --cluster=kubernetes --user=kubernetes-admin
切换上下文
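# Switch to the prod context. The context defined above is named "ctx-prod";
# "ctc-prod" does not exist and use-context would fail with "no context exists".
kubectl config use-context ctx-prod
# From here on, kubectl targets the prod namespace by default.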
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
上述配置之后可以实现切换ns(类似oc project xxx),但是都是使用的kubernetes-admin这个user,这个用户具有cluster-admin的权限
以下配置实现在prod这个ns中只允许对资源deployment、pod的list等操作,而不允许delete操作
参考链接:https://blog.csdn.net/hy9418/article/details/80268418
创建私钥文件
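# Generate the 2048-bit RSA private key for the "view" client certificate.
# This key *is* the credential that authenticates as user "view" against the
# API server, so do not leave it readable by other users on the box.
openssl genrsa -out view.key 2048
chmod 600 view.key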
创建证书签名请求文件
# Build the CSR from the key. The API server derives the request identity from
# the certificate subject: CN is the username ("view"), O is a group ("mypwd").
openssl req -new \
  -key view.key \
  -out view.csr \
  -subj '/CN=view/O=mypwd'
生成证书文件
# Sign the CSR with the cluster CA (kubeadm layout under /etc/kubernetes/pki/).
# Needs read access to ca.key, i.e. root on a control-plane node;
# -CAcreateserial writes a ca.srl file next to the CA files.
# Keep -days short: kube-apiserver does not check revocation lists, so a leaked
# client certificate stays valid until expiry unless its RBAC bindings are
# removed or the CA is rotated.
openssl x509 -req \
  -in view.csr \
  -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial \
  -out view.crt \
  -days 180
配置k8s context
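# Add a user entry named "view" to ~/.kube/config. With --embed-certs kubectl
# base64-encodes the files into client-certificate-data / client-key-data
# itself, so the config does not have to be hand-edited (the original
# `client-certificate-data=\`cat view.crt | base64 --wrap=0\`` form is not a
# valid shell assignment -- hyphens are not allowed in variable names -- and
# `--wrap=0` is GNU-only).
kubectl config set-credentials view \
  --client-certificate=view.crt \
  --client-key=view.key \
  --embed-certs=true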
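# In the prod context, point "user" at the new "view" entry (the indentation
# below is what ~/.kube/config expects; note this context is named "prod",
# unlike "ctx-prod" used earlier).
- context:
    cluster: kubernetes
    namespace: prod
    user: view
  name: prod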
由于未赋权限,报如下错误
[root@node1 manifests]# kc config use-context prod Switched to context "prod". [root@node1 manifests]# kc get pod No resources found. Error from server (Forbidden): pods is forbidden: User "view" cannot list pods in the namespace "prod"
权限赋值
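# view_rbac.yaml: a Role that only allows listing pods in the prod namespace,
# and a RoleBinding that grants it to the user "view".
# rbac.authorization.k8s.io/v1 is the stable API (served since 1.8); v1beta1
# is deprecated and no longer served as of Kubernetes 1.22.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod_user_role
  namespace: prod
rules:
  # "" is the core API group (where pods live). "extensions" and "apps" are
  # listed as well, but only "pods" is named under resources, so
  # "kubectl get deployment" is still denied (see the verification output
  # below); add "deployments" to resources if that is intended.
  - apiGroups: ["", "extensions", "apps"]
    resources:
      - pods
    verbs:
      - list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod_user_rolebinding
  namespace: prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prod_user_role
subjects:
  - kind: User
    name: view
    # NOTE(review): namespace on a subject is only meaningful for kind
    # ServiceAccount; for a User it appears to have no effect -- confirm.
    namespace: prod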
#通过kubectl create -f view_rbac.yaml,注:需要切回具有cluster-admin权限的context才能执行create动作
verbs 字段的全集:verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
验证
#切换到prod context kc config use-context prod #kc get pod,命令正常获取pod NAME READY STATUS RESTARTS AGE my-2048-game-789f4fb6b5-6nl8n 1/1 Running 0 12d my-2048-game-789f4fb6b5-j59hq 1/1 Running 0 12d my-2048-game-789f4fb6b5-xx2vb 1/1 Running 0 12d kc delete pod my-2048-game-789f4fb6b5-6nl8n Error from server (Forbidden): pods "my-2048-game-789f4fb6b5-6nl8n" is forbidden: User "view" cannot delete pods in the namespace "prod" kc get deployment No resources found. Error from server (Forbidden): deployments.extensions is forbidden: User "view" cannot list deployments.extensions in the namespace "prod"