kubernetes(七)--安全機制

一、安全機制說明

Kubernetes 作為一個分布式集群的管理工具，保證集群的安全性是其一個重要的任務。API Server 是集群內部各個組件通信的中介，也是外部控制的入口。所以 Kubernetes 的安全機制基本就是圍繞保護 API Server 來設計的。Kubernetes 使用了認證（Authentication）、鑒權（Authorization）、准入控制（AdmissionControl）三步來保證API Server的安全

二、認證--Authentication

2.1、認證的方式

1）HTTP Token 認證

通過一個 Token 來識別合法用戶

HTTP Token 的認證是用一個很長的特殊編碼方式的並且難以被模仿的字符串 - Token 來表達客戶的一種方式。Token 是一個很長的很復雜的字符串，每一個 Token 對應一個用戶名存儲在 API Server 能訪問的文件中。當客戶端發起 API 調用請求時，需要在 HTTP Header 里放入 Token

2）HTTP Base 認證

通過用戶名+密碼的方式認證

用戶名+密碼用 BASE64 算法進行編碼后的字符串放在 HTTP Request 中的 HeatherAuthorization 域里發送給服務端，服務端收到后進行編碼，獲取用戶名及密碼

3）HTTPS 證書認證

最嚴格，基於 CA 根證書簽名的客戶端身份認證方式

2.2、認證組件

2.2.1、兩種類型

Kubenetes 組件對 API Server 的訪問：kubectl、Controller Manager、Scheduler、kubelet、kube-proxy

Kubernetes 管理的 Pod 對容器的訪問：Pod（dashborad 也是以 Pod 形式運行）

2.2.2、安全性說明

Controller Manager、Scheduler 與 API Server 在同一台機器，所以直接使用 API Server 的非安全端口訪問，--insecure-bind-address=127.0.0.1

kubectl、kubelet、kube-proxy 訪問 API Server 就都需要證書進行 HTTPS 雙向認證

2.2.3、證書頒發

手動簽發：通過 k8s 集群的跟 ca 進行簽發 HTTPS 證書

自動簽發：kubelet 首次訪問 API Server 時，使用 token 做認證，通過后，Controller Manager 會為kubelet 生成一個證書，以后的訪問都是用證書做認證了

2.3、kubeconfig

kubeconfig 文件包含集群參數（CA證書、API Server地址），客戶端參數（上面生成的證書和私鑰），集群context 信息（集群名稱、用戶名）。Kubenetes 組件通過啟動時指定不同的 kubeconfig 文件可以切換到不同的集群

[root@k8s-master01 ~]# cd .kube/
[root@k8s-master01 .kube]# ls
cache  config  http-cache
[root@k8s-master01 .kube]# cat config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ESXdNakEyTVRjMU4xb1hEVE13TURFek1EQTJNVGMxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmVzCkFic2VOa1hjZzFuUzVFRFh3b1Q3RS9oTU9BL3JFUTZNSDJIQkM2VkhndG5mSmVJMkRqOFZ2cVVHTnI1ZGtGN1QKdmpxbDFRVDQ1bENKWElkdWhqK1FadVJjQk13RkdKd09KODQzRkd0QWdSemVBT1RPSHE4VXREc0hNU3NuOHRTdApaVFFEbEMxK1lwUUI1a0xDM2FRWnJpZzJpMlRURXYwTjk1RWU1T2FUOUkzRjdOWGR4d25SYTNSQjZyUnRwdlhLCkhEdnVUK2JBQmdJVUd5Rk1PNkdxRU44UnN6SnhYME5ha0N4ajlzMGNaUy9VTzF4UCtOcm9GcHdVSzI0dU1SeG8KSHhCRG1KaHZ1K2gzWjFMRzRJK1gzTy9vUXpMSGZFZEtmUkRKL083MTVMRWtrNzYwMVhLYTNBQXJmQzkvQllabQo1Q3pLL29uVFRTSjZESTJlcUlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFVmRpc0dwOUdGcHhZT2tMd2tCT2s5S2ZhaEsKWk1KdWdvSklFdnVTS0VqOTdiUkpCSE5pVmk0aHJjN2JXUWVxVlRxYlc0MGhFQkdjUXpKeUVySmlZVzJsSTVoawp4bWtXSSs5R3JsaHBtU1NGbC93SUxTbWRCaG9jcjdZMEU5THNoTHdPUmdzYm00U1BxSmVXNHNjNml1V08wTENkCjlhSzQ2VGh3RTYxM3JWblVvb2YzQUtyUENhaDBFc1ZJZFlEemFFamFTcHBHOWVzYVVsQjV4NjFWMTR5MkFvOS8KWUNtK3h4c29QamdBMHlHS0dMWHl1cE1CN25NWEhoK0pQWVpmUUFDeU5yVWVoM0RWa2hrMVJtb0wrUm81VEdaRApoUVd5aEM3N0w2T05kTm9takdEcVRnTktob3VxMEdNNVdGSEhhdENQSmNlcW8weEIzbWF1ZDd0dE9tUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://10.0.0.11:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJUkZmT05zRGdhUVV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeU1ESXdOakUzTlRkYUZ3MHlNVEF5TURFd05qRTNOVGhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXZ1U1BGQTVObDgvWTNoT1YKMXorL3EzcElHRUs0V0JJRnJmRDhlV2xkNldOZzMzWFV3NE5YYlkwNDIyMlhrTThuOWhlYjhsL0tPdlVZSVg4SwpMTGhnQTEzTVZsa0grU0ZwYURIdVJnRVVKVFM5UVUzbFdFNXYwWjJQd2tOdzdVVmJYNzhFZzRUWWI1YUxzTThsClJJeFNDeWhBa2tmUkd2WXJQMXZpSFhrNWtiWVY1MkZiVVlUOXRmUGZreWFkTWRVNW83YkJiU3daeVNjK1FiQmcKR3l4OEVCeng4NEZycUpydXFXeTZaQlMveFBlc3czWVVpbDJhaDJzelNVOXJPY2xucVFoODN1ZzFUMFBVczhZMwpYanVOVmtveWpQcUFjMHRkSit1cXRzVUtFdTJmU0hScDFSL3YyKzV3QTNXdUsyeTIxZWROZVI5c2ZTeWY3SWsyCjZFKzZRd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKWTJDbzl4L0hOZmJQVVlwenBLOE0vaHI3SlRwODFNR0lnTQpOaWp0LzhpdGRNY0QxbTJFSkZwK3pyZDhmeGd6Zi9tWkd2ZWRWQzROVzVhZkJ6bDJEbXJnaWtlOXVwSzRqMHpyClduTFRaN003L3dBWFpjRW1lck1pYVFiRkRXVzZtaEJIK2tUckxieDYyZXFBWCsrQUNZZWU3TnQrQk5YOS8vNE4KMlNkT3pkbkw0NVl2QnFLNlAxb3VKUklBQSt6ZWdYa3hyKzBpMmVZL21ncGhmY3JreUhWY1RCcGVhU3lObkR1UwpuaGphNitNb3l5SGx3elRHTkI3L01aajlQOVVrUHRuKzR3S1pPRUxlN1NrNER6N0JMNVJVaGZ0MmZRL1I2bjczCkJRMVo1eWRQVHhIUTI5aUtabitxOXRWUjNiTUpWdVloQnhyaHhRK3o1MGhNdmxZbnpHYz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdnVTUEZBNU5sOC9ZM2hPVjF6Ky9xM3BJR0VLNFdCSUZyZkQ4ZVdsZDZXTmczM1hVCnc0TlhiWTA0MjIyWGtNOG45aGViOGwvS092VVlJWDhLTExoZ0ExM01WbGtIK1NGcGFESHVSZ0VVSlRTOVFVM2wKV0U1djBaMlB3a053N1VWYlg3OEVnNFRZYjVhTHNNOGxSSXhTQ3loQWtrZlJHdllyUDF2aUhYazVrYllWNTJGYgpVWVQ5dGZQZmt5YWRNZFU1bzdiQmJTd1p5U2MrUWJCZ0d5eDhFQnp4ODRGcnFKcnVxV3k2WkJTL3hQZXN3M1lVCmlsMmFoMnN6U1U5ck9jbG5xUWg4M3VnMVQwUFVzOFkzWGp1TlZrb3lqUHFBYzB0ZEordXF0c1VLRXUyZlNIUnAKMVIvdjIrNXdBM1d1SzJ5MjFlZE5lUjlzZlN5ZjdJazI2RSs2UXdJREFRQUJBb0lCQUJoUmk3eTFXY00yVWwxdwpSMDJGckloTzZySlVoYUdLb2ppWGs4SnYzdXZsb2lpMW5TWlBMQ3NqcTVPZ3NZZGNMSzRZTWVDOXZVaW5ncXg1CnY3VVV3LzZKeTRkUWpraDVyakQ4ODJydHBrQmJLS1VTSkY2TWw0Z3Z0Mm03Sjc3Q2NES1JaaVRQSHJlUWlUazgKR25aU0hmMlg0aW9BaGk0V0lFcFJEVXhON2p5V3FrcmxBTGFBL1ZiSnR4UWowMlVnem0rNnd4ejUrNTlka0tDRgppV1F4eVdrV3FkRjQ3L05HcUFXVFFjbStPcmYwNmt1VTArV240cDVyK1kvTWgxdFJpbjFXMnhKUlB4dFN3MTFRCkE3Nm5mTDRGZnhuYkwvOEVHWE1zd0NucUZBVzhmZDhXKzRXSlo4c0dNTkYvVDZqZ3hxVWhERGl6S3RCendTT2gKWW9iMmdLRUNnWUVBOEpWdVNVaDh0MklGUm9pMVlXWENuNnltQzdCOTNtc3RvMmpxN3JGTEJRVXRFZDRDYXRzagpCa3dNL2xWbDIzK1FZVVljYUNhSU5YdHYyUy9aNUxKM3d6SytWWXdWcm9pRDlvck5RTjJBZ3NiejZFa1d6Ly8xClBXWUsrNXVxR1dlN3djbExvK3VGSXpuZUdpYmlOU2xQMmdONHhCc0FydU8zblAvWFRlbnBRQkVDZ1lFQXl4LzkKMEhhd3BZSzRtd0h6cDZOWXpRZzY1L2hRNEppSXpGMGl1SGR0a3N2Rk1qbG93bzB1ZGxNSVBtY3NsOXJWRnN2bgpTY1BZRmFjTng5RDRjdkNsc1o2eEtxRTNYS2pUdDBjaDlPc25EWFVOVnpHaTcxVXhRT3p6dnVCbytrMXAzZUNqCnJnSzRLZXpwUHVlejJPb1BZc0lSU0JoaHlJNjlETUZpTnI0cGFSTUNnWUVBNGxSUitwTTg4UEEvOGtrdUNjREgKeFp1UVlqTFpWdU1SZmtkM3JMSVIxMWsxT3pmV29sd2hxUXptdEdYMmV2YVpCMG9EODE4OGlNUGxSemNqRDJsdQpEYTZ4TEoycTBCVVJ3R0I0RSt2TnVEb2V2NG55OGg3andhMDc2OVJYdzZxNUVlZWpSMFNNYmNWRTB1bDlxWEdCCjg2R01mVURCOWNXNHVQUmV3cWVwaldFQ2dZRUFsMWZveHpBSUFlbmFIalJnRk9HU1FvSUZVZDBrZFpOeEtjT2oKSVFwcTY5dER2RjRsL2Y4dlJSNHNvRUpEYVltMUIxMDVvUzU0aS9tQ1BRVW9lSXR4Q1Z5UjZJOWlMbm5qOVVUYwp1aDJUWldWM1lTWXNubUk5Wm9DbVErdjBpN3F1VEpFWm80ZUhMRVhHckFYN2JIMUlwVzZ2YmFZdEJUL0ZBQUgrCmFZZGFWMTBDZ1lBNnhWbXdlcHZBckNiVDZFQUE1RVVJQ2RKZTAzRFd5a3VzMnVQRU5qSmtUS3RJM3lueHl1b0gKbkVQL3FleHZqZkpMckVFcXZNemxMTVhzdTdTSElXeWdSNWRxem41Z3pvOFBwV0d3VkJ2OTM2V1o3SnRTMGdEUAprUzlkUnpWYlZKREJwZWdQdHNFQ09aQUJrTzI5QzhzY2IvUnZFdnB4YkpJdkpvTWF4b3FHWEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

2.4、ServiceAccount

Pod中的容器訪問API Server。因為Pod的創建、銷毀是動態的，所以要為它手動生成證書就不可行了。Kubenetes使用了Service Account解決Pod 訪問API Server的認證問題

2.5、Secret 與 SA 的關系

Kubernetes 設計了一種資源對象叫做 Secret，分為兩類，一種是用於 ServiceAccount 的 service-account-token，另一種是用於保存用戶自定義保密信息的 Opaque。ServiceAccount 中用到包含三個部分：Token、ca.crt、namespace

• token是使用 API Server 私鑰簽名的 JWT。用於訪問API Server時，Server端認證
• ca.crt，根證書。用於Client端驗證API Server發送的證書
• namespace, 標識這個service-account-token的作用域名空間

[root@k8s-master01 ~]# kubectl get secret --all-namespaces
[root@k8s-master01 ~]# kubectl describe secret default-token-5gm9r --namespace=kube-system

默認情況下，每個 namespace 都會有一個 ServiceAccount，如果 Pod 在創建時沒有指定 ServiceAccount，就會使用 Pod 所屬的 namespace 的 ServiceAccount

2.6、總結

三、鑒權--Authorization

上面認證過程，只是確認通信的雙方都確認了對方是可信的，可以相互通信。而鑒權是確定請求方有哪些資源的權限。API Server 目前支持以下幾種授權策略（通過 API Server 的啟動參數 “--authorization-mode” 設置）

• AlwaysDeny：表示拒絕所有的請求，一般用於測試
• AlwaysAllow：允許接收所有請求，如果集群不需要授權流程，則可以采用該策略
• ABAC（Attribute-Based Access Control）：基於屬性的訪問控制，表示使用用戶配置的授權規則對用戶請求進行匹配和控制
• Webbook：通過調用外部 REST 服務對用戶進行授權
• RBAC（Role-Based Access Control）：基於角色的訪問控制，現行默認規則（常用）

3.1、RBAC 授權模式

RBAC（Role-Based Access Control）基於角色的訪問控制，在 Kubernetes 1.5 中引入，現行版本成為默認標准。相對其它訪問控制方式，擁有以下優勢：

• 對集群中的資源和非資源均擁有完整的覆蓋
• 整個 RBAC 完全由幾個 API 對象完成，同其它 API 對象一樣，可以用 kubectl 或 API 進行操作
• 可以在運行時進行調整，無需重啟 API Server

3.2、RBAC 的 API 資源對象說明

RBAC 引入了 4 個新的頂級資源對象：Role、ClusterRole、RoleBinding、ClusterRoleBinding，4 種對象類型均可以通過 kubectl 與 API 操作

需要注意的是 Kubenetes 並不會提供用戶管理，那么 User、Group、ServiceAccount 指定的用戶又是從哪里來的呢？ Kubenetes 組件（kubectl、kube-proxy）或是其他自定義的用戶在向 CA 申請證書時，需要提供一個證書請求文件

API Server會把客戶端證書的CN字段作為User，把names.O字段作為Group

kubelet 使用 TLS Bootstaping 認證時，API Server 可以使用 Bootstrap Tokens 或者 Token authenticationfile 驗證=token，無論哪一種，Kubenetes 都會為 token 綁定一個默認的 User 和 Group

Pod使用 ServiceAccount 認證時，service-account-token 中的 JWT 會保存 User 信息

有了用戶信息，再創建一對角色/角色綁定(集群角色/集群角色綁定)資源對象，就可以完成權限綁定了

3.3、Role and ClusterRole

在 RBAC API 中，Role 表示一組規則權限，權限只會增加(累加權限)，不存在一個資源一開始就有很多權限而通過RBAC 對其進行減少的操作；Role 可以定義在一個 namespace 中，如果想要跨 namespace 則可以創建ClusterRole

ClusterRole 具有與 Role 相同的權限角色控制能力，不同的是 ClusterRole 是集群級別的，ClusterRole 可以用於:

• 集群級別的資源控制( 例如 node 訪問權限 )
• 非資源型 endpoints( 例如/healthz訪問 )
• 所有命名空間資源控制(例如 pods )

3.4、RoleBinding and ClusterRoleBinding

RoloBinding 可以將角色中定義的權限授予用戶或用戶組，RoleBinding 包含一組權限列表(subjects)，權限列表中包含有不同形式的待授予權限資源類型(users, groups, or service accounts)；RoloBinding 同樣包含對被Bind 的 Role 引用；RoleBinding 適用於某個命名空間內授權，而 ClusterRoleBinding 適用於集群范圍內的授權

示例：將 default 命名空間的pod-reader Role 授予 jane 用戶，此后 jane 用戶在 default 命名空間中將具有pod-reader的權限

RoleBinding 同樣可以引用 ClusterRole 來對當前 namespace 內用戶、用戶組或 ServiceAccount 進行授權，這種操作允許集群管理員在整個集群內定義一些通用的 ClusterRole，然后在不同的 namespace 中使用RoleBinding 來引用

例如，以下 RoleBinding 引用了一個 ClusterRole，這個 ClusterRole 具有整個集群內對 secrets 的訪問權限；但是其授權用戶dave只能訪問 development 空間中的 secrets(因為 RoleBinding 定義在 development 命名空間)

使用 ClusterRoleBinding 可以對整個集群中的所有命名空間資源權限進行授權；以下 ClusterRoleBinding 樣例展示了授權 manager 組內所有用戶在全部命名空間中對 secrets 進行訪問

3.5、Resources

Kubernetes 集群內一些資源一般以其名稱字符串來表示，這些字符串一般會在 API 的 URL 地址中出現；同時某些資源也會包含子資源，例如 logs 資源就屬於 pods 的子資源，API 中 URL 樣例如下

GET /api/v1/namespaces/{namespace}/pods/{name}/log

如果要在 RBAC 授權模型中控制這些子資源的訪問權限，可以通過 / 分隔符來實現，以下是一個定義 pods 資資源logs 訪問權限的 Role 定義樣例

3.6、to Subjects

RoleBinding 和 ClusterRoleBinding 可以將 Role 綁定到 Subjects；Subjects 可以是 groups、users 或者service accounts

Subjects 中 Users 使用字符串表示，它可以是一個普通的名字字符串，如 “alice”；也可以是 email 格式的郵箱地址，如 “linux@163.com”；甚至是一組字符串形式的數字 ID 。但是 Users 的前綴 system: 是系統保留的，集群管理員應該確保普通用戶不會使用這個前綴格式

Groups 書寫格式與 Users 相同，都為一個字符串，並且沒有特定的格式要求；同樣 system: 前綴為系統保留

3.7、實踐：創建一個用戶只能管理 dev 空間

1）linux服務器創建用戶

[root@k8s-master01 ~]# useradd devuser
[root@k8s-master01 ~]# echo "123456"|passwd --stdin devuser
Changing password for user devuser.
passwd: all authentication tokens updated successfully.
[root@k8s-master01 ~]# su - devuser
[devuser@k8s-master01 ~]$ kubectl get pod
The connection to the server localhost:8080 was refused - did you specify the right host or port?

2）下載證書生成工具

[root@k8s-master01 k8s]# mkdir Authorization
[root@k8s-master01 k8s]# cd Authorization
[root@k8s-master01 Authorization]# pwd
/root/k8s/Authorization
[root@k8s-master01 Authorization]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@k8s-master01 Authorization]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@k8s-master01 Authorization]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@k8s-master01 Authorization]# chmod +x ./*
[root@k8s-master01 Authorization]# ls
cfssl-certinfo_linux-amd64  cfssljson_linux-amd64  cfssl_linux-amd64
[root@k8s-master01 Authorization]# cp cfssl_linux-amd64 /usr/local/bin/cfssl
[root@k8s-master01 Authorization]# cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@k8s-master01 Authorization]# cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

3）創建證書請求文件

[root@k8s-master01 k8s]# pwd
/root/k8s
[root@k8s-master01 k8s]# mkdir cert
[root@k8s-master01 k8s]# cd cert/
[root@k8s-master01 cert]# vim devuser-csr.json
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048  
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"    
    }  
  ]
}

4 ）創建證書

[root@k8s-master01 pki]# cfssl gencert -ca=ca.crt -ca-key=ca.key  -profile=kubernetes /root/k8s/cert/devuser-csr.json | cfssljson -bare devuser
2020/02/06 10:22:57 [INFO] generate received request
2020/02/06 10:22:57 [INFO] received CSR
2020/02/06 10:22:57 [INFO] generating key: rsa-2048
2020/02/06 10:22:57 [INFO] encoded CSR
2020/02/06 10:22:57 [INFO] signed certificate with serial number 240797140666079034092581066556520895112609035699
2020/02/06 10:22:57 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 pki]# ls devuser*
devuser.csr  devuser-key.pem  devuser.pem

5）設置集群參數

[root@k8s-master01 cert]# export KUBE_APISERVER="https://10.0.0.11:6443"
[root@k8s-master01 cert]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=devuser.kubeconfig
Cluster "kubernetes" set.
[root@k8s-master01 cert]# cat devuser.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ESXdNakEyTVRjMU4xb1hEVE13TURFek1EQTJNVGMxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmVzCkFic2VOa1hjZzFuUzVFRFh3b1Q3RS9oTU9BL3JFUTZNSDJIQkM2VkhndG5mSmVJMkRqOFZ2cVVHTnI1ZGtGN1QKdmpxbDFRVDQ1bENKWElkdWhqK1FadVJjQk13RkdKd09KODQzRkd0QWdSemVBT1RPSHE4VXREc0hNU3NuOHRTdApaVFFEbEMxK1lwUUI1a0xDM2FRWnJpZzJpMlRURXYwTjk1RWU1T2FUOUkzRjdOWGR4d25SYTNSQjZyUnRwdlhLCkhEdnVUK2JBQmdJVUd5Rk1PNkdxRU44UnN6SnhYME5ha0N4ajlzMGNaUy9VTzF4UCtOcm9GcHdVSzI0dU1SeG8KSHhCRG1KaHZ1K2gzWjFMRzRJK1gzTy9vUXpMSGZFZEtmUkRKL083MTVMRWtrNzYwMVhLYTNBQXJmQzkvQllabQo1Q3pLL29uVFRTSjZESTJlcUlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFVmRpc0dwOUdGcHhZT2tMd2tCT2s5S2ZhaEsKWk1KdWdvSklFdnVTS0VqOTdiUkpCSE5pVmk0aHJjN2JXUWVxVlRxYlc0MGhFQkdjUXpKeUVySmlZVzJsSTVoawp4bWtXSSs5R3JsaHBtU1NGbC93SUxTbWRCaG9jcjdZMEU5THNoTHdPUmdzYm00U1BxSmVXNHNjNml1V08wTENkCjlhSzQ2VGh3RTYxM3JWblVvb2YzQUtyUENhaDBFc1ZJZFlEemFFamFTcHBHOWVzYVVsQjV4NjFWMTR5MkFvOS8KWUNtK3h4c29QamdBMHlHS0dMWHl1cE1CN25NWEhoK0pQWVpmUUFDeU5yVWVoM0RWa2hrMVJtb0wrUm81VEdaRApoUVd5aEM3N0w2T05kTm9takdEcVRnTktob3VxMEdNNVdGSEhhdENQSmNlcW8weEIzbWF1ZDd0dE9tUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://10.0.0.11:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

6）設置客戶端認證參數

[root@k8s-master01 cert]# kubectl config set-credentials devuser --client-certificate=/etc/kubernetes/pki/devuser.pem --client-key=/etc/kubernetes/pki/devuser-key.pem --embed-certs=true --kubeconfig=devuser.kubeconfig
User "devuser" set.
[root@k8s-master01 cert]# cat devuser.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ESXdNakEyTVRjMU4xb1hEVE13TURFek1EQTJNVGMxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmVzCkFic2VOa1hjZzFuUzVFRFh3b1Q3RS9oTU9BL3JFUTZNSDJIQkM2VkhndG5mSmVJMkRqOFZ2cVVHTnI1ZGtGN1QKdmpxbDFRVDQ1bENKWElkdWhqK1FadVJjQk13RkdKd09KODQzRkd0QWdSemVBT1RPSHE4VXREc0hNU3NuOHRTdApaVFFEbEMxK1lwUUI1a0xDM2FRWnJpZzJpMlRURXYwTjk1RWU1T2FUOUkzRjdOWGR4d25SYTNSQjZyUnRwdlhLCkhEdnVUK2JBQmdJVUd5Rk1PNkdxRU44UnN6SnhYME5ha0N4ajlzMGNaUy9VTzF4UCtOcm9GcHdVSzI0dU1SeG8KSHhCRG1KaHZ1K2gzWjFMRzRJK1gzTy9vUXpMSGZFZEtmUkRKL083MTVMRWtrNzYwMVhLYTNBQXJmQzkvQllabQo1Q3pLL29uVFRTSjZESTJlcUlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFVmRpc0dwOUdGcHhZT2tMd2tCT2s5S2ZhaEsKWk1KdWdvSklFdnVTS0VqOTdiUkpCSE5pVmk0aHJjN2JXUWVxVlRxYlc0MGhFQkdjUXpKeUVySmlZVzJsSTVoawp4bWtXSSs5R3JsaHBtU1NGbC93SUxTbWRCaG9jcjdZMEU5THNoTHdPUmdzYm00U1BxSmVXNHNjNml1V08wTENkCjlhSzQ2VGh3RTYxM3JWblVvb2YzQUtyUENhaDBFc1ZJZFlEemFFamFTcHBHOWVzYVVsQjV4NjFWMTR5MkFvOS8KWUNtK3h4c29QamdBMHlHS0dMWHl1cE1CN25NWEhoK0pQWVpmUUFDeU5yVWVoM0RWa2hrMVJtb0wrUm81VEdaRApoUVd5aEM3N0w2T05kTm9takdEcVRnTktob3VxMEdNNVdGSEhhdENQSmNlcW8weEIzbWF1ZDd0dE9tUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://10.0.0.11:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZekNDQWt1Z0F3SUJBZ0lVS2kyM25GNHFzMGJyRTBxbm43WUNqNCs4ZGJNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1EQXlNRFl3TWpFNE1EQmFGdzB5TVRBeQpNRFV3TWpFNE1EQmFNR0l4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFUU1BNEcKQTFVRUF4TUhaR1YyZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwwRgp5NWMxQ2FmY3orcGlLSnovcXpBZGJ5TnVSa1daMWptVXZsMTNGRjZRbXkxUklPSDRtdlc0UXRibmlTZ3ljOTJ4ClAxVmVUdlZSWUZZbkVtVjRqdC81VTZZRE11RVlYNWlQUVh4dlBRbktlSnVVMmtjUWhDY3RaRkUvaGNocUtwUjEKclFYZ3ZPUTVpaHNWdGY2eTlJclM1eXVoWmZsRUpITG5lczFORzM0bFlxRjJvV1NqQzArN051bzZ2ZEtwaEpsTworajEwMmRQM0c0VSt0MzZXc3lra2lFMmRhVkxHN2hLWjBtNWZzcUdxQmpOdDFFUXdtd0YwZWZLUlAzVHRZY2M4CkF5dkxObDYyM2hGTDg3RE5PbVRjU3FPR2duRTB1dW1jQ3Zqa1poaFF5YTNsMkh5dDQyRkhLczdkSHlFTlhMVEMKUFJYQVkyMTVSNE9PdG5LM01CY0NBd0VBQWFOZU1Gd3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlRBCjlINTR4UEZGSEFnclVhTzNURXp0akZaWnZUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFDUnRKa0dYaGplQ0kKMllKcWZCZTAzdDN4NytJalgrQk1abDc5UENuQnVTWUZZaERGQVIxWUpsU2w0cnZidTc2VlpFalRmL0tySHBOZQpjZEk5R3loUlZjT2QyNkpMd3lReGxzTEl2M3ZXb2lNZGQ1TnIxSXp3T2Y0dzZDazNybk1VK3VadDd3enRSUU02CmpKY1hVUktOVXhhay9xc21uRkFWNHVKQkRVeUNvZUZqcFJnMGQ0dEVHelk4eWRLN3RJZmQvbU8zWUZWSWNiOW4KTGg4cGZpSWVMY1lpbWJ5eEpZeTRaTHVNdnE4c21WYmJaQTZGZkh4NnVLSm41aWJ2T2N1cUxuOGJCUllZTFdUUgpma1A0OHdJNTdvUC9CWnlxVGhNMDRqZ05nVlFmU0NNZWdlK0lINjAvMDhuSzFnZzJEQ215TzdHdVlVTzluZ0hKCm5jdFp0WGpmVFE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdlFYTGx6VUpwOXpQNm1Jb25QK3JNQjF2STI1R1JabldPWlMrWFhjVVhwQ2JMVkVnCjRmaWE5YmhDMXVlSktESnozYkUvVlY1TzlWRmdWaWNTWlhpTzMvbFRwZ015NFJoZm1JOUJmRzg5Q2NwNG01VGEKUnhDRUp5MWtVVCtGeUdvcWxIV3RCZUM4NURtS0d4VzEvckwwaXRMbks2RmwrVVFrY3VkNnpVMGJmaVZpb1hhaApaS01MVDdzMjZqcTkwcW1FbVU3NlBYVFowL2NiaFQ2M2ZwYXpLU1NJVFoxcFVzYnVFcG5TYmwreW9hb0dNMjNVClJEQ2JBWFI1OHBFL2RPMWh4endESzhzMlhyYmVFVXZ6c00wNlpOeEtvNGFDY1RTNjZad0srT1JtR0ZESnJlWFkKZkszallVY3F6dDBmSVExY3RNSTlGY0JqYlhsSGc0NjJjcmN3RndJREFRQUJBb0lCQUMxUkZsNUorT2FscWJNbgpsVlVPZHB3eWNsS3NQV3l5VlFtNC8ycXBBZGtxRWduclNWYmpvME1GeWdCN3dnWkJFa1kwR0ZyL0lTN3ZNNGwwCkZKVC9Na0hBSkszSVZvcGdyWXFGemMxblhkcmJEODg5QUpmSS9lWG1uQVplbEZSWUg1MDRHU012bmhtWk1lTU0KY1hWK3NlSVdiaFdudkNybWkxYUE2SkFQekdlUlpXYkd0YUprdVl3YUlJWlhXY1hydUJldWdkSW1MSTlXUDFnMwpjMXg2aXVZUGhnUkI3ZStoeGtPL0NraUZVcmdGMnJaM1dObUtrZ0hJb29uV1ZxV2lSMklpNFpkSVZrQnFBbCs0Cnd5Z2V4S21CRVNNdVpVSDVieCtTK0tGWTZEazgyVjBHSnhTZ1pJL2NDam12YW01NGEvN1AwOTBBNlpKSFNpVlgKWXdHcGdRRUNnWUVBNUdwbFE1bEF1UGowWWdUSVpDR1NaczNqNCtFQUlaekN1OU52VXE1Wm9XOUVLYU4vR0dZUQpqcTRoQkpQeEhoNzArbnN1YnhrTnNXV2lnQkhuV3ZjaFJrd2wvazl0cWgvV0JyMHp3ZE5iRGRQeks3dWJCN3BYCkpNUHd1VlUwQVI2Vm0zVXo4UklDMGZGMEQ2Zm1ZL0FTeEE2VzcvK3QwQlFYcllHVGRxejRxdE1DZ1lFQTA5bUsKNkZXa21vbU5SZ2Q0Rlc5T2FtSDlzODhIeFd2Umw4UzYzd09oRGhFSjRrQ3JVS04yYUNxREFOTm1VTVlXUFUrdApLR21sbDR6SmtFSEIza3puQWR4cThhb21sUGR4dlo5QTBOK0FDeEFKQXpRTXRlS3U1NWpjZE1NMU1SQVJiV2lyCmxKbitGRXpoelJ5anc1RmpmQjJpWk54aHVBNEc4Rm9TRGRVdWt5MENnWUFCZDZHQTVxb2d4aENqMUk0SS9xSTMKSU5sMjdFb1k3UzNmRVFPbEQxT3FFdEhvUnBHWmNZWm50RHlvRDk4N3AwMUJrcXNBc2JPQjBUcFRBa3B2TGlrNwpqMStyRzQyRHkwS1B0b1Z2bUZEOGJNRWlKY2xnS2xWRytpOUFzWWhzL1dwT25sa2dFbEtNVUxYREovdjE1bVBvCmVJT0Z0U25EclcxZGd2aVVpWlhyV3dLQmdRRFJ0MkF3WVYvQ2IvcS9ZWE41M0tjRzN4eVVuSlUzMVdVMTFkV2MKSWU2VWl6OTZqOFJIM3BtL3dwM08rbmNsN1FKbERYUUFOcDFycWo1N0pPMXpVRE82L3VXTGVJSWJJOTJmOW4vbQpoZW91aVdBeW9Kc1lqMS9QK3QzNlpLaEtlbnFXRVhFUmVXUXgybTRKYTVtZVoxWFJyMUJzZ2xIbUwxU2xLTFVJCnBvb2x2UUtCZ1FDZnltODg2VE5oYVQxRWhnYmtWVHdqMUNZQlNVM2Y3REpmVTN2UzlqYkFaekhvRXFkMkwxOGcKWjFDMlVURklaS2pHaXI2N3NXZ3ZVdG1jVDVRWTVtWmswSllLTC9INjQ0YTVMVjg3QThkUUo2dE5wczhyNlE2ZApKOGFjRVFCOURrQmFHekF6U1ZuK0RiTWQvSzdjcGlXdk1pT2tUNU5FMjdMQVplNFhWR3lid1E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

7）設置上下文參數

#創建dev的namespace
[root@k8s-master01 cert]# kubectl create namespace dev
namespace/dev created

#設置上下文參數
[root@k8s-master01 cert]# kubectl config set-context kubernetes --cluster=kubernetes --user=devuser --namespace=dev --kubeconfig=devuser.kubeconfig
Context "kubernetes" created.
[root@k8s-master01 cert]# cat devuser.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ESXdNakEyTVRjMU4xb1hEVE13TURFek1EQTJNVGMxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmVzCkFic2VOa1hjZzFuUzVFRFh3b1Q3RS9oTU9BL3JFUTZNSDJIQkM2VkhndG5mSmVJMkRqOFZ2cVVHTnI1ZGtGN1QKdmpxbDFRVDQ1bENKWElkdWhqK1FadVJjQk13RkdKd09KODQzRkd0QWdSemVBT1RPSHE4VXREc0hNU3NuOHRTdApaVFFEbEMxK1lwUUI1a0xDM2FRWnJpZzJpMlRURXYwTjk1RWU1T2FUOUkzRjdOWGR4d25SYTNSQjZyUnRwdlhLCkhEdnVUK2JBQmdJVUd5Rk1PNkdxRU44UnN6SnhYME5ha0N4ajlzMGNaUy9VTzF4UCtOcm9GcHdVSzI0dU1SeG8KSHhCRG1KaHZ1K2gzWjFMRzRJK1gzTy9vUXpMSGZFZEtmUkRKL083MTVMRWtrNzYwMVhLYTNBQXJmQzkvQllabQo1Q3pLL29uVFRTSjZESTJlcUlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFVmRpc0dwOUdGcHhZT2tMd2tCT2s5S2ZhaEsKWk1KdWdvSklFdnVTS0VqOTdiUkpCSE5pVmk0aHJjN2JXUWVxVlRxYlc0MGhFQkdjUXpKeUVySmlZVzJsSTVoawp4bWtXSSs5R3JsaHBtU1NGbC93SUxTbWRCaG9jcjdZMEU5THNoTHdPUmdzYm00U1BxSmVXNHNjNml1V08wTENkCjlhSzQ2VGh3RTYxM3JWblVvb2YzQUtyUENhaDBFc1ZJZFlEemFFamFTcHBHOWVzYVVsQjV4NjFWMTR5MkFvOS8KWUNtK3h4c29QamdBMHlHS0dMWHl1cE1CN25NWEhoK0pQWVpmUUFDeU5yVWVoM0RWa2hrMVJtb0wrUm81VEdaRApoUVd5aEM3N0w2T05kTm9takdEcVRnTktob3VxMEdNNVdGSEhhdENQSmNlcW8weEIzbWF1ZDd0dE9tUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://10.0.0.11:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: devuser
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZekNDQWt1Z0F3SUJBZ0lVS2kyM25GNHFzMGJyRTBxbm43WUNqNCs4ZGJNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1EQXlNRFl3TWpFNE1EQmFGdzB5TVRBeQpNRFV3TWpFNE1EQmFNR0l4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFUU1BNEcKQTFVRUF4TUhaR1YyZFhObGNqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwwRgp5NWMxQ2FmY3orcGlLSnovcXpBZGJ5TnVSa1daMWptVXZsMTNGRjZRbXkxUklPSDRtdlc0UXRibmlTZ3ljOTJ4ClAxVmVUdlZSWUZZbkVtVjRqdC81VTZZRE11RVlYNWlQUVh4dlBRbktlSnVVMmtjUWhDY3RaRkUvaGNocUtwUjEKclFYZ3ZPUTVpaHNWdGY2eTlJclM1eXVoWmZsRUpITG5lczFORzM0bFlxRjJvV1NqQzArN051bzZ2ZEtwaEpsTworajEwMmRQM0c0VSt0MzZXc3lra2lFMmRhVkxHN2hLWjBtNWZzcUdxQmpOdDFFUXdtd0YwZWZLUlAzVHRZY2M4CkF5dkxObDYyM2hGTDg3RE5PbVRjU3FPR2duRTB1dW1jQ3Zqa1poaFF5YTNsMkh5dDQyRkhLczdkSHlFTlhMVEMKUFJYQVkyMTVSNE9PdG5LM01CY0NBd0VBQWFOZU1Gd3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlRBCjlINTR4UEZGSEFnclVhTzNURXp0akZaWnZUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFDUnRKa0dYaGplQ0kKMllKcWZCZTAzdDN4NytJalgrQk1abDc5UENuQnVTWUZZaERGQVIxWUpsU2w0cnZidTc2VlpFalRmL0tySHBOZQpjZEk5R3loUlZjT2QyNkpMd3lReGxzTEl2M3ZXb2lNZGQ1TnIxSXp3T2Y0dzZDazNybk1VK3VadDd3enRSUU02CmpKY1hVUktOVXhhay9xc21uRkFWNHVKQkRVeUNvZUZqcFJnMGQ0dEVHelk4eWRLN3RJZmQvbU8zWUZWSWNiOW4KTGg4cGZpSWVMY1lpbWJ5eEpZeTRaTHVNdnE4c21WYmJaQTZGZkh4NnVLSm41aWJ2T2N1cUxuOGJCUllZTFdUUgpma1A0OHdJNTdvUC9CWnlxVGhNMDRqZ05nVlFmU0NNZWdlK0lINjAvMDhuSzFnZzJEQ215TzdHdVlVTzluZ0hKCm5jdFp0WGpmVFE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdlFYTGx6VUpwOXpQNm1Jb25QK3JNQjF2STI1R1JabldPWlMrWFhjVVhwQ2JMVkVnCjRmaWE5YmhDMXVlSktESnozYkUvVlY1TzlWRmdWaWNTWlhpTzMvbFRwZ015NFJoZm1JOUJmRzg5Q2NwNG01VGEKUnhDRUp5MWtVVCtGeUdvcWxIV3RCZUM4NURtS0d4VzEvckwwaXRMbks2RmwrVVFrY3VkNnpVMGJmaVZpb1hhaApaS01MVDdzMjZqcTkwcW1FbVU3NlBYVFowL2NiaFQ2M2ZwYXpLU1NJVFoxcFVzYnVFcG5TYmwreW9hb0dNMjNVClJEQ2JBWFI1OHBFL2RPMWh4endESzhzMlhyYmVFVXZ6c00wNlpOeEtvNGFDY1RTNjZad0srT1JtR0ZESnJlWFkKZkszallVY3F6dDBmSVExY3RNSTlGY0JqYlhsSGc0NjJjcmN3RndJREFRQUJBb0lCQUMxUkZsNUorT2FscWJNbgpsVlVPZHB3eWNsS3NQV3l5VlFtNC8ycXBBZGtxRWduclNWYmpvME1GeWdCN3dnWkJFa1kwR0ZyL0lTN3ZNNGwwCkZKVC9Na0hBSkszSVZvcGdyWXFGemMxblhkcmJEODg5QUpmSS9lWG1uQVplbEZSWUg1MDRHU012bmhtWk1lTU0KY1hWK3NlSVdiaFdudkNybWkxYUE2SkFQekdlUlpXYkd0YUprdVl3YUlJWlhXY1hydUJldWdkSW1MSTlXUDFnMwpjMXg2aXVZUGhnUkI3ZStoeGtPL0NraUZVcmdGMnJaM1dObUtrZ0hJb29uV1ZxV2lSMklpNFpkSVZrQnFBbCs0Cnd5Z2V4S21CRVNNdVpVSDVieCtTK0tGWTZEazgyVjBHSnhTZ1pJL2NDam12YW01NGEvN1AwOTBBNlpKSFNpVlgKWXdHcGdRRUNnWUVBNUdwbFE1bEF1UGowWWdUSVpDR1NaczNqNCtFQUlaekN1OU52VXE1Wm9XOUVLYU4vR0dZUQpqcTRoQkpQeEhoNzArbnN1YnhrTnNXV2lnQkhuV3ZjaFJrd2wvazl0cWgvV0JyMHp3ZE5iRGRQeks3dWJCN3BYCkpNUHd1VlUwQVI2Vm0zVXo4UklDMGZGMEQ2Zm1ZL0FTeEE2VzcvK3QwQlFYcllHVGRxejRxdE1DZ1lFQTA5bUsKNkZXa21vbU5SZ2Q0Rlc5T2FtSDlzODhIeFd2Umw4UzYzd09oRGhFSjRrQ3JVS04yYUNxREFOTm1VTVlXUFUrdApLR21sbDR6SmtFSEIza3puQWR4cThhb21sUGR4dlo5QTBOK0FDeEFKQXpRTXRlS3U1NWpjZE1NMU1SQVJiV2lyCmxKbitGRXpoelJ5anc1RmpmQjJpWk54aHVBNEc4Rm9TRGRVdWt5MENnWUFCZDZHQTVxb2d4aENqMUk0SS9xSTMKSU5sMjdFb1k3UzNmRVFPbEQxT3FFdEhvUnBHWmNZWm50RHlvRDk4N3AwMUJrcXNBc2JPQjBUcFRBa3B2TGlrNwpqMStyRzQyRHkwS1B0b1Z2bUZEOGJNRWlKY2xnS2xWRytpOUFzWWhzL1dwT25sa2dFbEtNVUxYREovdjE1bVBvCmVJT0Z0U25EclcxZGd2aVVpWlhyV3dLQmdRRFJ0MkF3WVYvQ2IvcS9ZWE41M0tjRzN4eVVuSlUzMVdVMTFkV2MKSWU2VWl6OTZqOFJIM3BtL3dwM08rbmNsN1FKbERYUUFOcDFycWo1N0pPMXpVRE82L3VXTGVJSWJJOTJmOW4vbQpoZW91aVdBeW9Kc1lqMS9QK3QzNlpLaEtlbnFXRVhFUmVXUXgybTRKYTVtZVoxWFJyMUJzZ2xIbUwxU2xLTFVJCnBvb2x2UUtCZ1FDZnltODg2VE5oYVQxRWhnYmtWVHdqMUNZQlNVM2Y3REpmVTN2UzlqYkFaekhvRXFkMkwxOGcKWjFDMlVURklaS2pHaXI2N3NXZ3ZVdG1jVDVRWTVtWmswSllLTC9INjQ0YTVMVjg3QThkUUo2dE5wczhyNlE2ZApKOGFjRVFCOURrQmFHekF6U1ZuK0RiTWQvSzdjcGlXdk1pT2tUNU5FMjdMQVplNFhWR3lid1E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

8）創建rolebinding角色綁定

#創建角色綁定
[root@k8s-master01 cert]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created

#將配置文件拷貝置devuser用戶家目錄並授權
[root@k8s-master01 cert]# mkdir /home/devuser/.kube
[root@k8s-master01 cert]# cp devuser.kubeconfig /home/devuser/.kube
[root@k8s-master01 cert]# chown devuser:devuser /home/devuser/.kube/devuser.kubeconfig

#重命名
[root@k8s-master01 cert]# cp /home/devuser/.kube/{devuser.kubeconfig,config}
[root@k8s-master01 cert]# ls /home/devuser/.kube/
config  devuser.kubeconfig
[root@k8s-master01 cert]# chown -R devuser:devuser /home/devuser/.kube  #特別注意要授權，報錯error: open /home/devuser/.kube/config.lock: permission denied

9）devuser用戶切換上下文

[devuser@k8s-master01 ~]$ cd .kube/
[devuser@k8s-master01 .kube]$ kubectl config use-context kubernetes --kubeconfig=config
Switched to context "kubernetes".
[devuser@k8s-master01 .kube]$ kubectl get pod
No resources found.

10）測試

[devuser@k8s-master01 ~]$ kubectl run nginx --image=hub.dianchou.com/library/myapp:v1
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created
[devuser@k8s-master01 ~]$ kubectl get pod
NAME                     READY   STATUS    RESTARTS   AGE
nginx-7f5f6bd68c-xj4lb   1/1     Running   0          11s

[root@k8s-master01 ~]# kubectl get pod --all-namespaces -o wide|grep nginx
dev             nginx-7f5f6bd68c-xj4lb                      1/1     Running   0          90s     10.244.1.238   k8s-node01     <none>           <none>
ingress-nginx   nginx-ingress-controller-5876d56d4c-d7gb8   1/1     Running   0          18h     10.244.2.174   k8s-node02     <none>           <none>

[devuser@k8s-master01 ~]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "default"

四、准入控制

准入控制是API Server的插件集合，通過添加不同的插件，實現額外的准入控制規則。甚至於API Server的一些主要的功能都需要通過 Admission Controllers 實現，比如 ServiceAccount

官方文檔上有一份針對不同版本的准入控制器推薦列表，其中最新的 1.14 的推薦列表是：

列舉幾個插件的功能：

• NamespaceLifecycle：防止在不存在的 namespace 上創建對象，防止刪除系統預置 namespace，刪除namespace 時，連帶刪除它的所有資源對象。
• LimitRanger：確保請求的資源不會超過資源所在 Namespace 的 LimitRange 的限制。
• ServiceAccount：實現了自動化添加 ServiceAccount。
• ResourceQuota：確保請求的資源不會超過資源的 ResourceQuota 限制。