创建一个只能管理 dev 空间（namespace）的用户
vim /etc/kubernetes/pki/devuser-csr.json
{
  "CN": "devuser",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" }
  ]
} |
创建证书签名请求（CSR）用的 JSON 文件；Kubernetes 把客户端证书中的 CN 当作用户名、O 当作用户组，后续 RBAC 授权按这两个值匹配 |
wget <cfssl_linux-amd64 的下载地址（原文链接在提取时丢失）>
mv cfssl_linux-amd64 /usr/local/bin/cfssl |
下载证书生成工具（放入 /usr/local/bin 之前，建议先核对发布方提供的校验和，并确认文件具有可执行权限） |
wget <cfssljson_linux-amd64 的下载地址（原文链接在提取时丢失）>
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson |
|
wget <cfssl-certinfo_linux-amd64 的下载地址（原文链接在提取时丢失）>
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo |
|
cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes /etc/kubernetes/pki/devuser-csr.json | cfssljson -bare devuser |
|
export KUBE_APISERVER="https://10.0.0.101:6443" |
配置环境变量改成自己的IP |
vim /etc/profile
export KUBE_APISERVER="https://10.0.0.101:6443" |
|
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=devuser.kubeconfig |
# 设置集群参数（注意：这里的 CA 路径在 /etc/kubernetes/ssl 下，而本页其余证书文件都在 /etc/kubernetes/pki 下，请按实际环境核对路径） |
kubectl config set-credentials devuser \
  --client-certificate=/etc/kubernetes/pki/devuser.pem \
  --client-key=/etc/kubernetes/pki/devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig |
# 设置客户端认证参数 |
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devuser \
  --namespace=dev \
  --kubeconfig=devuser.kubeconfig |
# 设置上下文参数 |
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig |
# 设置默认上下文 |
kubectl create namespace dev |
|
useradd ly01
passwd ly01
mkdir /home/ly01/.kube
mv devuser.kubeconfig /home/ly01/.kube/config
chown -R ly01.ly01 /home/ly01/.kube/ |
# 创建系统用户，把 devuser.kubeconfig 移到该用户家目录下并改名为 config，同时更改属主。该文件因 --embed-certs=true 内嵌了客户端私钥，建议将权限设为 600，仅允许属主读取 |
kubectl get rolebinding -n dev |
查看 dev 空间中是否已有 rolebinding 资源。注意：以上步骤中没有出现创建 RoleBinding 的命令；如果没有为用户 devuser 绑定角色，该用户在 dev 空间内不具备任何权限 |