Creating namespace-level permissions
I. Account creation
1. Create a ServiceAccount
2. Create a Role
3. Bind the ServiceAccount to the Role
# serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hadoop-admin
  namespace: hadoop
---
# role (a single wildcard rule already covers every API group, resource and verb)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: hadoop
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
# rolebinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hadoop-admin-rolebinding
  namespace: hadoop
subjects:
- kind: ServiceAccount
  name: hadoop-admin # name of the serviceaccount
  namespace: hadoop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin # name of the role
II. Check the created objects and obtain the token
~]# kubectl get sa -n hadoop
~]# kubectl get role -n hadoop
~]# kubectl get rolebinding -n hadoop
~]# kubectl get secret -n hadoop # take the token field from the secret and decode it with base64 -d
III. Register the configuration
Run this on the appropriate node, i.e. the one machine that is separately granted the right to run kubectl.
# specify the cluster; the name can be anything
kubectl config --kubeconfig=hadoop-config set-cluster hadoop --server=https://apiserver.cluster.local:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
# create the credentials
kubectl config --kubeconfig=hadoop-config set-credentials hadoop-admin --token=<the token obtained above>
# configure the context
kubectl config --kubeconfig=hadoop-config set-context hadoop-admin --cluster=hadoop --user=hadoop-admin --namespace=hadoop
# switch to the context just configured
kubectl config --kubeconfig=hadoop-config use-context hadoop-admin
IV. Environment variable configuration
(1) After the steps above, a file is generated in the current directory (its name is the one given to --kubeconfig above).
(2) Edit /etc/profile and put the path of this file into the environment variable: export KUBECONFIG=/root/.kube/blockchain (adjust the path to your actual setup)
(3) source /etc/profile
V. Granting a ServiceAccount access to several namespaces
Note: this step builds on steps I to IV.
Principle: bind the SA to a Role in each of the namespaces (so the same Role has to be created in every namespace, and the same RoleBinding has to be created in every namespace).
Example: grant the SA blockchain-admin access to the additional spark namespace
1. Create the additional Role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: spark
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
2. Create the additional RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hadoop-admin-rolebinding
  namespace: spark
subjects:
- kind: ServiceAccount
  name: hadoop-admin # name of the sa
  namespace: hadoop # namespace the sa lives in (not the binding's namespace)
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin # name of the role
3. After the two steps above, the token from step I directly grants administrator rights in the spark and blockchain namespaces. To narrow the permissions, edit the Role in each namespace.
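As an added example (not part of the original notes), the following Python script evaluates offline what the ServiceAccount may do in each namespace given Role/RoleBinding objects like the ones above; the manifests are constructed copies embedded as dicts, and the function names can_i and namespaces_granted are my own. It shows why the subject's namespace must be the SA's home namespace and why no binding in a namespace means no access there.

```python
# Added example: offline evaluation of the namespaced RBAC grants on this page.
# Manifests are constructed copies of the page's objects, as dicts (no PyYAML needed).

WILDCARD_RULE = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
ROLES = [
    {"metadata": {"name": "admin", "namespace": "hadoop"}, "rules": [WILDCARD_RULE]},
    {"metadata": {"name": "admin", "namespace": "spark"}, "rules": [WILDCARD_RULE]},
]
SA_SUBJECT = {"kind": "ServiceAccount", "name": "hadoop-admin", "namespace": "hadoop"}
BINDINGS = [
    {"metadata": {"name": "hadoop-admin-rolebinding", "namespace": "hadoop"},
     "subjects": [SA_SUBJECT], "roleRef": {"kind": "Role", "name": "admin"}},
    {"metadata": {"name": "hadoop-admin-rolebinding", "namespace": "spark"},
     "subjects": [SA_SUBJECT], "roleRef": {"kind": "Role", "name": "admin"}},
]

def _matches(patterns, value):
    # Kubernetes RBAC treats "*" as matching any API group, resource or verb.
    return "*" in patterns or value in patterns

def can_i(sa_ns, sa_name, verb, resource, namespace, api_group="",
          roles=ROLES, bindings=BINDINGS):
    """True if ServiceAccount sa_ns/sa_name may perform verb on resource in
    namespace. Two properties of namespaced RBAC matter here: a RoleBinding
    grants rights only inside its own namespace, and the subject's namespace
    must be the SA's home namespace (hadoop), not the binding's namespace."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding is scoped to its own namespace
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns
                   for s in binding.get("subjects", [])):
            continue  # this SA is not a subject of the binding
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role.get("rules", []):
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False

def namespaces_granted(sa_ns, sa_name, roles=ROLES, bindings=BINDINGS):
    """Sorted namespaces in which the SA may 'get pods' (a probe for any access)."""
    return sorted({b["metadata"]["namespace"] for b in bindings
                   if can_i(sa_ns, sa_name, "get", "pods", b["metadata"]["namespace"],
                            roles=roles, bindings=bindings)})
```

The same questions can be asked of a live cluster with `kubectl auth can-i <verb> <resource> -n <namespace>` using the generated kubeconfig, which is a quick way to confirm the token is confined to the intended namespaces.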