kubernetes集群安全——认证、鉴权、准入控制_认证鉴权 英文呢

机制说明

Kubernetes 作为一个分布式集群的管理工具，保证集群的安全性是其一个重要的任务。API Server 是集群内部各个组件通信的中介，也是外部控制的入口。所以 Kubernetes 的安全机制基本就是围绕保护 API Server 来设计的。Kubernetes 使用了认证（Authentication）、鉴权（Authorization）、准入控制（AdmissionControl)三步来保证API Server的安全。

认证(Authentication)

• HTTP Token 认证：通过一个 Token 来识别合法用户
• HTTP Base 认证：通过 用户名+密码 的方式认证
• 最严格的 HTTPS 证书认证：基于 CA 根证书签名的客户端身份认证方式

HTTPS:双向认证（颁发证书）-集群组件
      ETCD
	      服务端：ETCD
		  客户端：ApiServer
      ApiServer
	      服务端：ApiServer
	      客户端：
		        需要加密:
				    集群颁发:kubelet
					手动颁发：kubectl、kube-proxy
			    非加密:都运行在master节点
				   Controller Manager、Scheduler
				   
       SA(ServiceAccount)-POD认证
	      ca.crt:用户Pod验证apiserver发来的证书
		  token:用户单点认证apiserer验证pod是否合法
		  namespace:标识作用域
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

鉴权(Authorization)

上面认证过程，只是确认通信的双方都确认了对方是可信的，可以相互通信。而鉴权是确定请求方有哪些资源的权限。API Server 目前支持以下几种授权策略 （通过 API Server 的启动参数 “–authorization-mode” 设置）

• AlwaysDeny：表示拒绝所有的请求，一般用于测试
• AlwaysAllow：允许接收所有请求，如果集群不需要授权流程，则可以采用该策略
• ABAC（Attribute-Based Access Control）：基于属性的访问控制，表示使用用户配置的授权规则对用户请求进行匹配控制
• Webbook：通过调用外部 REST 服务对用户进行授权
• RBAC（Role-Based Access Control）：基于角色的访问控制，现行默认规则

RBAC 授权模式

RBAC（Role-Based Access Control）基于角色的访问控制，在 Kubernetes 1.5 中引入，现行版本成为默认标准。相对其它访问控制方式，拥有以下优势：

• 对集群中的资源和非资源均拥有完整的覆盖

• 整个 RBAC 完全由几个 API 对象完成，同其它 API 对象一样，可以用 kubectl 或 API 进行操作

• 可以在运行时进行调整，无需重启 API Server

RBAC 的 API 资源对象说明

RBAC 引入了 4 个新的顶级资源对象：Role(角色)、ClusterRole(集群角色)、RoleBinding(角色绑定)、ClusterRoleBinding(集群角色绑定)，4 种对象类型均可以通过 kubectl 与 API 操作

Role and ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""] # "" indicates the core API group
  #对象是pod类型,可以通过/分隔符控制子资源的访问权限,例如: resources: ["pods","pods/logs"]，
  #如果为resources：["pods/logs"]表明只能访问pod下的logs
    resources: ["pods"] 
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

RoleBinding and ClusterRoleBinding

RoleBinding 包含一组权限列表(subjects)，权限列表中包含有不同形式的待授予权限资源类型(User、Group、ServiceAcount)

RoleBinding 可以绑定Role也可以绑定ClusterRole，而 ClusterRoleBinding 只能绑定ClusterRole
RoleBinding绑定Role

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    #Defaults to "" for ServiceAccount subjects. 
    #Defaults to "rbac.authorization.k8s.io" for User and Group subjects
    apiGroup: rbac.auorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

RoleBinding绑定ClusterRole

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
1
2
3
4
5
6
7
8
9
10
11
12
13

ClusterRoleBinding绑定ClusterRole

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
  - kind: Group
    name: manager
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
1
2
3
4
5
6
7
8
9
10
11
12

实例：创建用户作为某个名称空间下的管理员

#在opt目录下创建test.json文件
{
  #用户为test
  "CN": "test",
  #当前证书可以在任意节点被调用，即任意节点可以通过证书访问apiserver
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      #所属组为k8s自定义的组，系统组为system:
      "O": "k8s",
      "OU": "System"
    }
  ]
}

# 下载证书生成工具
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

#授予可执行权限
chmod a+x /usr/local/bin/cfssl
chmod a+x /usr/local/bin/cfssljson
chmod a+x /usr/local/bin/cfssl-certinfo

#签发证书
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes /opt/test.json | cfssljson -bare test 
[root@master opt]# ll test*
-rw-r--r--. 1 root root  993 5月   4 15:52 test.csr
-rw-r--r--. 1 root root  217 5月   4 15:28 test.json
-rw-------. 1 root root 1675 5月   4 15:52 test-key.pem
-rw-r--r--. 1 root root 1233 5月   4 15:52 test.pem

# 设置集群参数(即服务端)
[root@master opt]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.116.128 master k8s-api registry
192.168.116.129 node1
#设置KUBE_APISERVER变量
export KUBE_APISERVER="https://k8s-api:6443"

kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNekV6TURjd01sb1hEVE15TURRek1ERXpNRGN3TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTEdsCklpUDAyWlRDc240S0dwY25TT1pQUnUzTlhPemhMREo3S3B2eXViSEt6MWxhQVN0cVFmZi96eVNrWjFHbS95UzcKbS9EVVBXcVBPYVVRT1BMcFMrT2I0OGNOMGVqZldNazNHUkl2b080NDNoTHVDUk1hRVdYam8yakd4bVlUNjR4QgpKbGRhS2hQMjZNblBSNWxTOEs5cGdxa2JHaVhCMU1xcENtbXMrdWhaUWVkZ1I5RkVjSjczSXNRNENySjgyRkNZClFzeGFWN1p5ek1qcVBLTzNLNWpxY0Z0QjJJZFI3UXJaWDljTWFXakJZRjFkL2J5WnZSVjRmUjhqOG94VDlIalIKY1ZpSWxORFhzbVRLcEU3THF2Mll3OUZoOEE0cXdIOWhISmpqbTN5RkdHeS9RL0VRNStRZXJ2aFEwSHBXSlpRNQpGcHJWTDhncFp2QTdnMTVkcHlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBblZIR1lOa0tPS1ZzN2xFbkZBT0JUN05Lc0sKTVIvVnNuTUpnbU9iSjRqam1hMkk2cG0vUFd1OUJIeFNteTcwbFE1WnYyZ1Rudm9wYnorVFhDMmdteTlneFBsaQo5UUxxZW5ITEtXam1zandQWFhaM2xaanJjYVluZDBHQnI4YXVORTNwNzZLbWZ5MHpLMEUvVDN2WW8vckIzTHlRCkRhalRsb1R4MllJZWQxRXBIVnFCOXg1M0E4SXR2Mi81azlnSUVMcnJSWTZkZG9icE5NYUNiLzFWWmFzSTNYaWMKQ1hZMi9mM0FmYTZDRm55dmFJWFh1SnIyVmkwcXpBV3VsNE5zcDdvRWxZVGdGcDlsNUtTUjV3UWVFakF6QXVLaAo1K3NQUzBmK1JyRGlnMTJyM2wwRFJCd1dtKzJnOGVlUHlrclNmL3NZaldQM2xWeFlTbHpnNFZDUElrTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

# 设置客户端认证参数
kubectl config set-credentials test \
--client-certificate=/opt/test.pem \
--client-key=/opt/test-key.pem \
--embed-certs=true \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNekV6TURjd01sb1hEVE15TURRek1ERXpNRGN3TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTEdsCklpUDAyWlRDc240S0dwY25TT1pQUnUzTlhPemhMREo3S3B2eXViSEt6MWxhQVN0cVFmZi96eVNrWjFHbS95UzcKbS9EVVBXcVBPYVVRT1BMcFMrT2I0OGNOMGVqZldNazNHUkl2b080NDNoTHVDUk1hRVdYam8yakd4bVlUNjR4QgpKbGRhS2hQMjZNblBSNWxTOEs5cGdxa2JHaVhCMU1xcENtbXMrdWhaUWVkZ1I5RkVjSjczSXNRNENySjgyRkNZClFzeGFWN1p5ek1qcVBLTzNLNWpxY0Z0QjJJZFI3UXJaWDljTWFXakJZRjFkL2J5WnZSVjRmUjhqOG94VDlIalIKY1ZpSWxORFhzbVRLcEU3THF2Mll3OUZoOEE0cXdIOWhISmpqbTN5RkdHeS9RL0VRNStRZXJ2aFEwSHBXSlpRNQpGcHJWTDhncFp2QTdnMTVkcHlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBblZIR1lOa0tPS1ZzN2xFbkZBT0JUN05Lc0sKTVIvVnNuTUpnbU9iSjRqam1hMkk2cG0vUFd1OUJIeFNteTcwbFE1WnYyZ1Rudm9wYnorVFhDMmdteTlneFBsaQo5UUxxZW5ITEtXam1zandQWFhaM2xaanJjYVluZDBHQnI4YXVORTNwNzZLbWZ5MHpLMEUvVDN2WW8vckIzTHlRCkRhalRsb1R4MllJZWQxRXBIVnFCOXg1M0E4SXR2Mi81azlnSUVMcnJSWTZkZG9icE5NYUNiLzFWWmFzSTNYaWMKQ1hZMi9mM0FmYTZDRm55dmFJWFh1SnIyVmkwcXpBV3VsNE5zcDdvRWxZVGdGcDlsNUtTUjV3UWVFakF6QXVLaAo1K3NQUzBmK1JyRGlnMTJyM2wwRFJCd1dtKzJnOGVlUHlrclNmL3NZaldQM2xWeFlTbHpnNFZDUElrTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVTURUb3ZweHVUajk0VUZrNDM3N1RRNDZFQmljd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTFNRFF3TnpRNE1EQmFGdzB5TXpBMQpNRFF3TnpRNE1EQmFNRjh4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFTk1Bc0cKQTFVRUF4TUVkR1Z6ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT0o1RS9VRgo0TEVvMW5naUNrazJ4ZENTQVQ2cUpSMWo5ODVjNm0yZXFDdURleUIrVDREWXlCOXA3RmZxUnRVdTRyQ1hxWTJ4CmhVRXZyOFNDUUtPd1hXUDgxcXhURzZkRVB5ejMrV2h5dTJGcHJSZWhoL3NwRHZVdmJ2QUFPMmx6U3VJVFQ3WWYKUVdhRk95NzdldHR5bm95bjNZa1FMbE9xeGRmV2hMeUJFTHkvdElDSW14L0UyYmlzNGNRelVSeGIwQisva0kwegpoN0Z0YzZQNXQzc0dzVjdVL3hYY0NIb211Q1RoZC9JVjVTNjYvWjFFbTVUSEM3blgwSENaOWJZeWxvSmZJZzliCkpEOTNtQVB0WXR2VHdNQVI3LzB5Q1pka0RkV0l3N2NoUUF0UzBqNFBUSWRVZlVwZmwwMkNXRFRteHlSSUFYTUkKYjVnblg1SGl2VlBIRU5jQ0F3RUFBYU5lTUZ3d0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCVFdxZ0VRClNBSjdxN0dEZFlMQy82WkN5LzQ1bURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUxjVHJYRnUwWjBhMlNtUHgKaVU1WEk0S1dWSXp6QnBaSzJ3ei9xZGh5ZGc4bTFlRzBaZWRGejFPME9tMHVUV3Zpa24xa1IreUpqeE5RMmgrUgpncmtQUUEwQUpvUkhZR1RBckltOSszQkFKNGswNGgwUWpJaVIzdmk0Nklwdm1keTBibGU4ejNqUTlvazZlMUJLCmh6VzdpS2JDVzZrdkI5Q0JlaWxldGdaYTcvQmJPM0xlaDkwZUFOQ3FJWVFSSEZsbXpKMnVBTDdkN2MxdWtlUGIKUTdEdXRDRjdaV1dTczloOGRXT3pUVkRxZTU3a3l1MFB6aWQ0RkRkdHhuK0RCSVdXVEt5OCtnem1tanZnaVladgpvZk0yTzRtSnM2a1BabERzaW5iV0VveVl6NzBUeUdPcFQ5UDFJUDB6cTBkKzYvUVowSi9XdXhWd2YzMUpVUVBCCldFay9qUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNG5rVDlRWGdzU2pXZUNJS1NUYkYwSklCUHFvbEhXUDN6bHpxYlo2b0s0TjdJSDVQCmdOaklIMm5zVitwRzFTN2lzSmVwamJHRlFTK3Z4SUpBbzdCZFkveldyRk1icDBRL0xQZjVhSEs3WVdtdEY2R0gKK3lrTzlTOXU4QUE3YVhOSzRoTlB0aDlCWm9VN0x2dDYyM0tlaktmZGlSQXVVNnJGMTlhRXZJRVF2TCswZ0lpYgpIOFRadUt6aHhETlJIRnZRSDcrUWpUT0hzVzF6by9tM2V3YXhYdFQvRmR3SWVpYTRKT0YzOGhYbExycjluVVNiCmxNY0x1ZGZRY0puMXRqS1dnbDhpRDFza1AzZVlBKzFpMjlQQXdCSHYvVElKbDJRTjFZakR0eUZBQzFMU1BnOU0KaDFSOVNsK1hUWUpZTk9iSEpFZ0Jjd2h2bUNkZmtlSzlVOGNRMXdJREFRQUJBb0lCQUNtR3pBc0VyZU91T2sxQwo2S0h1SWkyUmFCc0dkZEhDeitDT0Z3cE1xa2Q0VDI1dzJzRWtmdVdMdGFPVk9MSEViQnEzWklhdncyQmxqeFE0ClVnUHh4ZDRjc1h4ZHJOZHA0eStxdEpmYldkS04zd2hUUFN6bnBXOTk2QmluNGp6K3YvOWVUU0oyN3JZT3ZnQnEKYW1lc3g3ZkEzQlZTMnp2S040YlJOZnVlcXVRQTVuQ0J2UUhrNVpISk4vNW9MVS9tNjJOMnZyck1jYkw2UC9mcwpBUVlkWDZOTjdUemZDN01lUFBOQmhyeVFTbHBBMXhnZWtyWlVaOXVnb2ZTWWhacWtDNDllMlFCeGhrR2dxdnAvCjg1bmljZ1hkQnl4ZWpsb1g5SUNFSGhxNHpVTDlidHJpdnZES1Jsa0FFUVh5Y08zS0hFL1g3SVhMRkp3c0NrdHEKeHdoK0pURUNnWUVBNHJITWxWUWMvVzNGNWJ5M2dVckhmWVh2Zk0wVlBaNGpaL05Zd0pBcm0vejRaeUFBMEJGbAp6TlhNSzZDLzkya3FnRDdrd1lvdWRGMGRQOEF6WE9SUDU3dzQ5bS9SUnBKdTN3YWVPc0VaejVKUXpkb0UvSVlxCmRJMlFRa245S29OblNkdG9QNUhWWVdvV1BLWGNQZUQ0c2lYaktrYWMvMExmN1hIZG85S211YjhDZ1lFQS83L3kKUCtBeHFTYUZZTTBXaXVhNmZlRnoxSk0xSXhUaldDU3dYaXZYM3p5TVAzTTRKMkp0aVlSVXQ3OWpIZ01GR0lVMwpsNlE3WFZwZi9qbWFyY3pOTHYwbEtVWU4yR2twOFUrN2k0SW04OHJkTmNxd1BlYk55c2VWc0RZallhYkxlWTAwCkZNbUFQQ3Awam5GTGF2OTd4R0l4dElUeFY0SnpBRFVXVXdSa2Z1a0NnWUFZcitZb3FQVlRQLzRhSzdnTU0zbVEKR09MZ3czQzV1aHYrK1FoRVNDOEhtTC93Y3hMRGxmRnhJaU5PNlAyZTB1d1c5VUp5TlRzajN2UU5lai9kc050bQowQitmN3NOcW5RM0g2ZStYVkdvY0tjSDArUFlzRGV4WHJ3Ynp3Uno1NFQrQlVveUN4NzNtRXVpRENFajQwQ1FsCk9tMEhzSkx1VlhrUFlhUVNjQ0ZKL3dLQmdHU0xiTXlwOGp3aTFjcnh0Z3dUbTN2RHQ4cjV1S2s3SEFuYUdyQmIKSWpvMFRwcmZURk5IZ2ZMUFlKTUFuaEg5Yy9KbzVTc3J1TjhCbWIyVG5majREQzZOL1I4VjJIbWRGbzAxSUhFLwpVTnNGaFNRUnRHb1JwQlExbE9hNjBmd2hHOXVFcE5ZTFJldmhjUU5URFNoYW1xamhSZE5IZEs1SHJiaUdKbW1xCnoydUpBb0dCQUp2VmVIRmpKRkl2MFVHbzBIbGl2R3JOZWVJVzFGZjV0SmdUd2ZlQ1BtSEcxOUNJZDB4RFZEVVUKMlJEL2RMOXQ4MmdzUTFjS1JQVTNjQ08walpxck9pTGg1aWQ5aEpCMUg2MmtGa3IrNEpOK0IvcHNJM3VPWFlFTgo0b0k1NVl6NFJlTEtOTWZQSWNPVFpTRXFoTGdtVVNHZGhuUU9NWGNVMnFnK1FidzRYQ3ZRCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
    
# 设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=test \
--namespace=testns \
--kubeconfig=/opt/test.kubeconfig

[root@master opt]# cat test.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNekV6TURjd01sb1hEVE15TURRek1ERXpNRGN3TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTEdsCklpUDAyWlRDc240S0dwY25TT1pQUnUzTlhPemhMREo3S3B2eXViSEt6MWxhQVN0cVFmZi96eVNrWjFHbS95UzcKbS9EVVBXcVBPYVVRT1BMcFMrT2I0OGNOMGVqZldNazNHUkl2b080NDNoTHVDUk1hRVdYam8yakd4bVlUNjR4QgpKbGRhS2hQMjZNblBSNWxTOEs5cGdxa2JHaVhCMU1xcENtbXMrdWhaUWVkZ1I5RkVjSjczSXNRNENySjgyRkNZClFzeGFWN1p5ek1qcVBLTzNLNWpxY0Z0QjJJZFI3UXJaWDljTWFXakJZRjFkL2J5WnZSVjRmUjhqOG94VDlIalIKY1ZpSWxORFhzbVRLcEU3THF2Mll3OUZoOEE0cXdIOWhISmpqbTN5RkdHeS9RL0VRNStRZXJ2aFEwSHBXSlpRNQpGcHJWTDhncFp2QTdnMTVkcHlVQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBblZIR1lOa0tPS1ZzN2xFbkZBT0JUN05Lc0sKTVIvVnNuTUpnbU9iSjRqam1hMkk2cG0vUFd1OUJIeFNteTcwbFE1WnYyZ1Rudm9wYnorVFhDMmdteTlneFBsaQo5UUxxZW5ITEtXam1zandQWFhaM2xaanJjYVluZDBHQnI4YXVORTNwNzZLbWZ5MHpLMEUvVDN2WW8vckIzTHlRCkRhalRsb1R4MllJZWQxRXBIVnFCOXg1M0E4SXR2Mi81azlnSUVMcnJSWTZkZG9icE5NYUNiLzFWWmFzSTNYaWMKQ1hZMi9mM0FmYTZDRm55dmFJWFh1SnIyVmkwcXpBV3VsNE5zcDdvRWxZVGdGcDlsNUtTUjV3UWVFakF6QXVLaAo1K3NQUzBmK1JyRGlnMTJyM2wwRFJCd1dtKzJnOGVlUHlrclNmL3NZaldQM2xWeFlTbHpnNFZDUElrTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://k8s-api:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVTURUb3ZweHVUajk0VUZrNDM3N1RRNDZFQmljd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTFNRFF3TnpRNE1EQmFGdzB5TXpBMQpNRFF3TnpRNE1EQmFNRjh4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFTk1Bc0cKQTFVRUF4TUVkR1Z6ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT0o1RS9VRgo0TEVvMW5naUNrazJ4ZENTQVQ2cUpSMWo5ODVjNm0yZXFDdURleUIrVDREWXlCOXA3RmZxUnRVdTRyQ1hxWTJ4CmhVRXZyOFNDUUtPd1hXUDgxcXhURzZkRVB5ejMrV2h5dTJGcHJSZWhoL3NwRHZVdmJ2QUFPMmx6U3VJVFQ3WWYKUVdhRk95NzdldHR5bm95bjNZa1FMbE9xeGRmV2hMeUJFTHkvdElDSW14L0UyYmlzNGNRelVSeGIwQisva0kwegpoN0Z0YzZQNXQzc0dzVjdVL3hYY0NIb211Q1RoZC9JVjVTNjYvWjFFbTVUSEM3blgwSENaOWJZeWxvSmZJZzliCkpEOTNtQVB0WXR2VHdNQVI3LzB5Q1pka0RkV0l3N2NoUUF0UzBqNFBUSWRVZlVwZmwwMkNXRFRteHlSSUFYTUkKYjVnblg1SGl2VlBIRU5jQ0F3RUFBYU5lTUZ3d0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCVFdxZ0VRClNBSjdxN0dEZFlMQy82WkN5LzQ1bURBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUxjVHJYRnUwWjBhMlNtUHgKaVU1WEk0S1dWSXp6QnBaSzJ3ei9xZGh5ZGc4bTFlRzBaZWRGejFPME9tMHVUV3Zpa24xa1IreUpqeE5RMmgrUgpncmtQUUEwQUpvUkhZR1RBckltOSszQkFKNGswNGgwUWpJaVIzdmk0Nklwdm1keTBibGU4ejNqUTlvazZlMUJLCmh6VzdpS2JDVzZrdkI5Q0JlaWxldGdaYTcvQmJPM0xlaDkwZUFOQ3FJWVFSSEZsbXpKMnVBTDdkN2MxdWtlUGIKUTdEdXRDRjdaV1dTczloOGRXT3pUVkRxZTU3a3l1MFB6aWQ0RkRkdHhuK0RCSVdXVEt5OCtnem1tanZnaVladgpvZk0yTzRtSnM2a1BabERzaW5iV0VveVl6NzBUeUdPcFQ5UDFJUDB6cTBkKzYvUVowSi9XdXhWd2YzMUpVUVBCCldFay9qUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNG5rVDlRWGdzU2pXZUNJS1NUYkYwSklCUHFvbEhXUDN6bHpxYlo2b0s0TjdJSDVQCmdOaklIMm5zVitwRzFTN2lzSmVwamJHRlFTK3Z4SUpBbzdCZFkveldyRk1icDBRL0xQZjVhSEs3WVdtdEY2R0gKK3lrTzlTOXU4QUE3YVhOSzRoTlB0aDlCWm9VN0x2dDYyM0tlaktmZGlSQXVVNnJGMTlhRXZJRVF2TCswZ0lpYgpIOFRadUt6aHhETlJIRnZRSDcrUWpUT0hzVzF6by9tM2V3YXhYdFQvRmR3SWVpYTRKT0YzOGhYbExycjluVVNiCmxNY0x1ZGZRY0puMXRqS1dnbDhpRDFza1AzZVlBKzFpMjlQQXdCSHYvVElKbDJRTjFZakR0eUZBQzFMU1BnOU0KaDFSOVNsK1hUWUpZTk9iSEpFZ0Jjd2h2bUNkZmtlSzlVOGNRMXdJREFRQUJBb0lCQUNtR3pBc0VyZU91T2sxQwo2S0h1SWkyUmFCc0dkZEhDeitDT0Z3cE1xa2Q0VDI1dzJzRWtmdVdMdGFPVk9MSEViQnEzWklhdncyQmxqeFE0ClVnUHh4ZDRjc1h4ZHJOZHA0eStxdEpmYldkS04zd2hUUFN6bnBXOTk2QmluNGp6K3YvOWVUU0oyN3JZT3ZnQnEKYW1lc3g3ZkEzQlZTMnp2S040YlJOZnVlcXVRQTVuQ0J2UUhrNVpISk4vNW9MVS9tNjJOMnZyck1jYkw2UC9mcwpBUVlkWDZOTjdUemZDN01lUFBOQmhyeVFTbHBBMXhnZWtyWlVaOXVnb2ZTWWhacWtDNDllMlFCeGhrR2dxdnAvCjg1bmljZ1hkQnl4ZWpsb1g5SUNFSGhxNHpVTDlidHJpdnZES1Jsa0FFUVh5Y08zS0hFL1g3SVhMRkp3c0NrdHEKeHdoK0pURUNnWUVBNHJITWxWUWMvVzNGNWJ5M2dVckhmWVh2Zk0wVlBaNGpaL05Zd0pBcm0vejRaeUFBMEJGbAp6TlhNSzZDLzkya3FnRDdrd1lvdWRGMGRQOEF6WE9SUDU3dzQ5bS9SUnBKdTN3YWVPc0VaejVKUXpkb0UvSVlxCmRJMlFRa245S29OblNkdG9QNUhWWVdvV1BLWGNQZUQ0c2lYaktrYWMvMExmN1hIZG85S211YjhDZ1lFQS83L3kKUCtBeHFTYUZZTTBXaXVhNmZlRnoxSk0xSXhUaldDU3dYaXZYM3p5TVAzTTRKMkp0aVlSVXQ3OWpIZ01GR0lVMwpsNlE3WFZwZi9qbWFyY3pOTHYwbEtVWU4yR2twOFUrN2k0SW04OHJkTmNxd1BlYk55c2VWc0RZallhYkxlWTAwCkZNbUFQQ3Awam5GTGF2OTd4R0l4dElUeFY0SnpBRFVXVXdSa2Z1a0NnWUFZcitZb3FQVlRQLzRhSzdnTU0zbVEKR09MZ3czQzV1aHYrK1FoRVNDOEhtTC93Y3hMRGxmRnhJaU5PNlAyZTB1d1c5VUp5TlRzajN2UU5lai9kc050bQowQitmN3NOcW5RM0g2ZStYVkdvY0tjSDArUFlzRGV4WHJ3Ynp3Uno1NFQrQlVveUN4NzNtRXVpRENFajQwQ1FsCk9tMEhzSkx1VlhrUFlhUVNjQ0ZKL3dLQmdHU0xiTXlwOGp3aTFjcnh0Z3dUbTN2RHQ4cjV1S2s3SEFuYUdyQmIKSWpvMFRwcmZURk5IZ2ZMUFlKTUFuaEg5Yy9KbzVTc3J1TjhCbWIyVG5majREQzZOL1I4VjJIbWRGbzAxSUhFLwpVTnNGaFNRUnRHb1JwQlExbE9hNjBmd2hHOXVFcE5ZTFJldmhjUU5URFNoYW1xamhSZE5IZEs1SHJiaUdKbW1xCnoydUpBb0dCQUp2VmVIRmpKRkl2MFVHbzBIbGl2R3JOZWVJVzFGZjV0SmdUd2ZlQ1BtSEcxOUNJZDB4RFZEVVUKMlJEL2RMOXQ4MmdzUTFjS1JQVTNjQ08walpxck9pTGg1aWQ5aEpCMUg2MmtGa3IrNEpOK0IvcHNJM3VPWFlFTgo0b0k1NVl6NFJlTEtOTWZQSWNPVFpTRXFoTGdtVVNHZGhuUU9NWGNVMnFnK1FidzRYQ3ZRCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=

#切换上下文信息
kubectl config use-context kubernetes --kubeconfig=/opt/test.kubeconfig
[root@master .kube]# cat config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdOVEF4TXpJek5Wb1hEVE15TURVd01qQXhNekl6TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTER6CkRhVG9IRVdpNzVnR002ZTU2SngzQlRHN3I4VWNrS3lIR2xiV2EvUHFyd0dlc2pFU0JZU2VkV1I3SGtiVWNjRGYKVmxSNStvczBISHFaZm80OEZBOXpQd1kra2k2M21jd015SFpXVXgvbkVLYmswTWZ1V3JwRG5DNFBIb09GdEFZVQpmSEhDL1YzOFJxN3EzMWpSdnp0eFdudXBPb3ZVVDYzaElDL0NpdnhSbTVhTlUxbFJDaUwyRXFkYW1jRVNGamY0CmZ2bmkyS283NlNnL3FrTXpxWTlDc2UxSkxUdkVKbmw1OXNnNHlGR3BLdnVacGVSbGROSGx1K2x2ZGJIWkpNQVoKSXE4c0NEbUVZdGlvL1lncmFxZXR4S25LQTdPU2k5U0M2OGMvRDJ5cndiWmtaSkVOSGNDRGpwRWdqQ3lLNk1pSQpxbFVKcEpNaWxNVE01SmxWaUZrQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFFY3RMdDBES1MxNTBMQVlMQjd6Rmd0TmxmK1YKYmg5MjcvNEppbERzVFJBVkpBa3hpUDVsT1ZQTjRlUzZ0WlpBWlFvOFVqZTl2R282aUMrc1ZDUkJMcGo4QXBUYQovVFdOMUx4dG1rci9vK2pMS3BEelBob0ZrK3dITDJ4SXN3K1l0SWltTmFEb0R1Z0MwOS8xOENrSnNGdjBHNGxTClNZb1RaZkg4QXRlQWRLNTJYUmxrUXBMWTJ5SWtIc21WYzkzUVI1WmttcFBPcmROcFk1TXhHYnZ6Zm02cDVCcE0KZ1ZvakJMQUNURXlKcjlzbzlkTjRRb1FkVkd1WVQrYzIxUXFJMVNrTUc3cG1FY08xb3pOc1QzeFJadkZEb0FJVAorWVNXQ1YrWEt0Wks4blgyMDlKZi8xb2pxbVFWY0tFdTNBblpLVEZtL0cxZTdWbmZBTUw2R014WWhaVT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.234.137:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
#原先为空字符串，切换后变为kubernetes
#特别注意，必须先切换上下文后才能将文件拷贝到$HOME/.kube文件夹下,否则会报无法连接apiserver
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZRENDQWtpZ0F3SUJBZ0lVTHpBZXZmQXBhd0xyNzFKN1Brb084MmxUTlRJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1qQTFNRFV3TmpRMU1EQmFGdzB5TXpBMQpNRFV3TmpRMU1EQmFNRjh4Q3pBSkJnTlZCQVlUQWtOT01SQXdEZ1lEVlFRSUV3ZENaV2xLYVc1bk1SQXdEZ1lEClZRUUhFd2RDWldsS2FXNW5NUXd3Q2dZRFZRUUtFd05yT0hNeER6QU5CZ05WQkFzVEJsTjVjM1JsYlRFTk1Bc0cKQTFVRUF4TUVkR1Z6ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT0gvMkVpRwp5NUl2Y2lTcEJQT3ViM1lhL2JCNFlwaVM3d0kxRklDN1RkWDNPYTBmelE1Vk4rN0VYem1DZ1pEbjFYZStzcXRpCjFydWcxWDRqRGswN25kUXRpZkJ2bktWcExmUjM5alBRUzZJRjFPTndMb1hMaEVaWGFBMmVSMzZrWGtBOEtXaUEKRVM2UitONmFSd1RFNE5zODFHanhUanNJYlBvRGRnV0txaE81bVJJNUp3MkxBWXZxRTBWdUpRY0RNd0Z6Z0dZagovdWp4anBrTGhWSXloVm1ZSUlGU01KbGdoaE9BYXIyZHFYNzBqMEE3VzJ0d3ZtQWZXUmd0RktwMWh6QVRaUEliCkowb2FnM3dmMGwvbkNQMm5xeEJTNDNqQTFXdWdqOEpZSGVqZlJveTh1bDJrT3Zid2NPZGZNb0tNMFVuY2hxdDAKZTRpZncvdUY1RkJYT2Y4Q0F3RUFBYU5lTUZ3d0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRRwpDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCU0RpZ3M5ClNxMGphOUVYSEF4L1JXL21qcGZpV1RBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUZXbnJXSzRPSlJQQkxrUEgKK1ZiSXE2Z0wwUzhSZlptcjlnYmdnUTlYMXZ0MDNrUGQ5YzBiOG1EZDEwUDc4YUlGUitJazNBT1NSTkxXM2s5KwpxMCthTitwekcvVU50UGFMQWYxZzJXRVJyTVBCTWVITTNqcW1HWG42cVM0d1lrNWVWaHVhU29KSlA5cGlLaDhNCjBFZDRPcjNYakhtNlJLVFdFK05PSlpGWTExUzlIUXdzVzVIN1BGYXc0MWN4WW9XaFFTVWhub01sUDBMNngxdjAKRlZTaXlkMDM1VytZcDZVMEtDTVIzYlR6bEJLZ05DZlFSRzJuL003NENPOHg1Y25CT3ZTejJuY05HUExJZjBYUApDV000ZDBPSS95eWIyN1luckZxUEhnWjBsbzNURmFxVHBtU0lscVJENFFFaDRXZFZQQlQvbWNTMW1GT25EVlhOCjUzbUlDQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNGYvWVNJYkxraTl5SktrRTg2NXZkaHI5c0hoaW1KTHZBalVVZ0x0TjFmYzVyUi9OCkRsVTM3c1JmT1lLQmtPZlZkNzZ5cTJMV3U2RFZmaU1PVFR1ZDFDMko4RytjcFdrdDlIZjJNOUJMb2dYVTQzQXUKaGN1RVJsZG9EWjVIZnFSZVFEd3BhSUFSTHBINDNwcEhCTVRnMnp6VWFQRk9Pd2hzK2dOMkJZcXFFN21aRWprbgpEWXNCaStvVFJXNGxCd016QVhPQVppUCs2UEdPbVF1RlVqS0ZXWmdnZ1ZJd21XQ0dFNEJxdloycGZ2U1BRRHRiCmEzQytZQjlaR0MwVXFuV0hNQk5rOGhzblNocURmQi9TWCtjSS9hZXJFRkxqZU1EVmE2Q1B3bGdkNk45R2pMeTYKWGFRNjl2Qnc1MTh5Z296UlNkeUdxM1I3aUovRCs0WGtVRmM1L3dJREFRQUJBb0lCQUV6L0ZYamdNOHNDVHlrZQpUSW1aREhCNGthWGwzZkdOWGRDcXRPbUc1dVhXN05lRzFoM2orc0ptTk9zckEybVRFcTlSVVI0QzlwWEdIZlp6Cml4UFZFOWlPQzBqWFBjODlIbU1EMitXYk9hbGh3ejRab2tBRExuV29vZExCOGltN1prRU1QaTlVTW9aalJSN1MKQVJBbTQxVE9USy9VUm9ybU8vcVI0MHZRQ2xIZGJkVVYrMCt3bnlIMXdUUGJndFhCcFV4dUVjNjdnWUVQQzBVZgpUV1JTcUZnZHdsc09jQVMxcGRoM2Y5S0NKdjcra0trbUFndFhQWUx0Z0NUb2pxNTZiL1BHOHNmbkVxTVRZdnljCnRFb2NBVERxOUZ6Y0ZVRDJ6SzlTQngrZjd1blg1NWppZkoxMkxvQXJOSGRtc3V4a3hkZndJVDZlR1BCT0FwQ2MKdFJLRjhRRUNnWUVBN0dka0RPVWgzMDVQbm5zWWwwS0NPbEFVMTVqVXliYXAzcUFUNHJDbUFWR1MzejlsbkFmQQpSaGZ5NzNjOVJOOThNaHRnb1dCcnM0VkFZTTh0TUpOMGNyTEhaNjJ2enZ0Qmc3ZU5yT1BHc1RwM0pWbGJ1d0dlClZsekNaUzB3NWx5Z2ZUclc0UlNhL2RJWjdCcDE0Z0dTUnpFTUg0OUliM2MzQU9yUVdHR0VvaEVDZ1lFQTlMdXEKY2owdjBmUDhNblN6eE1sL1NSQ0tQNHBLVi8rNzhXcE8xZHprc3p5eEJrVWdGL2p1NjFmeTFTUU1vZUdKK290cQptcWgrZVhMU2RkT3RZL2FjNzZNWmQxMUJUbmdOMnA2eFVuRmtMaWZET0I1c29hcDBFTHlEMWkyYnVQTDlNQXFEClhkT0JvRkRZZThnYkFIeE40KzZOaGRvTUNtOXdFU00rNGhIckN3OENnWUVBeXdYa0E3c0lRdm5ESU96QWFxN2cKbm1uRjdINUJTRmFLUGpvbHVjcFJWdEtTbXcyY0dzc0JVbkVnM296OTNsYzhGdUF5TllWVUdXRjNyMnhkZDlrNgo2WUltQkNGQzJqUW55SkhycHk0YXBudjZkT1h3QklOWVV2em9xZkdNakZuQ0xxcElmaGF2SVFxOTNtbS9FWENlCkNtdlI2SXlwL2FoWllYMUhubzlwVTdFQ2dZRUEwWFo5MytEMnVOLzJqc2pMeERZaHQwdHN5QTE0cS9DNXoxcUoKdHdta3hMUEJYL2h5QzVLSUN1M3ZiUFc1eWlQYmtKRWE0Tnd0dzR5L0RSSHJhWTk5cXEwUjh0UGlQV01MbUg0UwpqdGwyUVByUFg0ekt0V1BLaXppT0xoWkRIZno3THM4UXVKRjZkTmc5TVZTSHA5YThZOFdkWTE3SXgzV3htVGx0CmJOaWhMNGtDZ1lCN1NXRFp5VTlIcnBqTG5vblRUdWlnNEhaZ05UcFBaa3hpTVp6aUdjMWZ1TFBqaW8zTnVja2kKM3V6cUF2UEVsVFAxYndEcEZVMjZ1THNIVUdra3J4YVFHMm52WGFaL0JIU1h1MkdtcUVMZERjdmtkL2pYNm5MWApEbUhnVENtL3h0M3haeFMyN1IzbWFOYXRCbUN2RGlPREFxR0JpSndUaU1ldURLNEhBR1JBeWc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
    
#创建testns的名称空间
kubectl create ns testns
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

#限制名称空间资源
apiVersion: v1
kind: ResourceQuota
metadata:
  name: limit-resources
  namespace: testns
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 100Gi
    limits.cpu: "40"
    limits.memory: 200Gi

1
2
3
4
5
6
7
8
9
10
11
12
13

#给test用户绑定管理员权限
kubectl create rolebinding test-admin-binding --clusterrole=admin --user=test --namespace=testns
$ kubectl get rolebinding -n testns
NAME                 ROLE                AGE
test-admin-binding   ClusterRole/admin   33s

#linux随意创建用户，比如test1,将test.kubeconfig放入到test1家目录下.kube文件夹下，即可访问apiserver
useradd test1
passwd test1
mkdir -p /home/test1/.kube
cp /opt/test.kubeconfig /home/test1/.kube/config
chown -R test1.test1 /home/test1/.kube
#注意此时get pod的名称空间就为testns 
[test1@master ~]$ kubectl get pod
No resources found in testns namespace
#如果想要获取其他名称空间下的pod会被拒绝
[test1@master ~]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

准入控制

准入控制是API Server的插件集合，通过添加不同的插件，实现额外的准入控制规则。甚至于API Server的一些主要的功能都需要通过 Admission Controllers 实现，比如 ServiceAccount，默认启用的插件

CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
1

• NamespaceLifecycle： 防止在不存在的 namespace 上创建对象，防止删除系统预置 namespace，删除namespace 时，连带删除它的所有资源对象。
• LimitRanger：确保请求的资源不会超过资源所在 Namespace 的 LimitRange 的限制。
• ServiceAccount： 实现了自动化添加 ServiceAccount。
  mespace 上创建对象，防止删除系统预置 namespace，删除namespace 时，连带删除它的所有资源对象。
• LimitRanger：确保请求的资源不会超过资源所在 Namespace 的 LimitRange 的限制。
• ServiceAccount： 实现了自动化添加 ServiceAccount。
• ResourceQuota：确保请求的资源不会超过资源的 ResourceQuota 限制