RBAC
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an organization.
The RBAC authorization mechanism uses the rbac.authorization.k8s.io API group to drive authorization decisions, which lets you configure policy dynamically through the Kubernetes API.
To enable RBAC, start the API server with the --authorization-mode flag set to a comma-separated list that includes RBAC.
Role and ClusterRole
An RBAC Role or ClusterRole contains a set of rules that represent related permissions. These permissions are purely additive (there is no rule that denies an action). A Role always sets permissions within a particular namespace; when you create a Role, you must specify the namespace it belongs to. A ClusterRole, by contrast, is a cluster-scoped resource. The two resources have different names (Role and ClusterRole) because a Kubernetes object is either namespaced or cluster-scoped, never both.
Role example
Here is an example Role in the "default" namespace that can be used to grant read access to pods:
$ cat > role-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
EOF
ClusterRole example
A ClusterRole can be used to grant the same permissions as a Role. Because a ClusterRole is cluster-scoped, it can also be used to grant access to:
- cluster-scoped resources (such as nodes)
- namespaced resources (such as Pods) across all namespaces
For example, you can use a ClusterRole to allow a particular user to run kubectl get pods --all-namespaces.
Here is an example ClusterRole that can be used to grant read access to Secrets in any single namespace, or across all namespaces (depending on how it is bound):
$ cat > cluster-role-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" is omitted because ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, the name of the resource used to access Secrets is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
EOF
RoleBinding and ClusterRoleBinding
A role binding grants the permissions defined in a role to a user or a set of users. It holds a list of subjects (users, groups, or service accounts) and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace, whereas a ClusterRoleBinding grants that access cluster-wide.
A RoleBinding may reference any Role in the same namespace. Alternatively, a RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding. If you want to bind a ClusterRole to all the namespaces in the cluster, you use a ClusterRoleBinding.
RoleBinding example
The RoleBinding below grants the "pod-reader" Role to the user "jane" within the "default" namespace. As a result, "jane" can read pods in the "default" namespace.
$ cat > rolebinding-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role or ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
EOF
A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding's namespace. This kind of reference lets you define a set of common roles across the whole cluster and then reuse them in multiple namespaces.
Although the RoleBinding below refers to a ClusterRole, "dave" (the subject, case sensitive) can only access Secrets objects in the "development" namespace, because the RoleBinding's namespace (set in its metadata) is "development".
$ cat > rolebinding-clusterrole-simple.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # 'name' is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
EOF
ClusterRoleBinding example
To grant permissions across the whole cluster, you can use a ClusterRoleBinding. The following ClusterRoleBinding allows any user in the group "manager" to read secrets in any namespace.
$ cat > clusterrolebinding.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # 'name' is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
EOF
Kubernetes RBAC authorization in practice
1. Create an ordinary user and use it with kubectl
Goal: create a new ordinary Linux user (a Normal User), create 2 new namespaces in the k8s cluster, then assign the new user to one of those namespaces so that the user can only operate within that single namespace.
# Create the user1 and user2 namespaces in the k8s cluster
$ kubectl create ns user1
$ kubectl create ns user2
# Create the user1 Linux user and switch to its home directory (creating a Linux user is optional; you can achieve the same thing by switching contexts with kubectl config use-context)
$ useradd -m -d /home/user1 -s /bin/bash user1
$ passwd user1
$ cd /home/user1/
# Create the user's private key
$ openssl genrsa -out user1.key 2048
# Generate a certificate signing request (user1.csr). Note that O=user is the user's group, not the namespace.
$ openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=user"
# Sign user1.csr with the cluster's CA, producing a certificate valid for 3600 days.
$ openssl x509 -req -in user1.csr -CA /opt/kubelw/cfssl/ca.pem -CAkey /opt/kubelw/cfssl/ca-key.pem -CAcreateserial -out user1.crt -days 3600
Note: replace /opt/kubelw/cfssl/ca.pem and /opt/kubelw/cfssl/ca-key.pem with the actual paths in your cluster (in most cases they are under /etc/kubernetes/pki/).
# Grant all permissions (note that this also makes user1.key readable by every local account; chown user1:user1 plus chmod 600 on the key is the tighter choice)
$ chmod 777 -R /home/user1/*
# Edit /root/.kube/config: this command automatically adds a user1 entry to /root/.kube/config.
$ kubectl config set-credentials user1 --client-certificate=/home/user1/user1.crt --client-key=/home/user1/user1.key
$ cat /root/.kube/config
............
- name: user1
  user:
    client-certificate: /home/user1/user1.crt
    client-key: /home/user1/user1.key
# Copy /root/.kube/config to /home/user1/.kube
$ mkdir /home/user1/.kube && cp -r /root/.kube/config /home/user1/.kube/
$ chown user1:user1 /home/user1/.kube/*
# Switch to the user1 user.
$ su user1
# Edit /home/user1/.kube/config.
# /home/user1/.kube/config before the edit:
$ cat /home/user1/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <omitted>
    server: https://10.20.43.147:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
- name: user1
  user:
    client-certificate: /home/user1/user1.crt
    client-key: /home/user1/user1.key
# Change 1: switch the context to the new user
- context:
    cluster: kubernetes
    user: admin # change this to: user1
  name: kubernetes # change this to: user1
current-context: kubernetes # change this to: user1
# Change 2: delete the admin user's credentials.
- name: admin
  user:
    client-certificate-data: <omitted>
    client-key-data: <omitted>
# /home/user1/.kube/config after the edit:
$ cat /home/user1/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <omitted>
    server: https://10.20.43.147:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: user1
  name: user1
current-context: user1
kind: Config
preferences: {}
users:
- name: user1
  user:
    client-certificate: /home/user1/user1.crt
    client-key: /home/user1/user1.key
# Switch back to root, create a Role, bind it to the user with a RoleBinding, and so grant user1 its permissions
$ cat > user1_role.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: user1 # through this Role and its binding, "user1" can read Pods, replicasets and deployments in the "user1" namespace.
  name: user1Role
rules:
- apiGroups: ["apps"] # target API group
  resources: ["replicasets", "deployments"] # target resources
  # "edit" and "exec" are not API verbs: kubectl edit needs get plus update/patch, and exec needs create on the pods/exec subresource
  verbs: ["get", "watch", "list", "create", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"] # target resources
  verbs: ["get", "watch", "list", "create", "delete", "update", "patch"]
EOF
$ kubectl create -f user1_role.yaml
$ cat > user1Rolebinding.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebind-user1
  namespace: user1 # the namespace the user needs access to
subjects:
- kind: User
  name: user1 # the user you defined; user1 is bound to the Role below
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: user1Role # the name of the Role you defined
  apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl create -f user1Rolebinding.yaml
# Test it
$ su user1
$ kubectl get deployments -n user1
NAME READY UP-TO-DATE AVAILABLE AGE
deploy-web-user1 3/3 3 3 4h2m
$ kubectl get rs -n user1
NAME DESIRED CURRENT READY AGE
deploy-web-user1-7797f778bd 3 3 3 4h2m
$ kubectl get pod -n user1
NAME READY STATUS RESTARTS AGE
deploy-web-user1-7797f778bd-7sf6g 1/1 Running 0 4h2m
deploy-web-user1-7797f778bd-bhrjj 1/1 Running 0 4h2m
deploy-web-user1-7797f778bd-hrsw4 1/1 Running 0 4h2m
nginx 1/1 Running 0 4h31m
# If you try to access another namespace you get a permission error, because user1 has no permissions on resources in the user2 namespace.
$ kubectl get pod -n user2
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "user2"
2. Create an ordinary user and grant it superuser permissions
Goal: create an ordinary user in the kubernetes cluster and bind its permissions directly through a Group; the aim is to bind it to the default superuser role cluster-admin.
# To save time we do not create a Linux user this time; we create a k8s cluster user directly.
$ mkdir /root/superuser && cd /root/superuser
# Generate the private key
$ openssl genrsa -out superuser.key 2048
# Generate a certificate signing request (superuser.csr). Note that O=system:masters is the superadmin group: a user in that group has superadmin permissions as soon as it joins.
$ openssl req -new -key superuser.key -out superuser.csr -subj "/CN=superuser/O=system:masters"
# Sign superuser.csr with the cluster's CA, producing a certificate valid for 3600 days.
$ openssl x509 -req -in superuser.csr -CA /opt/kubelw/cfssl/ca.pem -CAkey /opt/kubelw/cfssl/ca-key.pem -CAcreateserial -out superuser.crt -days 3600
Note: replace /opt/kubelw/cfssl/ca.pem and /opt/kubelw/cfssl/ca-key.pem with the actual paths in your cluster (in most cases they are under /etc/kubernetes/pki/).
# Edit /root/.kube/config: this command automatically adds a user entry to /root/.kube/config.
$ kubectl config set-credentials superuser \
  --client-certificate=/root/superuser/superuser.crt \
  --client-key=/root/superuser/superuser.key
$ cat /root/.kube/config
..........
- name: superuser
  user:
    client-certificate: /root/superuser/superuser.crt
    client-key: /root/superuser/superuser.key
# Create a superuser context
$ kubectl config set-context superuser-context --cluster=kubernetes --user=superuser
# This command adds the following text to /root/.kube/config.
- context:
    cluster: kubernetes
    user: superuser
  name: superuser-context
# Show the current contexts.
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes kubernetes admin
superuser-context kubernetes superuser
user1 kubernetes user1
# Set superuser as the current context (the identity file in use); after switching, superuser can operate on any resource.
$ kubectl config use-context superuser-context
$ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default daemon-web-4z9xk 1/1 Running 0 13h
default daemon-web-bh5pc 1/1 Running 0 13h
default daemon-web-t5zb9 1/1 Running 0 13h
default deploy-web-7797f778bd-lzzkg 1/1 Running 0 14h
default deploy-web-7797f778bd-qwh9r 1/1 Running 0 14h
default deploy-web-7797f778bd-xgpmg 1/1 Running 0 14h
ingress-nginx ingress-nginx-admission-create-2fknd 0/1 Completed 0 14d
ingress-nginx ingress-nginx-admission-patch-l5lbm 0/1 Completed 1 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-7vzxs 1/1 Running 2 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-plz4c 1/1 Running 2 14d
ingress-nginx ingress-nginx-controller-559fb9c8bd-wkcnt 1/1 Running 4 14d
kube-system coredns-75674bbdf4-h4p24 1/1 Running 2 14d
kube-system kube-flannel-ds-gkxfr 1/1 Running 2 14d
kube-system kube-flannel-ds-scpxh 1/1 Running 4 14d
kube-system kube-flannel-ds-vgnp4 1/1 Running 3 14d
quota-mem-cpu-example quota-mem-cpu-demo 1/1 Running 0 37h
quota-mem-cpu-example quota-mem-cpu-demo2 1/1 Running 0 37h
user1 deploy-web-user1-7797f778bd-7sf6g 1/1 Running 0 5h1m
user1 deploy-web-user1-7797f778bd-bhrjj 1/1 Running 0 5h1m
user1 deploy-web-user1-7797f778bd-hrsw4 1/1 Running 0 5h1m
user1 nginx 1/1 Running 0 5h29m
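As an added example (not code from the Kubernetes project or from the original post), the following Python model reproduces the authorization decision the API server makes for the objects defined on this page: the identity comes from the certificate subject (CN is the user name, every O is a group, which is what the openssl -subj strings above set), and a request is allowed only when some binding's rules match it. The Role, ClusterRole and binding contents mirror user1Role, secret-reader and their bindings from above; the cluster-admin ClusterRole and its system:masters ClusterRoleBinding are the bootstrap objects the API server creates itself.

```python
"""Toy model of the RBAC decision for the objects on this page (added example, not k8s code).
Identity: the x509 authenticator takes the certificate CN as the user name and each O as a
group, so the openssl -subj strings above decide whom the API server sees.
Authorization: rules are additive (no deny); a RoleBinding only grants inside its own
namespace even when it references a ClusterRole; a ClusterRoleBinding applies everywhere.
"""
ROLES = {("user1", "user1Role"): [  # (namespace, name) -> rules, as in user1_role.yaml
    {"apiGroups": ["apps"], "resources": ["replicasets", "deployments"],
     "verbs": ["get", "watch", "list", "create", "delete", "update", "patch"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "watch", "list", "create", "delete", "update", "patch"]}]}
CLUSTER_ROLES = {
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}  # bootstrap role
ROLE_BINDINGS = [
    {"namespace": "user1", "subjects": [("User", "user1")], "roleRef": ("Role", "user1Role")},
    {"namespace": "development", "subjects": [("User", "dave")], "roleRef": ("ClusterRole", "secret-reader")}]
CLUSTER_ROLE_BINDINGS = [  # created by the API server at bootstrap: system:masters -> cluster-admin
    {"subjects": [("Group", "system:masters")], "roleRef": ("ClusterRole", "cluster-admin")}]

def identity_from_subj(subj):
    """'/CN=user1/O=user' -> ('user1', ['user']): CN becomes the user, every O a group."""
    fields = [f.split("=", 1) for f in subj.lstrip("/").split("/")]
    return next(v for k, v in fields if k == "CN"), [v for k, v in fields if k == "O"]

def _rule_matches(rule, api_group, resource, verb):
    """Every list in the rule must contain the requested value or the '*' wildcard."""
    return all(any(x in ("*", want) for x in rule[key]) for key, want in
               (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))

def _binding_grants(binding, user, groups, api_group, resource, verb, ns):
    subj_ok = any((k == "User" and n == user) or (k == "Group" and n in groups)
                  for k, n in binding["subjects"])
    if not subj_ok:
        return False
    kind, name = binding["roleRef"]  # a Role is looked up in the binding's own namespace
    rules = ROLES.get((ns, name), []) if kind == "Role" else CLUSTER_ROLES.get(name, [])
    return any(_rule_matches(r, api_group, resource, verb) for r in rules)

def can_i(identity, verb, resource, namespace, api_group=""):
    """True when any binding allows the request; first match wins because RBAC has no deny."""
    user, groups = identity
    if any(_binding_grants(b, user, groups, api_group, resource, verb, None)
           for b in CLUSTER_ROLE_BINDINGS):
        return True  # cluster-wide grant, the namespace is irrelevant
    return any(b["namespace"] == namespace and
               _binding_grants(b, user, groups, api_group, resource, verb, namespace)
               for b in ROLE_BINDINGS)
```

The same questions can be asked of a live cluster with kubectl auth can-i, which is the quickest way to confirm a binding does no more than intended before handing out the kubeconfig.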