[k8s] User Management
============

###### tags: `kubernetes` `tls`

```shell=
# Generate a private key for the user
openssl genrsa -out bruce.key 2048

# Create a CSR; CN becomes the Kubernetes user name, O the group
openssl req -new -key bruce.key -out bruce.csr -subj "/CN=bruce/O=myteam"

# Sign the CSR with the minikube cluster CA
openssl x509 -req -in bruce.csr \
  -CA /Users/brucehsu/.minikube/ca.crt \
  -CAkey /Users/brucehsu/.minikube/ca.key \
  -CAcreateserial -days 1000 \
  -out bruce.crt

# Inspect the issued certificate
openssl x509 -in /Users/brucehsu/test/bruce/bruce.crt -text -noout
```

```shell=
# Register the client certificate and key as the kubeconfig user "bruce"
kubectl config set-credentials bruce \
  --client-certificate /Users/brucehsu/test/bruce/bruce.crt \
  --client-key /Users/brucehsu/test/bruce/bruce.key

# Create a context that pairs the minikube cluster with that user
kubectl config set-context bruce-context \
  --cluster=minikube \
  --user=bruce
```

```yaml=
# role-definition.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

```yaml=
# rolebinding-definition.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: bruce # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # must match the name of the Role
  apiGroup: rbac.authorization.k8s.io
```

## references

+ [[Day17] k8s Administration (3): User Management, RBAC, Node Maintenance](https://ithelp.ithome.com.tw/articles/10223717)
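How the Role and RoleBinding above combine for the certificate subject `/CN=bruce/O=myteam`, as an added example that is not part of the original note and is not Kubernetes source code. It is a simplified model of the RBAC decision; the names `subject_from_cert`, `can_i`, `ROLES` and `BINDINGS` are hypothetical.

```python
def subject_from_cert(subj):
    """Map an openssl -subj string to (user, groups): CN -> user, O -> group."""
    fields = [part.split("=", 1) for part in subj.strip("/").split("/")]
    user = next(v for k, v in fields if k == "CN")
    groups = [v for k, v in fields if k == "O"]
    return user, groups

# The two manifests from this note, reduced to the fields the decision uses.
ROLES = {
    ("default", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "watch", "list"]},
    ],
}
BINDINGS = [
    {"namespace": "default",
     "subjects": [{"kind": "User", "name": "bruce"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def can_i(user, groups, verb, resource, namespace, api_group=""):
    for binding in BINDINGS:
        if binding["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        bound = any(
            (s["kind"] == "User" and s["name"] == user)  # exact, case-sensitive
            or (s["kind"] == "Group" and s["name"] in groups)
            for s in binding["subjects"]
        )
        if not bound:
            continue
        for rule in ROLES.get((namespace, binding["roleRef"]["name"]), []):
            if (_match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False  # RBAC is additive: no matching rule means deny

if __name__ == "__main__":
    user, groups = subject_from_cert("/CN=bruce/O=myteam")
    for verb, ns in [("list", "default"), ("delete", "default"),
                     ("list", "kube-system")]:
        print(user, verb, "pods in", ns, "->",
              can_i(user, groups, verb, "pods", ns))
```

On a live cluster, `kubectl auth can-i list pods --as bruce` asks the API server the same question.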