Mechanism overview
Securing the cluster is an important task for Kubernetes as a distributed cluster management tool. The API Server is the intermediary through which all cluster components communicate and the entry point for external control, so the Kubernetes security mechanisms are essentially designed around protecting the API Server.
Authentication
- HTTP Token authentication: a Token identifies a legitimate user
- HTTP Basic authentication: authentication by username and password
- HTTPS: mutual authentication with issued certificates, used between cluster components
  - ETCD: server side ETCD, client side ApiServer
  - ApiServer: server side ApiServer; clients that require encryption: kubelet (certificate issued by the cluster), kubectl and kube-proxy (certificates issued manually); clients without encryption (all run on the master node): Controller Manager, Scheduler
- SA (ServiceAccount): Pod authentication
  - ca.crt: used by the Pod to verify the certificate presented by the apiserver
  - token: used by the Pod for single-point authentication; the apiserver uses it to verify that the pod is legitimate
  - namespace: identifies the scope
Authorization
In the authentication step above, both communicating parties confirm that the other side is trusted and may communicate with them. Authorization then determines which resources the requester has permissions on. The API Server currently supports the following authorization policies (set with the API Server start-up parameter --authorization-mode):
- AlwaysDeny: rejects all requests; usually used for testing
- AlwaysAllow: accepts all requests; used when the cluster does not need an authorization flow
- ABAC (Attribute-Based Access Control): user-configured authorization rules are matched against requests and control them
- Webhook: calls an external REST service to authorize the user
RBAC authorization mode
RBAC (Role-Based Access Control) has been the default standard since Kubernetes 1.5. Compared with other access control methods it has the following advantages:
- Complete coverage of the resources and non-resources in the cluster
- The whole of RBAC is implemented by a few API objects; like any other API object they can be operated on with kubectl or the API
- Adjustable at runtime, without restarting the API Server
RBAC API resource objects
RBAC introduces 4 new top-level resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding. All 4 object types can be operated on with kubectl or the API.
Role and ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  # the object type is pod; access to sub-resources is controlled with the "/" separator,
  # e.g. resources: ["pods","pods/log"]; with resources: ["pods/log"] only the logs of pods can be accessed
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
RoleBinding and ClusterRoleBinding
A RoleBinding contains a list of subjects; the list holds the different kinds of identities to which permissions are granted (User, Group, ServiceAccount).
RoleBinding binding a Role
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  # Defaults to "" for ServiceAccount subjects.
  # Defaults to "rbac.authorization.k8s.io" for User and Group subjects
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
RoleBinding binding a ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRoleBinding binding a ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
Example: create a user as the administrator of a namespace
# Create the file test.json in the /opt directory. JSON does not allow comments, so the field notes are given here:
#   CN: the user name, here "test"
#   hosts: empty, so the certificate can be used from any node, i.e. any node can access the apiserver with it
#   O: the group the user belongs to; "k8s" is a custom group (system groups use the system: prefix)
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
# Download the certificate generation tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
# Grant execute permission
chmod a+x /usr/local/bin/cfssl
chmod a+x /usr/local/bin/cfssljson
chmod a+x /usr/local/bin/cfssl-certinfo
# Sign the certificate with the cluster CA
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes /opt/test.json | cfssljson -bare test
[root@master opt]# ll test*
-rw-r--r--. 1 root root 993 5月 4 15:52 test.csr
-rw-r--r--. 1 root root 217 5月 4 15:28 test.json
-rw-------. 1 root root 1675 5月 4 15:52 test-key.pem
-rw-r--r--. 1 root root 1233 5月 4 15:52 test.pem
# Set the cluster parameters (the server side)
[root@master opt]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.116.128 master k8s-api registry
192.168.116.129 node1
# Set the KUBE_APISERVER variable
export KUBE_APISERVER="https://k8s-api:6443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
# Set the client authentication parameters
kubectl config set-credentials test \
  --client-certificate=/opt/test.pem \
  --client-key=/opt/test-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=test \
  --namespace=testns \
  --kubeconfig=/opt/test.kubeconfig
[root@master opt]# cat test.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://k8s-api:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>
# Switch the context
kubectl config use-context kubernetes --kubeconfig=/opt/test.kubeconfig
[root@master .kube]# cat config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://192.168.234.137:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: testns
    user: test
  name: kubernetes
# previously an empty string; after the switch it becomes kubernetes
# note: the context must be switched before the file is copied into $HOME/.kube, otherwise kubectl reports that it cannot connect to the apiserver
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>
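As an added example (not code from the original page), the following Python checks a kubeconfig for the pitfall noted above: a file copied to $HOME/.kube/config before kubectl config use-context still has current-context "" and kubectl will not reach the apiserver. It also checks that the current context points at an existing cluster and user and that the embedded data decodes to PEM. SAMPLE is a constructed kubeconfig with placeholder PEM bodies, not real certificates.

```python
import base64
def _b64(text):
    """Encode text the way --embed-certs stores file contents (used for sample data)."""
    return base64.b64encode(text.encode()).decode()

def _is_pem(b64, marker):
    """True if the base64 payload decodes to a PEM block whose header contains marker."""
    try:
        data = base64.b64decode(b64 or "", validate=True)
    except ValueError:
        return False
    return data.startswith(b"-----BEGIN ") and marker.encode() in data.split(b"\n", 1)[0]

def check_kubeconfig(cfg):
    """Return a list of problems; an empty list means kubectl can use the file."""
    problems = []
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters") or []}
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users") or []}
    contexts = {c["name"]: c.get("context", {}) for c in cfg.get("contexts") or []}
    current = cfg.get("current-context") or ""
    if not current:
        problems.append("current-context is empty: run kubectl config use-context first")
    elif current not in contexts:
        problems.append(f"current-context {current!r} has no matching context")
    else:
        ctx = contexts[current]
        if ctx.get("cluster") not in clusters:
            problems.append(f"context references unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            problems.append(f"context references unknown user {ctx.get('user')!r}")
        if not ctx.get("namespace"):
            problems.append("context sets no namespace; kubectl would fall back to 'default'")
    for name, c in clusters.items():
        if not _is_pem(c.get("certificate-authority-data"), "CERTIFICATE"):
            problems.append(f"cluster {name!r} lacks an embedded CA certificate")
    for name, u in users.items():
        if not _is_pem(u.get("client-certificate-data"), "CERTIFICATE"):
            problems.append(f"user {name!r} lacks an embedded client certificate")
        if not _is_pem(u.get("client-key-data"), "PRIVATE KEY"):
            problems.append(f"user {name!r} lacks an embedded client key")
    return problems

# Constructed sample: the state after set-cluster, set-credentials and set-context but
# before use-context; the PEM bodies are placeholders, not real certificates.
CERT = _b64("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
KEY = _b64("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
SAMPLE = {"apiVersion": "v1", "kind": "Config", "current-context": "",
    "clusters": [{"name": "kubernetes", "cluster": {"server": "https://k8s-api:6443", "certificate-authority-data": CERT}}],
    "users": [{"name": "test", "user": {"client-certificate-data": CERT, "client-key-data": KEY}}],
    "contexts": [{"name": "kubernetes", "context": {"cluster": "kubernetes", "user": "test", "namespace": "testns"}}]}
```

Running check_kubeconfig(SAMPLE) reports the empty current-context; the same dict with current-context set to kubernetes passes cleanly.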
# Create the testns namespace
kubectl create ns testns
# Limit the namespace's resources (save the following as a file and apply it with kubectl apply -f)
apiVersion: v1
kind: ResourceQuota
metadata:
  name: limit-resources
  namespace: testns
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 100Gi
    limits.cpu: "40"
    limits.memory: 200Gi
# Bind administrator permissions to the test user (the admin ClusterRole, limited to testns by the RoleBinding)
kubectl create rolebinding test-admin-binding --clusterrole=admin --user=test --namespace=testns
$ kubectl get rolebinding -n testns
NAME ROLE AGE
test-admin-binding ClusterRole/admin 33s
# Create any Linux user, e.g. test1, and put test.kubeconfig into the .kube folder of its home directory; that user can then access the apiserver
useradd test1
passwd test1
mkdir -p /home/test1/.kube
cp /opt/test.kubeconfig /home/test1/.kube/config
chown -R test1:test1 /home/test1/.kube
# Note that get pod now defaults to the testns namespace
[test1@master ~]$ kubectl get pod
No resources found in testns namespace
# Listing pods in another namespace is refused
[test1@master ~]$ kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
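As an added example (not code from the original page), the following Python models how the API server evaluates the RBAC objects from the Role/RoleBinding section above and reproduces the outcome of this example: the test user is bound to the admin ClusterRole only in testns, so listing pods there succeeds while the same request in default is Forbidden. The pod-reader and secret-reader rules are taken from the page's YAML; the admin ClusterRole here is a constructed subset of the built-in one.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: set   # "" is the core API group, as in the page's YAML
    resources: set
    verbs: set

@dataclass
class Binding:
    role: str         # name referenced in roleRef (Role or ClusterRole)
    subjects: set     # {("User", name), ("Group", name), ...}
    namespace: str = None  # set for a RoleBinding; None for a ClusterRoleBinding

# Rules keyed by role name; whether a grant is namespaced is decided by the binding.
ROLES = {
    "pod-reader": [Rule({""}, {"pods"}, {"get", "watch", "list"})],
    "secret-reader": [Rule({""}, {"secrets"}, {"get", "watch", "list"})],
    # constructed subset of the built-in admin ClusterRole, enough for this demo
    "admin": [Rule({"", "apps"}, {"*"}, {"*"})],
}
BINDINGS = [
    Binding("pod-reader", {("User", "jane")}, "default"),          # RoleBinding -> Role
    Binding("secret-reader", {("User", "dave")}, "development"),   # RoleBinding -> ClusterRole
    Binding("secret-reader", {("Group", "manager")}),              # ClusterRoleBinding
    Binding("admin", {("User", "test")}, "testns"),                # test-admin-binding
]

def rule_matches(rule, api_group, resource, verb):
    """A rule grants a request when group, resource and verb are each listed or wildcarded."""
    return ((api_group in rule.api_groups or "*" in rule.api_groups)
            and (resource in rule.resources or "*" in rule.resources)
            and (verb in rule.verbs or "*" in rule.verbs))

def allowed(user, groups, verb, resource, namespace, api_group=""):
    """True if some binding for this user or one of its groups grants the request.
    A RoleBinding applies only inside its own namespace, even when it references a
    ClusterRole; a ClusterRoleBinding applies in every namespace."""
    identities = {("User", user)} | {("Group", g) for g in groups}
    for b in BINDINGS:
        if not (b.subjects & identities):
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_matches(r, api_group, resource, verb) for r in ROLES[b.role]):
            return True
    return False  # deny by default: no matching rule means "Forbidden"
```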
Admission control
Admission control is the API Server's collection of plugins; adding different plugins implements additional admission control rules. Some of the API Server's main functions are themselves implemented through Admission Controllers, for example ServiceAccount. The plugins enabled by default are:
CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, LimitRanger, MutatingAdmissionWebhook, NamespaceLifecycle, PersistentVolumeClaimResize, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook
- NamespaceLifecycle: prevents creating objects in a namespace that does not exist and prevents deleting the system-provided namespaces; when a namespace is deleted, all its resource objects are deleted with it.
- LimitRanger: ensures that the resources a request asks for do not exceed the LimitRange limits of the Namespace the resource lives in.
- ServiceAccount: implements the automatic addition of ServiceAccounts.
- ResourceQuota: ensures that the resources a request asks for do not exceed the ResourceQuota limits.