kubernetes RBAC 用户角色访问控制 — Jevic

kubernetes RBAC 用户角色访问控制

2019/04/06 Kubernetes

配置证书

  • /etc/kubernetes/pki/
  • 二进制手动安装请到指定目录下操作
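## Client certificate for a Kubernetes user. The CSR's CN becomes the user name that
## RBAC bindings refer to; DAYS is the certificate validity. Both default to the
## original values (devops / 7200 days) and can be overridden from the environment.
## Kubernetes does not revoke client certificates: a leaked certificate stays valid
## until it expires or the CA is rotated, so prefer a validity much shorter than
## 7200 days (~20 years) for real users.
CN="${CN:-devops}"
DAYS="${DAYS:-7200}"
## Generate the private key (the subshell umask keeps the key file owner-readable only)
(umask 077; openssl genrsa -out "${CN}.key" 2048)
## Certificate signing request; CN = user account name
openssl req -new -key "${CN}.key" -out "${CN}.csr" -subj "/CN=${CN}"
## Sign with the cluster CA (run inside the directory holding ca.crt / ca.key)
openssl x509 -req -in "${CN}.csr" -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out "${CN}.crt" -days "${DAYS}"
## Inspect the resulting certificate
openssl x509 -in "${CN}.crt" -text -noout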

添加用户

  • 复制admin.conf 到配置目录为: devops.kubeconfig
  • 这样就无需再配置集群参数信息；后面配置完成后务必删除其中 admin 的所有信息
  • 生成 config 配置文件
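# Client certificate. --embed-certs=true writes the certificate AND the private key
# into devops.kubeconfig, so the file is itself a credential: keep it mode 0600 and
# never commit it. (The original notes used `//` comments and a `#` root prompt,
# neither of which is valid shell; they are rewritten here as a runnable script.)
kubectl config set-credentials devops --client-certificate=/etc/kubernetes/pki/devops.crt --client-key=/etc/kubernetes/pki/devops.key --embed-certs=true --kubeconfig=devops.kubeconfig

# Context: user devops on cluster "kubernetes", default namespace devops
kubectl config set-context devops@kubernetes --cluster=kubernetes --user=devops --namespace=devops --kubeconfig=devops.kubeconfig

# Make it the default context
kubectl config use-context devops@kubernetes --kubeconfig=devops.kubeconfig

# devops.kubeconfig was copied from admin.conf, so it still carries the admin user
# and context. Remove them before handing the file out, e.g.
#   kubectl config unset users.<ADMIN_USER> --kubeconfig=devops.kubeconfig
#   kubectl config unset contexts.<ADMIN_CONTEXT> --kubeconfig=devops.kubeconfig
# (<ADMIN_USER> / <ADMIN_CONTEXT> are placeholders for the names found in admin.conf.)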

namespace 权限

role

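# Generate a Role skeleton (the leading `#` in the original was a root prompt, not a
# comment). Note that the YAML shown below was hand-edited afterwards: it adds the
# create verb and several pod subresources, so it grants more than this command emits.
# On newer kubectl a bare --dry-run is deprecated; use --dry-run=client.
kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml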

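apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  ## Namespace the Role is scoped to
  namespace: devops
rules:
- apiGroups:
  - ""
  resources:
  - pods
  ## NOTE: together with the create verb below, pods/exec, pods/attach,
  ## pods/portforward and pods/proxy let the subject run commands in and tunnel
  ## into any pod of this namespace, which is far more than the "reader" in the
  ## name implies. Drop these subresources (and create) if read-only is intended.
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  ## fixed: this entry was indented one column deeper than the rest of the list,
  ## which makes the document fail to parse
  - create
#  - delete
#  - deletecollection
  - get
  - list
  - watch
#  - update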

rolebinding

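# Generate the RoleBinding manifest (the leading `#` in the original was a root prompt).
# Written with `>` rather than `>>`: role-demo2.yaml is a fresh file holding only this
# document, and appending to a pre-existing file would produce an invalid manifest.
# On newer kubectl a bare --dry-run is deprecated; use --dry-run=client.
kubectl create rolebinding devops-podsreader --role=pods-reader --user=devops --dry-run -o yaml > role-demo2.yaml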

## Binds user "devops" to Role pods-reader within the devops namespace.
## A RoleBinding only ever grants access inside its own namespace.
kind: RoleBinding
apiVersion: 'rbac.authorization.k8s.io/v1'
metadata:
  ## Namespace the binding (and the referenced Role) live in
  namespace: 'devops'
  name: 'devops-podsreader'
subjects:
  ## User names come from the client certificate CN
- kind: 'User'
  name: 'devops'
  apiGroup: 'rbac.authorization.k8s.io'
roleRef:
  kind: 'Role'
  name: 'pods-reader'
  apiGroup: 'rbac.authorization.k8s.io'

创建

# Create the Role and then the RoleBinding; each manifest is submitted on its own
# so a failure in the first does not skip the second.
for manifest in role-demo.yaml role-demo2.yaml; do
  kubectl create -f "$manifest"
done

kube config

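# Install the kubeconfig for the devops user.
# Fixed: the directory is ~/.kube, not ~/.kuber; with the typo the cp below fails
# whenever ~/.kube does not already exist.
# This overwrites any existing ~/.kube/config, so back that up first if it holds
# other credentials. The file embeds the private key: keep it mode 0600.
mkdir -p ~/.kube
cp devops.kubeconfig ~/.kube/config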

Cluster 权限

  • 创建集群角色并绑定到对应的用户;
  • 可编辑生成的 yaml 文件来增加或删除权限配置等;
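# ClusterRole: get/list/watch on pods, pods/exec, pods/attach and services in every namespace.
# NOTE: get on pods/exec and pods/attach is not read-only: the exec/attach endpoints also
# accept GET (websocket clients), so this effectively allows running commands in pods
# cluster-wide. Drop those two subresources unless that is intended.
# On newer kubectl a bare --dry-run is deprecated; use --dry-run=client.
kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods,pods/exec,pods/attach,svc --dry-run -o yaml > clusterrole-demo.yaml

# Fixed: appending a second document to the same file needs a `---` separator; without it
# the file has two top-level apiVersion/kind keys and is not a valid manifest for kubectl.
echo '---' >> clusterrole-demo.yaml
kubectl create clusterrolebinding devops-readallpods --clusterrole=cluster-reader --user=devops --dry-run -o yaml >> clusterrole-demo.yaml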
