非root用戶管理k8s和docker容器詳解

更新時(shí)間：2025年09月24日 09:25:06 作者：CN-FuWei

文章介紹了如何通過(guò)創(chuàng)建非root用戶（如ops用戶）并配置kubectl權(quán)限,結(jié)合RBAC限制訪問(wèn)范圍,實(shí)現(xiàn)安全管理K8s集群；同時(shí)通過(guò)將用戶加入docker組,無(wú)需root權(quán)限即可操作Docker容器

一、非root用戶管理k8s集群

1.1 創(chuàng)建一個(gè)普通用戶

useradd ops

1.2 修改集群配置

OPS機(jī)器關(guān)聯(lián)kubectl進(jìn)行如下操作：

root用戶執(zhí)行：

mkdir -p /home/ops/.kube/
cp ~/.kube/config  /home/ops/.kube/
chown deployer:deployer /home/ops/.kube
chown deployer:deployer /home/ops/.kube/config

ops用戶執(zhí)行：

echo  "export KUBECONFIG=/home/ops/.kube/config" >> ~/.bash_profile
echo "source <(kubectl completion bash)" >> /home/ops/.bashrc
source  ~/.bash_profile

1.3 驗(yàn)證

[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ kubectl get node
NAME          STATUS   ROLES                  AGE   VERSION
k8s-master1   Ready    control-plane,master   42d   v1.22.0
k8s-master2   Ready    control-plane,master   42d   v1.22.0
k8s-master3   Ready    control-plane,master   42d   v1.22.0
k8s-node1     Ready    <none>                 42d   v1.22.0
k8s-node2     Ready    <none>                 42d   v1.22.0
k8s-node3     Ready    <none>                 42d   v1.22.0
[ops@k8s-master1 root]$ kubectl get ns
NAME              STATUS   AGE
default           Active   42d
kube-node-lease   Active   42d
kube-public       Active   42d
kube-system       Active   42d
monitoring        Active   42d

此時(shí)已經(jīng)可以使用ops用戶來(lái)管理k8s集群（若需要針對(duì)ops用戶指定ns以及資源對(duì)象擁有特定權(quán)限，可以使用RBAC來(lái)限制）

二、非root用戶管理docker

由于docker軟件安裝好之后，自動(dòng)會(huì)創(chuàng)建好docker用戶組，所以這里只需要?jiǎng)?chuàng)建好管理docer容器的用戶就好。

[root@k8s-master1 ~]# cat /etc/group
....................
docker:x:995:

首先來(lái)看一下正常的普通用戶管理docker是什么樣的

切換dev用戶執(zhí)行docker命令，報(bào)錯(cuò)如下：

[root@k8s-master1 ~]# su dev
[dev@k8s-master1 root]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied
[dev@k8s-master1 root]$ docker images
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/json": dial unix /var/run/docker.sock: connect: permission denied

現(xiàn)在我們把ops用戶加入docker用戶組中

usermod -g docker ops

接下來(lái)切換ops用戶來(lái)查看一下效果：

[root@k8s-master1 ~]# su ops
[ops@k8s-master1 root]$ docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.39
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.11.13
  Git commit:       039a7df
  Built:            Wed Sep  4 16:22:32 2019
  OS/Arch:          linux/amd64
  Experimental:     false
[ops@k8s-master1 root]$ docker images
REPOSITORY                                                        TAG       IMAGE ID       CREATED         SIZE
rancher/mirrored-flannelcni-flannel                               v0.17.0   9247abf08677   3 months ago    59.8MB
rancher/mirrored-flannelcni-flannel                               v0.16.3   8cb5de74f107   4 months ago    59.7MB
rancher/mirrored-flannelcni-flannel-cni-plugin                    v1.0.1    ac40ce625740   4 months ago    8.1MB
quay.io/prometheus/node-exporter                                  v1.3.1    1dbe0e931976   5 months ago    20.9MB
registry.aliyuncs.com/google_containers/kube-apiserver            v1.22.0   838d692cbe28   10 months ago   128MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.22.0   5344f96781f4   10 months ago   122MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.22.0   3db3d153007f   10 months ago   52.7MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.22.0   bbad1636b30d   10 months ago   104MB
registry.aliyuncs.com/google_containers/etcd                      3.5.0-0   004811815584   11 months ago   295MB
registry.aliyuncs.com/google_containers/coredns                   v1.8.4    8d147537fb7d   12 months ago   47.6MB
registry.aliyuncs.com/google_containers/pause                     3.5       ed210e3e4a5b   14 months ago   683kB
[ops@k8s-master1 root]$

至此就完成了非root用戶管理docker容器了