Is there a way to prevent kubectl from de-registering the Kubernetes nodes?

I tested some commands and I ran

$ kubectl delete nodes --all

and it deleted (unregistered) all nodes, including the masters. Now I can't connect to the cluster (well, obviously, as the master is deleted).

Is there a way to prevent this, in case someone can do it accidentally?

Additional info: I use KOps for deployment.

PS: It does not delete the EC2 instances, and the nodes re-register when I do an EC2 instance reboot on all instances.

+4
2 answers

By default you are using something like a superuser, which can do whatever it wants with the cluster.

The way to restrict this is RBAC. It takes some setup, but it is worth it.

The steps are:

  • Enable RBAC in Kops: pass --authorization RBAC when creating the cluster, or edit the cluster spec and set "rbac" instead of "alwaysAllow":

    authorization:
      rbac: {}

  • Following the Bitnami guide, create a namespace that the new user will be confined to, say office. First:

    kubectl create namespace office

  • Create a private key and a certificate signing request for the user:

    openssl genrsa -out employee.key 2048
    openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=bitnami"

  • Sign the CSR with the cluster CA (for kops the PKI lives in the S3 state store), then:

    openssl x509 -req -in employee.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out employee.crt -days 500

  • Add the credentials to kubectl:

    kubectl config set-credentials employee --client-certificate=/home/employee/.certs/employee.crt --client-key=/home/employee/.certs/employee.key

  • Create a context that uses them:

    kubectl config set-context employee-context --cluster=YOUR_CLUSTER_NAME --namespace=office --user=employee

  • Create a Role. This role only lets the user work with deployments, replicasets and pods inside the office namespace. Save it as role-deployment-manager.yaml:

    kind: Role
    # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      namespace: office
      name: deployment-manager
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["deployments", "replicasets", "pods"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

  • Create the RoleBinding in rolebinding-deployment-manager.yaml, binding the user to that role:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: deployment-manager-binding
      namespace: office
    subjects:
    - kind: User
      name: employee
      # in v1 the RBAC API group must be spelled out, "" is rejected
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: deployment-manager
      apiGroup: rbac.authorization.k8s.io

  • Apply both:

    kubectl create -f role-deployment-manager.yaml
    kubectl create -f rolebinding-deployment-manager.yaml

Now the employee user can only manage things inside the office namespace; it has no permission on nodes.

+2

Not that I know of. But to understand how the apiserver relates to a node:

The apiserver does not run as a node. It runs on the master alongside the other control-plane components (etcd, apiserver and so on), and the master does not have to be registered as a node at all (on GKE, for example, you see 0 masters in the node list, yet the apiserver is there).

A node object exists because the kubelet on that machine registers itself with the apiserver; the kubelet also runs the static pods from --pod-manifest-path on that node regardless. Deleting the node object does not stop the kubelet: it registers with the apiserver again, and the node shows up in the apiserver again.

In other words, deleting nodes only removes the node objects that the apiserver keeps in etcd; it does not touch the machines or the kubelets, which is why they come back.

+1

Source: https://habr.com/ru/post/1694966/

