Change into the certificate directory:

```
# cd /etc/kubernetes/pki
```

Create the key:

```
# openssl genrsa -out user1.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
........+++
e is 65537 (0x10001)
```

Create the CSR:

```
# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
```

Check the result:

```
# ll
total 72
-rw-r--r-- 1 root root 1310 Jun 12 14:52 apiserver.crt
-rw-r--r-- 1 root root 1155 Jun 12 14:52 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jun 12 14:52 apiserver.key
-rw-r--r-- 1 root root 1164 Jun 12 14:52 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Jun 12 14:52 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Jun 12 14:52 ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 ca.key
-rw-r--r-- 1 root root 17 Oct 10 18:07 ca.srl
drwxr-xr-x 2 root root 4096 Jun 12 14:52 etcd
-rw-r--r-- 1 root root 1115 Jun 12 14:52 front-proxy-ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jun 12 14:52 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 front-proxy-client.key
-rw------- 1 root root 1679 Jun 12 14:52 sa.key
-rw------- 1 root root 451 Jun 12 14:52 sa.pub
-rw-r--r-- 1 root root 883 Oct 10 18:27 user1.csr
-rw-r--r-- 1 root root 1679 Oct 10 18:26 user1.key
```

Restrict the key's permissions:

```
# chmod 600 user1.key
```
Sign it with the cluster CA:

```
# openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 1095
Signature ok
subject=/CN=user1
Getting CA Private Key
```
Inspect the signed certificate:

```
# openssl x509 -in user1.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fc:aa:fd:55:13:43:c3:62
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Oct 10 10:30:34 2023 GMT
            Not After : Oct  9 10:30:34 2026 GMT
        Subject: CN=user1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:c0:f2:4c:35:42:32:97:12:0f:c1:c2:0f:16:
                    ........(omitted for brevity)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         8d:92:df:d1:53:cf:0c:e6:97:10:cc:53:37:16:01:0c:69:c3:
         ......(omitted for brevity)
```
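The API server will trust this certificate only if it chains to the cluster CA, and it will use the CN as the user name, so it is worth checking both before the credential is handed to anyone. The script below is an added example, not part of the original post; it assumes a directory holding ca.crt plus the user's .crt and .key as created above, and also confirms that the key matches the certificate and is owner-readable only.

```shell
#!/bin/sh
# Added example (not from the original post): post-signing checks for a
# kubectl client certificate. Assumes ca.crt, <user>.crt and <user>.key
# exist as produced by the openssl steps above.
set -e

# Returns 0 only if the cert chains to the CA, its CN equals the expected
# user name, the private key matches the cert, and the key is mode 600.
verify_client_cert() {
  ca="$1"; crt="$2"; key="$3"; expected_cn="$4"

  # 1. Chain: was this certificate really issued by the cluster CA?
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
    echo "chain check failed: $crt is not signed by $ca" >&2; return 1; }

  # 2. Subject: the CN is what the API server treats as the user name.
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] || {
    echo "subject check failed: CN is '$cn', expected '$expected_cn'" >&2
    return 1; }

  # 3. Pairing: the public key in the cert must match the private key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || {
    echo "key check failed: $key does not match $crt" >&2; return 1; }

  # 4. Permissions: the private key must not be group/world readable.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "600" ] || {
    echo "permission check failed: $key is mode $mode, want 600" >&2
    return 1; }
  return 0
}
```

Run it as `verify_client_cert ca.crt user1.crt user1.key user1` from /etc/kubernetes/pki; a non-zero exit with the printed reason means the certificate should not be distributed.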
Add the user and a context for it to the kubeconfig:

```
# kubectl config set-credentials user1 --client-certificate=./user1.crt --client-key=./user1.key --embed-certs=true
User "user1" set.
# kubectl config set-context user1@kubernetes --cluster=kubernetes --user=user1
Context "user1@kubernetes" created.
```
View the cluster configuration:

```
# kubectl config view
```

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://master01:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: user1
  name: user1@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
- name: user1
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
```
user1 now exists and can log in:

```
# kubectl config use-context user1@kubernetes
Switched to context "user1@kubernetes".
```
But at this point the user has no permissions at all, so RBAC needs to be configured:

```
# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"
```

```
# kubectl config delete-context user1@kubernetes
deleted context user1@kubernetes from /root/.kube/config

# kubectl config unset users.user1
Property "users.user1" unset.
```
```
# cat user1_pod_get.yaml
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-log-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"] # allow "user1" to get and list Pods and their logs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-log-reader-binding
  namespace: default
subjects:
- kind: User
  name: user1 # "user1" here is the user name you created earlier
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```
Using user1 again, Pods and their logs can now be viewed:

```
# kubectl get pod -n default

# kubectl logs -f pod/free-study-questionnaire-5c7f8c878d-859wl
```
By default you have to switch contexts, but developers and other people who are handed this access should not need to switch, so kubectl must be configured for them.

First, install the kubectl command.

Once it is installed, there are several ways to configure it:

1. Copy `$HOME/.kube/config` from the server where the user was originally created with kubectl to `$HOME/.kube/config` on the server with the new kubectl, then delete the admin entry and any other users that are not needed.

2. Write it by hand. Copy ca.crt, user1.crt and user1.key to the new kubectl server and write the following file:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ca.crt
    server: https://master01:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: user1
  name: user1@kubernetes
current-context: user1@kubernetes
kind: Config
preferences: {}
users:
- name: user1
  user:
    client-certificate: user1.crt
    client-key: user1.key
```

If the file is named `config`, kubectl can be used directly. If it is given another name, such as `user1.yaml`, the file must be specified on the command line:

```
kubectl --kubeconfig=$HOME/.kube/user1.yaml get pods
```

You can of course keep several such YAML files in any directory and use them to work with several environments.
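A third option that avoids both copying the admin kubeconfig and shipping three PEM files next to it is to render a single-file kubeconfig with the CA and client credentials embedded, which is what `--embed-certs=true` did earlier. The script below is an added example, not part of the original post; it assumes the server URL, user name and the three file paths are passed as arguments and writes the result owner-readable only, since the file carries the private key.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-contained
# kubeconfig for one user with certificate data embedded as base64.
set -e

# Base64 without line wrapping (works with both GNU and BSD base64).
b64() { base64 < "$1" | tr -d '\n'; }

# Print a kubeconfig holding exactly one cluster, one user and one context.
render_kubeconfig() {
  server="$1"; user="$2"; ca="$3"; crt="$4"; key="$5"
  cat <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- name: kubernetes
  cluster:
    server: ${server}
    certificate-authority-data: $(b64 "$ca")
contexts:
- name: ${user}@kubernetes
  context:
    cluster: kubernetes
    user: ${user}
current-context: ${user}@kubernetes
users:
- name: ${user}
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
EOF
}

# Write the file with mode 600: it embeds the user's private key.
# Usage: write_kubeconfig OUTFILE SERVER USER CA.crt USER.crt USER.key
write_kubeconfig() {
  out="$1"; shift
  ( umask 077; render_kubeconfig "$@" > "$out" )
}
```

Example call: `write_kubeconfig ~/.kube/user1.yaml https://master01:6443 user1 ca.crt user1.crt user1.key`, after which the file can be used with `--kubeconfig` exactly as shown above.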