-
k8s 创建UserAccount
参考:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
1·创建个人证书
- # 生成user私钥
- openssl genrsa -out zhanglei.key 2048
- # 创建证书签署请求
- openssl req -new -key zhanglei.key -out zhanglei.csr -subj "/O=org/CN=neozhao"
- # 使用集群证书签署个人证书
- openssl x509 -req -in neozhao.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out zhanglei.crt -days 365
2·生成配置文件
- # 设置集群参数
- kubectl config set-cluster kubernetes \
- --certificate-authority=/etc/kubernetes/pki/ca.crt \
- --embed-certs=true \
- --server=https://192.168.110.6:6443 \
- --kubeconfig=./config
- # 设置客户端认证参数
- kubectl config set-credentials zhanglei \
- --client-certificate=zhanglei.crt \
- --client-key=zhanglei.key \
- --embed-certs=true \
- --kubeconfig=./config
- # 设置上下文参数
- kubectl config set-context zhanglei-config \
- --cluster=kubernetes \
- --user=zhanglei \
- --kubeconfig=./config
- # 设置默认上下文
- kubectl config use-context zhanglei-config \
- --kubeconfig=./config
3.设置权限
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- namespace: loggie
- name: loggie-user-role
- rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- - pods/log
- - patch
- - update
- verbs:
- - get
- - watch
- - list
- - apiGroups:
- - ""
- resources:
- - pods
- - serviceaccounts
- - namespaces
- verbs:
- - get
- - watch
- - list
- - create
- - patch
- - update
- - delete
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - create
- - patch
- - update
- - get
- - list
- - watch
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - serviceaccounts
- verbs:
- - create
- - patch
- - update
- - get
- - list
- - watch
- - delete
- - apiGroups:
- - ""
- resources:
- - events
- - configmaps
- - services
- verbs:
- - get
- - watch
- - list
- - update
- - create
- - patch
- - apiGroups:
- - extensions
- - apps
- resources:
- - deployments
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apps
- resources:
- - daemonsets
- verbs:
- - get
- - list
- - watch
- - update
- - create
- - patch
- - delete
- - apiGroups:
- - loggie.io
- resources:
- - logconfigs
- - logconfigs/status
- - clusterlogconfigs
- - clusterlogconfigs/status
- - sinks
- - interceptors
- verbs:
- - get
- - list
- - watch
- - update
- - patch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - get
- - list
- - update
4.绑定权限
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: loggie-user-role-bind
- namespace: loggie
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: loggie-user-role
- subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: User
- name: loggie
5.非master节点创建用户
创建private key
- openssl genrsa -out john.key 2048
- openssl req -new -key john.key -out john.csr -subj "/CN=john"
- openssl req -in john.csr -text
任意用户创建CSR(CertificateSigningRequest)
- cat <<EOF | kubectl apply -f -
- apiVersion: certificates.k8s.io/v1
- kind: CertificateSigningRequest
- metadata:
- name: john
- spec:
- request: $(cat john.csr | base64 | tr -d '\n')
- signerName: kubernetes.io/kube-apiserver-client
- usages:
- - client auth
- EOF
- kubectl get csr john
k8s管理员批准CSR,并导出证书
- kubectl certificate approve john
- kubectl get csr john -o jsonpath='{.status.certificate}'| base64 -d > john.crt
-
相关阅读:
springboot基础(28):jdbcTemplate
二叉树刷题
实验:vlan的基本配置
Stable Diffusion 关键词tag语法教程
Jmeter 命令式执行脚本,使用windows bat 命令进行全自动静默获取token
redis系列之——高可用(主从、哨兵)
Altair:Python数据可视化库的魅力之旅
完整数字华容道02:软件结构设计
Java SE String类(一):常用方法(上)
Python logging模块:别再用print来打印啦~
- 原文地址:https://blog.csdn.net/qq_32783703/article/details/126728612
