  • K8S: Creating a User Account (Part 2)

    Creating a regular user with cfssl

    Preparation

    mkdir /root/pki/
    Copy the cluster's ca.pem, ca-key.pem and ca-config.json into this directory:
    cp /opt/kubernetes/ssl/ca-key.pem  /root/pki/
    cp /opt/kubernetes/ssl/ca.pem  /root/pki/
    cp /root/k8s/cert/k8s/ca-config.json /root/pki/
    
    Compared with the openssl method there is one extra file here, ca-config.json: it is the cfssl signing configuration that sets the key usages and expiry of the certificates cfssl issues. Note that ca-key.pem is the cluster CA's private key; anyone who can read it can issue a certificate for any user or group, including system:masters, so keep /root/pki readable by root only.

    Take a look at ca-config.json:

    [root@master k8s]# cat /root/k8s/cert/k8s/ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }
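The "kubernetes" profile above grants both "server auth" and "client auth" with a 10-year expiry, so a user certificate signed with it can also be presented as a TLS server certificate under the cluster CA. The following is an added example, not part of the original post: it writes the same configuration with an extra "client" profile limited to client authentication and a one-year expiry, and checks which profiles allow server use. The profile name "client", the 8760h expiry and the /tmp output path are assumptions.

```shell
# Added example (not from the original post): the page's general-purpose
# "kubernetes" profile kept as-is, plus a "client" profile for user certs.
# Profile name, expiry and output path are assumptions.
write_ca_config() {
  cat > "$1" <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      },
      "client": {
        "usages": ["signing", "key encipherment", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
}

# Print the usages of one profile (relies on the one-line "usages" layout above).
profile_usages() {
  # $1 = config file, $2 = profile name
  sed -n "/\"$2\": {/,/}/p" "$1" | sed -n 's/.*"usages": \[\(.*\)].*/\1/p'
}

# Succeed if certificates signed with this profile may act as a TLS server.
profile_allows_server_auth() {
  profile_usages "$1" "$2" | grep -q '"server auth"'
}

CA_CONFIG="${CA_CONFIG:-/tmp/ca-config.json}"
write_ca_config "$CA_CONFIG"
for p in kubernetes client; do
  if profile_allows_server_auth "$CA_CONFIG" "$p"; then
    echo "$p: usable for servers and clients"
  else
    echo "$p: client auth only"
  fi
done
```

Signing the user certificate with the restricted profile is the same cfssl gencert line as below with `-profile=client` instead of `-profile=kubernetes`; point CA_CONFIG at /root/pki/ca-config.json to replace the copied file.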

    Install cfssl

    Download the binaries:
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    
    
    chmod +x cfssl*    # make the downloaded binaries executable
    
    for x in cfssl*; do mv "$x" "${x%_linux-amd64}"; done
    
    mv cfssl* /usr/bin
    

    1. Generate the regular user's certificate (the API server takes the user name from CN and the group from O)

    cat > devuser-csr.json <<EOF
    {
      "CN": "devuser",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

     

    2. Issue the certificate

    # writes devuser.pem, devuser-key.pem and devuser.csr into the current directory
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
    

    Set the cluster parameters:

    kubectl config set-cluster k8s \
      --server=https://192.168.124.61:6443 \
      --certificate-authority=ca.pem \
      --embed-certs=true \
      --kubeconfig=/root/devuser.conf

    Set the context parameters:

    kubectl config set-context dev@k8s \
      --cluster=k8s \
      --user=devuser \
      --kubeconfig=/root/devuser.conf

      

    Set the client credentials:

    kubectl config set-credentials devuser \
      --client-certificate=devuser.pem \
      --client-key=devuser-key.pem \
      --embed-certs=true \
      --kubeconfig=/root/devuser.conf

    Switch the context (the kubeconfig is the same /root/devuser.conf written above):

    kubectl config use-context dev@k8s --kubeconfig=/root/devuser.conf
    kubectl config view --kubeconfig=/root/devuser.conf
    

    Create the Linux user

    The login name dev is local to this host; the API server identifies the client by the certificate's CN, devuser. The kubeconfig embeds the private key, so it should be readable only by dev.

    useradd dev
    mkdir -p /home/dev/.kube
    cp /root/devuser.conf /home/dev/.kube/config
    chown -R dev:dev /home/dev/
    su - dev
    

      

    Create the Role

    A Role is namespaced; with no metadata.namespace it is created in the current namespace of the kubeconfig that runs kubectl apply (normally default).

    root@k8s-master:~# cat > pods-reader.yaml <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pods-reader
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    EOF
    

    Create the RoleBinding

    The subject must be the user name the API server derives from the certificate, i.e. the CN devuser; a binding to the Linux login dev would grant this client nothing.

    root@k8s-master:~# cat >test-pods-reader.yaml <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: cbmljs-pods-reader
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: pods-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: devuser
    EOF
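Because the RoleBinding subject has to match what the certificate says rather than the local login, it is safer to derive it from the CSR than to type it. The following is an added example, not part of the original post: it reads CN and O from the cfssl CSR JSON used above, renders a RoleBinding for that user, and shows how to confirm the result on the cluster with impersonation. The embedded CSR is a constructed copy of the page's devuser-csr.json; the namespace "default", the /tmp paths, the RUN_KUBECTL_CHECKS switch and the verify_access checks are assumptions.

```shell
# Added example, not part of the original post. The API server takes the
# user name from the client certificate's CN and the group(s) from its O,
# so the RoleBinding subject must be the CN ("devuser"), not the Linux
# login ("dev"). Namespace, paths and verify_access are assumptions.

# Constructed copy of the page's devuser-csr.json, used as sample input.
write_sample_csr() {
  cat > "$1" <<'EOF'
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
}

# Read one string field ("CN" or "O") from a cfssl CSR JSON.
# Assumes one key per line, as cfssl CSR files are normally written.
csr_field() {
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print the identity Kubernetes will see for this certificate: user=<CN> group=<O>.
csr_identity() {
  printf 'user=%s group=%s\n' "$(csr_field "$1" CN)" "$(csr_field "$1" O)"
}

# Render a RoleBinding whose User subject is the CSR's CN.
# O is deliberately not bound as a Group: every certificate issued with
# O=k8s would inherit the Role, which is rarely what is intended.
render_rolebinding() {
  # $1 = csr file, $2 = namespace, $3 = Role name
  user=$(csr_field "$1" CN)
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${user}-${3}
  namespace: ${2}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${3}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

# On a real cluster: confirm the binding before handing out the kubeconfig.
# "--as" impersonates the certificate identity; "no" answers exit non-zero.
verify_access() {
  # $1 = namespace, $2 = user name (the certificate CN)
  kubectl auth can-i list pods -n "$1" --as="$2"          # expected: yes
  kubectl auth can-i delete pods -n "$1" --as="$2"        # expected: no
  kubectl auth can-i list pods -n kube-system --as="$2"   # expected: no (Role is namespaced)
}

CSR="${CSR:-/tmp/devuser-csr.json}"
[ -f "$CSR" ] || write_sample_csr "$CSR"
csr_identity "$CSR"
render_rolebinding "$CSR" default pods-reader > /tmp/devuser-rolebinding.yaml
if [ "${RUN_KUBECTL_CHECKS:-0}" = 1 ]; then
  verify_access default "$(csr_field "$CSR" CN)"
fi
```

Apply pods-reader.yaml and the rendered /tmp/devuser-rolebinding.yaml with kubectl apply -f, then run with RUN_KUBECTL_CHECKS=1 on the master; on the issued file itself, `openssl x509 -in devuser.pem -noout -subject` confirms the subject cfssl actually signed.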
    
    Original article: https://www.cnblogs.com/Tempted/p/13469730.html