  • K8S: Creating a User Account (Part 2)

    Creating an ordinary (non-admin) user with the cfssl method

    Preparation

    mkdir /root/pki/
    Copy the cluster's ca.pem, ca-key.pem and ca-config.json into this directory:
    cp /opt/kubernetes/ssl/ca-key.pem  /root/pki/
    cp /opt/kubernetes/ssl/ca.pem  /root/pki/
    cp /root/k8s/cert/k8s/ca-config.json /root/pki/

    Compared with the openssl method, there is one extra file here: ca-config.json.


    Inspect ca-config.json

    [root@master k8s]# cat /root/k8s/cert/k8s/ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }

    Install cfssl

    Download the binaries:
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

    # make them executable (the original typed "chmod -x", which removes the execute bit)
    chmod +x cfssl*

    # strip the _linux-amd64 suffix from each file name
    for x in cfssl*; do mv "$x" "${x%_linux-amd64}"; done

    mv cfssl* /usr/bin
    

    1. Generate the ordinary user's certificate request

    cat > devuser-csr.json <<EOF
    {
      "CN": "devuser",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

     

    2. Sign the request with the cluster CA

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
    

    Set the cluster parameters:

    kubectl config set-cluster k8s \
      --server=https://192.168.124.61:6443 \
      --certificate-authority=ca.pem \
      --embed-certs=true \
      --kubeconfig=/root/devuser.conf

    Set the context parameters:

    kubectl config set-context dev@k8s \
      --cluster=k8s \
      --user=devuser \
      --kubeconfig=/root/devuser.conf

      

    Set the client (user credential) parameters:

    kubectl config set-credentials devuser \
      --client-certificate=devuser.pem \
      --client-key=devuser-key.pem \
      --embed-certs=true \
      --kubeconfig=/root/devuser.conf

    Switch the context

    # the kubeconfig written above is /root/devuser.conf (the original typed /root/dev.conf here)
    kubectl config use-context dev@k8s --kubeconfig=/root/devuser.conf
    kubectl config view --kubeconfig=/root/devuser.conf
    

    Create the system user

    useradd dev
    mkdir -p /home/dev/.kube
    cp /root/devuser.conf /home/dev/.kube/config   # the kubeconfig built above
    chown -R dev:dev /home/dev/
    su - dev
    

      

    Create the Role

    root@k8s-master:~# cat > pods-reader.yaml <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pods-reader
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    EOF
    

    Create the RoleBinding

    root@k8s-master:~# cat >test-pods-reader.yaml <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: cbmljs-pods-reader
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: pods-reader
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: devuser   # the API server identifies the user by the certificate CN ("devuser"), not by the Linux account "dev"
    EOF
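As an added example (not part of the original post), the Python below works out the identity a cfssl CSR like the one in step 1 will carry once the cluster CA signs it, and builds a RoleBinding for exactly that identity: the API server takes the username from the certificate CN and the groups from O, so a subject naming anything else (the Linux account, say) never matches, and an O of `system:masters` would make the narrow Role irrelevant. The CSR string is constructed inline from the post's devuser-csr.json; the function names are mine.

```python
import json

# Constructed sample input: the CSR spec from this post as a string.
DEVUSER_CSR_JSON = """{
  "CN": "devuser",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}"""

# Groups the API server reserves; a cert whose O lands here (system:masters
# is cluster-admin) bypasses whatever narrow Role you bind later.
RESERVED_GROUP_PREFIX = "system:"


def identity_from_csr(csr_json):
    """Return (username, groups) as kube-apiserver derives them from the cert:
    CN becomes the username, every O in the subject becomes a group."""
    csr = json.loads(csr_json)
    groups = sorted({n["O"] for n in csr.get("names", []) if n.get("O")})
    return csr["CN"], groups


def reserved_groups(csr_json):
    """Groups in the CSR that collide with the Kubernetes reserved prefix."""
    return [g for g in identity_from_csr(csr_json)[1]
            if g.startswith(RESERVED_GROUP_PREFIX)]


def unmatched_subjects(csr_json, subjects):
    """RoleBinding subjects this certificate can never satisfy."""
    username, groups = identity_from_csr(csr_json)
    return [s for s in subjects
            if (s["kind"] == "User" and s["name"] != username)
            or (s["kind"] == "Group" and s["name"] not in groups)]


def rolebinding_for_csr(csr_json, namespace, role_name, binding_name):
    """Build a RoleBinding whose only subject is exactly the cert's CN."""
    username, _ = identity_from_csr(csr_json)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": binding_name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "Role", "name": role_name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "User", "name": username}],
    }
```

`json.dumps` the returned dict and feed it to `kubectl apply -f -`; kubectl accepts JSON manifests, so no YAML library is needed.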
  • Original post: https://www.cnblogs.com/Tempted/p/13469730.html