  • [k8s] Creating Kubernetes ssl/tls users

    1.1 Generate the private key file

    root@ubuntu-kubeadm-master:~# cd /etc/kubernetes/pki
    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# (umask 077; openssl genrsa -out kube-user1.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ........+++
    .....+++
    e is 65537 (0x010001)

    1.2 Create the certificate signing request

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubeusers"

    1.3 Sign the certificate with the CA that kubeadm generated when the Kubernetes cluster was installed

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650

    1.4 Verify the certificate contents

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -in kube-user1.crt -text --noout

    2.1 Configure the cluster entry

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes \
    --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt \
    --server=https://192.168.253.174:6443

    2.2 Configure the client certificate and key

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-credentials kube-user1 \
    --embed-certs=true \
    --client-certificate=/etc/kubernetes/pki/kube-user1.crt \
    --client-key=/etc/kubernetes/pki/kube-user1.key

    2.3 Configure the context

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1

    2.4 Select the context

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kube-user1@kubernetes

    2.5 Test access to cluster resources; on a cluster with RBAC enabled, the new user is denied access to cluster resources when running commands

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes

    2.6 Switch back to the administrator with this command

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
    Switched to context "kubernetes-admin@kubernetes".
    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
    NAME                                    READY   STATUS      RESTARTS   AGE
    etcd-0                                  1/1     Running     0          45h
    etcd-1                                  1/1     Running     0          45h
    etcd-2                                  1/1     Running     0          45h
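    The whole procedure above, replayed as one script. This is an added example, not the post's own code: it uses a throwaway CA generated in a temporary directory instead of the kubeadm CA, shows which subject fields the API server turns into the user name and group that RBAC evaluates in step 2.5, and writes the kubeconfig that steps 2.1 to 2.4 produce with --embed-certs. All file paths are constructed.

```sh
# Added example, not the post's own code: replays the post's openssl steps against a
# throwaway CA and writes the kubeconfig steps 2.1-2.4 produce (all paths constructed).
set -eu
# new_test_ca DIR: stand-in for the kubeadm CA pair /etc/kubernetes/pki/ca.crt + ca.key
new_test_ca() {
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  openssl req -x509 -new -key "$1/ca.key" -days 3650 -subj "/CN=kubernetes" -out "$1/ca.crt"
}
# new_k8s_user DIR NAME GROUP DAYS: steps 1.1 to 1.3 (private key, CSR, CA-signed cert)
new_k8s_user() {
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2/O=$3"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/$2.crt" -days "$4" 2>/dev/null
}
# subject_field CERT ATTR: one subject value; the API server takes CN as the user name and
# each O as a group, and RBAC (step 2.5) is evaluated against exactly those strings
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -o "$2=[^,]*" | cut -d= -f2-
}
# verify_k8s_user DIR NAME: step 1.4 made strict, the cert must chain to ca.crt and be valid now
verify_k8s_user() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -checkend 0 >/dev/null
}
# write_kubeconfig DIR NAME SERVER OUT: the file that set-cluster / set-credentials /
# set-context / use-context build with --embed-certs=true; it holds the private key, so 0600
write_kubeconfig() {
  b64() { base64 < "$1" | tr -d '\n'; }
  cat > "$4" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $3
    certificate-authority-data: $(b64 "$1/ca.crt")
users:
- name: $2
  user:
    client-certificate-data: $(b64 "$1/$2.crt")
    client-key-data: $(b64 "$1/$2.key")
contexts:
- name: $2@kubernetes
  context: {cluster: kubernetes, user: $2}
current-context: $2@kubernetes
EOF
  chmod 600 "$4"
}
```

    Run it as `d=$(mktemp -d); new_test_ca "$d"; new_k8s_user "$d" kube-user1 kubeusers 3650; write_kubeconfig "$d" kube-user1 https://192.168.253.174:6443 "$d/kube-user1.kubeconfig"`; the resulting file works with `kubectl --kubeconfig` and, as in step 2.5, lists nothing until a RoleBinding or ClusterRoleBinding names the user kube-user1 or the group kubeusers.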
  • Original address: https://www.cnblogs.com/baylorqu/p/10898891.html