zoukankan      html  css  js  c++  java

  • [k8s]创建Kubernetes的ssl/tls用户

    1.1、生成密钥文件

    root@ubuntu-kubeadm-master:~# cd /etc/kubernetes/pki
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# (umask 077; openssl genrsa -out kube-user1.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
.....+++
e is 65537 (0x010001)

    1.2、创建证书签署请求

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubeusers"

    1.3、基于kubeadm安装kubernetes集群时生成的CA签署证书

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650

    1.4、验证证书信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -in kube-user1.crt -text –noout

    2.1、配置集群信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes 
--embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt 
--server=https://192.168.253.174:6443

    2.2、配置客户端证书和密钥

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-credentials kube-user1 
--embed-certs=true 
--client-certificate=/etc/kubernetes/pki/kube-user1.crt 
--client-key=/etc/kubernetes/pki/kube-user1.key

    2.3、配置上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1

    2.4、指定上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kube-user1@kubernetes

    2.5、测试访问集群资源,不过在启用RBAC的集群上执行命令时,是无法获得集群资源的访问权限

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes

    2.6、可以使用命令切换回管理员

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
NAME                                    READY   STATUS      RESTARTS   AGE
etcd-0                                  1/1     Running     0          45h
etcd-1                                  1/1     Running     0          45h
etcd-2                                  1/1     Running     0          45h

      
  • 相关阅读:
    2017-2018 ACM-ICPC, NEERC, Northern Subregional Contest C
    Codeforces Round #445 div.2 D. Restoration of string 乱搞
    hdu 6228 Tree
    数塔(入门级dp)
    逆序数(归并排序和树状数组)
    poj2104 K-th Number 主席树入门;
    Codeforces Round #466 (Div. 2)F. Machine Learning 离散化+带修改的莫队
    Codeforces Round #470 (rated, Div. 2, based on VK Cup 2018 Round 1)C. Producing Snow+差分标记
    2038: [2009国家集训队]小Z的袜子(hose)+莫队入门
    Codeforces Round #220 (Div. 2)D. Inna and Sequence 树状数组+二分
  • 原文地址:https://www.cnblogs.com/baylorqu/p/10898891.html
Copyright © 2011-2022 走看看