zoukankan      html  css  js  c++  java

  • [k8s]创建Kubernetes的ssl/tls用户

    1.1、生成密钥文件

    root@ubuntu-kubeadm-master:~# cd /etc/kubernetes/pki
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# (umask 077; openssl genrsa -out kube-user1.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
.....+++
e is 65537 (0x010001)

    1.2、创建证书签署请求

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubeusers"

    1.3、基于kubeadm安装kubernetes集群时生成的CA签署证书

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650

    1.4、验证证书信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -in kube-user1.crt -text –noout

    2.1、配置集群信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes 
--embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt 
--server=https://192.168.253.174:6443

    2.2、配置客户端证书和密钥

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-credentials kube-user1 
--embed-certs=true 
--client-certificate=/etc/kubernetes/pki/kube-user1.crt 
--client-key=/etc/kubernetes/pki/kube-user1.key

    2.3、配置上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1

    2.4、指定上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kube-user1@kubernetes

    2.5、测试访问集群资源,不过在启用RBAC的集群上执行命令时,是无法获得集群资源的访问权限

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes

    2.6、可以使用命令切换回管理员

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
NAME                                    READY   STATUS      RESTARTS   AGE
etcd-0                                  1/1     Running     0          45h
etcd-1                                  1/1     Running     0          45h
etcd-2                                  1/1     Running     0          45h

      
  • 相关阅读:
    4KB对齐
    小甲鱼PE详解之区块表(节表)和区块(节)(PE详解04)
    策略设计模式与c语言中的函数指针
    包装类类值传第
    java的 clone方法
    ubuntu中maven建的web项目不能将project facet设置为 dynamic web module 3.0
    maven 笔记
    eclipse中xml文件不能自动提示的解决办法
    oracle merge into 的例子
    oracle 常用sql
  • 原文地址:https://www.cnblogs.com/baylorqu/p/10898891.html
Copyright © 2011-2022 走看看