zoukankan      html  css  js  c++  java

  • [k8s]创建Kubernetes的ssl/tls用户

    1.1、生成密钥文件

    root@ubuntu-kubeadm-master:~# cd /etc/kubernetes/pki
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# (umask 077; openssl genrsa -out kube-user1.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
.....+++
e is 65537 (0x010001)

    1.2、创建证书签署请求

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubeusers"

    1.3、基于kubeadm安装kubernetes集群时生成的CA签署证书

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650

    1.4、验证证书信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -in kube-user1.crt -text –noout

    2.1、配置集群信息

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes 
--embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt 
--server=https://192.168.253.174:6443

    2.2、配置客户端证书和密钥

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-credentials kube-user1 
--embed-certs=true 
--client-certificate=/etc/kubernetes/pki/kube-user1.crt 
--client-key=/etc/kubernetes/pki/kube-user1.key

    2.3、配置上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1

    2.4、指定上下文

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kube-user1@kubernetes

    2.5、测试访问集群资源,不过在启用RBAC的集群上执行命令时,是无法获得集群资源的访问权限

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes

    2.6、可以使用命令切换回管理员

    root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
NAME                                    READY   STATUS      RESTARTS   AGE
etcd-0                                  1/1     Running     0          45h
etcd-1                                  1/1     Running     0          45h
etcd-2                                  1/1     Running     0          45h

      
  • 相关阅读:
    How to maintain Oracle10g Recyclebin?
    C++函数
    巧算星期几
    如何把resin安装为Windows服务
    c++ try_catch throw
    PNG图片优化技术(一)
    内存回收专题
    [资料] 史上最强的伯克利大学1024线飞龙AI下载地址,有没有人有兴趣来测试一手?
    mmo游戏开发应在profile下运行,才能保证正式运行不卡
    Discuz多人斗地主积分版,消耗论坛积分的斗地主
  • 原文地址:https://www.cnblogs.com/baylorqu/p/10898891.html
Copyright © 2011-2022 走看看