zoukankan      html  css  js  c++  java
  • k8s 创建 kubeconfig 用户授权证书文件 用于 kubectl 访问集群

    k8s_secret_kubeconfig

    • TSSC

    2.创建用户授权-kubeconfig

    • 需要使用 openssl 工具手动创建单用户的证书文件
    • 用于命令行管理 k8s 集群

    2.1.创建用户证书文件

    • user: devuser
    # 创建用户授权文件目录
    cd /etc/kubernetes/pki
    mkdir -p users
    cd users/
    
    # 创建 openssl.cnf 配置文件
    vim openssl.cnf
    ------------------------
    [ req ]
    default_bits = 2048
    default_md = sha256
    distinguished_name = req_distinguished_name
     
    [req_distinguished_name]
     
    [ v3_ca ]
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
     
    [ v3_req_server ]
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
     
    [ v3_req_client ]
    basicConstraints = CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    ------------------------
    
    # 使用 openssl 工具创建用户秘钥文件
    openssl genrsa -out devuser.key 2048
    
    # 使用 openssl 工具生成用户证书请求文件
    openssl req -new -key devuser.key -subj "/CN=devuser/O=zuiyoujie" -out devuser.csr
    
    # 使用 openssl 工具生成用户证书
    openssl x509 -req -in devuser.csr -CA ../ca.crt -CAkey ../ca.key -CAcreateserial -extensions v3_req_client -extfile openssl.cnf -out devuser.crt -days 3650
    

    2.2.使用用户证书生成 kubeconfig 配置文件

    # 设置集群参数变量,设置一个集群,需要指定根证书和 server-api 服务地址,指定 kubeconfig 文件
    export KUBE_APISERVER="https://{{K8S_MASTER_IP}}:6443"
    kubectl config set-cluster {{K8S_CLUSTER_NAME}} 
    --certificate-authority=../ca.crt 
    --server=${KUBE_APISERVER} 
    --embed-certs=true 
    --kubeconfig=devuser
    
    # 设置客户端认证参数,设置一个证书用户 devuser,需要指定用户证书和秘钥,指定 kubeconfig 文件
    kubectl config set-credentials devuser 
    --client-certificate=devuser.crt 
    --client-key=devuser.key 
    --embed-certs=true 
    --kubeconfig=devuser
    
    # 设置上下文参数,需要指定用户名,可以指定 NAMESPACE,指定 kubeconfig 文件
    kubectl config set-context {{K8S_CLUSTER_NAME}} 
    --cluster={{K8S_CLUSTER_NAME}} 
    --namespace=test01 
    --user=devuser 
    --kubeconfig=devuser
    
    # 设置上下文配置,指定 kubeconfig 文件
    kubectl config use-context {{K8S_CLUSTER_NAME}} --kubeconfig=devuser
    
    # 执行完毕,会在当前目录生成以 devuser 命令的 kubeconfig 配置文件
    

    2.3.配置 namespace 的访问授权

    • 为单个用户 devuser 创建 namespace 的相关授权,用于查看和切换 namespace
    mkdir -p /opt/k8s/grant
    cd /opt/k8s/grant
    vim k8s_create_kubeconfig_ClusterRoleNamespace.yaml
    -------------------------------
    # 创建用户授权规则:便于普通用户查看或者切换 namespace
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: devuser-ns
      labels:
        rbac.zuiyoujie.com/name: devuser
    rules:
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - get
          - list
    
    # 绑定授权规则到用户 devuser
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: devuser-ns
    subjects:
      - kind: User
        name: devuser
        apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: devuser-ns
      apiGroup: rbac.authorization.k8s.io
    ---------------------------------
    
    # 应用授权配置
    kubectl apply -f k8s_create_kubeconfig_ClusterRoleNamespace.yaml
    

    2.4.配置 k8s 集群的操作权限

    • 为单个用户 devuser 创建 k8s 集群的操作权限
    mkdir -p /opt/k8s/grant
    cd /opt/k8s/grant
    vim k8s_create_kubeconfig_ClusterRoleUser.yaml
    --------------------------------
    # 用户授权规则:用户的可操作权限
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: devuser
      labels:
        rbac.zuiyoujie.com/name: devuser
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
          - pods/attach
          - pods/exec
          - pods/log
          - pods/status
          - configmaps
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - describe
      - apiGroups:
          - extensions
          - apps
        resources:
          - deployments
          - deployments/status
          - replicasets
          - replicasets/status
          - daemonsets
          - daemonsets/status
          - ingresses
          - ingresses/status
        verbs:
          - get
          - list
          - watch
          - describe
      - apiGroups:
          - metrics.k8s.io
        resources:
          - pods
          - nodes
        verbs:
          - get
          - list
          - watch
    
    # 授权用户 devuser 可以访问的 namespace
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      name: devuser
      namespace: test01
      labels:
        rbac.zuiyoujie.com/name: devuser
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: devuser
    subjects:
      - kind: User
        name: devuser
        apiGroup: rbac.authorization.k8s.io
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      name: devuser
      namespace: test02
      labels:
        rbac.zuiyoujie.com/name: devuser
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: devuser
    subjects:
      - kind: User
        name: devuser
        apiGroup: rbac.authorization.k8s.io
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      name: devuser
      namespace: test03
      labels:
        rbac.zuiyoujie.com/name: devuser
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: devuser
    subjects:
      - kind: User
        name: devuser
        apiGroup: rbac.authorization.k8s.io
    ---
    ---------------------------------
    
    # 应用授权配置文件
    kubectl apply -f k8s_create_kubeconfig_ClusterRoleUser.yaml
    

    2.5.检查绑定的授权规则

    [root@zuiyoujie grant]# kubectl describe clusterrole devuser
    Name:                            devuser
    Labels:                          rbac.zuiyoujie.com/name=devuser
    Annotations:                     PolicyRule:
      Resources                      Non-Resource URLs  Resource Names  Verbs
      ---------                      -----------------  --------------  -----
      configmaps                     []                 []              [get list watch create describe]
      pods/attach                    []                 []              [get list watch create describe]
      pods/exec                      []                 []              [get list watch create describe]
      pods/log                       []                 []              [get list watch create describe]
      pods/status                    []                 []              [get list watch create describe]
      pods                           []                 []              [get list watch create describe]
      services                       []                 []              [get list watch create describe]
      daemonsets.apps/status         []                 []              [get list watch describe]
      daemonsets.apps                []                 []              [get list watch describe]
      deployments.apps/status        []                 []              [get list watch describe]
      deployments.apps               []                 []              [get list watch describe]
      ingresses.apps/status          []                 []              [get list watch describe]
      ingresses.apps                 []                 []              [get list watch describe]
      replicasets.apps/status        []                 []              [get list watch describe]
      replicasets.apps               []                 []              [get list watch describe]
      daemonsets.extensions/status   []                 []              [get list watch describe]
      daemonsets.extensions          []                 []              [get list watch describe]
      deployments.extensions/status  []                 []              [get list watch describe]
      deployments.extensions         []                 []              [get list watch describe]
      ingresses.extensions/status    []                 []              [get list watch describe]
      ingresses.extensions           []                 []              [get list watch describe]
      replicasets.extensions/status  []                 []              [get list watch describe]
      replicasets.extensions         []                 []              [get list watch describe]
      nodes.metrics.k8s.io           []                 []              [get list watch]
      pods.metrics.k8s.io            []                 []              [get list watch]
    
    [root@zuiyoujie grant]# kubectl describe clusterrole devuser-ns
    Name:         devuser-ns
    Labels:       rbac.zuiyoujie.com/name=devuser
    Annotations:  PolicyRule:
      Resources   Non-Resource URLs  Resource Names  Verbs
      ---------   -----------------  --------------  -----
      namespaces  []                 []              [get list]
    
    本文版权归作者和博客园共有,如需转载请在文章页面给出原文链接,否则保留追究法律责任的权利。
  • 相关阅读:
    python基础一 day40 守护线程
    python基础一 day40 线程复习
    python基础一 day39 线程探索
    python基础一 day39 复习-回调函数
    python基础一 day38 进程池代码
    python基础一 day38 进程间的数据共享
    python基础一 day38 管道
    python基础一 day18 认识正则表达式及探索
    python小白-day3 函数
    python小白-day3 深浅拷贝
  • 原文地址:https://www.cnblogs.com/tssc/p/14845640.html
Copyright © 2011-2022 走看看