
K8S User Account 创建授权




 

# 本文介绍两种给 Kubernetes 集群添加访问者的方式：一是用集群 CA 自签客户端证书创建 User Account（普通用户），并通过 RBAC 的 Role/RoleBinding 授权；二是创建 Service Account、绑定同一个 Role，并用它的 token 登录 dashboard 验证权限。

# 基于 openssl 生成用户客户端证书

1、生成用户的私钥文件（私钥就是该用户的登录凭据，生成后应 chmod 600 并妥善保管，不要共用或提交到代码库）
[root@master1 chen]# openssl genrsa -out chen.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................+++
.....................................................................+++
e is 65537 (0x10001)

2、基于 key 生成 csr 文件（证书签名请求）。Kubernetes 把证书的 CN 当作用户名，把 O 当作用户组（可以写多个 O）。注意：O 绝不能填 system:masters，该组默认绑定 cluster-admin，会绕过后面所有的 RBAC 限制。
[root@master1 chen]# openssl req -new -key chen.key -out chen.csr -subj "/O=kubernetes/CN=chen"
[root@master1 chen]# ls
chen.csr  chen.key

3、用集群 CA 签发 crt 文件（-days 设置证书有效期）。注意两点：其一，Kubernetes 不检查客户端证书的吊销状态（没有 CRL/OCSP），证书签出后在过期前无法作废，只能靠删除 RoleBinding 收回权限，所以 -days 不宜设得太长；其二，这一步直接读取 /etc/kubernetes/pki/ca.key，必须在控制面节点上以管理员身份执行，如果不想接触 CA 私钥，可改为提交 CertificateSigningRequest 对象并用 kubectl certificate approve 审批签发。
[root@master1 chen]# openssl x509 -req -in chen.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out chen.crt -days 365
Signature ok
subject=/O=kubernetes/CN=chen
Getting CA Private Key

# kubectl config 设置集群信息

[root@master1 chen]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443  --kubeconfig=/root/role/user/chen/config --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "kubernetes" set.

# 设置用户信息（--embed-certs=true 会把客户端证书和私钥以 base64 形式直接写进 kubeconfig，这个文件本身就是凭据，交给用户后应 chmod 600，不要通过聊天工具或代码库传播）

[root@master1 chen]# kubectl config set-credentials chen   --kubeconfig=/root/role/user/chen/config --client-key=chen.key --client-certificate=chen.crt --embed-certs=true
User "chen" set.

# 配置 context（注意创建 context 后 current-context 仍为空，见下面 view 的输出；实际使用时需要执行 kubectl config use-context chen@kubernetes --kubeconfig=... 设为默认，或在命令中显式加 --context=chen@kubernetes）

[root@master1 chen]#  kubectl config set-context chen@kubernetes --cluster=kubernetes --user=chen --kubeconfig=/root/role/user/chen/config
Context "chen@kubernetes" created.

# 查看配置（kubectl config view 会把证书和密钥字段脱敏显示为 DATA+OMITTED / REDACTED；而下面直接 cat 文件会输出原文，其中 client-key-data 就是私钥，注意不要泄露）

[root@master1 chen]# kubectl config view --kubeconfig=./config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: chen
  name: chen@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: chen
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED



[root@master1 chen]# cat config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: chen
  name: chen@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: chen
  user:
    client-certificate-data: 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
    client-key-data: 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

 

# 验证 chen 用户是否可以访问集群：下面返回 Forbidden 而不是 Unauthorized，说明证书认证已经成功（API Server 识别出了 User "chen"），只是这个用户还没有任何 RBAC 授权

[root@master1 chen]# kubectl get pods --kubeconfig=./config
Error from server (Forbidden): pods is forbidden: User "chen" cannot list resource "pods" in API group "" in the namespace "default"

 

# 基于RBAC 访问授权

# 创建对应的 Role 和 RoleBinding（Role 只在其所属 namespace 内生效；需要跨 namespace 或集群级权限时应改用 ClusterRole/ClusterRoleBinding，并按最小权限原则只放行确实需要的资源和动作）

[root@master1 chen]# cat chen_role.yaml 
# Namespaced Role for user "chen": read access to pods plus their logs and exec.
# A Role applies only inside its own namespace ("default" here).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chen_role
  namespace: default
rules:
# "" is the core API group (pods, services, ...).
- apiGroups: [""]
  # NOTE(review): "create" on pods/exec lets the subject run commands inside any
  # pod in this namespace, and "create" on pods lets it start arbitrary
  # workloads here — grant these only if the user really needs them.
  resources: ["pods","pods/log","pods/exec"]
  verbs: ["get","list","watch","create"]



[root@master1 chen]# cat chen_rolebindind.yaml 
# Binds chen_role to the X.509 user "chen" within namespace "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chen_rolebindind
  namespace: default
subjects:
# The name must match the certificate CN exactly ("/CN=chen"); User subjects
# are not namespaced, so no namespace field is set here.
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: chen
roleRef:
  # roleRef is immutable once created; to point at another Role, delete and
  # recreate the binding.
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: chen_role

# 用 kubectl apply -f 应用 Role 和 RoleBinding（这一步需要以有权创建 RBAC 对象的管理员身份执行，而不是用 chen 的 kubeconfig）

[root@master1 chen]# kubectl apply -f chen_role.yaml 
role.rbac.authorization.k8s.io/chen_role created
[root@master1 chen]# kubectl apply -f chen_rolebindind.yaml
rolebinding.rbac.authorization.k8s.io/chen_rolebindind created

#再次查看 chen用户的权限

[root@master1 chen]# kubectl get pods,svc --kubeconfig=./config
NAME                         READY   STATUS    RESTARTS   AGE
mytomcat-5f97c868bd-bghht    1/1     Running   0          2d17h
mytomcat-5f97c868bd-xh5cz    1/1     Running   0          2d
mytomcat2-6746bcc65b-hmxgb   1/1     Running   0          2d2h
Error from server (Forbidden): services is forbidden: User "chen" cannot list resource "services" in API group "" in the namespace "default"

# pods 可以列出而 services 被拒绝：Role 里只授权了 pods 相关资源，没有 services，所以返回 Forbidden。这也说明 RBAC 是默认拒绝、逐条放行的，没写进规则的资源一律不可访问

 

#### 如何让用户 chen 访问 dashboard ####

# 最省事的方法是创建一个 ServiceAccount，绑定同样的权限，用它的 token 登录 dashboard。注意：ServiceAccount 的 secret token 是不会过期的 bearer token，拿到它的人就拥有其全部权限，审计日志里也无法区分具体是谁在用，应当像密码一样保管。示例如下：

[root@master1 chen]# kubectl create sa chen
serviceaccount/chen created

# 修改 Role 和 RoleBinding 文件：名字与前面相同，再次 apply 会直接覆盖之前创建的同名对象

[root@master1 chen]# cat chen_role.yaml 
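# Namespaced Role shared by the X.509 user "chen" and the ServiceAccount "chen".
# Applies only inside namespace "default"; same name as the earlier Role, so
# applying it overwrites that one.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chen_role
  namespace: default
rules:
# Core API group ("").
- apiGroups: [""]
  # NOTE(review): "create" on pods/exec allows running commands inside any pod
  # in this namespace; drop it if the account only needs to read logs/status.
  resources: ["pods","pods/log","pods/exec"]
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create"]
# Deployments live in the "apps" API group (apps/v1), not the core group.
# With apiGroups [""] this rule matched no resource at all and deployments
# would still be Forbidden.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get","list","watch","create"]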



## RoleBinding（在原有 User 主体之外再加上 ServiceAccount 主体）
[root@master1 chen]# cat chen_rolebindind.yaml 
# Binds chen_role to both the X.509 user "chen" and the ServiceAccount "chen".
# Same name as the earlier RoleBinding, so applying it overwrites that one.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chen_rolebindind
  namespace: default
subjects:
# Certificate user; name must match the certificate CN.
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: chen
## add the ServiceAccount subject
# ServiceAccount subjects belong to the core (empty) apiGroup, so none is set.
# No namespace is given; in a RoleBinding the authorizer resolves that to the
# binding's own namespace ("default") — set it explicitly if in doubt.
- kind: ServiceAccount
  name: chen
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: chen_role

# 授权后查看 kubectl 以及dashboard权限

[root@master1 chen]# kubectl apply -f chen_role.yaml 
role.rbac.authorization.k8s.io/chen_role created

[root@master1 chen]# kubectl apply -f chen_rolebindind.yaml 
rolebinding.rbac.authorization.k8s.io/chen_rolebindind created

# 读取 ServiceAccount chen 的 token 用于登录 dashboard 验证。secret 名称 chen-token-xxxxx 的后缀是随机生成的，可用 kubectl get sa chen -o jsonpath='{.secrets[0].name}' 获取；Kubernetes 1.24 起不再为 ServiceAccount 自动创建这类 secret，应改用 kubectl create token chen 签发有时效的 token。下面输出的 token 是长期有效的凭据，一旦泄露（例如贴到文章里）应立即删除对应 secret 使其失效。

[root@master1 chen]# kubectl get secret  chen-token-h2d8l -o jsonpath={.data.token} | base64 -d 
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNoZW4tdG9rZW4taDJkOGwiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2hlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYzBjYjg3LTNkY2QtNDc0OC1hM2VlLTAyM2VlNTU5YTY5NiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNoZW4ifQ.<签名部分已省略：完整 JWT 即为可直接使用的凭据，不应公开>[root@master1 chen]#

 

 

# 也可以用 kubectl config set-credentials <用户名> --token=<token> 把 token 写进 kubeconfig，下载该文件后在 dashboard 选择 kubeconfig 方式登录（原文此处的示例内容缺失）。嵌入了 token 的 kubeconfig 同样是凭据文件，应 chmod 600 并只通过安全渠道分发。

 

 # 验证 kubectl 权限：Role 新增了 services 规则后，kubectl get svc --kubeconfig=./config 应不再返回 Forbidden（原文此处的验证输出缺失）

 

 

 

# 验证完毕，本次配置完成。收回权限时删除 RoleBinding 即可；若要彻底停用 ServiceAccount 的 token，需删除对应的 secret。

 

来源: https://www.cnblogs.com/Chen-PY/p/16481831.html
