一、认证及sa
1.进入到证书目录
cd /etc/kubernetes/pki   # kubeadm keeps the cluster CA (ca.crt / ca.key) here
2.创建kxq用户的私钥（umask 077 放在子 shell 中执行，使 kxq.key 以 0600 权限创建、仅 root 可读，同时不改变当前 shell 的 umask）
# Private key for user kxq. The umask change is scoped to the subshell, so the
# interactive shell's umask is untouched; 077 makes kxq.key mode 0600.
( umask 077 && openssl genrsa -out kxq.key 2048 )
3.创建kxq用户的证书签名请求（CSR）。-subj 里的 CN 就是 Kubernetes 识别的用户名（这里为 kxq）；如需把用户放进组，可在 subject 中加 /O=组名。证书一旦签发，用户名和组名就固定了
# CSR for user kxq; the subject CN is what Kubernetes uses as the user name.
openssl req -new -subj '/CN=kxq' -key kxq.key -out kxq.csr
4.利用ca.crt,ca.key进行签证（-days 365 即有效期一年。注意 Kubernetes 不检查 CRL，客户端证书一经签发在到期前无法吊销，只能通过删除该用户的 RBAC 绑定或轮换 CA 来收回权限，所以有效期不宜过长。ca.key 是集群根密钥，只应在控制平面节点上使用，不要复制到别处）
[root@master pki]# openssl x509 -req -in kxq.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out kxq.crt -days 365
Signature ok
subject=/CN=kxq
Getting CA Private Key
5.查看证书
[root@master pki]# openssl x509 -in kxq.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b4:37:49:0b:95:9e:00:8f
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Dec 20 10:00:38 2020 GMT
Not After : Dec 20 10:00:38 2021 GMT
Subject: CN=kxq
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:96:97:ca:44:07:cc:6b:82:44:f5:5c:d8:70:
e3:bf:83:4b:8c:eb:91:27:42:f8:a7:b5:95:db:45:
27:6b:b2:16:84:a7:6d:4f:03:6d:2f:a7:7d:05:79:
fd:18:84:2d:e7:93:eb:46:90:0a:74:cc:b0:4d:78:
7b:a2:30:55:94:dd:01:6d:ce:04:79:a0:4f:c1:15:
77:b4:dd:dd:19:4d:7c:e3:0e:bb:4d:36:69:f9:40:
14:2e:24:03:4c:85:d5:65:ad:04:4a:c4:38:45:46:
40:bd:45:17:90:39:f3:49:fe:f0:1e:73:35:e7:74:
b5:94:de:3c:27:50:97:94:25:f9:b4:87:c1:46:8f:
c4:24:f5:24:6e:28:88:be:28:81:2a:f9:bc:14:a3:
5a:a5:74:bb:63:77:4d:22:af:2c:b1:3a:7f:24:12:
70:26:34:57:40:a0:18:27:10:6c:73:27:a4:30:08:
8f:d9:e9:35:6f:da:70:a3:62:c8:9a:9f:56:8a:ca:
cb:4f:82:74:73:d3:ae:55:83:b2:3e:e2:99:67:8c:
b0:2a:ad:97:a0:46:a5:d7:d6:de:36:9b:7c:75:2d:
15:f0:8e:bd:0b:d9:4c:cb:fd:d4:f4:ab:cc:cb:33:
05:10:12:eb:e9:16:40:16:34:7d:f7:9c:7c:31:e9:
ec:7d
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
52:76:fe:7f:69:53:af:bb:aa:d0:f5:18:d6:3f:f5:83:d1:30:
56:04:8c:9c:45:6d:45:3c:33:90:44:be:a4:18:11:3a:0f:a5:
63:fc:bc:20:ea:c6:51:b4:11:04:7d:ee:28:bc:30:80:11:31:
21:22:a4:43:6e:e0:eb:b4:97:d6:1e:5b:d2:2f:34:99:68:e3:
5d:21:36:eb:c7:fc:50:b4:69:95:9a:19:93:c8:4a:e4:d7:7b:
76:a9:1d:e1:44:ce:49:94:a2:0e:d2:e6:cd:79:50:23:f3:e2:
35:8a:50:71:46:2a:9c:ed:5f:40:36:98:18:ed:fb:01:f5:a5:
a5:e0:bf:a0:90:fc:c9:ad:85:69:06:16:8f:40:a7:3e:02:ef:
7b:09:20:39:32:4a:79:00:f2:9e:34:cb:16:24:b3:94:db:13:
23:23:ca:e6:ac:94:90:b7:b2:57:ca:ed:09:a7:a0:00:d7:d1:
65:e8:1a:eb:de:04:ad:f1:b2:7b:4b:ab:01:44:4e:c9:86:5e:
4c:c2:b0:8d:67:c2:82:7b:b9:74:4e:f3:26:ec:5a:22:5d:60:
a6:2a:b5:e1:92:27:3c:15:e4:06:38:b7:ed:19:d9:8c:d1:06:
54:32:b8:e6:d1:aa:d2:69:37:29:85:a6:ed:07:93:a2:ae:21:
04:ae:97:47
6.把 kxq 的证书和私钥作为用户凭据写入 kubeconfig（--embed-certs=true 会把证书和私钥以 base64 内嵌进 kubeconfig，默认是 ~/.kube/config；该文件从此包含私钥，权限应保持 0600，不要随意分发）
[root@master pki]# kubectl config set-credentials kxq --client-certificate=kxq.crt --client-key=kxq.key --embed-certs=true
User "kxq" set.
7.查看：kubectl config view（证书和私钥等敏感字段默认会被省略显示，加 --raw 才会完整输出；完整输出包含私钥，不要贴到公开场合）
8.设置上下文
[root@master pki]# kubectl config set-context kxq@kubernetes --cluster=kubernetes --user=kxq
Context "kxq@kubernetes" created.
9.设置当前上下文（切换之后 root 在这台机器上的 kubectl 默认都以 kxq 身份执行；测试完记得切回管理员上下文，kubeadm 默认名为 kubernetes-admin@kubernetes）
[root@master pki]# kubectl config use-context kxq@kubernetes
Switched to context "kxq@kubernetes".
此时执行 kubectl get pods 预期会返回 Forbidden：证书由集群 CA 签发，认证应能通过，apiserver 已能识别出用户 kxq，但 kxq 还没有任何 RBAC 授权，所以访问不了任何资源，这正是下面第二部分要解决的。
（第 8 步上下文里的 --cluster=kubernetes 引用的是 master 上现有 kubeconfig 中已有的集群条目；如果是在一台全新的机器上配置 kubeconfig，需要先用 kubectl config set-cluster 设置集群，可用 kubectl config set-cluster --help 查看用法，见下面第 10 步）
10.设置集群（示例写到单独的 /tmp/test.conf。--certificate-authority 配合 --embed-certs 会把 CA 内嵌进 kubeconfig，用于校验 apiserver 的服务端证书，不要用 insecure-skip-tls-verify 代替。注意这里的集群名是 mycluster，第 8 步上下文引用的是 kubernetes，两者并不关联；若要让 kxq 的上下文使用这里的集群，需要 --cluster=mycluster 并写在同一个 kubeconfig 里）
[root@master pki]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://192.168.10.180:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "mycluster" set.
[root@master pki]# cat /tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://192.168.10.180:6443
name: mycluster
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
也可以查看我的另一篇文章:k8s-Authorization鉴权
二、RBAC授权（下面创建 Role/RoleBinding 等对象需要管理员权限，请先切回管理员上下文，例如 kubectl config use-context kubernetes-admin@kubernetes；以 kxq 身份执行这些创建操作会被 Forbidden）
我测试的是基于user用户的,更多可以访问官网:https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
1.查看创建的方法:
kubectl create role -h   # -h is the short form of --help
2.创建简单的role（--dry-run=client -o yaml 只输出清单而不真正创建；去掉 --dry-run，或把输出保存成文件后 kubectl apply -f，才会创建。Role 是命名空间级的对象，未指定 -n 时创建在当前上下文的命名空间）
[root@master helm]# kubectl create role pods-reader --verb=get,list --resource=pods --dry-run=client -o yaml
# Namespaced Role: read-only (get/list) access to pods.
# Generated by the --dry-run=client -o yaml command above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null   # dry-run artifact; harmless, may be dropped
  name: pods-reader
rules:
  # "" is the core API group, which is where pods live.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
3.rolebinding
[root@master rbac]# cat read-pods-rolebinding.yaml
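# Binds the pods-reader Role to user kxq in a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kxq-read-pods
  # No namespace is set, so the binding lands in the current context's
  # namespace; a RoleBinding only grants access inside that namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    # Must match the client certificate's CN (CN=kxq). The original listing
    # bound "testuser" instead, which would leave kxq with no access at all.
    name: kxq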
4.clusterrole
[root@master rbac]# cat cluster-role-reader.yaml
# Cluster-scoped role: read-only (get/list/watch) access to pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null   # dry-run artifact; harmless, may be dropped
  name: cluster-reader
rules:
  - apiGroups: [""]          # core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
5.clusterrolebinding
[root@master rbac]# cat clusterrolebinding.yaml
# Grants user kxq the cluster-reader ClusterRole across every namespace.
# NOTE(review): pod specs can carry sensitive data (e.g. plaintext env values),
# so cluster-wide pod read is not a trivial grant; prefer a per-namespace
# RoleBinding when that is sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null   # dry-run artifact; harmless, may be dropped
  name: kxq-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kxq   # must match the client certificate's CN