Lab environment
Host | Permissions |
---|---|
k8s-master-1 | admin |
k8s-node-1 | none |
Issuing a user certificate
Create a certificate request for kubectl. The certificate must be issued by the CA that the apiserver trusts for client certificates (the one in its --client-ca-file; in this environment that is the same CA that signed the apiserver certificate). A certificate from any other issuer fails validation against that CA and the apiserver rejects it.
- If a client certificate is presented and passes validation, the Common Name (CN) of the subject is used as the username of the request.
- Since Kubernetes 1.4, the client certificate can also carry the user's group memberships in the certificate's organization fields. To put a user in several groups, include several organization fields: openssl req -new -key jbeda.pem -out jbeda-csr.pem -subj "/CN=jbeda/O=app1/O=app2"
Creating the certificate request file
cfssl CSR format reference: https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR
- "CN": Common Name, set to the username user1
- "C": country
- "ST": the state or province
- "L": locality or municipality (such as city or town name)
- "O": organisation; the user is meant to belong to two groups, group1 and group2, so each group gets its own entry in "names" with its own "O" (cfssl emits one O field per entry)
- "OU": organisational unit, such as the department responsible for owning the key; it can also be used for a "Doing Business As" (DBA) name
# Note on "hosts": setting it here has no effect on a client certificate. The entries only become Subject Alternative Names, which the apiserver checks when it verifies server certificates; for a client certificate it reads the identity from CN and O alone, so hosts cannot restrict where the certificate may be used. (JSON does not allow comments, so keep notes like this outside the file.)
[root@k8s-master-1 different]# cat > kubectl-csr.json <<EOF
{
"CN": "user1",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "hunan",
"L": "changsha",
"O": "group1",
"OU": "system"
},
{
"O": "group2"
}
]
}
EOF
Issuing the certificate
-ca: the CA certificate that signed the apiserver certificate
-ca-key: that CA's private key
-config: the CA configuration (signing profiles, usages, expiry)
-profile: which profile from that configuration to sign with (kubernetes here)
# Generate the certificate
cfssl gencert -ca=/root/cluster/pki/kube-apiserver-ca.pem -ca-key=/root/cluster/pki/kube-apiserver-ca-key.pem -config=/root/cluster/pki/ca-config.json -profile=kubernetes kubectl-csr.json | cfssljson -bare kubectl
# Or with openssl. The output names below match what cfssljson -bare produces, so the kubeconfig steps further down apply unchanged.
openssl genrsa -out kubectl-key.pem 2048
openssl req -new -key kubectl-key.pem -out kubectl.csr -subj "/CN=user1/O=group1/O=group2"
openssl x509 -req -CA /root/cluster/pki/kube-apiserver-ca.pem -CAkey /root/cluster/pki/kube-apiserver-ca-key.pem -CAcreateserial -days 730 -in kubectl.csr -out kubectl.pem
# Keep -days short: the apiserver does not consult CRLs or OCSP, so a client certificate cannot be revoked before it expires without rotating the CA.
# List the generated files
[root@k8s-master-1 different]# ls
kubectl.csr kubectl-csr.json kubectl-key.pem kubectl.pem
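The openssl path above, worked end to end as an added example that is not part of the original page. It builds two throwaway CAs in a scratch directory (kube-apiserver-ca standing in for /root/cluster/pki/kube-apiserver-ca.pem, and other-ca as an unrelated issuer; both names are assumptions), issues user1 with two O fields, reads the identity back exactly as the apiserver derives it (CN as the username, every O as a group) and shows that the certificate only validates against the CA that issued it.

```shell
#!/usr/bin/env bash
# Added example (not code from the original page): issue a kubectl client
# certificate with openssl whose subject carries one CN (the username) and
# several O fields (the groups), read the identity back the way the apiserver
# derives it, and show that a cert chains only to the CA that issued it.
# Everything happens in a scratch directory with throwaway CAs; the page's
# /root/cluster/pki paths are not needed.
set -eu

WORK="$(mktemp -d)"

# Minimal openssl config so the script does not depend on the system
# openssl.cnf; -subj overrides the placeholder DN below.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for a client certificate: the apiserver verifies client
# certificates for the clientAuth extended key usage.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# make_ca NAME -> $WORK/NAME.pem and $WORK/NAME-key.pem (self-signed CA)
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client_cert CA USER GROUP... -> $WORK/USER.pem and $WORK/USER-key.pem
# Each GROUP becomes one O= field, which Kubernetes maps to a group membership.
issue_client_cert() {
  ca="$1"; user="$2"; shift 2
  subj="/CN=$user"
  for g in "$@"; do subj="$subj/O=$g"; done
  openssl genrsa -out "$WORK/$user-key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$user-key.pem" \
    -subj "$subj" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/$ca.pem" \
    -CAkey "$WORK/$ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/client.ext" -out "$WORK/$user.pem" 2>/dev/null
}

# Username as the apiserver sees it: the subject Common Name.
cert_user() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | awk -F= '$1 ~ /^[ \t]*CN[ \t]*$/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Groups as the apiserver sees them: every O field, in subject order.
cert_groups() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | awk -F= '$1 ~ /^[ \t]*O[ \t]*$/ { sub(/^[ \t]+/, "", $2); s = s (s == "" ? "" : " ") $2 }
               END { print s }'
}

# cert_chains_to CERT CA -> prints "ok" if CA would accept CERT, else "fail".
cert_chains_to() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Demo: the cluster CA issues user1 in group1 and group2; an unrelated CA
# cannot vouch for that certificate, which is what the apiserver enforces.
make_ca kube-apiserver-ca
make_ca other-ca
issue_client_cert kube-apiserver-ca user1 group1 group2
echo "user:       $(cert_user "$WORK/user1.pem")"                                      # user1
echo "groups:     $(cert_groups "$WORK/user1.pem")"                                    # group1 group2
echo "cluster CA: $(cert_chains_to "$WORK/user1.pem" "$WORK/kube-apiserver-ca.pem")"   # ok
echo "other CA:   $(cert_chains_to "$WORK/user1.pem" "$WORK/other-ca.pem")"            # fail
```

Before shipping a kubeconfig, run cert_user and cert_groups against the real kubectl.pem: if the groups line contains system:masters, the certificate is a cluster administrator regardless of any RoleBinding you create later.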
# Set the cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=/root/cluster/pki/kube-apiserver-ca.pem --embed-certs=true --server=https://192.168.0.10:6443 --kubeconfig=kube.config
# Set the client credentials: this creates a kubeconfig user named "kubectl" that carries the certificate and key
kubectl config set-credentials kubectl --client-certificate=kubectl.pem --client-key=kubectl-key.pem --embed-certs=true --kubeconfig=kube.config
# Set the context. --user refers to the "kubectl" credentials entry above; that name is only a local label in the kubeconfig. The identity the apiserver sees is the certificate's CN (user1) and its O fields (the groups), never the kubeconfig user name.
kubectl config set-context kubernetes --cluster=kubernetes --user=kubectl --kubeconfig=kube.config
# Set the default context
kubectl config use-context kubernetes --kubeconfig=kube.config
# Copy kube.config to k8s-node-1
[root@k8s-master-1 different]# ssh root@k8s-node-1 "mkdir -p /root/.kube/" && scp kube.config root@k8s-node-1:/root/.kube/config
# Run a command on k8s-node-1. Authentication succeeds (the apiserver recognises user1), but no RBAC binding exists yet, so authorization fails
[root@k8s-node-1 .kube]# kubectl get pods -A
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" at the cluster scope
Granting permissions to users and groups
cluster-admin is granted through the system:masters group: the built-in ClusterRoleBinding named cluster-admin binds the cluster-admin ClusterRole to Group system:masters. If a user certificate is created with /CN=XX/O=system:masters, that user is therefore a super administrator from the moment the certificate is issued. This cannot be taken back through RBAC: the built-in binding is reconciled automatically at apiserver start, and the apiserver does not check CRLs, so the certificate stays valid until it expires or the CA is rotated. Keep system:masters certificates to a break-glass minimum and put ordinary users in groups of their own, as below.
Authorizing by user
# Authorize by user name. The cluster-admin ClusterRole is very powerful (it can operate on every resource in the cluster); a custom ClusterRole with only the needed verbs and resources is the better choice in practice
[root@k8s-master-1 different]# kubectl create clusterrolebinding kubectl-test --clusterrole=cluster-admin --user=user1
clusterrolebinding.rbac.authorization.k8s.io/kubectl-test created
# After the binding exists, check whether the command now works
[root@k8s-node-1 .kube]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master-1 Ready master 5d19h v1.20.15
k8s-node-1 Ready node 5d19h v1.20.15
# Remove the binding
[root@k8s-master-1 different]# kubectl delete clusterrolebinding kubectl-test
clusterrolebinding.rbac.authorization.k8s.io "kubectl-test" deleted
Authorizing by group
# Authorize by group: every certificate carrying O=group1 gets the role, not just user1
[root@k8s-master-1 different]# kubectl create clusterrolebinding kubectl-test --clusterrole=cluster-admin --group=group1
clusterrolebinding.rbac.authorization.k8s.io/kubectl-test created
# After the binding exists, check whether the command now works
[root@k8s-node-1 .kube]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master-1 Ready master 5d19h v1.20.15
k8s-node-1 Ready node 5d19h v1.20.15
# Remove the binding
[root@k8s-master-1 different]# kubectl delete clusterrolebinding kubectl-test
clusterrolebinding.rbac.authorization.k8s.io "kubectl-test" deleted
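A least-privilege alternative to the cluster-admin bindings above, added here as an example and not taken from the original page. It uses the identities the page's certificate carries (User user1, Group group1); the ClusterRole name pod-reader, the namespace dev and the binding names are assumptions. The read-only ClusterRole is bound cluster-wide to the group, while write access goes to user1 alone and only inside one namespace by binding the built-in edit ClusterRole with a namespaced RoleBinding.

```yaml
# Added example, not part of the original page. Assumed names: pod-reader,
# group1-pod-reader, user1-edit, namespace dev. user1/group1 come from the
# certificate subject /CN=user1/O=group1/O=group2 issued earlier.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# Cluster-wide read-only access for every certificate that carries O=group1.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: group1-pod-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group1
---
# Write access for user1 only, and only in the dev namespace. A RoleBinding
# that references a ClusterRole grants that role's rules within the binding's
# namespace, so the built-in edit role is reused without making it cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user1-edit
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1
```

Apply it from the master with kubectl apply -f and check the result with impersonation before handing out the kubeconfig: kubectl auth can-i list pods --as=user1 --as-group=group1 should answer yes, kubectl auth can-i delete pods --as=user1 --as-group=group1 should answer no, and kubectl auth can-i delete pods -n dev --as=user1 should answer yes. Because the cluster-wide grant is on the group, a second certificate with O=group1 and a different CN gets read access without any new binding.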