K8s新建用户制作证书绑定角色
role roulebind clustrrole clustrrloebinding
Kubeadm 创建的k8s集群默认证书有限期为三年,三年后会过期
Kubernetes创建一个集群用户连接API-Server 使用命令模式
#可以用现有用户kubernetes-admin@kubernetes的CA证书 【ca.crt ca.key】 去签署一个新创建的用户,进行绑定 文件默认路径/etc/Kubernetes/pki/
-
创建私钥
cd /etc/Kubernetes/pki/
openssl genrsa -out sunwenbo.key 2048 -
生成证书签署请求
openssl req -new -key sunwenbo.key -out sunwenbo.csr -subj "/CN=sunwenbo" -
用CA证书签证
openssl x509 -req -in sunwenbo.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out sunwenbo.crt -days 365 -
查看签署后的证书内容
openssl x509 -in sunwenbo.crt -text -noout - 创建一个新的集群用户,使用自签证书和私钥 –embed-certs=true 将证书和私钥隐藏
kubectl config set-credentials sunwenbo --client-certificate=./sunwenbo.crt --client-key=./sunwenbo.key --embed-certs=true
kubectl config view #查看会多出一个users
-
设置上下文,让新建sunwenbo的用户也可以去访问kubernetes集群
kubectl config set-context sunwenbo@kubernetes --cluster=Kubernetes --user=sunwenbo
kubectl config view #查看会多出一个context - 切换账号
kubectl config use-context sunwenbo@kubernetes
kubectl get pods
#此时会提示 No resources found Error from server (forbiddent): pods is forbiddent: User “sunwenbo”cannot list pods in the namespace “default”
#原因是我们只是有了一个可登录的用户,但是这个用户并没有任何权限。
1#创建一个自定义的集群
kubectl config set-cluster mycluster --kubeconfig=/tmp/mycluster.conf --server="192.168.10.231:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
#查看自定义集群的信息
kubectl config view --kubeconfig=/tmp/mycluster.conf
创建role角色和绑定
- 创建一个role
kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml >role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
createionTimestamp: null
name: pods-reader
rules:
- apiGroup:
- ""
resources:
- pods
verbs:
- get
- list
- watch
kubectl apply -f role.yaml
kubectl get role
kubectl describe role pods-reader
- 创建一个rolebinding,将角色绑定到一个用户
kubectl create rolebinding sunwenbo-read-pods --role=pods-reader --user=sunwenbo --dry-run -o yaml >rolebanging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: sunwenbo-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kubectl apply -f rolebanging.yaml
kubectl describe rolebinding sunwenbo-read-pods #查看详细内容
- 切换用户验证
kubectl config use-context sunwenbo@kubernetes
kubect get pod #只能查看default 名称空间下的资源,如果是其他名称空间,创建role时指定namespace 即可
创建clusterrole可以访问所有名称空间
- 创建clusterrole
kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > cluster.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-reader
rules:
- apiGroup:
- ""
resources:
- pods
verbs:
- get
- list
- watch
kubectl apply -f cluster.yaml
kubectl get clusterrole | grep cluster-reader
kubectl describe clusterrole cluster-reader
- 绑定role
#如果这个用户已经绑定了其他role需要将rolebanding删掉,删除立即生效
kubectl delete rolebinding sunwenbo-read-pods
kubectl create clusterrolebinging admin-read-pods --clusterrole=cluster-reder --user=sunwenbo --dry-run -o yaml > clusterrolebinging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-read-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cluster-reder
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: sunwenbo
- 切换用户验证
kubectl config use-context sunwenbo@kubernetes
kubect get pod #可以查看所有名称空间下的资源,但是只有get,list,watch权限
#rolebinding绑定clusterbinding,clusterbinding会自动降级,跟随rolebinding定义的权限规则
#给用户绑定系统默认role,可以指定拥有某个名称空间的权限
kubectl create rolebinging default-ns-admin --clusterrole=admin –user=sunwenbo –dry -run -o yaml > default-user-banding.yaml