"OpenShift 4.x HOL Tutorial Collection"
Note: this article has been verified on OpenShift 4.7.
OpenShift authentication methods
A client can present authentication information to OpenShift in three ways:
- Username and password
- Token
- CA-signed client certificate
This article describes how to configure a CA-signed client certificate for a client and add it to a kubeconfig so that login is automatic.
Configure a CA-signed client certificate for the client
- First log in to OpenShift as a user with the cluster-admin role.
- Set the variables. (The tilde is written as $HOME because "~" is not expanded inside double quotes.)
$ AUTH_NAME="auth2kube"
$ KUBECONFIG_FILE="$HOME/mykubeconfig"
- Create a certificate signing request (csr file) and the matching private key for "myuser". The O= field of the subject becomes the user's Kubernetes group.
$ openssl req -new -newkey rsa:4096 -nodes -keyout $AUTH_NAME.key -out $AUTH_NAME.csr -subj "/CN=myuser/O=system:masters"
Generating a RSA private key
.....................++++
..++++
writing new private key to 'auth2kube.key'
-----
- Create the corresponding Kubernetes object for the certificate signing request (CSR). (Use ">" rather than ">>" so that re-running the step overwrites the file instead of appending a second document.)
$ cat << EOF > $AUTH_NAME-csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: $AUTH_NAME-access
spec:
groups:
- system:authenticated
request: $(cat $AUTH_NAME.csr | base64 | tr -d '\n')
usages:
- client auth
EOF
$ oc create -f auth2kube-csr.yaml
W0610 07:38:10.053898 536 warnings.go:70] certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/auth2kube-access created
- View the CSR and approve it.
$ oc get csr auth2kube-access
NAME AGE SIGNERNAME REQUESTOR CONDITION
auth2kube-access 16s kubernetes.io/legacy-unknown admin Pending
$ oc adm certificate approve auth2kube-access
certificatesigningrequest.certificates.k8s.io/auth2kube-access approved
- Extract the client certificate (crt file) from the approved CSR.
$ oc get csr $AUTH_NAME-access -o jsonpath='{.status.certificate}' | base64 -d > $AUTH_NAME-access.crt
- Create a new kubeconfig from the client certificate and private key.
$ oc config set-credentials myuser --client-certificate=$AUTH_NAME-access.crt --client-key=$AUTH_NAME.key --embed-certs --kubeconfig=${KUBECONFIG_FILE}
User "myuser" set.
- Make myuser use the default project after login.
$ oc config set-context myuser --cluster=$(oc config view -o jsonpath='{.clusters[0].name}') --namespace=default --user=myuser --kubeconfig=${KUBECONFIG_FILE}
Context "myuser" created.
- Obtain OpenShift's CA certificate and add it to the kubeconfig.
$ oc -n openshift-authentication rsh `oc get pods -n openshift-authentication -o name | head -1` cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > ingress-ca.crt
$ oc config set-cluster $(oc config view -o jsonpath='{.clusters[0].name}') --server=$(oc config view -o jsonpath='{.clusters[0].cluster.server}') --certificate-authority=ingress-ca.crt --kubeconfig=${KUBECONFIG_FILE} --embed-certs
Cluster "local" set.
- Switch to the configuration in ${KUBECONFIG_FILE}.
$ oc config use-context myuser --kubeconfig=${KUBECONFIG_FILE}
Switched to context "myuser".
$ export KUBECONFIG=${KUBECONFIG_FILE}
- Log in directly as myuser to verify; the login needs no password and uses the certificate in the kubeconfig instead.
$ oc login -u myuser
Logged into "https://openshift:6443" as "myuser" using existing credentials.
You have access to 61 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".
$ oc whoami
myuser
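The procedure above approves the CSR without looking at what it asks for, yet the subject's O= field becomes a Kubernetes group, and a certificate issued for O=system:masters is cluster-admin that RBAC cannot remove and Kubernetes cannot revoke. The following script is an added example, not part of the original article or of any OpenShift tooling: it decodes a PEM CSR with a minimal stdlib-only DER parser, reports the CN and groups so an approver can check them before running `oc adm certificate approve`, and builds the certificates.k8s.io/v1 CertificateSigningRequest object that the deprecation warning above points to (v1 requires a signerName; `kubernetes.io/kube-apiserver-client` is the standard signer for client-auth certificates). `sample_csr_pem` produces a constructed, unsigned, structurally minimal CSR so the example runs offline; the `review_csr` and `csr_manifest` names are assumptions made for this example.

```python
"""Inspect a PEM CertificateSigningRequest before approving it (added example, stdlib only)."""
import base64
import json

# Groups that should never be granted through a client certificate without review.
PRIVILEGED_GROUPS = {"system:masters"}
# X.501 attribute OIDs (DER-encoded) we care about in the subject.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def der_tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(body):
    """Split the body of a constructed DER element into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        out.append((tag, value))
    return out


def parse_name_body(rdns):
    """Parse the body of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    attrs = []
    for _, rdn_set in der_children(rdns):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)  # OID then UTF8/PrintableString
            attrs.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8")))
    return attrs


def csr_subject(csr_pem):
    """Return the subject of a PKCS#10 CSR as a list of (attribute, value)."""
    b64 = "".join(l for l in csr_pem.strip().splitlines() if not l.startswith("-----"))
    _, csr_body, _ = der_tlv(base64.b64decode(b64))   # CertificationRequest
    _, info_body, _ = der_tlv(csr_body)                # CertificationRequestInfo
    fields = der_children(info_body)                   # version, subject, spki, attrs
    return parse_name_body(fields[1][1])


def review_csr(csr_pem):
    """Return (common_name, groups, privileged_groups) for an approver to check."""
    subject = csr_subject(csr_pem)
    cn = next((v for k, v in subject if k == "CN"), None)
    groups = [v for k, v in subject if k == "O"]
    return cn, groups, sorted(set(groups) & PRIVILEGED_GROUPS)


def csr_manifest(name, csr_pem, signer="kubernetes.io/kube-apiserver-client"):
    """Build the certificates.k8s.io/v1 CSR object as a JSON-compatible dict."""
    return {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {
            "signerName": signer,  # required in v1 (v1beta1 defaulted to legacy-unknown)
            "request": base64.b64encode(csr_pem.encode()).decode(),
            "usages": ["client auth"],
        },
    }


def der(tag, body):
    """Minimal DER encoder, used only to construct sample data below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_csr_pem(cn, groups):
    """Constructed, UNSIGNED, structurally minimal CSR for offline demonstration only."""
    def atv(oid, text):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, text.encode())))
    name = der(0x30, atv(b"\x55\x04\x03", cn) + b"".join(atv(b"\x55\x04\x0a", g) for g in groups))
    info = der(0x30, der(0x02, b"\x00") + name + der(0x30, b"") + der(0xA0, b""))
    csr = der(0x30, info + der(0x30, b"") + der(0x03, b"\x00"))  # empty sig alg, empty sig
    b64 = base64.b64encode(csr).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    # Same subject as the article's openssl command: /CN=myuser/O=system:masters
    pem = sample_csr_pem("myuser", ["system:masters"])
    cn, groups, privileged = review_csr(pem)
    print(f"CN={cn} groups={groups} privileged={privileged}")
    print(json.dumps(csr_manifest("auth2kube-access", pem), indent=2))
```

On a real cluster, feed `csr_subject` the contents of `$AUTH_NAME.csr` (or the base64-decoded `.spec.request` of a pending CSR object) and approve only when the reported groups are the ones intended; a certificate for a privileged group is valid until it expires regardless of later RBAC changes.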
References
https://rcarrata.com/openshift/regenerate-kubeconfig/