一、非集群主机管理K8S主机配置
1、下载kubectl命令
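# Yum repository definition for kubectl (mirror of the upstream Kubernetes repo).
# Install it as a file under /etc/yum.repos.d/ before running yum below.
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
# Verify each RPM's signature against the keys in gpgkey. With gpgcheck=0 the
# keys listed below are never used, so a modified package served by the mirror
# (or injected on the path to it) would install without complaint.
gpgcheck=1
# repo_gpgcheck=1 additionally verifies the signed repository metadata and is
# the stricter setting; enable it too if your yum version verifies the mirror's
# metadata signature cleanly.
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg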
# Install kubectl from the [kubernetes] repo defined above; -y answers the
# confirmation prompt so the install runs non-interactively.
yum install -y kubectl
2、拷贝config文件
# Copies this control plane's own kubeconfig verbatim to the other host.
# On a kubeadm-style cluster (note the /etc/kubernetes/pki paths used later)
# that file carries the admin credentials: cluster CA plus an embedded client
# cert and private key, so whoever can read /root/config on the target has
# the same access as root on the master. For a non-cluster host that only
# needs limited access, distribute the restricted xyh.kubeconfig built in
# section 二 instead of this file. "remote_ip" is a placeholder for the
# destination host.
scp /root/.kube/config remote_ip:/root/config
二、对kubectl使用用户的权限控制
1、基于ca根证书创建用户证书
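# Signing policy consumed by cfssl below. The quoted delimiter ('EOF') keeps the
# shell from expanding anything inside the JSON; the content must stay literal.
#
# NOTE(review): 87600h is a ten-year lifetime. The Kubernetes API server does
# not check certificate revocation lists, so a client certificate that leaks
# stays usable until it expires — consider a much shorter expiry for user certs.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

# The "CN" field below is the Kubernetes user name the API server derives from
# the client certificate; it must match the subject name in the RoleBinding.
# The "O" field is interpreted as the user's group — keep it a plain value
# like "k8s", never a privileged group such as system:masters, or the RBAC
# Role created later would be bypassed.
cat > xyh-csr.json <<'EOF'
{
  "CN": "xyh",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Sign the CSR with the cluster CA using the "kubernetes" profile above.
# cfssljson writes xyh.pem (certificate) and xyh-key.pem (private key), which
# the kubeconfig step consumes; treat xyh-key.pem as a secret.
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes xyh-csr.json | cfssljson -bare xyh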
2、生成对应的kubeconfig文件
# Target kubeconfig for the restricted user. Because every step below passes
# --embed-certs=true, the CA, the client certificate and the client private
# key are all copied into this one file: it is a credential, not just config.
kubeconfig=xyh.kubeconfig
api_server=https://192.168.112.110:16443

# Cluster entry: API endpoint plus the CA used to verify its serving cert.
kubectl config set-cluster kubernetes \
  --kubeconfig="$kubeconfig" \
  --server="$api_server" \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true

# User entry: the certificate/key pair cfssl issued for "xyh".
kubectl config set-credentials xyh \
  --kubeconfig="$kubeconfig" \
  --client-certificate=xyh.pem \
  --client-key=xyh-key.pem \
  --embed-certs=true

# Context tying the cluster and the user together.
kubectl config set-context kubernetes \
  --kubeconfig="$kubeconfig" \
  --cluster=kubernetes \
  --user=xyh

# Make that context the default one in this kubeconfig.
kubectl config use-context kubernetes --kubeconfig="$kubeconfig"
3、创建角色绑定
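# A Role is namespace-scoped: this grants read-only access to pods in the
# "default" namespace only. Cluster-wide access would need a ClusterRole and
# ClusterRoleBinding instead.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
  # "" is the core API group (pods, services, ...); the APIVERSION column of
  # `kubectl api-resources` shows which group a resource belongs to.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
# The subject name below must equal the user name the API server takes from
# the client certificate, i.e. the "CN" of xyh-csr.json.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: xyh
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io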
注意:
- Role 中定义的 apiGroups 里的 "" (空字符串)代表核心组,可通过 kubectl api-resources 的第三列(APIVERSION)确定资源所属组
- pods 属于核心组:""
- deployments属于apps组
- apiservices 属于 apiregistration.k8s.io 组
- 需要修改用户相应的权限,只需修改role中定义的权限
- apiGroups: ["", "apps"] 添加 apps 组资源
- resources: ["pods", "deployments"] 添加 apps 组中的 deployments 资源
- verbs: ["get", "watch", "list", "delete"] 添加对上述资源的 delete 权限
[root@k8s-master1 RBAC]# kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
bindings v1 true Binding
pods po v1 true Pod
services svc v1 true Service
apiservices piregistration.k8s.io/v1 false APIService
daemonsets ds apps/v1 true DaemonSet
deployments deploy apps/v1 true Deployment
replicasets rs apps/v1 true ReplicaSet