基于x509创建访问apiserver的user

1. 创建一个 key，用于生成对应的 CSR (certificate signing request)
# Generate a 2048-bit RSA private key for the new user. This file is the
# user's credential: keep it private and never commit or share it.
openssl genrsa -out myuser.key 2048
2.生成csr
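# Create the CSR from the key. For the kubernetes.io/kube-apiserver-client
# signer the subject CN becomes the Kubernetes username, so it must match the
# user granted below (--user=myuser); -subj sets it explicitly instead of
# relying on the interactive prompt.
openssl req -new -key myuser.key -subj "/CN=myuser" -out myuser.csr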
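# 3. Base64-encode the CSR on a single line for the spec.request field below.
# Plain ASCII quotes are required: the original used typographic quotes
# (“\n”), which the shell passes to tr literally, so the newlines were not
# removed and the quote characters themselves were deleted.
base64 < myuser.csr | tr -d '\n'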
将上一步输出的 base64 字符串填入下方 k8s CSR 对象的 request 字段

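# Submit the CertificateSigningRequest to the cluster. spec.request takes the
# single-line base64 output of the previous step. expirationSeconds is only
# what is requested; the signer may issue a shorter-lived certificate.
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <BASE64_CSR_FROM_STEP_3>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day (the original 8640000 was 100 days)
  usages:
  - client auth
EOF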

k8s approve certificate
# Approve the pending CSR. This is a privileged action (it requires the
# approval permission on certificatesigningrequests), so run it with an
# administrative kubeconfig, not as the new user.
kubectl certificate approve myuser
获取对应的证书
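# Extract the issued certificate from the CSR status and decode it to a file.
# The jsonpath must be in plain single quotes; the original typographic
# quotes (‘…’) are passed to kubectl literally and break the expression.
kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 -d > myuser.crt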

把证书设置到 kubeconfig 中 (set credentials)

# Register the key and certificate as kubeconfig user "myuser".
# --embed-certs inlines both files into the kubeconfig, so that file now
# contains the private key and must be protected accordingly.
kubectl config set-credentials myuser --client-key=myuser.key --client-certificate=myuser.crt --embed-certs=true

对myuser授权

``sh
# Grant the user least-privilege access to pods. A Role is namespaced, so
# both objects land in the current namespace and only apply there.
kubectl create role developer \
  --verb=create,get,list,update,delete \
  --resource=pods
# Bind the role to the certificate's CN (the Kubernetes username).
kubectl create rolebinding developer-binding-myuser \
  --role=developer \
  --user=myuser

最终可以通过
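# Verify access with the new credential. --user selects the kubeconfig user
# registered above; --username (as originally written) is the HTTP basic-auth
# flag and would not use the client certificate at all.
kubectl get pods --user=myuser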
