In general, the user's private key is the user's own secret and should not be generated and handed out by the cluster administrator; instead the user gives the administrator a CSR file to sign. In practice, though, the administrator sometimes generates and distributes the whole set for convenience.
linmao@debian-1:/etc/kubernetes/pki$ sudo openssl genrsa -out linmao.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
..........+++++
e is 65537 (0x010001)

Generate the CSR (certificate signing request)
sudo openssl req -new -key linmao.key -out linmao.csr -subj "/O=linmao_corp/CN=linmao"

Sign the certificate
linmao@debian-1:/etc/kubernetes/pki$ sudo openssl x509 -req -in linmao.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linmao.crt -days 365
Signature ok
subject=O = linmao_corp, CN = linmao
Getting CA Private Key

Copy the certificates
The certificate is now complete, and the cluster administrator distributes it to the user. The files are ca.crt, <username>.crt and <username>.key. As noted above, <username>.key should really be generated by the user, who then hands the administrator a CSR generated from that key for signing; here we assume the administrator generated the key on the user's behalf for convenience. That is not best practice.
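The recommended flow from the paragraph above, written out as an added shell example (this is not code from the original post): the user generates the key and CSR on their own machine, the administrator receives only the CSR and signs it with the cluster CA, and either side can then verify what the API server will see. The CA here is a throwaway test CA constructed for the example (on a real cluster the administrator uses /etc/kubernetes/pki/ca.crt and ca.key as the post does); the function names, the working directory handling and the extendedKeyUsage extension are my additions. Kubernetes takes the certificate's CN as the username and O as a group, which is why the RBAC binding later names linmao.

```shell
#!/bin/sh
# Added example: split-responsibility issuance of a Kubernetes client certificate.
# The CA below is a throwaway test CA constructed for this example only.
set -e

# --- user side: the private key is created here and never leaves this machine ---
user_make_csr() {            # $1 = workdir, $2 = username (CN), $3 = group (O)
  ( umask 077                # key file is created 0600, readable only by its owner
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null )
  # CN becomes the Kubernetes username, O becomes a group usable in RBAC subjects
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/O=$3/CN=$2"
}

# --- admin side: only the CSR is received and signed with the cluster CA ---------
admin_sign_csr() {           # $1 = workdir, $2 = username
  # restrict the issued cert to client authentication (my addition, not on the page)
  printf 'extendedKeyUsage = clientAuth\n' > "$1/client.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/client.ext" -out "$1/$2.crt" -days 365 2>/dev/null
}

make_test_ca() {             # throwaway CA standing in for the cluster's ca.crt/ca.key
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.crt" -subj "/CN=example-test-ca" -days 1 2>/dev/null
}

# What the API server will check: the chain must verify against ca.crt, and the
# subject tells you the exact username/group the RBAC binding has to name.
check_cert() {               # $1 = workdir, $2 = username
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253
}

# End-to-end run: prints the verify result, the subject and the key's permissions.
issue_demo() {
  d=$(mktemp -d)
  make_test_ca "$d"
  user_make_csr "$d" linmao linmao_corp
  admin_sign_csr "$d" linmao
  check_cert "$d" linmao
  ls -l "$d/linmao.key" | cut -c1-10    # expected: -rw-------
}
```

Run issue_demo to see the three checks in one go; the same check_cert step can be pointed at the files the administrator hands out, which is a quick way to confirm that the CN in the certificate matches the name used in the ClusterRoleBinding before a "forbidden" error sends you looking in the wrong place.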
We now simulate the distribution step by copying the certificate files to the client machine.
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/ca.crt .
ca.crt                                        100% 1099    95.3KB/s   00:00
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/linmao.crt .
linmao.crt                                    100% 1017   248.0KB/s   00:00
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/linmao.key .
linmao.key                                    100% 1679   819.8KB/s   00:00

Create the Role/ClusterRole and RoleBinding/ClusterRoleBinding
The difference between a Role and a ClusterRole is that a Role must specify a namespace, i.e. a Role is bound to a namespace, whereas a ClusterRole grants cluster-level permissions that are not restricted to any namespace. Here we give a ClusterRole and ClusterRoleBinding example:
cluster-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-operator
rules:
  - apiGroups:
      - ""
      - "batch"
      - "apps"
    resources:
      - pods
      - nodes
      - services
      - cronjobs
      - jobs
      - endpoints
      - deployments
      - namespaces
      - pods/log
      - persistentvolumes
      - configmaps
      - secrets
    verbs:
      - get
      - list
      - watch
      - delete
      - create
cluster-role-binding.yaml: binds the role created above to the user linmao.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-operator
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: linmao
Submit both files to the cluster with sudo kubectl apply -f <filename>.
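To make the Role versus ClusterRole distinction concrete, here is an added shell example (not part of the original post, and not the author's manifests): render_ns_rbac emits a namespace-scoped Role plus RoleBinding for user linmao with read-only verbs on pods, the least-privilege counterpart of the cluster-wide ClusterRole above, and audit_role walks a manifest written in the same "- item" list style as the post's files and warns when a rule lets the subject read (get/list) or delete secrets, which the cluster-operator ClusterRole above grants in every namespace. The role name pod-reader, the dev namespace and the function names are assumptions; write_page_clusterrole is a verbatim copy of the post's cluster-role.yaml used as sample input.

```shell
#!/bin/sh
# Added example: a namespace-scoped Role/RoleBinding and a pre-apply audit for
# broad secret access. The "dev" namespace and "pod-reader" name are assumptions.
set -e

# Emit a Role limited to one namespace and read-only verbs, bound to the user whose
# certificate CN we issued (namespace and username are parameters).
render_ns_rbac() {           # $1 = namespace, $2 = username (certificate CN)
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $1
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-$2
  namespace: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: $2
EOF
}

# Walk a Role/ClusterRole manifest in the page's list style; print one WARN line per
# rule that grants read (get/list) or delete on secrets. Exits 1 when anything was
# flagged so the function can gate a CI step before "kubectl apply".
audit_role() {               # $1 = manifest file
  awk '
    function flush() {
      if (("secrets" in res) && (("get" in verb) || ("list" in verb)))
        { print "WARN: rule grants read access to secrets"; n++ }
      if (("secrets" in res) && ("delete" in verb))
        { print "WARN: rule grants delete on secrets"; n++ }
      delete res; delete verb
    }
    /^ *- apiGroups:/ { flush(); sect = ""; next }   # a new rule starts
    /^ *resources:/   { sect = "r"; next }
    /^ *verbs:/       { sect = "v"; next }
    /^ *- / && sect == "r" { res[$2] = 1; next }     # $2 is the item after "- "
    /^ *- / && sect == "v" { verb[$2] = 1; next }
    END { flush(); exit (n > 0) }
  ' "$1"
}

# Sample input: a copy of the page's cluster-role.yaml, used to show the audit firing.
write_page_clusterrole() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-operator
rules:
  - apiGroups:
      - ""
      - "batch"
      - "apps"
    resources:
      - pods
      - nodes
      - services
      - configmaps
      - secrets
    verbs:
      - get
      - list
      - watch
      - delete
      - create
EOF
}
```

Usage: `render_ns_rbac dev linmao | kubectl apply -f -` applies the narrow role; `write_page_clusterrole > cr.yaml; audit_role cr.yaml` prints both warnings and exits 1. After either binding is applied, `kubectl auth can-i --list --as=linmao` (and, for the namespaced case, `kubectl auth can-i get secrets --as=linmao -n dev`, expected answer "no") shows exactly what the new user can do from the API server's point of view, which is the check worth running before handing the kubeconfig over.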
Configure the client

At this point the server-side configuration is complete; now we configure the client. Remember the three files copied from the server earlier (ca.crt, linmao.crt, linmao.key)? They are needed now. Put them in the .kube directory under your HOME directory.
1. Create the cluster
C:\Users\marlin>kubectl config set-cluster test-cluster --server=https://192.168.1.195:6443 --certificate-authority=C:\Users\marlin\.kube\ca.crt
Cluster "test-cluster" set.
2. Create the user
C:\Users\marlin>kubectl config set-credentials linmao --client-certificate=C:\Users\marlin\.kube\linmao.crt --client-key=C:\Users\marlin\.kube\linmao.key
User "linmao" set.
3. Create the context, which associates the cluster and the user just created
C:\Users\marlin>kubectl config set-context linmao@test-cluster --cluster=test-cluster --user=linmao
Context "linmao@test-cluster" created.
4. Check what was just created
CURRENT   NAME                  CLUSTER        AUTHINFO   NAMESPACE
          linmao@test-cluster   test-cluster   linmao
5. Test it
C:\Users\marlin>kubectl config use-context linmao@test-cluster
Switched to context "linmao@test-cluster".
C:\Users\marlin>kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
common        data-service-589c97fc76-98k5g              1/1     Running   0          133m
default       vscode-884887b4d-wfgsv                     1/1     Running   0          11h
kube-system   coredns-6d8c4cb4d-2vp27                    1/1     Running   0          11h
kube-system   coredns-6d8c4cb4d-jp5w2                    1/1     Running   0          11h
kube-system   etcd-debian-1                              1/1     Running   11         11h
kube-system   kube-apiserver-debian-1                    1/1     Running   11         11h
kube-system   kube-controller-manager-debian-1           1/1     Running   7          11h
kube-system   kube-flannel-ds-57bzc                      1/1     Running   0          11h
kube-system   kube-flannel-ds-w2f56                      1/1     Running   0          11h
kube-system   kube-flannel-ds-xxkr7                      1/1     Running   0          11h
kube-system   kube-proxy-b4dnv                           1/1     Running   0          11h
kube-system   kube-proxy-rjlwx                           1/1     Running   0          11h
kube-system   kube-proxy-tl2f4                           1/1     Running   0          11h
kube-system   kube-scheduler-debian-1                    1/1     Running   11         11h
Success!