如无特别说明，以下操作均在 /etc/kubernetes/pki 目录下执行
root@master:/etc/kubernetes/pki# cd /etc/kubernetes/pki
1,创建用户私钥
root@master:/etc/kubernetes/pki# openssl genrsa -out leeqiand.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) .........+++++ ...........................+++++ e is 65537 (0x010001)
2,创建证书签署请求
#CN= 用户名（Kubernetes 以客户端证书的 CN 作为用户名）
root@master:/etc/kubernetes/pki# openssl req -new -key leeqiand.key -out leeqiand.csr -subj "/CN=leeqiand"
3,用集群 CA 签署证书（注意：kube-apiserver 不会检查吊销列表，私钥泄露后证书在过期前一直有效，因此 -days 不宜过长）
root@master:/etc/kubernetes/pki# openssl x509 -req -in leeqiand.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out leeqiand.crt -days 365 Signature ok subject=CN = leeqiand Getting CA Private Key
查看生成的文件
root@master:/etc/kubernetes/pki# ls |grep leeqiand leeqiand.crt leeqiand.csr leeqiand.key
4,创建kubeconfig文件
创建集群信息
--server 按集群 API Server 的实际地址填写即可
root@master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://10.0.2.2:6443 --kubeconfig=leeqiand.kubeconfig
Cluster "kubernetes" set.
root@master:/etc/kubernetes/pki# cat leeqiand.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data:
……（certificate-authority-data 的 base64 内容省略）
server: https://10.0.2.2:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
创建用户
root@master:/etc/kubernetes/pki# kubectl config set-credentials leeqiand --client-certificate=/etc/kubernetes/pki/leeqiand.crt --client-key=/etc/kubernetes/pki/leeqiand.key --embed-certs=true --kubeconfig=leeqiand.kubeconfig User "leeqiand" set.
创建context
root@master:/etc/kubernetes/pki# kubectl config set-context leeqiand@kubernetes --cluster=kubernetes --user=leeqiand --kubeconfig=leeqiand.kubeconfig Context "leeqiand@kubernetes" created.
5,创建role以及rolebinding
(任意目录)
Role 与 RoleBinding 的资料较多，这里仅给一个简单范例
role:
root@master:~/kube/sa# cat role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: lee rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", "list", "create", "update", "patch"]
rolebinding
root@master:~/kube/sa# cat rolebind.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: mytest namespace: default subjects: - kind: User name: leeqiand apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: lee apiGroup: rbac.authorization.k8s.io
创建:
root@master:~/kube/sa# kubectl create -f role.yaml role.rbac.authorization.k8s.io/lee created root@master:~/kube/sa# kubectl create -f rolebind.yaml rolebinding.rbac.authorization.k8s.io/mytest created root@master:~/kube/sa# kubectl get role,rolebinding NAME CREATED AT role.rbac.authorization.k8s.io/lee 2022-03-02T09:12:25Z NAME ROLE AGE rolebinding.rbac.authorization.k8s.io/mytest Role/lee 42s
6,将配置文件分发给普通用户（该 kubeconfig 内嵌了用户的私钥，分发后应只允许该用户读取，例如 chmod 600）
root@master:/etc/kubernetes/pki# cp leeqiand.kubeconfig /home/lee/.kube/config root@master:/etc/kubernetes/pki# chown lee:lee /home/lee/.kube/config
切换到普通用户
root@master:/etc/kubernetes/pki# su - lee
lee@master:~$ cd .kube/
lee@master:~/.kube$ ls
config
lee@master:~/.kube$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
因为 kubeconfig 中没有设置 current-context，kubectl 默认去连接 localhost:8080，所以需要手动修改 config 指定 context（也可以用 kubectl config use-context leeqiand@kubernetes 来设置）
lee@master:~/.kube$ vim config
contexts:
- context:
cluster: kubernetes
user: leeqiand
name: leeqiand@kubernetes
current-context: leeqiand@kubernetes
7,测试
由于 Role 中授予了 create 权限，所以可以创建 pod；但没有授予 delete 权限，所以无法删除。以下测试结果与预期相符
lee@master:~/.kube$ kubectl get pods NAME READY STATUS RESTARTS AGE dns 1/1 Running 22 (165m ago) 21d lee@master:~/.kube$ kubectl run nginx --image=nginx pod/nginx created lee@master:~/.kube$ kubectl get pods NAME READY STATUS RESTARTS AGE dns 1/1 Running 22 (165m ago) 21d nginx 1/1 Running 0 10s lee@master:~/.kube$ kubectl delete pod nginx Error from server (Forbidden): pods "nginx" is forbidden: User "leeqiand" cannot delete resource "pods" in API group "" in the namespace "default" lee@master:~/.kube$



