Adding users to Kubernetes
Kubernetes has two kinds of users: service accounts and normal users.
Service Account authentication
Starting with 1.24, creating a service account no longer creates a secret alongside it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubepi-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubepi-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubepi-user
  namespace: kube-system
After the SA and ClusterRoleBinding have been created, run the following command to create a token:
kubectl create token kubepi-user -n kube-system
Test that the token works:
➜ root@localhost ~ kubectl --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndVZzRLV1FWelg0Qk01dnVFNFF2Q3VvMzAwWnNOY0VpVXNpUmdycng1TDgifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNjg3NzcyNTY2LCJpYXQiOjE2ODc3Njg5NjYsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJrdWJlcGktdXNlciIsInVpZCI6ImE1Y2RiYjBjLTM2NWYtNGNmNC1hODlhLWMxYTdlMDcxMDNjNyJ9fSwibmJmIjoxNjg3NzY4OTY2LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZXBpLXVzZXIifQ.Z6HPT6gUJmOaZ9u92tZIiDz1fLcpeFCFfo7sqBcXsdZUnZLMJZoio_WCYUBArzRFc9rQaJ93E6lfFNnZbM7ZuM-O31m4Pb6iGqGxCbAyJJUPfeYvufvoohYNVX_jDWAYls8bLIYqiuPGwuosYS97GmT-MZwbtt2mDb8BkMQTK4GAg8vhxLImdBRTcUuvJaSIijkqoQiXqb9_QGz_UKJf-Ou_W5Aq-LGShh0wMXI6ZO-vYpz3-829yD8G4bfpY9XFT5HlLXFNUmkguf1JilnIAOulBpeb-UsnxLfZsbjx3Rq7sPI8E09R8MwgZCX2PlfYj7NjrLymSKnN0hPgJBP13A get pods --server https://localhost:6443 --insecure-skip-tls-verify=true -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system local-path-provisioner-69dff9496c-fbgsn 1/1 Running 1 (18d ago) 18d
kube-system coredns-8b9777675-4rd6h 1/1 Running 2 (18d ago) 18d
kube-system metrics-server-5f9f776df5-m9zlm 1/1 Running 2 (18d ago) 18d
kube-system nvidia-device-plugin-daemonset-hgwd5 1/1 Running 0 18d
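To see what the token created above actually carries, here is an added Python example (not part of the original post) that decodes a service-account JWT's claims without verifying the signature and checks that its subject matches the ServiceAccount named in the ClusterRoleBinding. The token it inspects is a constructed sample with the same claim layout as one issued by `kubectl create token`; unlike the secret-based tokens created before 1.24, these tokens carry an expiry.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample, NOT the page's real token: same claim layout as a token from
# `kubectl create token kubepi-user -n kube-system`, with a placeholder signature.
SAMPLE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local", "k3s"],
    "iss": "https://kubernetes.default.svc.cluster.local",
    "iat": 1687768966, "nbf": 1687768966, "exp": 1687772566,  # one-hour lifetime
    "sub": "system:serviceaccount:kube-system:kubepi-user",
    "kubernetes.io": {"namespace": "kube-system",
                      "serviceaccount": {"name": "kubepi-user", "uid": "constructed-uid"}},
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),
])

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (only the API server can)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token: str) -> dict:
    c = decode_claims(token)
    k8s = c.get("kubernetes.io", {})
    return {
        "subject": c.get("sub"),
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "audiences": c.get("aud", []),
        # Legacy secret-based tokens (the pre-1.24 behaviour) carry no exp at all.
        "lifetime_seconds": c["exp"] - c["iat"] if "exp" in c and "iat" in c else None,
    }

def matches_binding(token: str, subject: dict) -> bool:
    """True if the token's subject is the ServiceAccount named in a (Cluster)RoleBinding
    subject entry, i.e. the RBAC grant in the YAML above actually applies to it."""
    if subject.get("kind") != "ServiceAccount":
        return False
    expected = f"system:serviceaccount:{subject.get('namespace')}:{subject.get('name')}"
    return decode_claims(token).get("sub") == expected
```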
Normal users with certificate authentication
# Create the private key
openssl genrsa -out tom.key 2048
# Create the CSR; the CN value must be identical to the username
openssl req -new -key tom.key -out tom.csr -subj "/CN=tom/O=MGM"
# Issue the user's certificate with the Kubernetes CA; on k3s the CA certificate and key paths below can be used as-is
openssl x509 -req -in tom.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out tom.crt -days 3650
Create the ClusterRoleBinding YAML and save it as crb.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tom-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: User
  name: tom
  apiGroup: rbac.authorization.k8s.io
kubectl apply -f crb.yaml
# Create the user credentials entry
kubectl config set-credentials tom --client-certificate=tom.crt --client-key=tom.key
# Create the context; if unsure what to put for cluster, run kubectl config get-clusters
kubectl config set-context tom@local --cluster=default --user=tom
# Switch to the newly created context
kubectl config use-context tom@local