Adding users to Kubernetes

Kubernetes has two kinds of users: service accounts, which are objects managed by the Kubernetes API, and normal users, which Kubernetes does not store at all. A normal user is whatever identity the configured authenticator presents, for client certificates the CN (username) and O (groups) fields of the certificate subject.

Service account authentication

Starting with Kubernetes 1.24, creating a service account no longer creates a Secret holding a long-lived token; tokens are requested on demand with kubectl create token instead.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubepi-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubepi-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubepi-user
    namespace: kube-system

Once the SA and ClusterRoleBinding exist, run the following command to create a token. Note that this example binds the account to cluster-admin, so anyone holding one of its tokens has full control of the cluster; for a real consumer bind a Role or ClusterRole that grants only what it needs.

kubectl create token kubepi-user -n kube-system

Test that the token works. A token from kubectl create token is short-lived, one hour by default; pass --duration (for example --duration=24h) when a tool needs a longer-lived credential. The test below uses --insecure-skip-tls-verify=true, which is fine for a quick check against localhost, but elsewhere pass --certificate-authority=<cluster CA file> instead, otherwise the bearer token is sent to whatever answers at that address.

➜ root@localhost  ~  kubectl --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndVZzRLV1FWelg0Qk01dnVFNFF2Q3VvMzAwWnNOY0VpVXNpUmdycng1TDgifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNjg3NzcyNTY2LCJpYXQiOjE2ODc3Njg5NjYsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJrdWJlcGktdXNlciIsInVpZCI6ImE1Y2RiYjBjLTM2NWYtNGNmNC1hODlhLWMxYTdlMDcxMDNjNyJ9fSwibmJmIjoxNjg3NzY4OTY2LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06a3ViZXBpLXVzZXIifQ.Z6HPT6gUJmOaZ9u92tZIiDz1fLcpeFCFfo7sqBcXsdZUnZLMJZoio_WCYUBArzRFc9rQaJ93E6lfFNnZbM7ZuM-O31m4Pb6iGqGxCbAyJJUPfeYvufvoohYNVX_jDWAYls8bLIYqiuPGwuosYS97GmT-MZwbtt2mDb8BkMQTK4GAg8vhxLImdBRTcUuvJaSIijkqoQiXqb9_QGz_UKJf-Ou_W5Aq-LGShh0wMXI6ZO-vYpz3-829yD8G4bfpY9XFT5HlLXFNUmkguf1JilnIAOulBpeb-UsnxLfZsbjx3Rq7sPI8E09R8MwgZCX2PlfYj7NjrLymSKnN0hPgJBP13A get pods --server https://localhost:6443 --insecure-skip-tls-verify=true -A
NAMESPACE     NAME                                      READY   STATUS    RESTARTS      AGE
kube-system   local-path-provisioner-69dff9496c-fbgsn   1/1     Running   1 (18d ago)   18d
kube-system   coredns-8b9777675-4rd6h                   1/1     Running   2 (18d ago)   18d
kube-system   metrics-server-5f9f776df5-m9zlm           1/1     Running   2 (18d ago)   18d
kube-system   nvidia-device-plugin-daemonset-hgwd5      1/1     Running   0             18d
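The long string passed to --token above is a JWT: its middle segment is base64url-encoded JSON, so the subject, namespace and lifetime can be read without the API server's signing key. The following is an added example, not code from the original post; the helper names (b64url_decode, jwt_claim, jwt_lifetime, jwt_status) are my own, and SAMPLE_TOKEN is a constructed token whose claims mirror the one printed above but whose header and signature are fake. Nothing here verifies the signature, that remains the API server's job; this is for inspecting a token before handing it to a tool.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the claims of a Kubernetes
# service-account JWT (inspection only; the signature is not checked here).

# b64url_decode STRING: base64url -> standard base64 with padding -> decoded bytes
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}="  ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN: the claims JSON (second dot-separated segment)
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# jwt_claim TOKEN NAME: value of one scalar claim, quotes stripped. The search is by
# key, so nested keys such as "namespace" or "name" are found as well.
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"; }

# jwt_lifetime TOKEN: exp - iat in seconds (3600 is the `kubectl create token` default)
jwt_lifetime() { echo $(( $(jwt_claim "$1" exp) - $(jwt_claim "$1" iat) )); }

# jwt_status TOKEN [NOW]: "valid" or "expired" relative to NOW (epoch seconds; default: now)
jwt_status() {
  now=${2:-$(date +%s)}
  if [ "$(jwt_claim "$1" exp)" -gt "$now" ]; then echo valid; else echo expired; fi
}

# b64url_encode STRING: used only to build the constructed sample token below
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }

# Constructed sample: same claims as the token in the post, fake header and signature.
SAMPLE_CLAIMS='{"aud":["https://kubernetes.default.svc.cluster.local","k3s"],"exp":1687772566,"iat":1687768966,"iss":"https://kubernetes.default.svc.cluster.local","kubernetes.io":{"namespace":"kube-system","serviceaccount":{"name":"kubepi-user","uid":"a5cdbb0c-365f-4cf4-a89a-c1a7e07103c7"}},"nbf":1687768966,"sub":"system:serviceaccount:kube-system:kubepi-user"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode "$SAMPLE_CLAIMS").$(b64url_encode 'not-a-real-signature')"

# Stand-alone run: the facts worth knowing before passing a token to a third-party tool.
printf 'subject:   %s\n' "$(jwt_claim "$SAMPLE_TOKEN" sub)"
printf 'namespace: %s\n' "$(jwt_claim "$SAMPLE_TOKEN" namespace)"
printf 'lifetime:  %ss\n' "$(jwt_lifetime "$SAMPLE_TOKEN")"
printf 'status:    %s\n' "$(jwt_status "$SAMPLE_TOKEN")"
```

To inspect a real token, replace SAMPLE_TOKEN with the output of kubectl create token. The sub claim is what RBAC sees as the subject (system:serviceaccount:<namespace>:<name>), and exp minus iat tells you whether someone passed --duration.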

Normal users with certificate authentication

# Create the private key
openssl genrsa -out tom.key 2048
# Create the CSR. The CN becomes the Kubernetes username, so it must match the name used in the RoleBinding/ClusterRoleBinding; each O becomes a group the user belongs to (here MGM)
openssl req -new -key tom.key -out tom.csr -subj "/CN=tom/O=MGM"
# Sign the CSR with the cluster's client CA. On k3s the CA certificate and key are at the paths below and can be used as-is; on a kubeadm cluster they are /etc/kubernetes/pki/ca.crt and ca.key
# -days 3650 is a ten-year certificate. The API server does not check certificate revocation, so a leaked certificate stays usable until it expires; prefer a short validity (or the CertificateSigningRequest API) for real users
openssl x509 -req -in tom.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out tom.crt -days 3650

Create the ClusterRoleBinding YAML (crb.yaml). The subject is kind User with the name taken from the certificate's CN; a kind Group subject named MGM would instead match every certificate whose O is MGM.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tom-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    name: tom
    apiGroup: rbac.authorization.k8s.io

kubectl apply -f crb.yaml
# Add the user's credentials to the kubeconfig (add --embed-certs=true to inline the files so the kubeconfig is self-contained)
kubectl config set-credentials tom --client-certificate=tom.crt --client-key=tom.key
# Create the context; if you are not sure of the cluster name, run kubectl config get-clusters
kubectl config set-context tom@local --cluster=default --user=tom
# Switch to the new context
kubectl config use-context tom@local
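The following is an added example, not code from the original post, that repeats the three openssl steps above against a throwaway CA and then reads back what the API server will make of the result: the CN that kind User matches, the O that kind Group matches, and whether the certificate chains to the CA the API server trusts. It assumes nothing about a running cluster; client-ca here is a self-signed stand-in for k3s's client-ca.crt/client-ca.key, rogue-ca is a second CA the cluster would not trust, and the function names (make_ca, issue_client_cert, cert_user, cert_groups, cert_chains_to, cert_outlives) are my own. Everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Issues client certificates the way the
# post does and checks what the API server would see. Requires only openssl.
set -e
WORK=$(mktemp -d)

# make_ca NAME: a self-signed CA in $WORK (in a real cluster you use the existing client CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client_cert CA USER GROUP DAYS: the post's genrsa / req / x509 -req sequence.
# Output files are $WORK/CA-USER.{key,csr,crt}. Keep DAYS short: the API server never
# checks revocation, so a leaked certificate remains usable until it expires.
issue_client_cert() {
  out="$WORK/$1-$2"
  openssl genrsa -out "$out.key" 2048 2>/dev/null
  openssl req -new -key "$out.key" -out "$out.csr" -subj "/CN=$2/O=$3" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$out.crt" -days "$4" >/dev/null 2>&1
}

# subject_field CERT FIELD: values of one RDN type in the subject, one per line.
# RFC2253 form prints e.g. "subject=O=MGM,CN=tom", which is split on commas.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}
cert_user()   { subject_field "$1" CN; }   # what an RBAC subject of kind User matches
cert_groups() { subject_field "$1" O;  }   # what an RBAC subject of kind Group matches

# cert_chains_to CA CERT: "ok" only if CERT was signed by CA. This is the check that
# matters: a certificate saying CN=tom from any other CA is simply rejected.
cert_chains_to() {
  if openssl verify -CAfile "$WORK/$1.crt" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_outlives CERT SECONDS: "yes" if CERT is still valid SECONDS from now (x509 -checkend)
cert_outlives() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_ca client-ca                        # stand-in for the cluster's client CA
make_ca rogue-ca                         # a CA the cluster does not trust
issue_client_cert client-ca tom MGM 30   # the post's user, 30 days instead of 3650
issue_client_cert rogue-ca  tom MGM 30   # same subject, untrusted issuer

TOM="$WORK/client-ca-tom.crt"
FAKE="$WORK/rogue-ca-tom.crt"
printf 'user:   %s\n' "$(cert_user "$TOM")"
printf 'groups: %s\n' "$(cert_groups "$TOM" | tr '\n' ' ')"
printf 'trusted cert chains to client-ca: %s\n' "$(cert_chains_to client-ca "$TOM")"
printf 'rogue cert chains to client-ca:   %s\n' "$(cert_chains_to client-ca "$FAKE")"
printf 'still valid in 60 days: %s\n' "$(cert_outlives "$TOM" $((60 * 86400)))"
```

The subject parsing is the same mapping the API server applies to a client certificate, so cert_user tells you exactly which name to put in the ClusterRoleBinding, and cert_groups which Group subjects would also grant the user access. cert_outlives is the check to run on an existing kubeconfig before deciding whether a ten-year certificate needs to be reissued with a shorter lifetime.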
posted @ 2023-06-26 17:45  Chinor