K8S: Creating a User Account (Part 2)
Creating an ordinary user with the cfssl method
Preparation
```bash
mkdir /root/pki/
# copy the k8s CA material (ca.pem, ca-key.pem, ca-config.json) into this directory
cp /opt/kubernetes/ssl/ca-key.pem /root/pki/
cp /opt/kubernetes/ssl/ca.pem /root/pki/
cp /root/k8s/cert/k8s/ca-config.json /root/pki/
# compared with the openssl method, there is one extra file here: ca-config.json
```
Inspect ca-config.json
```
[root@master k8s]# cat /root/k8s/cert/k8s/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```
Install cfssl
```bash
# download the binaries:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# make them executable (the original had "chmod -x", which removes the execute bit)
chmod +x cfssl*
# strip the _linux-amd64 suffix: cfssl_linux-amd64 -> cfssl, etc.
for x in cfssl*; do mv "$x" "${x%_linux-amd64}"; done
mv cfssl* /usr/bin
```
1. Generate the ordinary user's certificate
```bash
cat > devuser-csr.json <<EOF
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```
2. Sign it
```bash
# run in /root/pki, where ca.pem, ca-key.pem and ca-config.json were copied;
# the "kubernetes" profile includes "client auth", which the API server requires.
# cfssljson writes devuser.pem, devuser-key.pem and devuser.csr
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes devuser-csr.json | cfssljson -bare devuser
```
Set the cluster parameters:
```bash
kubectl config set-cluster k8s \
  --server=https://192.168.124.61:6443 \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --kubeconfig=/root/devuser.conf
```
Set the context parameters:
```bash
kubectl config set-context dev@k8s \
  --cluster=k8s \
  --user=devuser \
  --kubeconfig=/root/devuser.conf
```
Set the client credential parameters:
```bash
kubectl config set-credentials devuser \
  --client-certificate=devuser.pem \
  --client-key=devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=/root/devuser.conf
```
Switch the context
```bash
# the kubeconfig written above is /root/devuser.conf; the original used /root/dev.conf
# here, which does not exist and would make use-context fail
kubectl config use-context dev@k8s --kubeconfig=/root/devuser.conf
kubectl config view --kubeconfig=/root/devuser.conf
```
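The four `kubectl config` commands above only assemble a YAML file: with `--embed-certs=true` the PEM files are base64-encoded into `certificate-authority-data`, `client-certificate-data` and `client-key-data`, and the context ties a cluster name to a user name. The following is an added example, not code from the original post, that builds the same structure in Python and then checks the things kubectl does not check for you at write time (set-context accepts a `--user` that does not exist yet, an `http://` server URL never presents the client certificate, a missing CA leaves the API server unverified). Only the standard library is used; the PEM strings are constructed placeholders, not real certificates or keys, and the names `build_kubeconfig`, `embedded_pem` and `check_kubeconfig` are this example's own.

```python
"""Build and sanity-check a kubeconfig equivalent to the kubectl config commands above."""
import base64
import json

# Constructed placeholder PEM blobs standing in for ca.pem, devuser.pem and
# devuser-key.pem. They are not real certificates or keys.
CA_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVA==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END RSA PRIVATE KEY-----\n"


def _embed(pem: str) -> str:
    """--embed-certs=true stores the file's bytes base64-encoded in a *-data field."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context):
    """Equivalent of set-cluster, set-credentials, set-context and use-context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": _embed(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": _embed(cert_pem), "client-key-data": _embed(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
        "preferences": {},
    }


def embedded_pem(cfg, section, name, field):
    """Decode an embedded *-data field back to PEM, as kubectl does on load.
    section is "clusters" or "users"; the per-entry key is the singular form."""
    for entry in cfg[section]:
        if entry["name"] == name:
            return base64.b64decode(entry[section[:-1]][field]).decode()
    raise KeyError(f"{section}: {name}")


def check_kubeconfig(cfg):
    """Return problems that would make the file unusable or unsafe: a dangling
    context reference, a plaintext server URL, no CA, or a user with no credentials."""
    problems = []
    ctx_name = cfg.get("current-context")
    ctx = next((c["context"] for c in cfg["contexts"] if c["name"] == ctx_name), None)
    if ctx is None:
        return [f"current-context {ctx_name!r} is not defined"]
    cluster = next((c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"]), None)
    user = next((u["user"] for u in cfg["users"] if u["name"] == ctx["user"]), None)
    if cluster is None:
        problems.append(f"context references unknown cluster {ctx['cluster']!r}")
    else:
        if not cluster.get("server", "").startswith("https://"):
            problems.append("cluster server is not https; the client certificate is never presented")
        if not ({"certificate-authority", "certificate-authority-data"} & set(cluster)):
            problems.append("cluster has no CA; the API server identity is not verified")
    if user is None:
        # kubectl lets you run set-context before set-credentials, so a typo in
        # --user only shows up when the file is used.
        problems.append(f"context references unknown user {ctx['user']!r}")
    elif not ({"client-certificate-data", "client-key-data"} <= set(user)
              or {"client-certificate", "client-key"} <= set(user)):
        problems.append(f"user {ctx['user']!r} has no client certificate and key")
    return problems


if __name__ == "__main__":
    cfg = build_kubeconfig("k8s", "https://192.168.124.61:6443", CA_PEM,
                           "devuser", CERT_PEM, KEY_PEM, "dev@k8s")
    # JSON is valid YAML, so kubectl loads a file written this way as a kubeconfig
    print(json.dumps(cfg, indent=2))
    print("problems:", check_kubeconfig(cfg))
```

Running the check on the values from this page reports no problems; changing the context's user to `dev` (the name the system account is given later) reproduces the dangling reference that kubectl only reports at use time.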
Create a system user
```bash
useradd dev
mkdir -p /home/dev/.kube
# the kubeconfig generated above is /root/devuser.conf (the original used /root/dev.conf)
cp /root/devuser.conf /home/dev/.kube/config
chown -R dev:dev /home/dev/
su - dev
```
Create a Role
```bash
root@k8s-master:~# cat > pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
```
Create a RoleBinding
```bash
root@k8s-master:~# cat > test-pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cbmljs-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  # with x509 client auth the user name is the certificate CN, i.e. "devuser";
  # the original bound "dev" (the Linux account name), which matches nothing
  name: devuser
EOF
```
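The Role and RoleBinding only do what is intended if three things line up: the signing profile carries `client auth`, the RoleBinding's subject matches the identity the API server derives from the certificate (the CN becomes the user name, each `O` becomes a group), and the Role's verbs are really read-only. The following is an added example, not code from the original post, that checks those three conditions offline over the CSR and ca-config.json shown above. Only the standard library is used; the manifests are represented as Python dicts in the shape `kubectl get -o json` returns, and the names `identity_from_csr`, `make_binding`, `check_rbac` and `load_page_inputs` are this example's own.

```python
"""Check that a cfssl client certificate, a Role and a RoleBinding fit together."""
import json

# Constructed copies of the page's devuser-csr.json and ca-config.json
CSR_JSON = """{
  "CN": "devuser",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}"""
CA_CONFIG_JSON = """{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}"""

# The page's pods-reader Role as a dict (no namespace: kubectl apply uses the current one)
ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "pods-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

READ_ONLY_VERBS = {"get", "list", "watch"}


def load_page_inputs():
    return json.loads(CSR_JSON), json.loads(CA_CONFIG_JSON)


def identity_from_csr(csr: dict):
    """User name and groups the API server derives from the signed certificate."""
    groups = {n["O"] for n in csr.get("names", []) if "O" in n}
    return csr["CN"], groups


def make_binding(kind: str, name: str, role=ROLE) -> dict:
    """A RoleBinding like the page's test-pods-reader.yaml, with a chosen subject."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": "cbmljs-pods-reader"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": role["kind"], "name": role["metadata"]["name"]},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": kind, "name": name}],
    }


def check_rbac(csr: dict, ca_config: dict, profile: str, role: dict, binding: dict):
    """Return findings; an empty list means the certificate holder gets exactly
    the read-only access the Role describes, and nothing else."""
    findings = []
    usages = ca_config["signing"]["profiles"][profile]["usages"]
    if "client auth" not in usages:
        findings.append(f"profile {profile!r} lacks 'client auth'; the API server rejects the certificate")
    ref = binding["roleRef"]
    if (ref["kind"], ref["name"]) != (role["kind"], role["metadata"]["name"]):
        findings.append("roleRef does not point at the Role")
    user, groups = identity_from_csr(csr)
    for s in binding["subjects"]:
        matches = (s["kind"] == "User" and s["name"] == user) or \
                  (s["kind"] == "Group" and s["name"] in groups)
        if not matches:
            findings.append(f"subject {s['kind']}/{s['name']} never matches this certificate "
                            f"(user={user!r}, groups={sorted(groups)})")
    for rule in role["rules"]:
        extra = set(rule["verbs"]) - READ_ONLY_VERBS
        if extra:
            findings.append(f"rule on {rule['resources']} grants non-read verbs {sorted(extra)}")
    return findings


if __name__ == "__main__":
    csr, ca_config = load_page_inputs()
    for kind, name in (("User", "dev"), ("User", "devuser"), ("Group", "k8s")):
        print(kind, name, check_rbac(csr, ca_config, "kubernetes", ROLE, make_binding(kind, name)))
```

Binding `User/devuser` and binding `Group/k8s` both pass, because the CSR's `O` of `k8s` makes the certificate holder a member of that group; binding the group is the looser choice, since every other certificate this CA signs with `O: k8s` would get the same access, so the user binding is the one to keep. After `kubectl apply -f pods-reader.yaml -f test-pods-reader.yaml`, the live equivalent of this check is `kubectl auth can-i list pods --as devuser`.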