K8S 创建用户账号-User Account(二)
使用cfssl方法创建普通用户
准备工作
# Working directory for the CA material cfssl needs. Compared with the
# openssl variant there is one extra file here, ca-config.json, which
# holds the signing profiles.
mkdir -- /root/pki/
# Copy the cluster CA certificate, its private key and the cfssl config.
# ca-key.pem can sign a credential for any identity in the cluster, so
# this directory must stay readable by root only.
cp -- /opt/kubernetes/ssl/ca-key.pem /root/pki/
cp -- /opt/kubernetes/ssl/ca.pem /root/pki/
cp -- /root/k8s/cert/k8s/ca-config.json /root/pki/
查看ca-config.json
# The "kubernetes" profile selected later with -profile=kubernetes signs
# with usages "server auth" AND "client auth" and a 10-year expiry
# (87600h). A user certificate issued from it is therefore also a valid
# server certificate, and since Kubernetes does not check revocation for
# client certificates it stays usable for the full 10 years; a
# client-auth-only profile with a short expiry is preferable for users.
[root@master k8s]# cat /root/k8s/cert/k8s/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
安装cfssl
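# Download the install packages:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# These binaries end up in /usr/bin and are run as root: compare them
# against a checksum obtained from a trusted source before installing.
# Fix: the original ran 'chmod -x', which REMOVES the execute bit and
# leaves the installed tools unrunnable; '+x' is what is needed.
chmod +x cfssl*
# Strip the platform suffix: cfssl_linux-amd64 -> cfssl, and so on.
for x in cfssl*; do
  mv -- "$x" "${x%_linux-amd64}"
done
mv -- cfssl* /usr/bin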
一、生成普通用户证书
# CSR for the ordinary user "devuser". Kubernetes takes the user name
# from the certificate CN and the user's group from the O field (here
# "k8s"), so O must never be set to a privileged group such as
# system:masters. The body contains no shell expansions, so the
# delimiter is quoted to make that explicit.
cat > devuser-csr.json <<'EOF'
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
二、执行
# Sign devuser's certificate with the cluster CA using the "kubernetes"
# profile from ca-config.json. cfssljson -bare writes devuser.pem,
# devuser-key.pem (the user's private key, keep it private) and
# devuser.csr. Run this from the directory holding the CA files.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  devuser-csr.json \
  | cfssljson -bare devuser
设置集群参数:
# Cluster entry "k8s" in a fresh kubeconfig for devuser. --embed-certs
# inlines ca.pem so the file is self-contained when handed to the user.
kubectl config set-cluster k8s \
  --server=https://192.168.124.61:6443 \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --kubeconfig=/root/devuser.conf
设置上下文参数:
# Context "dev@k8s" ties cluster k8s to the devuser credentials (added by
# the set-credentials step). No --namespace is given, so the context uses
# the default namespace; the Role and RoleBinding below must live there.
kubectl config set-context dev@k8s \
  --cluster=k8s \
  --user=devuser \
  --kubeconfig=/root/devuser.conf
设置客户端参数
# User entry "devuser". The client certificate and its private key are
# embedded, so from here on /root/devuser.conf contains a private key and
# must be treated (and protected) like one.
kubectl config set-credentials devuser \
  --client-certificate=devuser.pem \
  --client-key=devuser-key.pem \
  --embed-certs=true \
  --kubeconfig=/root/devuser.conf
切换context
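# Fix: the kubeconfig written by the set-cluster / set-context /
# set-credentials steps is /root/devuser.conf. Pointing these commands at
# /root/dev.conf would create a new, empty file in which context dev@k8s
# does not exist.
kubectl config use-context dev@k8s --kubeconfig=/root/devuser.conf
# view redacts the embedded certificate/key data by default.
kubectl config view --kubeconfig=/root/devuser.conf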
创建系统用户
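# Create the Linux account "dev" and hand it the kubeconfig.
useradd dev
mkdir -p /home/dev/.kube
# Fix: the kubeconfig built above is /root/devuser.conf, not /root/dev.conf.
cp -- /root/devuser.conf /home/dev/.kube/config
# The file embeds devuser's private key; a plain cp leaves it with the
# default (typically world-readable) mode, so restrict it to the owner
# before handing ownership to dev.
chmod 600 /home/dev/.kube/config
# 'user:group' is the portable spelling; 'user.group' is a deprecated GNU form.
chown -R dev:dev /home/dev/
su - dev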
创建Role
# Namespaced Role granting read-only access to Pods. metadata carries no
# namespace, so the object lands in whatever namespace kubectl is pointed
# at when it is applied.
cat > pods-reader.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
创建Rolebinding
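# RoleBinding that grants pods-reader to the certificate user in this
# namespace.
# Fix: the subject must be the Kubernetes user name, which comes from the
# certificate CN ("devuser", see devuser-csr.json and set-credentials).
# The original bound "dev", the Linux account name, which no certificate
# presents, so the binding never applied and devuser had no access.
cat > test-pods-reader.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cbmljs-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: devuser
EOF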