原文:https://hbayraktar.medium.com/how-to-create-a-user-in-a-kubernetes-cluster-and-grant-access-bfeed991a0ef
1.使用 openssl 生成密钥对和 CSR(Certificate Signing Request)。私钥应在开发者自己的机器上生成并保存,只把 CSR 文件交给集群管理员,私钥不应离开用户。
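# Generate the developer's private key and a CSR. The CN of the CSR subject is
# what the API server will use as the Kubernetes username.
# Run this on the developer's own machine: only developer.csr is handed to the
# cluster admin; developer.key must never leave the user.
# umask 077 makes the key file 0600 at creation instead of world-readable.
(umask 077 && openssl genrsa -out developer.key 2048)
# Keep the subject to the intended CN only: an /O= component would be mapped
# to a Kubernetes group, and groups like system:masters are what whoever
# approves the CSR must watch for.
openssl req -new -key developer.key -out developer.csr -subj "/CN=developer"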
2.创建CSR YAML文件
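# CertificateSigningRequest template; <Base64_encoded_CSR> is substituted by the
# next step with the base64 of the whole PEM file.
cat <<'EOF' > csr_template.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer-csr
spec:
  request: <Base64_encoded_CSR>
  # Built-in signer for client certificates accepted by the API server.
  # Requests for it are not auto-approved; an admin must approve explicitly.
  signerName: kubernetes.io/kube-apiserver-client
  # Kubernetes has no client-certificate revocation: once issued, the cert is
  # valid until it expires (default lifetime is a year). Request a short
  # lifetime (24h here) and re-issue as needed. The signer may cap the value
  # (kube-controller-manager --cluster-signing-duration); the field requires
  # Kubernetes >= 1.22 — drop it on older clusters.
  expirationSeconds: 86400
  usages:
    - client auth
EOF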
3.使用base64编码developer.csr文件中的内容,替换<Base64_encoded_CSR>
# Base64-encode the PEM CSR as one line (the CSR object expects the entire PEM,
# BEGIN/END header lines included) and splice it into the template.
# '|' is a safe sed delimiter: the base64 alphabet is only A-Z a-z 0-9 + / =.
CSR_CONTENT=$(base64 < developer.csr | tr -d '\n')
sed "s|<Base64_encoded_CSR>|${CSR_CONTENT}|" csr_template.yaml > developer_csr.yaml
4.在 Kubernetes 中创建 CSR 并审批。审批前务必核对 CSR 请求的 Subject:CN 会成为用户名,O 会成为用户组,盲目 approve 等于把 CSR 里声明的任何身份签发给对方。
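# Submit the CSR object
kubectl create -f developer_csr.yaml
# List CSRs; CONDITION stays Pending until someone approves
kubectl get csr
# Before approving, look at what the request actually asks for. The issued
# certificate's subject becomes the caller's identity: CN is the username and
# every O= is a group, so a CSR carrying e.g. O=system:masters would become
# cluster-admin the moment it is approved. Expect only the developer CN here
# (printed as "subject=CN = developer" or "subject=/CN=developer" depending on
# the openssl version); otherwise `kubectl certificate deny developer-csr`.
kubectl get csr developer-csr -o jsonpath='{.spec.request}' | base64 --decode | openssl req -noout -subject
# Approve only once the subject matches. This needs RBAC on
# certificatesigningrequests/approval, normally a cluster admin.
kubectl certificate approve developer-csr
# The signed certificate (base64 PEM) shows up in .status.certificate once
# the signer has issued it
kubectl get csr developer-csr -o jsonpath='{.status.certificate}'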
5.导出通过的CSR证书
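# Export the issued certificate. .status.certificate is empty until the signer
# has acted (CONDITION "Approved,Issued"); the original one-liner then silently
# wrote an empty developer.crt, so check before writing.
CERT_B64=$(kubectl get csr developer-csr -o jsonpath='{.status.certificate}')
if [ -n "$CERT_B64" ]; then
  printf '%s' "$CERT_B64" | base64 --decode > developer.crt
  # Sanity-check what was issued: subject, issuer and validity window
  openssl x509 -in developer.crt -noout -subject -issuer -dates
else
  echo "developer-csr has no issued certificate yet; see: kubectl get csr developer-csr" >&2
fi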
6.生成新的 kubeconfig 文件(--embed-certs 会把私钥一并写入该文件,因此这个文件本身就是凭据,需按 0600 保存并通过安全渠道交给开发者)
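# Build a standalone kubeconfig for the developer.
# Look at the admin config first to find the API server address and CA:
kubectl config view
# The original hard-coded the k3s node-local values; they only work when run on
# the server node itself. Override API_SERVER with the address developers
# actually reach, and CA_CERT with the cluster CA file if it lives elsewhere.
API_SERVER="${API_SERVER:-https://127.0.0.1:6443}"
CA_CERT="${CA_CERT:-/var/lib/rancher/k3s/server/tls/server-ca.crt}"
# Cluster entry; the CA is embedded so the file is self-contained
kubectl config set-cluster kubernetes \
  --server="$API_SERVER" \
  --certificate-authority="$CA_CERT" \
  --embed-certs=true \
  --kubeconfig=developer.kubeconfig
# User entry. --embed-certs copies developer.key into the kubeconfig, so from
# here on the file is a credential: keep it 0600 and hand it over out-of-band.
kubectl config set-credentials developer \
  --client-certificate=developer.crt \
  --client-key=developer.key \
  --embed-certs=true \
  --kubeconfig=developer.kubeconfig
# Context tying user, cluster and default namespace together
kubectl config set-context developer-context \
  --cluster=kubernetes \
  --namespace=default \
  --user=developer \
  --kubeconfig=developer.kubeconfig
kubectl config use-context developer-context --kubeconfig=developer.kubeconfig
# Make sure the embedded private key is not readable by other local users
chmod 600 developer.kubeconfig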
7.创建 ClusterRole 并通过命名空间级的 RoleBinding 绑定给用户。RoleBinding 引用 ClusterRole 时,权限只在 RoleBinding 所在的命名空间(这里是 default)内生效;按最小权限原则列出所需资源,不要用 "*" 通配。
#创建ClusterRole
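# Least-privilege role for the developer.
# The original granted resources: ["*"] and verbs: ["*"] on the core,
# extensions and apps groups. Inside the bound namespace that includes reading
# Secrets, exec/attach into pods and using any ServiceAccount — effectively
# namespace admin. Enumerate what the workflow needs instead (the list below
# still covers the "get pods" / "run nginx" test at the end); extend it to the
# real workflow, or bind the built-in "edit" ClusterRole if that fits better.
# NOTE: create on pods still lets the user mount any Secret and run as any
# ServiceAccount of the namespace, so the namespace is the trust boundary.
# The legacy "extensions" group is dropped; current clusters serve the
# workload resources from "apps".
cat <<'EOF' > developer-cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF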
#绑定用户和ClusterRole
# Bind the ClusterRole to user "developer" with a *namespaced* RoleBinding.
# Referencing a ClusterRole from a RoleBinding grants its rules only inside
# metadata.namespace (default here); a ClusterRoleBinding would grant them
# cluster-wide, so do not "upgrade" the kind casually.
# The subject name must equal the certificate CN chosen in step 1.
cat <<'EOF' > developer-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: default
subjects:
  - kind: User
    name: developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
EOF
# Create the ClusterRole and the RoleBinding (run with admin credentials)
kubectl apply -f developer-cluster-role.yaml,developer-role-binding.yaml
8.测试用户
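# Verify the new identity end to end: the embedded client cert (CN=developer)
# must authenticate, and RBAC must allow only what the RoleBinding in
# "default" grants.
# Ask the API server what this user may do instead of guessing
# (auth whoami needs kubectl/cluster >= 1.27; skip it on older versions)
kubectl --kubeconfig=developer.kubeconfig auth whoami
kubectl --kubeconfig=developer.kubeconfig auth can-i --list
# Positive checks inside the bound namespace
kubectl --kubeconfig=developer.kubeconfig get pods
kubectl --kubeconfig=developer.kubeconfig run nginx --image=nginx
kubectl --kubeconfig=developer.kubeconfig get pods
# Negative check: the binding is namespaced, so another namespace must be
# "Forbidden". If this succeeds, the role was bound cluster-wide by mistake.
kubectl --kubeconfig=developer.kubeconfig get pods -n kube-system
# Clean up the test pod
kubectl --kubeconfig=developer.kubeconfig delete pod nginx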