
Original: https://hbayraktar.medium.com/how-to-create-a-user-in-a-kubernetes-cluster-and-grant-access-bfeed991a0ef

1. Generate a key pair and a CSR (Certificate Signing Request) with openssl

openssl genrsa -out developer.key 2048
openssl req -new -key developer.key -out developer.csr -subj "/CN=developer"

2. Create the CSR YAML file

cat <<EOF > csr_template.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer-csr
spec:
  request: <Base64_encoded_CSR>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

3. Base64-encode the contents of developer.csr and substitute the result for <Base64_encoded_CSR>

CSR_CONTENT=$(cat developer.csr | base64 | tr -d '\n')
sed "s|<Base64_encoded_CSR>|$CSR_CONTENT|" csr_template.yaml > developer_csr.yaml

4. Create the CSR in Kubernetes

# create the CSR object
kubectl create -f developer_csr.yaml
# list CSRs (the new one shows as Pending)
kubectl get csr
# approve the CSR (an admin action; the kube-apiserver-client signer never auto-approves)
kubectl certificate approve developer-csr
# view the issued certificate (base64-encoded)
kubectl get csr developer-csr -o jsonpath='{.status.certificate}'

5. Export the issued certificate

kubectl get csr developer-csr -o jsonpath='{.status.certificate}' | base64 --decode > developer.crt

6. Generate a new kubeconfig file

# view the current cluster configuration (server URL and CA)
kubectl config view
# create a new kubeconfig from the current cluster info. The server address and CA path below come from the author's k3s node: use an API server address the developer can actually reach, and the CA that the API server's serving certificate chains to
kubectl config set-cluster kubernetes --server=https://127.0.0.1:6443 --certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --embed-certs=true --kubeconfig=developer.kubeconfig
# set the user's credentials: the issued certificate and the private key from step 1
kubectl config set-credentials developer --client-certificate=developer.crt --client-key=developer.key --embed-certs=true --kubeconfig=developer.kubeconfig
# set the user's context
kubectl config set-context developer-context --cluster=kubernetes --namespace=default --user=developer --kubeconfig=developer.kubeconfig
# switch to the user's context
kubectl config use-context developer-context --kubeconfig=developer.kubeconfig

7. Add a ClusterRole for the user and set the access permissions

# create the ClusterRole. "*" verbs on "*" resources is very broad: it covers every resource in the core, extensions and apps groups, secrets and pods/exec included. The extensions group no longer serves any resources on current clusters and is listed only for compatibility
cat <<EOF > developer-cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
EOF
# bind the user to the ClusterRole. Because this is a RoleBinding (not a ClusterRoleBinding), the permissions apply only in the default namespace
cat <<EOF > developer-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: default
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer-role
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f developer-cluster-role.yaml -f developer-role-binding.yaml

8. Test the user

kubectl --kubeconfig=developer.kubeconfig get pods
kubectl --kubeconfig=developer.kubeconfig run nginx --image=nginx
kubectl --kubeconfig=developer.kubeconfig get pods
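The steps above never look inside the certificate the cluster issued, yet that certificate is the user's identity: kube-apiserver takes the username from the subject CN and the groups from the subject O values, and it will only accept the certificate for client use if it chains to the CA the API server trusts for clients and carries the clientAuth extended key usage. The script below is an added example, not code from the original article or from the Medium post it translates. It builds the CSR manifest from step 2 without the sed substitution, and adds the checks a practitioner would run on developer.crt before handing out the kubeconfig. Because it has to run without a cluster, make_demo_certs fabricates a throwaway CA and signs a client certificate the way the kube-apiserver-client signer would; the CA name, the O=dev-team group and the file names are constructed assumptions. Only openssl and coreutils are required.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Builds the CSR manifest without a sed
# substitution and checks what identity the API server will derive from the issued
# certificate. Needs only openssl and coreutils; make_demo_certs fabricates a throwaway
# CA and client cert (CN=developer, O=dev-team are constructed values) so it runs offline.
set -eu

# Emit a CertificateSigningRequest manifest for a PEM CSR file. The request field is
# the base64 of the entire PEM, header lines included, on one line.
render_csr_manifest() {   # render_csr_manifest <csr-name> <pem-csr-file>
  local req
  req=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $req
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Print the identity kube-apiserver derives from an X.509 client certificate:
# username = subject CN, groups = every subject O. Assumes no escaped commas in RDN values.
cert_identity() {   # cert_identity <pem-cert-file>
  local subj cn groups
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  cn=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p' | sed -n '1p')
  groups=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^O=//p' | paste -sd, -)
  printf 'user=%s groups=%s\n' "$cn" "$groups"
}

# Succeed only if the certificate carries the clientAuth extended key usage, the only
# EKU the kubernetes.io/kube-apiserver-client signer permits. Go's TLS stack, which the
# API server uses, rejects a client certificate whose EKU is present but lacks clientAuth.
cert_has_client_auth() {   # cert_has_client_auth <pem-cert-file>
  local eku
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' || true)
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if the certificate chains to the given CA. Against a real cluster, pass
# the CA the API server trusts for client certificates (its --client-ca-file), which is
# not necessarily the CA that signs the serving certificate referenced in the kubeconfig.
cert_signed_by() {   # cert_signed_by <pem-cert-file> <pem-ca-file>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the cluster signer: a throwaway CA plus a client certificate
# issued with the same key usages the kube-apiserver-client signer applies.
make_demo_certs() {   # make_demo_certs <dir>
  local d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/ca.key" -subj "/CN=demo-cluster-ca" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" -days 1 -out "$d/ca.crt" 2>/dev/null
  # Same two commands as step 1 of the article, plus an O= so the cert also carries a group.
  openssl genrsa -out "$d/developer.key" 2048 2>/dev/null
  openssl req -new -key "$d/developer.key" -out "$d/developer.csr" -subj "/CN=developer/O=dev-team" 2>/dev/null
  openssl x509 -req -in "$d/developer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/client.ext" -days 1 -out "$d/developer.crt" 2>/dev/null
}

# Stand-alone run on the constructed certs. Against a real cluster, point cert_identity
# and the two checks at the developer.crt exported in step 5.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
render_csr_manifest developer-csr "$demo_dir/developer.csr"
cert_identity "$demo_dir/developer.crt"
cert_has_client_auth "$demo_dir/developer.crt" && echo "EKU: clientAuth present"
cert_signed_by "$demo_dir/developer.crt" "$demo_dir/ca.crt" && echo "chain: signed by demo CA"
rm -rf "$demo_dir"
```

Since the O values become groups, the same mechanism lets you avoid per-user bindings: request the CSR with a subject such as /CN=developer/O=developers and bind the ClusterRole to kind: Group, name: developers instead of to each User. Note also that cert_identity is only meaningful for a certificate that passes cert_signed_by against the client CA; the API server never consults the subject of a certificate it does not trust.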
