k8s 创建 kubeconfig 用户授权证书文件 用于 kubectl 访问集群

k8s_secret_kubeconfig

  • TSSC

2.创建用户授权-kubeconfig

  • 需要使用 openssl 工具手动创建单用户的证书文件（注意：kube-apiserver 不检查证书吊销列表，客户端证书签发后无法吊销，只能等到期或更换 CA，因此有效期不宜过长，证书和私钥要按机密信息保管）
  • 用于命令行管理 k8s 集群

2.1.创建用户证书文件

  • user: devuser
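# Create the directory that will hold per-user keys and certificates.
# It sits next to the cluster CA, so restrict it: the user's private key is
# written here before it is embedded into the kubeconfig. Abort if the pki
# directory is missing rather than silently creating users/ somewhere else.
cd /etc/kubernetes/pki || exit 1
mkdir -p users
chmod 700 users
cd users/ || exit 1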

# 创建 openssl.cnf 配置文件
vim openssl.cnf
------------------------
# openssl.cnf: extension profiles for certificates signed by the cluster CA.
# Only [ v3_req_client ] is referenced on this page (openssl x509 -extensions v3_req_client).
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name

# Intentionally empty: the subject (CN = user, O = group) is passed with -subj.
[req_distinguished_name]

# NOTE(review): not used by the user-cert workflow. CA:TRUE + keyCertSign would
# make any cert signed with "-extensions v3_ca" able to sign further certificates,
# so never pick this profile for a user.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

# Profile for TLS server certificates (serverAuth); not used on this page.
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# Profile for kubectl client certificates: CA:FALSE and clientAuth only, so the
# cert can neither be presented as a server nor sign other certificates.
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
------------------------

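# Identity of the user being issued a certificate.
# CN becomes the Kubernetes username; O becomes the user's *group*.
# Never put system:masters in O: that group bypasses RBAC entirely.
USER_NAME=${USER_NAME:-devuser}
USER_GROUP=${USER_GROUP:-zuiyoujie}
# kube-apiserver does not check CRLs/OCSP for client certificates, so a leaked
# cert stays valid until it expires or the CA is rotated. Keep the lifetime
# short (the original page used 3650 days) and reissue when needed.
CERT_DAYS=${CERT_DAYS:-365}

# Private key. OpenSSL writes it 0600; chmod makes that explicit. The key is a
# credential and should leave this host only inside the kubeconfig built in 2.2.
# NOTE(review): generating the key on the control plane is convenient but means
# the admin holds the user's secret; the CertificateSigningRequest API lets the
# user generate the key locally and submit only the CSR.
openssl genrsa -out "${USER_NAME}.key" 2048
chmod 600 "${USER_NAME}.key"

# Certificate signing request carrying the username and group.
openssl req -new -key "${USER_NAME}.key" \
  -subj "/CN=${USER_NAME}/O=${USER_GROUP}" \
  -out "${USER_NAME}.csr"

# Sign with the cluster CA using the clientAuth-only profile from openssl.cnf.
# -CAcreateserial writes ../ca.srl on first use.
openssl x509 -req -in "${USER_NAME}.csr" \
  -CA ../ca.crt -CAkey ../ca.key -CAcreateserial \
  -extensions v3_req_client -extfile openssl.cnf \
  -out "${USER_NAME}.crt" -days "${CERT_DAYS}"

# Check what was actually issued: chains to the CA, expected subject/dates,
# and "SSL client : Yes" in the purpose list.
openssl verify -CAfile ../ca.crt "${USER_NAME}.crt"
openssl x509 -in "${USER_NAME}.crt" -noout -subject -dates -purpose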

2.2.使用用户证书生成 kubeconfig 配置文件

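# Replace the {{...}} placeholders with the real kube-apiserver address and
# cluster name (or export the variables before running this section).
KUBE_APISERVER=${KUBE_APISERVER:-"https://{{K8S_MASTER_IP}}:6443"}
CLUSTER_NAME=${CLUSTER_NAME:-"{{K8S_CLUSTER_NAME}}"}
USER_NAME=${USER_NAME:-devuser}
# Output kubeconfig; the original page writes it as ./devuser.
KUBECONFIG_OUT=${KUBECONFIG_OUT:-${USER_NAME}}

# Cluster entry: the CA that signed the apiserver's serving cert plus its URL.
# --embed-certs inlines the PEM so the file is self-contained and does not
# point back into /etc/kubernetes/pki.
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority=../ca.crt \
  --server="${KUBE_APISERVER}" \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_OUT}"

# User entry: client certificate and key, also embedded. From this point on
# the kubeconfig contains the private key and must be handled as a secret.
kubectl config set-credentials "${USER_NAME}" \
  --client-certificate="${USER_NAME}.crt" \
  --client-key="${USER_NAME}.key" \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_OUT}"

# Context: which cluster/user pair kubectl uses, with a default namespace.
kubectl config set-context "${CLUSTER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --namespace=test01 \
  --user="${USER_NAME}" \
  --kubeconfig="${KUBECONFIG_OUT}"

kubectl config use-context "${CLUSTER_NAME}" --kubeconfig="${KUBECONFIG_OUT}"

# kubectl already writes the file 0600; make it explicit. The resulting file
# (named after the user) is what gets handed over, e.g. as ~/.kube/config.
# It authenticates the user but grants nothing until the RBAC objects from
# sections 2.3 and 2.4 exist.
chmod 600 "${KUBECONFIG_OUT}"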

2.3.配置 namespace 的访问授权

  • 为单个用户 devuser 创建 namespace 的相关授权,用于查看和切换 namespace（namespace 是集群级资源，所以这里用 ClusterRoleBinding：用户能看到集群中所有 namespace 的名称，但看不到其中的资源）
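# Working directory for the RBAC manifests. Stop if cd fails so the manifest
# is not created in whatever directory we happen to be in.
mkdir -p /opt/k8s/grant
cd /opt/k8s/grant || exit 1
vim k8s_create_kubeconfig_ClusterRoleNamespace.yaml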
-------------------------------
# RBAC for namespace discovery: lets an ordinary user run `kubectl get ns`
# and switch between namespaces. Namespaces are cluster-scoped, so this has
# to be a ClusterRole bound with a ClusterRoleBinding.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devuser-ns
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list]

# Bind the read-only namespace role to the certificate user (CN=devuser).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devuser-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser-ns
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: devuser
---------------------------------

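# Apply the manifest, then confirm the binding took effect by asking the API
# server what devuser may do (impersonation; run as an admin).
kubectl apply -f k8s_create_kubeconfig_ClusterRoleNamespace.yaml
kubectl auth can-i list namespaces --as=devuser   # expected: yes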

2.4.配置 k8s 集群的操作权限

  • 为单个用户 devuser 创建 k8s 集群的操作权限
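# Same working directory as 2.3; abort if it cannot be entered.
mkdir -p /opt/k8s/grant
cd /opt/k8s/grant || exit 1
vim k8s_create_kubeconfig_ClusterRoleUser.yaml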
--------------------------------
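# Permissions for the user; bound per namespace by the RoleBindings below.
# NOTE(review): `create` on pods together with `create` on pods/exec and
# pods/attach is effectively shell access to every workload in the bound
# namespaces, and a user who can create pods can mount host paths or run
# privileged unless Pod Security admission (or an equivalent policy) forbids
# it. Grant this set only where that is acceptable.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devuser
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
  # `describe` is not an RBAC verb (kubectl describe only needs get/list), so
  # it is dropped here; the effective permissions are unchanged.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/log
      - pods/status
      - configmaps
      - services
    verbs:
      - get
      - list
      - watch
      - create
  # Workload controllers. `extensions` is kept for very old clusters; these
  # resources were removed from that group in Kubernetes 1.16.
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - deployments/status
      - replicasets
      - replicasets/status
      - daemonsets
      - daemonsets/status
    verbs:
      - get
      - list
      - watch
  # Ingress lives in networking.k8s.io (extensions/v1beta1 Ingress was removed
  # in 1.22, and `ingresses` never existed in the apps group), so the original
  # rule granted no ingress access on current clusters.
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - ingresses
      - ingresses/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch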
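# Bind the ClusterRole to devuser in each namespace the user may work in.
# A RoleBinding that references a ClusterRole scopes it to that namespace
# only, so the user gets nothing in namespaces not listed here.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has
# been available since 1.8 and is what the ClusterRole on this page uses.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test01
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test02
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test03
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io
---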
---------------------------------

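# Apply the manifest, then verify the effective permissions by impersonating
# the user (run as an admin). The last two checks confirm the grant is bounded:
# no secrets, and nothing in namespaces that have no RoleBinding.
kubectl apply -f k8s_create_kubeconfig_ClusterRoleUser.yaml
kubectl auth can-i list pods -n test01 --as=devuser                       # expected: yes
kubectl auth can-i create pods --subresource=exec -n test01 --as=devuser  # expected: yes
kubectl auth can-i get secrets -n test01 --as=devuser                     # expected: no (unless bound elsewhere)
kubectl auth can-i list pods -n default --as=devuser                      # expected: no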

2.5.检查绑定的授权规则

[root@zuiyoujie grant]# kubectl describe clusterrole devuser
Name:                            devuser
Labels:                          rbac.zuiyoujie.com/name=devuser
Annotations:                     PolicyRule:
  Resources                      Non-Resource URLs  Resource Names  Verbs
  ---------                      -----------------  --------------  -----
  configmaps                     []                 []              [get list watch create describe]
  pods/attach                    []                 []              [get list watch create describe]
  pods/exec                      []                 []              [get list watch create describe]
  pods/log                       []                 []              [get list watch create describe]
  pods/status                    []                 []              [get list watch create describe]
  pods                           []                 []              [get list watch create describe]
  services                       []                 []              [get list watch create describe]
  daemonsets.apps/status         []                 []              [get list watch describe]
  daemonsets.apps                []                 []              [get list watch describe]
  deployments.apps/status        []                 []              [get list watch describe]
  deployments.apps               []                 []              [get list watch describe]
  ingresses.apps/status          []                 []              [get list watch describe]
  ingresses.apps                 []                 []              [get list watch describe]
  replicasets.apps/status        []                 []              [get list watch describe]
  replicasets.apps               []                 []              [get list watch describe]
  daemonsets.extensions/status   []                 []              [get list watch describe]
  daemonsets.extensions          []                 []              [get list watch describe]
  deployments.extensions/status  []                 []              [get list watch describe]
  deployments.extensions         []                 []              [get list watch describe]
  ingresses.extensions/status    []                 []              [get list watch describe]
  ingresses.extensions           []                 []              [get list watch describe]
  replicasets.extensions/status  []                 []              [get list watch describe]
  replicasets.extensions         []                 []              [get list watch describe]
  nodes.metrics.k8s.io           []                 []              [get list watch]
  pods.metrics.k8s.io            []                 []              [get list watch]

[root@zuiyoujie grant]# kubectl describe clusterrole devuser-ns
Name:         devuser-ns
Labels:       rbac.zuiyoujie.com/name=devuser
Annotations:  PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  namespaces  []                 []              [get list]