生成私钥。注意：mkt.key 就是这个用户的身份凭证，后面会看到谁持有这把私钥谁就是 "mkt"，请像保管密码一样保管它（建议 chmod 600 mkt.key，且不要随意拷贝到其他机器）
$ openssl genrsa --out mkt.key 2048
根据私钥生成 csr
CN 设为 mkt：apiserver 会把客户端证书的 CN 当作用户名（O 当作组名，见文末补充）
$ openssl req -new -key mkt.key -out mkt.csr -subj "/CN=mkt"
用 apiserver 的集群 CA 直接签发 crt。注意几点：1) 这里直接拿控制面上的 CA 私钥 /etc/kubernetes/pki/ca.key 签名，绕过了 Kubernetes 自带的 CSR 审批流程（CertificateSigningRequest + kubectl certificate approve，signer 为 kubernetes.io/kube-apiserver-client），生产环境建议走 CSR API，便于审批和审计；2) -days 1095 即 3 年有效期偏长，kube-apiserver 不检查 CRL/OCSP，证书一旦泄露只能靠删除其 RBAC 绑定或轮换 CA 来失效，建议缩短有效期；3) 没有传 -extfile，生成的是 v1 证书（见下面的 Version: 1），不带 extendedKeyUsage=clientAuth 等扩展
$ openssl x509 -req -in mkt.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out mkt.crt -days 1095
Signature ok
subject=CN = mkt
Getting CA Private Key
生成文件:
root@master1:~/tmp# ls
mkt.crt mkt.csr mkt.key
查看证书，确认 Issuer 是集群 CA（CN = kubernetes）、Subject 是 CN = mkt、有效期符合预期；同时注意 Version: 1，说明上一步没有加 v3 扩展
$ openssl x509 -in mkt.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
01:60:fb:9a:ce:5e:59:28:b0:e3:d6:76:90:99:eb:52:41:a5:b9:86
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Jan 3 06:44:53 2024 GMT
Not After : Jan 2 06:44:53 2027 GMT
Subject: CN = mkt
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d2:52:66:f1:f9:66:b6:9d:26:12:0e:1b:87:5d:
38:bb:56:a3:b0:ce:e1:49:91:b5:f5:cb:35:28:93:
1f:c8:55:7c:db:21:fc:84:ba:e9:15:27:e6:f9:fb:
38:19:0c:73:7a:0b:71:85:d9:66:f4:e4:5e:1c:3b:
6f:ea:b4:2b:e7:42:45:b2:96:fb:b9:74:97:f0:58:
e7:ec:dd:04:54:05:81:37:45:e8:e1:13:d5:01:2e:
7e:34:48:63:63:56:90:b1:83:a7:79:c7:76:ee:03:
9c:1a:f6:e0:18:86:7b:12:54:c6:0f:fc:d3:63:4e:
62:f3:bc:ad:4a:c7:5e:a0:73:88:1e:df:46:72:c8:
e2:84:11:5c:07:0c:23:58:81:f5:6d:15:9e:1c:48:
fa:f5:76:1a:2b:0f:56:90:76:4f:06:3a:74:af:15:
87:23:c1:cf:04:69:fd:a1:91:d2:53:64:f8:02:da:
58:59:f2:ce:13:b2:40:91:da:fe:4d:2f:24:bf:fe:
6a:b7:ff:01:d8:4b:04:02:ab:f2:d6:e6:c2:61:af:
12:1e:53:ad:1a:cc:07:ee:f5:f1:d1:84:ef:67:01:
ba:80:cf:21:61:87:bc:bb:d9:e6:25:de:b4:d7:23:
76:67:bb:b0:db:89:d0:53:c6:13:fa:31:30:32:5e:
ba:f3
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
86:3a:a2:70:d1:10:88:4f:b7:16:2b:76:37:52:2b:7d:c0:0b:
34:f9:fa:d3:ca:19:be:e8:20:5a:d6:e8:dd:19:46:4b:85:dd:
b2:aa:74:3a:61:b1:96:a6:1c:8e:3c:fc:1f:5f:17:28:6e:0e:
cc:be:e8:f9:f9:2f:02:cb:47:89:34:a3:9b:6b:d2:e6:3e:a4:
e3:99:c4:cd:f9:2b:fe:bc:79:e1:d2:02:84:a3:e0:6c:90:e4:
c9:76:1e:d8:52:56:96:61:f6:83:8d:f5:41:6f:50:49:ab:08:
24:32:e5:b1:1c:16:88:39:2e:a9:38:93:cd:32:df:f8:dc:c2:
32:c1:3d:14:fd:cf:ac:42:74:53:47:a9:e1:20:fc:88:3a:e3:
87:c7:b0:49:b2:46:11:0a:9f:1a:f3:d6:c4:1e:2d:7c:68:75:
87:08:43:ff:95:20:46:f3:8a:61:cc:54:72:bf:81:d8:2b:92:
f1:0d:f8:ae:2e:b9:16:f1:f0:b3:a7:8e:0a:93:c4:0b:a1:c4:
c3:bd:58:a0:e2:e1:f8:96:40:12:cd:de:97:54:a3:14:4c:fe:
37:61:e2:83:1b:50:2e:f9:a3:96:3e:6d:d2:09:67:56:63:07:
98:8c:14:33:69:e1:24:66:d2:20:33:2e:30:8f:92:a9:61:02:
7a:1a:97:49
查看当前 kubeconfig（此时 users 下只有 kubernetes-admin）
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://11.0.1.150:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
创建 k8s 用户。严格来说 Kubernetes 没有 User 对象，这一步只是在本地 kubeconfig 的 users 列表里加了一条凭证；--embed-certs=true 会把证书和私钥以 base64 形式写进 kubeconfig（下面的 client-key-data），所以这个 kubeconfig 文件本身就等同于私钥，同样要限制权限（chmod 600）并避免外泄
$ kubectl config set-credentials mkt --client-certificate=mkt.crt --client-key=mkt.key --embed-certs=true
User "mkt" set.
查看 kubeconfig
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://11.0.1.150:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
- name: mkt
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
以 mkt 用户查看 pod（此时还没有任何 RBAC 绑定，预期会被拒绝）
$ k get po -A --user mkt
Error from server (Forbidden): pods is forbidden: User "mkt" cannot list resource "pods" in API group "" at the cluster scope
新建一个 context
$ k config set-context mkt@kubernetes --cluster kubernetes --user mkt
切换 context
$ k config use-context mkt@kubernetes
$ k get po -A # 默认用户已为 mkt
Error from server (Forbidden): pods is forbidden: User "mkt" cannot list resource "pods" in API group "" at the cluster scope
报错信息里的 User "mkt" 就是证书（csr）里的 CN：apiserver 从客户端证书的 CN 取用户名，而不是 kubeconfig 里 users 条目的名字
为用户绑定 role
# 再用同一对证书/私钥创建 2 个名字不同的 kubeconfig 用户条目（user1、user2），用来验证身份到底取自哪里
$ kubectl config set-credentials user1 --client-certificate mkt.crt --client-key mkt.key --embed-certs=true
$ kubectl config set-credentials user2 --client-certificate mkt.crt --client-key mkt.key --embed-certs=true
# 创建 clusterrole。注意 --verb='*' 会给 pods 资源在所有 namespace 下的全部动词（含 create/delete/patch），拿到它的用户可以在任意 namespace 创建 pod，这是很容易被用来提权的权限；演示可以，生产环境请按最小权限给 get,list,watch，并优先用 namespace 级别的 Role/RoleBinding
$ kubectl create clusterrole podsOwe --verb='*' --resource=pods
# 创建 clusterrolebinding：--user=mkt 指的是证书 CN，而不是 kubeconfig 里的 user1/user2
$ kubectl create clusterrolebinding pods-binding --clusterrole=podsOwe --user=mkt
分别用 user1、user2 查看 pod（两者提交的其实是同一张 CN=mkt 的证书，输出相同，下面只贴一份）
$ kubectl get po -A --user=user1
$ kubectl get po -A --user=user2
calico-apiserver calico-apiserver-69fc754d76-9w7p6 1/1 Running 4 (103m ago) 3d23h
calico-apiserver calico-apiserver-69fc754d76-kdxt4 1/1 Running 4 (103m ago) 3d23h
calico-system calico-kube-controllers-b9dcc57c4-gzlhk 1/1 Running 4 (103m ago) 3d23h
calico-system calico-node-5jckf 1/1 Running 4 (103m ago) 3d23h
calico-system calico-node-gq882 1/1 Running 4 (103m ago) 3d23h
calico-system calico-node-zksvz 1/1 Running 4 (101m ago) 3d22h
calico-system calico-typha-5cdb9d5d59-tnjzh 1/1 Running 4 (103m ago) 3d23h
calico-system calico-typha-5cdb9d5d59-z7tnk 1/1 Running 4 (101m ago) 3d22h
calico-system csi-node-driver-j4648 2/2 Running 8 (103m ago) 3d23h
calico-system csi-node-driver-jf548 2/2 Running 8 (101m ago) 3d22h
......
我们把 clusterrolebinding 绑给的是 mkt，但 user1、user2 均能获取 pod
说明：apiserver 识别的用户身份来自客户端证书的 CN，kubeconfig 里的 user 名字只是本地别名；换句话说，谁持有 mkt.key/mkt.crt（或内嵌了它们的 kubeconfig）谁就是 mkt，这也是为什么私钥和 kubeconfig 必须严格保护
补充：证书的 O（Organization）字段会被当作组名（可以有多个 O），RBAC 绑定组时用 --group=&lt;O&gt;；特别注意 system:masters 这个组默认拥有 cluster-admin 权限，用集群 CA 签发证书时绝不要把 O 设成 system:masters，否则这张证书就是无法吊销的集群管理员凭证