1. Issue a client certificate with the k8s CA
1.1 Unpack the certificate management toolkit
Download from:
https://github.com/cloudflare/cfssl/releases
After downloading, it is best to strip the suffix from the file names:

Then move them under /usr/bin:
tar xf baimei-cfssl.tar.gz -C /usr/bin/ && chmod +x /usr/bin/cfssl*
mkdir -p /manifests/rbac/cfssl/user
1.2 Write the certificate request
Expiry: 10 years = 87600 hours
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
1.3 Generate the certificate
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=ca-config.json -profile=kubernetes baimei-csr.json | cfssljson -bare baimei
You can inspect the certificate details with:
cfssl-certinfo -cert baimei.pem
2. Generate the kubeconfig authorization file
2.1 Write the script that generates the kubeconfig file
The goal is to write the certificate files into baimei-linux86.kubeconfig
cat > kubeconfig.sh <<'EOF'
#!/usr/bin/env bash
set -e
# Configure the cluster
# --certificate-authority
#   path to the K8s CA root certificate file
# --embed-certs
#   true: write the contents of the root certificate into the config file;
#   false: the kubeconfig only references the certificate file by path
# --server
#   address of the APIServer
# --kubeconfig
#   name of the kubeconfig file to write
kubectl config set-cluster baimei-linux86 \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://10.0.0.231:6443 \
  --kubeconfig=baimei-linux86.kubeconfig

# Set the client credentials
kubectl config set-credentials baimei \
  --client-key=baimei-key.pem \
  --client-certificate=baimei.pem \
  --embed-certs=true \
  --kubeconfig=baimei-linux86.kubeconfig

# Set the default context
kubectl config set-context linux86 \
  --cluster=baimei-linux86 \
  --user=baimei \
  --kubeconfig=baimei-linux86.kubeconfig

# Set the context currently in use
kubectl config use-context linux86 --kubeconfig=baimei-linux86.kubeconfig
EOF

2.2 Generate the kubeconfig file
bash kubeconfig.sh
3. Create the RBAC authorization policy
3.1 Create the rbac configuration file
cat rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: linux-role-reader
rules:
  # API group. "" is the core group, which includes (but is not limited to) "configmaps", "nodes", "pods", "services", etc.
  # A simple way to think about it for now:
  #    if a resource's apiVersion is apps/v1, its group is the part before "/", i.e. apps.
  #    if a resource's apiVersion is just v1, it is in the core group, written as "".
  # If you are not sure which group a resource belongs to, don't worry: the API server tells you in its error, for example:
  #    User "baimei" cannot list resource "deployments" in API group "apps" in the namespace "default"
  # As shown above, "deployments" belongs to the "apps" API group.
- apiGroups: ["","apps"]
  # Resource types. Short names are not supported; the full name must be used!
  # resources: ["pods","deployments"]
  resources: ["pods","deployments","services"]
  # Verbs allowed on the resources.
  # verbs: ["get", "list"]
  verbs: ["get", "list","delete"]
- apiGroups: ["","apps"]
  resources: ["configmaps","secrets","daemonsets"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: baimei-linux86-resources-reader
  namespace: default
subjects:
  # Subject type
- kind: User
  # User name (for certificate authentication this is the CN of the client certificate)
  name: baimei
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # Role type
  kind: Role
  # Name of the Role to bind
  name: linux-role-reader
  apiGroup: rbac.authorization.k8s.io
3.2 Apply the rbac authorization
kubectl apply -f rbac.yaml
3.3 Access test

kubectl get pods --kubeconfig=baimei-linux86.kubeconfig
kubectl delete pods --all --kubeconfig=baimei-linux86.kubeconfig
kubectl get deploy,ds,svc,cm --kubeconfig=baimei-linux86.kubeconfig
kubectl get deploy,ds --kubeconfig=baimei-linux86.kubeconfig
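To review what linux-role-reader grants before testing against the live cluster, here is an added Python example that is not part of the original post: it evaluates (API group, resource, verb) requests against the Role's rules with the same any-rule-matches logic the API server uses, and reproduces the Forbidden message quoted in the comments above. It ignores resourceNames, subresources and nonResourceURLs, which this Role does not use.

```python
# Added example (not from the original post): an offline evaluator for the
# linux-role-reader Role above. Like the API server, it allows a request if
# ANY rule matches its API group, resource and verb. Simplification: it ignores
# resourceNames, subresources and nonResourceURLs, which the Role does not use.
from typing import Iterable

# Rules transcribed from rbac.yaml above.
LINUX_ROLE_READER = [
    {"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "services"],
     "verbs": ["get", "list", "delete"]},
    {"apiGroups": ["", "apps"], "resources": ["configmaps", "secrets", "daemonsets"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["delete"]},
]

def api_group(api_version: str) -> str:
    """'apps/v1' -> 'apps'; a bare 'v1' is the core group, written as ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""

def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    # RBAC matches exact names (or "*"); short names such as "deploy" never match.
    return "*" in allowed or wanted in allowed

def is_allowed(rules, group: str, resource: str, verb: str) -> bool:
    """True if any rule grants `verb` on `resource` in API group `group`."""
    return any(_matches(group, r["apiGroups"]) and _matches(resource, r["resources"])
               and _matches(verb, r["verbs"]) for r in rules)

def check(user: str, rules, api_version: str, resource: str, verb: str,
          namespace: str = "default") -> str:
    """Return 'yes', or the Forbidden message the API server would print."""
    group = api_group(api_version)
    if is_allowed(rules, group, resource, verb):
        return "yes"
    return (f'User "{user}" cannot {verb} resource "{resource}" '
            f'in API group "{group}" in the namespace "{namespace}"')

if __name__ == "__main__":
    for api_version, resource, verb in [("v1", "pods", "list"),
                                        ("apps/v1", "deployments", "delete"),
                                        ("apps/v1", "daemonsets", "delete"),
                                        ("v1", "secrets", "delete"),
                                        ("apps/v1", "deploy", "list")]:
        print(f"{verb:6} {api_version:8} {resource:11} -> "
              f"{check('baimei', LINUX_ROLE_READER, api_version, resource, verb)}")
```

Note that the Role grants delete on pods and secrets; the evaluator makes such grants visible before the RoleBinding puts them into effect.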
白眉大叔