關于Kubernetes中kube-apiserver使用token、kubeconfig文件認證的一些筆記（kubernetes api server）

寫在前面

學習K8s涉及，整理筆記記憶

博文偏實戰，內容涉及：

token方式的API Server認證Demo

Kubeconfig文件方式的API Server認證Demo

Kubeconfig文件的創建Demo

只有能做到“盡人事而聽天命”，一個人才能永遠保持心情的平衡。 ----- 《季羨林談人生》

API Server認證管理

Kubernetes集群中所有資源的訪問和變更都是通過Kubernetes API Server的REST API來實現的,所以集群安全的關鍵點就在于如何鑒權和授權

一個簡單的Demo,在master節點上,我們通過root用戶可以直接通kubectl來請求API Service從而獲取集群信息,但是我們通過其他用戶登錄就沒有這個權限,這就涉及到k8s的一個認證問題.

root用戶可以正常訪問

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$kubectl get pods NAME READY STATUS RESTARTS AGE liruilong-grafana-5955564c75-zpbjq 3/3 Terminating 0 8h liruilong-kube-prometheus-operator-5cb699b469-fbkw5 1/1 Terminating 0 8h liruilong-prometheus-node-exporter-vm7s9 1/1 Terminating 2 (109m ago) 8h prometheus-liruilong-kube-prometheus-prometheus-0 2/2 Terminating 0 8h ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$

切換tom用戶來訪問，沒有權限，報錯找不到集群ＡＰＩ的位置，那么為什么會這樣呢？

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$su tom [tom@vms81 k8s-helm-create]$ kubectl get pods The connection to the server localhost:8080 was refused - did you specify the right host or port? [tom@vms81 k8s-helm-create]$ exit exit

為了演示認證，我們需要在集群外的機器上安裝一個客戶端工具kubectl，用于和集群的入口api-Service交互

┌──[root@liruilongs.github.io]-[~] └─$ yum install -y kubectl-1.22.2-0 --disableexcludes=kubernetes

可以通過kubectl cluster-info來查看集群的相關信息

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$kubectl cluster-info Kubernetes control plane is running at https://192.168.26.81:6443 CoreDNS is running at https://192.168.26.81:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy Metrics-server is running at https://192.168.26.81:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$

Kubernetes集群提供了3種級別的客戶端身份認證方式

HTTP Token認證：通過一個Token來識別合法用戶。

HTTPS 證書認證：基于CA根證書簽名的雙向數字證書認證方式

HTTP Base認證：通過用戶名+密碼的方式認證，這個只有1.19之前的版本適用，之后的版本不在支持

下面就Token和SSL和小伙伴分享下，Bash因為在高版本的K8s中不在支持，所以我們這里不聊。關于上面的普通用戶范圍集群的問題，我們也會改出解答

HTTP Token認證

HTTP Token的認證是用一個很長的特殊編碼方式的并且難以被模仿的字符串Token來表明客戶身份的一種方式。

每個Token對應一個用戶名,存儲在APIServer能訪問的一個文件中。當客戶端發起API調用請求時,需要在HTTP Header里放入Token,這樣一來, API Server就能識別合法用戶和非法用戶了。

當 API 服務器的命令行設置了--token-auth-file=SOMEFILE選項時，會從文件中 讀取持有者令牌。目前，令牌會長期有效，并且在不重啟 API 服務器的情況下 無法更改令牌列表。下面我們一個通過Demo來演示通過靜態Token的用戶認證,

通過openssl生成一個令牌

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$openssl rand -hex 10 4bf636c8214b7ff0a0fb

令牌文件是一個 CSV 文件，包含至少 3 個列：令牌、用戶名和用戶的 UID。 其余列被視為可選的組名。這里需要注意的是，令牌文件要放到/etc/kubernetes/pki目錄下才可以，可能默認讀取令牌的位置即是這個位置

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$echo "4bf636c8214b7ff0a0fb,admin2,3" > /etc/kubernetes/pki/liruilong.csv ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$cat /etc/kubernetes/pki/liruilong.csv 4bf636c8214b7ff0a0fb,admin2,3

通過Sed添加kube-apiserver服務啟動參數，- --token-auth-file=/etc/kubernetes/pki/liruilong.csv

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$sed '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/liruilong.csv' /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 command - command: - kube-apiserver - --advertise-address=192.168.26.81 - --allow-privileged=true - --token-auth-file=/etc/kubernetes/liruilong.csv - --authorization-mode=Node,RBAC ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$sed -i '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/liruilong.csv' /etc/kubernetes/manifests/kube-apiserver.yaml

檢查修改的啟動參數

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$cat -n /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 command 14 - command: 15 - kube-apiserver 16 - --advertise-address=192.168.26.81 17 - --allow-privileged=true 18 - --token-auth-file=/etc/kubernetes/pki/liruilong.csv 19 - --authorization-mode=Node,RBAC ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$

重啟kubelet服務

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$systemctl restart kubelet ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create] └─$

確認集群能夠正常訪問

┌──[root@vms81.liruilongs.github.io]-[/etc/kubernetes/pki] └─$kubectl get nodes NAME STATUS ROLES AGE VERSION vms81.liruilongs.github.io Ready control-plane,master 34d v1.22.2 vms82.liruilongs.github.io Ready 34d v1.22.2 vms83.liruilongs.github.io NotReady 34d v1.22.2 ┌──[root@vms81.liruilongs.github.io]-[/etc/kubernetes/pki] └─$

在集群外的客戶機訪問集群信息，這里提示我們admin2用戶沒有訪問的權限，說明已經認證成功了，只是沒有權限

┌──[root@liruilongs.github.io]-[~] └─$ kubectl -s="https://192.168.26.81:6443" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0fb" get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "admin2" cannot list resource "pods" in API group "" in the namespace "kube-system" ┌──[root@liruilongs.github.io]-[~] └─$

這里我們修改一些token的字符串，Token和集群的Token文件不對應，會提示我們沒有獲得授權，即認證失敗

┌──[root@liruilongs.github.io]-[~] └─$ kubectl -s="https://192.168.26.81:6443" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0f" get pods -n kube-system error: You must be logged in to the server (Unauthorized)

kubeconfig文件認證

在回到我們之前的那個問題，為什么使用root用戶可以訪問集群信息，但是通過tom用戶去不能夠訪問集群信息，這里就涉及到一個kubeconfig 文件認證的問題

在通過kubeadm創建集群的時候，不知道小伙伴沒還記不記得下面這個文件admin.conf，這個文件就是kubeadm幫我們生成的kubeconfig文件

┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$ll /etc/kubernetes/admin.conf -rw------- 1 root root 5676 12月 13 02:13 /etc/kubernetes/admin.conf ┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$

我們把這個文件拷貝到tom用戶的目錄下，修改權限

┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$cp /etc/kubernetes/admin.conf ~tom/ ┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$chown tom:tom ~tom/admin.conf

這個時候發現通過 --kubeconfig=admin.conf 指定這個文件，就可以訪問集群信息

[tom@vms81 home]$ cd tom/ [tom@vms81 ~]$ ls admin.conf [tom@vms81 ~]$ kubectl get pods The connection to the server localhost:8080 was refused - did you specify the right host or port? [tom@vms81 ~]$ kubectl get pods -A --kubeconfig=admin.conf NAMESPACE NAME READY STATUS RESTARTS AGE ingress-nginx ingress-nginx-controller-744d4fc6b7-t9n4l 1/1 Running 6 (8h ago) 44h kube-system calico-kube-controllers-78d6f96c7b-85rv9 1/1 Running 193 31d kube-system calico-node-6nfqv 1/1 Running 254 34d kube-system calico-node-fv458 0/1 Running 50 34d kube-system calico-node-h5lsq 1/1 Running 94 (7h10m ago) 34d kube-system ..........................

那個，kubeconfig文件是個什么東西，官方文檔中這樣描述：

使用 kubeconfig 文件來組織有關集群、用戶、命名空間和身份認證機制的信息。kubectl 命令行工具使用 kubeconfig 文件來查找選擇集群所需的信息，并與集群的 API 服務器進行通信。

換句話講，通過kubeconfig與集群的 API 服務器進行通信，類似上面的Token的作用，我們要說的HTTPS證書認證就是放到這里

默認情況下，kubectl 在 $HOME/.kube 目錄下查找名為 config 的文件。

┌──[root@vms81.liruilongs.github.io]-[~] └─$ls ~/.kube/config /root/.kube/config ┌──[root@vms81.liruilongs.github.io]-[~] └─$ll ~/.kube/config -rw------- 1 root root 5663 1月 16 02:33 /root/.kube/config

將kubeconfig文件復制到 $HOME/.kube 目錄下改名為 config 發現tom用戶依舊可以訪問

[tom@vms81 ~]$ ls admin.conf [tom@vms81 ~]$ cp admin.conf .kube/config [tom@vms81 ~]$ kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-78d6f96c7b-85rv9 1/1 Running 193 31d calico-node-6nfqv 1/1 Running 254 34d calico-node-fv458 0/1 Running 50 34d calico-node-h5lsq 1/1 Running 94 (7h13m ago) 34d 。。。。。。。

也可以通過設置 KUBECONFIG 環境變量或者設置 --kubeconfig參數來指定其他kubeconfig文件。

[tom@vms81 ~]$ export KUBECONFIG=admin.conf [tom@vms81 ~]$ kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-78d6f96c7b-85rv9 1/1 Running 193 31d calico-node-6nfqv 1/1 Running 254 34d calico-node-fv458 0/1 Running 50 34d calico-node-h5lsq 1/1 Running 94 (7h11m ago) 34d ..............

當我們什么都不設置時，tom用戶獲取不到kubeconfig文件，沒有認證信息，無法訪問

[tom@vms81 ~]$ unset KUBECONFIG [tom@vms81 ~]$ kubectl get pods -n kube-system The connection to the server localhost:8080 was refused - did you specify the right host or port?

查看kubeconfig文件的配置信息

┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$kubectl config view

apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.26.81:6443 name: kubernetes contexts: - context: cluster: kubernetes namespace: liruilong-rbac-create user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: REDACTED client-key-data: REDACTED ┌──[root@vms81.liruilongs.github.io]-[~/.kube] └─$

所以我們要想訪問集群信息，只需要把這個kubeconfig 文件拷貝到客戶機上就OK了

創建 kubeconfig 文件

一個kubeconfig 文件包括一下幾部分：

集群信息：

集群CA證書

集群地址

上下文信息

所有上下文信息

當前上下文

用戶信息

用戶CA證書

用戶私鑰

要創建 kubeconfig 文件的話，我們需要一個私鑰，以及集群 CA 授權頒發的證書。同理我們不能直接用私鑰生成公鑰，而必須是用私鑰生成證書請求文件(申請書)，然后根據證書請求文件向 CA(權威機構)申請證書(身份證)，CA 審核通過之后會頒發證書。

環境準備

┌──[root@vms81.liruilongs.github.io]-[~/ansible] └─$kubectl create ns liruilong-rbac-create namespace/liruilong-rbac-create created ┌──[root@vms81.liruilongs.github.io]-[~/ansible] └─$mkdir k8s-rbac-create;cd k8s-rbac-create ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl config set-context $(kubectl config current-context) --namespace=liruilong-rbac-create Context "kubernetes-admin@kubernetes" modified. ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$

生成一個 2048 位的 私鑰 iruilong.key 文件

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$openssl genrsa -out liruilong.key 2048 Generating RSA private key, 2048 bit long modulus ....................+++ ...........................................................................................................+++ e is 65537 (0x10001)

查看私鑰文件

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$cat liruilong.key -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAt9OBnwaA3VdFfjdiurJPtcaiXOGPc1AWFmrlgocq4vT5WZgq .............................. .................................. LHd0n1yCKpwbYMGghF4iGmEGIIdsCVZP+EV6lduPKjqEm9kjuLROKzRZHFoGyASO Krb3VR4CKHvnZAPVctv7Pu+4JgMliJHl8GVYhqM5UykbLRMdNHSNIQ== -----END RSA PRIVATE KEY----- ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$

利用剛生成的私有 liruilong.key 生成證書請求文件 liruilong.key：這里CN的值 liruilong，就是后面我們授權的用戶。

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$openssl req -new -key liruilong.key -out liruilong.csr -subj "/CN=liruilong/O=cka2020" ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$ls liruilong.csr liruilong.key

對證書請求文件進行 base64 編碼

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$cat liruilong.csr | base64 |tr -d "\n" LS0tLS1CRUdJTiBDRVJUSUZJ...............

編寫申請證書請求文件的 yaml 文件:cat csr.yaml

apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: liruilong spec: signerName: kubernetes.io/kube-apiserver-client request: LS0tLS1CRUdJTiBDRVJUSUZJ............... usages: - client auth

這里 request 里的是 base64 編碼之后的證書請求文件。申請證書

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl apply -f csr.yaml certificatesigningrequest.certificates.k8s.io/liruilong created

查看已經發出證書申請請求：

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION liruilong 15s kubernetes.io/kube-apiserver-client kubernetes-admin Pending

批準證書：

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl certificate approve liruilong certificatesigningrequest.certificates.k8s.io/liruilong approved

查看審批通過的證書：

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl get csr/liruilong -o yaml

apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"liruilong"},"spec":{"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2F6Q0NBVk1DQVFBd0pqRVNNQkFHQTFVRUF3d0piR2x5ZFdsc2IyNW5NUkF3RGdZRFZRUUtEQWRqYTJFeQpNREl3TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpCnVySlB0Y2FpWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1IKb1Eybk83K3FnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VgphZTIwcXFBRXpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvCnN4UkFFNXlrWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTkKSE5NWTkweUhYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUNwptSzhKeHdJREFRQUJvQUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUFwa09aUUNTTGxGYWJTVk9zNmtzL1ZyCmd3b3FTdjFOM1YzUC84SmNzR1pFUTc4TkpJb2R0REExS3EwN25DWjJWUktselZDN1kyMCszZUVzTXZNWnFMc1MKbUtaS0w2SFE3N2RHa1liUjhzKzRMaFo4YXR6cXVMSnlqZUZKODQ2N1ZrUXF5T1R6by9wZ3E4YWJJY01XNzlKMgoxWEkybi92RWlIMEgvWU9DaWExVHRqTnpSWGtlL2hPQTZ4Y29CcVRpdWtkUHBqZDJSaWFTRUNUS1h4ZGNOS0xLCmZVbFhkb2s5UkVkQ2V3bU9ISUdvVG9qUGRWdWlPdkYzZkFqUXZNNDJ3UjJDdklHMWs1YUQzdWVlbzcwd0pnUlQKYzhZNnUwY2padEI5ZW5xUStmRFFqdUUyZElrMDJLbm5HQVppK0wxUnRnSnA2Tm1udEg5WUc3RlBLSXYrakFZPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}} creationTimestamp: "2022-01-16T15:25:24Z" name: liruilong resourceVersion: "1185668" uid: 51837659-7214-4dec-bcd4-b7a9129ee2bb spec: groups: - system:masters - system:authenticated request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2F6Q0NBVk1DQVFBd0pqRVNNQkFHQTFVRUF3d0piR2x5ZFdsc2IyNW5NUkF3RGdZRFZRUUtEQWRqYTJFeQpNREl3TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpCnVySlB0Y2FpWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1IKb1Eybk83K3FnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VgphZTIwcXFBRXpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvCnN4UkFFNXlrWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTkKSE5NWTkweUhYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUNwptSzhKeHdJREFRQUJvQUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUFwa09aUUNTTGxGYWJTVk9zNmtzL1ZyCmd3b3FTdjFOM1YzUC84SmNzR1pFUTc4TkpJb2R0REExS3EwN25DWjJWUktselZDN1kyMCszZUVzTXZNWnFMc1MKbUtaS0w2SFE3N2RHa1liUjhzKzRMaFo4YXR6cXVMSnlqZUZKODQ2N1ZrUXF5T1R6by9wZ3E4YWJJY01XNzlKMgoxWEkybi92RWlIMEgvWU9DaWExVHRqTnpSWGtlL2hPQTZ4Y29CcVRpdWtkUHBqZDJSaWFTRUNUS1h4ZGNOS0xLCmZVbFhkb2s5UkVkQ2V3bU9ISUdvVG9qUGRWdWlPdkYzZkFqUXZNNDJ3UjJDdklHMWs1YUQzdWVlbzcwd0pnUlQKYzhZNnUwY2padEI5ZW5xUStmRFFqdUUyZElrMDJLbm5HQVppK0wxUnRnSnA2Tm1udEg5WUc3RlBLSXYrakFZPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K signerName: kubernetes.io/kube-apiserver-client usages: - client auth username: kubernetes-admin status: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDekNDQWZPZ0F3SUJBZ0lRUC9aR05rUjdzVy9sdHhkQTNGQjBoekFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURFeE5qRTFNakV3TWxvWERUSXpNREV4TmpFMQpNakV3TWxvd0pqRVFNQTRHQTFVRUNoTUhZMnRoTWpBeU1ERVNNQkFHQTFVRUF4TUpiR2x5ZFdsc2IyNW5NSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpdXJKUHRjYWkKWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1JvUTJuTzcrcQpnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VmFlMjBxcUFFCnpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvc3hSQUU1eWsKWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTlITk1ZOTB5SApYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUN21LOEp4d0lECkFRQUJvMFl3UkRBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWQKSXdRWU1CYUFGR0RjS1N1dVY1TTV5Wk5CR1AxLzZoN0xZNytlTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCagpOelREMmZ5bTc3bXQ4dzlacXRZN3NQelhmNHJQTXpWUzVqV3NzenpidlhEUzhXcFNMWklIYkQ3VU9vYlYxcFYzClYzRW02RXlpWUEvbjhMYTFRMnZra0EyUDk1d3JqWlBuemZIeUhWVFpCTUY4YU1MSHVpVHZ5WlVVV0JYMTg1UFAKQ2MxRncwanNmVThJMDBzbUNOeURBZjVMejFjRUVrNWlGYUswMDJRblUyNk5lcDF3U3BMcVZWWVptSW9UVU9DOApCNzNpU3J6Y0wyVmdBejRCaUQxdUVlUkFMM20zRTB2VVpsQjduKzF1MllrNDFCajdGYnpWR2w1dFpYT3hDMVhxCjJVc0hSbmkzY1VYZ203QlloZDU3aTFHclRRRFJpckRwVFV1RDB3ZlFYTjZLdEx1TmVDYUc0alc4ZTl4QkQrTjIKOFE4Z25UZjdPSEI3VWZkUzVnMWQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= conditions: - lastTransitionTime: "2022-01-16T15:26:02Z" lastUpdateTime: "2022-01-16T15:26:01Z" message: This CSR was approved by kubectl certificate approve. reason: KubectlApprove status: "True" type: Approved

導出證書文件：

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl get csr liruilong -o jsonpath='{.status.certificate}'| base64 -d > liruilong.crt

給用戶授權，這里給 liruilong 一個集群角色 cluster-role(類似于root一樣的角色)，這樣 liruilong 具有管理員權限

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl create clusterrolebinding test --clusterrole=cluster-admin --user=liruilong clusterrolebinding.rbac.authorization.k8s.io/test created ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$

拷貝 CA 證書

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$ls csr.yaml #(申請證書請求文件yaml) liruilong.crt #公鑰(證書文件) liruilong.csr #(證書請求文件) liruilong.key #私鑰 ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$ls /etc/kubernetes/pki/ apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key sa.pub apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key liruilong.csv apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.key ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$cp /etc/kubernetes/pki/ca.crt .

設置集群字段，這里包含集群名字，服務地址和集群證書

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://192.168.26.81:6443 --certificate-authority=ca.crt --embed-certs=true Cluster "cluster1" set.

在上面集群中創建一個上下文context1

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=liruilong Context "context1" created.

這里–embed-certs=true 的意思是把證書內容寫入到此 kubeconfig 文件里。

設置用戶字段，包含用戶名字，用戶證書，用戶私鑰

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl config --kubeconfig=kc1 set-credentials liruilong --client-certificate=liruilong.crt --client-key=liruilong.key --embed-certs=true User "liruilong" set.

查看創建的kubeconfig文件信息

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$cat kc1

apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1USXhNakUyTURBME1sb1hEVE14TVRJeE1ERTJNREEwTWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkdkCisrWnhFRDJRQlR2Rm5ycDRLNFBrd2lsYXUrNjdXNTVobVdwc09KSHF6ckVoWUREY3l4ZTU2Z1VJVDFCUTFwbU0KcGFrM0V4L0JZRStPeHY4ZmxtellGbzRObDZXQjl4VXovTW5HQi96dHZsTGpaVEVHZy9SVlNIZTJweCs2MUlSMQo2Mkh2OEpJbkNDUFhXN0pmR3VXNDdKTXFUNTUrZUNuR00vMCtGdnI2QUJnT2YwNjBSSFFuaVlzeGtpSVJmcjExClVmcnlPK0RFTGJmWjFWeDhnbi9tcGZEZ044cFgrVk9FNFdHSDVLejMyNDJtWGJnL3A0emd3N2NSalpSWUtnVlUKK2VNeVIyK3pwaTBhWW95L2hLYmg4RGRUZ3FZeERDMzR6NHFoQ3RGQnVia1hmb3Ftc3FGNXpQUm1ZS051RUgzVAo2c1FNSFl4emZXRkZvSGQ2Y0JNQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZHRGNLU3V1VjVNNXlaTkJHUDEvNmg3TFk3K2VNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRVE0SUJhM0hBTFB4OUVGWnoyZQpoSXZkcmw1U0xlanppMzkraTdheC8xb01SUGZacElwTzZ2dWlVdHExVTQ2V0RscTd4TlFhbVVQSFJSY1RrZHZhCkxkUzM5Y1UrVzk5K3lDdXdqL1ZrdzdZUkpIY0p1WCtxT1NTcGVzb3lrOU16NmZxNytJUU9lcVRTbGpWWDJDS2sKUFZxd3FVUFNNbHFNOURMa0JmNzZXYVlyWUxCc01EdzNRZ3N1VTdMWmg5bE5TYVduSzFoR0JKTnRndjAxdS9MWAo0TnhKY3pFbzBOZGF1OEJSdUlMZHR1dTFDdEFhT21CQ2ZjeTBoZHkzVTdnQXh5blR6YU1zSFFTamIza0JDMkY5CkpWSnJNN1FULytoMStsOFhJQ3ZLVzlNM1FlR0diYm13Z1lLYnMvekswWmc1TE5sLzFJVThaTUpPREhTVVBlckQKU09ZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== server: https://192.168.26.81:6443 name: cluster1 contexts: - context: cluster: cluster1 namespace: default user: liruilong name: context1 current-context: "" kind: Config preferences: {} users: - name: liruilong user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDekNDQWZPZ0F3SUJBZ0lRUC9aR05rUjdzVy9sdHhkQTNGQjBoekFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURFeE5qRTFNakV3TWxvWERUSXpNREV4TmpFMQpNakV3TWxvd0pqRVFNQTRHQTFVRUNoTUhZMnRoTWpBeU1ERVNNQkFHQTFVRUF4TUpiR2x5ZFdsc2IyNW5NSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpdXJKUHRjYWkKWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1JvUTJuTzcrcQpnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VmFlMjBxcUFFCnpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvc3hSQUU1eWsKWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTlITk1ZOTB5SApYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUN21LOEp4d0lECkFRQUJvMFl3UkRBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWQKSXdRWU1CYUFGR0RjS1N1dVY1TTV5Wk5CR1AxLzZoN0xZNytlTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCagpOelREMmZ5bTc3bXQ4dzlacXRZN3NQelhmNHJQTXpWUzVqV3NzenpidlhEUzhXcFNMWklIYkQ3VU9vYlYxcFYzClYzRW02RXlpWUEvbjhMYTFRMnZra0EyUDk1d3JqWlBuemZIeUhWVFpCTUY4YU1MSHVpVHZ5WlVVV0JYMTg1UFAKQ2MxRncwanNmVThJMDBzbUNOeURBZjVMejFjRUVrNWlGYUswMDJRblUyNk5lcDF3U3BMcVZWWVptSW9UVU9DOApCNzNpU3J6Y0wyVmdBejRCaUQxdUVlUkFMM20zRTB2VVpsQjduKzF1MllrNDFCajdGYnpWR2w1dFpYT3hDMVhxCjJVc0hSbmkzY1VYZ203QlloZDU3aTFHclRRRFJpckRwVFV1RDB3ZlFYTjZLdEx1TmVDYUc0alc4ZTl4QkQrTjIKOFE4Z25UZjdPSEI3VWZkUzVnMWQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdDlPQm53YUEzVmRGZmpkaXVySlB0Y2FpWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxCndYOU9Eb0p6Q0RCWWVRSUN4dFpublJPV2NQdnVQeitSb1Eybk83K3FnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVgKNnZEQ3ZYMVA0d1ZzRXVzcnZWQXZBeDZnamU2czVveFZhZTIwcXFBRXpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bQppaTRzc2laUEV1NWRWSEVrOXR3QnlGU1dHbGpyRE5Ib3N4UkFFNXlrWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxCmtndFNMQzJVUnMvUFlMMERjUkJvc1FMdHNybm5RUjE5SE5NWTkweUhYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZTgKVmY4QUxabGw1QU5yeUlCam1za2NNUDNpUTM3cVhmVDdtSzhKeHdJREFRQUJBb0lCQUJsS0I3TVErZmw1WUI0VgpFSWdPcjlpYUV3d2tHOUFKWElDSkJEb0l6bVdhdmhNTlZCUjZwd3BuOTl0UWkxdGFZM2RuVjZuTVlBMzdHck9vCjB5Z004TXpQZVczUUh6Z2p5cGFkRkJqR204Mm1iUHNoekVDT0RyeHkyT0txaEV1MS9yWjBxWU1NVzVvckU2NUQKOEJ3NmozaEp1MTlkY251bk1Lb2hyUlJ4MGNGOGJrVHpRcWk1Y0xGZ0lBUlArNklFcnQrS0FVSGFVQ0wvSUtTYgoyblJnSmhvSWszTUJnQnM3eVl0NFpVNlpkSVFLRU56RzRUd2VjNG5ESXE2TkllU1ZpSEVtbmdjRXVOdTNOaWEvCmxwTWd5ZHJKZWJKYStrc0FiZU4zU21TRGc2MXpVWUpHV2FOZUFPemdmbkZRTVp2Y2FyNEQ1b0xCQUE5Rlpic0EKc0hUZjBBRUNnWUVBNWVmdDJSV25kM2pueWJBVVExa3dRTzlzN1BmK241OXF3ekIwaEdrcC9qcjh2dGRYZkxMNgo0THBoNWFhKzlEM0w5TEpMdk8xa0cyaG5UbFE4Q25uVXpVUUUreldiYlRJblR0eE1hRzB5VjJlZ3NaQkFseERYClk1K2tZZ29EVXIyN2dWbE5QZ29SWVkzRG1ZZHplVmp0NEFHOE9JNWRPUlJ6bFE3VHN0Nk9XUUVDZ1lFQXpMQ3kKM2Q0SkRZRjBpeXFFc2FsNFNsckdEc3hmY2xxeUZaVWpmcUcvdGFHeEFTeE9zL0h3SDNwR1cwQXh3c2tPdVNkUwpWcGxOOC9uZjBMQjdPV0hQL2FjTlJLbHdJeUZrNG9EU0VMOVJ5d0FFVEF3NHdrYitoRzNZdUFHU2YvY1dEWXNtCjNJUUxlMVdFS0JSZDVBS1lkYXdyYlJtclFkSndSaFFkalNzOTJzY0NnWUVBck1WSVpwVHhUc1ViV3VQcHRscjEKK2paekl2bVM3WjI5ZTRXVWFsVWxhNW9raWI0R1R2MnBydXdoMlpVZmR5aGhkemZ0MXNLSE1sbVpHTElRbE1iTgpkcHdoS2k4MDZEQ0NmYTdyOUtYcTZPaEZTR3JoUHlVMjEvVUdjVzZZNUxzVWg3WDJhQ0xrd096cUN4eFJXT1hOCmpVT0FrUGZiY3FPOTRFeE9KdU05RWdFQ2dZRUFwNUVqN0xPL0wzcENBVWVlZDU3bjVkN244dWRtWDhSVnM0dHoKRWxDeUU2dzVybDhxVXUrR0J3N2ZtQVkyZG1LSUZoVlZ0NlVyQnNjUmJkTjhIUjZ3MmRNdTduM1RXajhWU3NQdwp0RnNiUjVkTTdVQzRHbnRxRXRtbUtBVEpmTTYzRkFGTm9Bck5KM3Q3aENBZ09PL1RCY29iaHVZVHAvL3hmNzBwCjhBNXRSYk1DZ1lCMkJTb0ZTbW1sVFN5RjdnZnhmM281dTNXM3lwTENIRFV0cFZkYlAxZm9vemJwZUs3V29IY2YKTEhkMG4xeUNLcHdiWU1HZ2hGNGlHbUVHSUlkc0NWWlArRVY2bGR1UEtqcUVtOWtqdUxST0t6UlpIRm9HeUFTTwpLcmIzVlI0Q0tIdm5aQVBWY3R2N1B1KzRKZ01saUpIbDhHVllocU01VXlrYkxSTWROSFNOSVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$

修改kubeconfig文件當前的上下文為之前創建的上下文

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$sed 's#current-context: ""#current-context: "context1"#' kc1 | grep current-context current-context: "context1" ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$sed -i 's#current-context: ""#current-context: "context1"#' kc1 ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$cat kc1 | grep current-context current-context: "context1"

這樣 kubeconfig 文件就創建完畢了，下面開始驗證 kubeconfig 文件。

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl auth can-i list pods --as liruilong #檢查是否具有 list 當前命名空間里的 pod 的權限 yes ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$kubectl auth can-i list pods -n kube-system --as liruilong #檢查 是否具有 list 命名空間 kube-system 里 pod 的權限 yes ┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$

拷貝證書到客戶機

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create] └─$scp kc1 root@192.168.26.55:~

客戶機指定證書訪問測試

┌──[root@liruilongs.github.io]-[~] └─$ kubectl --kubeconfig=kc1 get pods -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-78d6f96c7b-85rv9 1/1 Running 194 (14h ago) 33d calico-node-6nfqv 0/1 Running 255 (14h ago) 35d calico-node-fv458 0/1 Running 50 35d calico-node-h5lsq 1/1 Running 94 (38h ago) 35d 。。。。。。。。。。。。 ┌──[root@liruilongs.github.io]-[~] └─$

這樣一個kubeconfig文件就創建完成

https Kubernetes

版權聲明：本文內容由網絡用戶投稿，版權歸原作者所有，本站不擁有其著作權，亦不承擔相應法律責任。如果您發現本站中有涉嫌抄襲或描述失實的內容，請聯系我們jiasou666@gmail.com 處理，核實后本網站將在24小時內刪除侵權內容。