K8S User Account 创建授权
作者:互联网
# 本文主要介绍用自建证书的方式创建 user account（Kubernetes 中并没有 "用户" 这种 API 对象，所谓用户就是集群 CA 签发的客户端证书里的 CN），用 RBAC 给该用户授权，再为同名 Service Account 生成 token 绑定到同一个 Role 上，用于登录 dashboard 验证权限
# 基于 openssl 生成用户相关证书。注意：这里直接用集群 CA 的私钥签发，Kubernetes 不支持客户端证书吊销（没有 CRL/OCSP），证书在 -days 到期前一直可用，唯一的"撤权"手段是删除 RBAC 绑定，所以有效期尽量设短、ca.key 只在 master 上读取；另外 -subj 里的 O 会被当作用户组，切勿写成 O=system:masters，该组绕过 RBAC 直接拥有 cluster-admin。更规范的做法是走 CertificateSigningRequest API 让集群签发，不必手工接触 ca.key
1、生成用户的key文件 [root@master1 chen]# openssl genrsa -out chen.key 2048 Generating RSA private key, 2048 bit long modulus ......................................................................................................+++ .....................................................................+++ e is 65537 (0x10001) 2、基于key 生成csr文件(证书签名请求) O表示组织组 CN表示用户 [root@master1 chen]# openssl req -new -key chen.key -out chen.csr -subj "/O=kubernetes/CN=chen" [root@master1 chen]# ls chen.csr chen.key 3、生成 crt 文件(用参数 -days 设置证书有效期) [root@master1 chen]# openssl x509 -req -in chen.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out chen.crt -days 365 Signature ok subject=/O=kubernetes/CN=chen Getting CA Private Key
# kubectl config 设置集群信息
[root@master1 chen]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443 --kubeconfig=/root/role/user/chen/config --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true Cluster "kubernetes" set.
#设置 用户信息
[root@master1 chen]# kubectl config set-credentials chen --kubeconfig=/root/role/user/chen/config --client-key=chen.key --client-certificate=chen.crt --embed-certs=true User "chen" set.
# 配置 context
[root@master1 chen]# kubectl config set-context chen@kubernetes --cluster=kubernetes --user=chen --kubeconfig=/root/role/user/chen/config Context "chen@kubernetes" created.
# 查看配置。kubectl config view 会把证书和私钥显示为 REDACTED，而下面的 cat config 会把内嵌的客户端私钥（client-key-data）原样打印出来——这份 kubeconfig 等价于 chen 的登录凭据，请 chmod 600 并且不要把它粘贴到文档、工单或截图里；像本文这样公开过的私钥应视为已泄露，需重新生成证书
[root@master1 chen]# kubectl config view --kubeconfig=./config apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://192.168.24.31:6443 name: kubernetes contexts: - context: cluster: kubernetes user: chen name: chen@kubernetes current-context: "" kind: Config preferences: {} users: - name: chen user: client-certificate-data: REDACTED client-key-data: REDACTED [root@master1 chen]# cat config apiVersion: v1 clusters: - cluster: certificate-authority-data: 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 server: https://192.168.24.31:6443 name: kubernetes contexts: - context: cluster: kubernetes user: chen name: chen@kubernetes current-context: "" kind: Config preferences: {} users: - name: chen user: client-certificate-data: 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 client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcTBaR2xXTDRqOEhyV1N4NGtGdldLS0wzcHl4eUlkektWbnRxQWhWSHNaRTN2ZVZYCnRFckFNM3l0V1IzQVdiR2VaZFlMa1lOTDZTdUVQZm1nRUpML3gwNHpLbFZzeWxkS0V6Qzh3ZUd0ejNaVE85TlIKY2VRcVdjYzFFQ3VmMzV1MGwrbVdHZjlMS1pJcU8rVEZncWRqeFhLb0xxcDdQR2ExYS9NaEc1UUtRdENCVVdFWQpPSFdlUE1acm9yM3YyRGZXclkzM3I2R3gwRlVna0hwa2V0aFVnbEQ4Q3E3T0pML0JnMndjeFJJM0ZKSldVQUpiCnJ1d1FkZjJoTGQ4ZHF0WmJRRmJTM3dBWE90RmJ0ZlA5NmhKbjFFMUpJNVNtVVo3RDlaa3RRSUtNcjBOT0wxVHUKMU1kSU9sWTFlRG1HT2lzbHlpZ2V0N1VXWDU0ZFRNZjAzbnBxRFFJREFRQUJBb0lCQUZheWJndzBXd201NlgzcwpLdU0zK1lIOGJFdnREYURpZUhHcWF4Qys0Tm1iWHBIN1E1ZjV0cXpaVVk0b3B6TS8yNlJFNHZvM2NmZUhsWnNoCmZzcWsvbUJPejB1QWpsOG1MRkxtZXNYUmpQL1ZMM0M3R1NFRGxBUjU5L3hGZU5uaG9WcThYTVN3RzhYaFBRdXcKVStJOUJSM3ZXZjYxUVVoajNUWFZqazY5Y3l3Nk5semh4WkRLaTd5STAveXdPVlRBSjNNdEFJY3FibUZ1cmNhdAo2S2FMVFcvNjBNc1g5M2lnbkV4VXMrS1N5bTZpdVZPdUR1V29CVVY4Q1VhSmxkdVk3ajM3YVRaK2l2WDdrSW8yClZwZ2UwOElOSmR6UFpjMXlCRkJLNVZac2w3K1ZseVREM2FmcFNiWXpUNTVjS25qZHJwcERkT0tlWERzWERmeFYKci9kMHFPa0NnWUVBNDlXT09KNXl4L2hTcE5Pd2Vvb0JmenRqclA0S1k5R0NlUHZ4dUZZQmVMdEMyQjR3ZkVCYwp4RjBqcS8zNXUyUis4UXRYblVSbTBhQmhqQ2J4K3FSK0JPUzRzWEE5VWpUNUFCSFBsL0lk
eWRXelN4ZEJXRUpYClp1cDZwMGdSM24rM1lERlBhTVZRNWpWbWhJQjM0N3cyZVhMODhsVktrMnFnSERycHJCclc2bU1DZ1lFQXdISzcKY1FlYS9wWm10ekdNbmU5a0ljMm5NeGdjTlZsRnBHL0oycnduQVppSk1CWVkxcVljVzFXb0xMQ0N4STRZM0FNMwprcElwcTNJWkd2TCtvcnJxQkprZnUvVFNDYThDdkM1Z0xycEJlbkdiWmNOditlU1BPWmIwajg2WmlFTjZDVXE0Ck9tUHNsOU5MRzE3cTJoZUpPalZLZ3JDRVMzb1JWWnIwSHVZa3pNOENnWUFpRU1GR0YvTGprVzZSOUpEemtZVHQKeUN4OEpqUFpmdTc2TmZtTGJWaWsrNkxmKzR1V1dHMUdjd0t0YWJrWVdzdGNNU3oxZDgvRDBpNGpyWU1LemVPRgp5Y2tQeHM5MFpqVkEzR2prdUMvYUNOalpCbTRmeXpPVVVNVHNGQ3VQMEJyVUNDdHVaK3BUc1hKVnAzdkZrbE8yCnp3bWhGajJqVXhNRGhZK0F5emFOTHdLQmdEVE5CY3FNT0tWVEpKbHNtZFVYUWxUWDlPRGE0NXByaE9VSjJzc04KeG5IMHBPY3htTjBEdEZJRzNWNXRpMk5jVFV2SUFpNVB0ZWtaSS9RMTZWRkNrVVJ6c3JaQ0JJS3Rwc1YwditUeQpLMWJwNXFYMENqdjR6cWNSV01ZLysvWGI5WmFwRG9UT3Q3SXNRYllmdzdYVXNVenNKQ1paUWVMbmVld1AySnpGCnJpRVhBb0dCQU1TVXExUWgzYnEzT0RVMHFjb2FLNWtaZzU2dUlVUXhPZWVuU1pZNG5aN29NK01mTFRMR3VjTWMKaUJ1aG80empSUWdFbS9uSU0wRUhPSVhDRldPTjBEVWJiWVB1WC8yZmJONm5wUVdSRnBiRXVXdzlvNFFGNkU0YgpMYWhJUWRyREpucitUenphcUlBZ2I2V1dWNFRuelhucDBXcnNRK1lLbFdLWGtzWWlhU2ZUCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
# 验证 chen 用户是否可以访问集群。下面的 Forbidden 错误里已经出现了 User "chen"，说明证书认证（authentication）已经通过，403 是授权（RBAC）层拒绝的，因为此时集群里还没有任何绑定到 chen 的 Role/ClusterRole，这是授权前的预期状态
[root@master1 chen]# kubectl get pods --kubeconfig=./config Error from server (Forbidden): pods is forbidden: User "chen" cannot list resource "pods" in API group "" in the namespace "default"
# 基于RBAC 访问授权
#创建对应的 role 和 rolebinding。注意权限范围：pods/exec 的 create 等于可以在 default 命名空间的任意 Pod 里执行任意命令，pods 的 create 则允许创建 Pod 并挂载该命名空间下任意 ServiceAccount 的 token（以及在没有 Pod Security 限制时挂载 hostPath），两者都容易成为横向移动的跳板，按最小权限原则只在确实需要时才授予
[root@master1 chen]# cat chen_role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: chen_role namespace: default rules: - apiGroups: [""] resources: ["pods","pods/log","pods/exec"] verbs: ["get","list","watch","create"] [root@master1 chen]# cat chen_rolebindind.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: chen_rolebindind namespace: default subjects: - kind: User apiGroup: rbac.authorization.k8s.io name: chen roleRef: kind: Role apiGroup: rbac.authorization.k8s.io name: chen_role
# kubectl apply -f 应用权限
[root@master1 chen]# kubectl apply -f chen_role.yaml role.rbac.authorization.k8s.io/chen_role created [root@master1 chen]# kubectl apply -f chen_rolebindind.yaml rolebinding.rbac.authorization.k8s.io/chen_rolebindind created
#再次查看 chen用户的权限
[root@master1 chen]# kubectl get pods,svc --kubeconfig=./config NAME READY STATUS RESTARTS AGE mytomcat-5f97c868bd-bghht 1/1 Running 0 2d17h mytomcat-5f97c868bd-xh5cz 1/1 Running 0 2d mytomcat2-6746bcc65b-hmxgb 1/1 Running 0 2d2h Error from server (Forbidden): services is forbidden: User "chen" cannot list resource "services" in API group "" in the namespace "default" #因为没有开通service的权限 所以forbidden
####如何让用户chen 可以访问dashboard呢#########
# 简单省事儿的方法是创建 serviceaccount 绑定权限即可。注意用 SA token 登录 dashboard 时的身份是 system:serviceaccount:default:chen，和证书登录的 User "chen" 是两个不同的主体，审计日志里会分别记录，下面的 RoleBinding 会把两者都绑到同一个 Role 上。以下是示例:
[root@master1 chen]# kubectl create sa chen serviceaccount/chen created
# 创建对应的 role 和 rolebinding 文件。注意下面 role 里 deployments 那条规则写在 apiGroups: [""]（core 组）下是无效的——Deployment 属于 apps 组，这样写 chen 仍然无法查看 deployments，应改为 - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get","list","watch","create"]；RoleBinding 里 ServiceAccount 主体未写 namespace 时默认取绑定所在的 default 命名空间
[root@master1 chen]# cat chen_role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: chen_role namespace: default rules: - apiGroups: [""] resources: ["pods","pods/log","pods/exec"] verbs: ["get","list","watch","create"] - apiGroups: [""] resources: ["services"] verbs: ["get","list","watch","create"] - apiGroups: [""] resources: ["deployments"] verbs: ["get","list","watch","create"] ##rolebindind [root@master1 chen]# cat chen_rolebindind.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: chen_rolebindind namespace: default subjects: - kind: User apiGroup: rbac.authorization.k8s.io name: chen ## 添加sa账户 - kind: ServiceAccount name: chen roleRef: kind: Role apiGroup: rbac.authorization.k8s.io name: chen_role
# 授权后查看 kubectl 以及 dashboard 权限（若前面的 chen_role / chen_rolebindind 已存在，apply 的输出应是 configured 而不是 created）
[root@master1 chen]# kubectl apply -f chen_role.yaml role.rbac.authorization.k8s.io/chen_role created [root@master1 chen]# kubectl apply -f chen_rolebindind.yaml rolebinding.rbac.authorization.k8s.io/chen_rolebindind created
#查看 chen 这个 ServiceAccount 的 token 并登录 dashboard 验证。注意 chen-token-xxxx 这类自动生成的 Secret 里是永不过期的长期 token，拿到它的人在 Secret 被删除前一直拥有 chen 的全部权限，所以不要像下面这样把 token 原样贴出来（贴出来的必须视为已泄露并删除该 Secret 重新生成）；Kubernetes 1.24 起不再为 SA 自动创建这种 Secret，应改用 kubectl create token chen 获取有时限的绑定 token
[root@master1 chen]# kubectl get secret chen-token-h2d8l -o jsonpath={.data.token} | base64 -d eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNoZW4tdG9rZW4taDJkOGwiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2hlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYzBjYjg3LTNkY2QtNDc0OC1hM2VlLTAyM2VlNTU5YTY5NiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNoZW4ifQ.X18a6j69NwQSkzbMkhDNfreifvOAOfaQbSvDi_hYmwDV28eCSdCHgoALMLd-fOq2Fno0XKdu5sbvyv8tzaMw72u1b5ZxnH1wIeSc54ILrZYLY4iOanYD-lat7tI66Nu3UrBZMThjDZ22aoXEAACe3p-hVYLBfImFrikI2V6cTc-QINtWxsJLIuRWEYOuKMz64yApP6QVbbsSfUm465CG9sKZ9rAqsqEA-Om5bGmPAY7DFMLIUz6b7RunuD-QL1wnkZ0VjI7LdqlMAibALHzPMfwgemWqQGCNXMjoV0O7sVsiLotuftrc_gjEVlquPFpH_z65iUi4r_fkcJ7qHYTwVw[root@master1 chen]#
# 也可以把 token 写进 kubeconfig 的 users[].user.token 字段，然后把文件下载下来在 dashboard 通过 kubeconfig 登录；这份文件同样是明文凭据，传输和保存时要和私钥一样保护（chmod 600，不要通过聊天工具/邮件明文传递）
# 验证kubectl 权限 刚才增加了几条权限
#验证完毕 本次部署完成