
K8S User Account 创建授权

作者:互联网

 

# 本文主要介绍自建证书的方式创建user account 以及生成用户的token 绑定到Service Account上 查看dashboard权限

# 基于 openssl 生成用户相关证书

1、生成用户的key文件
[root@master1 chen]# openssl genrsa -out chen.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................+++
.....................................................................+++
e is 65537 (0x10001)

2、基于 key 生成 csr 文件(证书签名请求)。证书中的 O 对应 Kubernetes 里的组(group),CN 对应用户名(user)
[root@master1 chen]# openssl req -new -key chen.key -out chen.csr -subj "/O=kubernetes/CN=chen"
[root@master1 chen]# ls
chen.csr  chen.key

3、生成 crt 文件(用参数 -days 设置证书有效期)
[root@master1 chen]# openssl x509 -req -in chen.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out chen.crt -days 365
Signature ok
subject=/O=kubernetes/CN=chen
Getting CA Private Key

# kubectl config 设置集群信息

[root@master1 chen]# kubectl config set-cluster kubernetes --server=https://192.168.24.31:6443  --kubeconfig=/root/role/user/chen/config --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
Cluster "kubernetes" set.

#设置 用户信息

[root@master1 chen]# kubectl config set-credentials chen   --kubeconfig=/root/role/user/chen/config --client-key=chen.key --client-certificate=chen.crt --embed-certs=true
User "chen" set.

# 配置 context

[root@master1 chen]#  kubectl config set-context chen@kubernetes --cluster=kubernetes --user=chen --kubeconfig=/root/role/user/chen/config
Context "chen@kubernetes" created.

# 查看配置

[root@master1 chen]# kubectl config view --kubeconfig=./config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: chen
  name: chen@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: chen
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED



[root@master1 chen]# cat config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.24.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: chen
  name: chen@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: chen
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN0VENDQVowQ0NRQ3l0QUJFTFRLOWZEQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSXlNRGN4TlRBM01ETXpNVm9YRFRJek1EY3hOVEEzTURNek1Wb3dKREVUTUJFRwpBMVVFQ2d3S2EzVmlaWEp1WlhSbGN6RU5NQXNHQTFVRUF3d0VZMmhsYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUt0R1JwVmkrSS9CNjFrc2VKQmIxaWlpOTZjc2NpSGN5bFo3YWdJVlI3R1IKTjczbFY3Ukt3RE44clZrZHdGbXhubVhXQzVHRFMra3JoRDM1b0JDUy84ZE9NeXBWYk1wWFNoTXd2TUhocmM5MgpVenZUVVhIa0tsbkhOUkFybjkrYnRKZnBsaG4vU3ltU0tqdmt4WUtuWThWeXFDNnFlenhtdFd2eklSdVVDa0xRCmdWRmhHRGgxbmp6R2E2Szk3OWczMXEyTjk2K2hzZEJWSUpCNlpIcllWSUpRL0FxdXppUy93WU5zSE1VU054U1MKVmxBQ1c2N3NFSFg5b1MzZkhhcldXMEJXMHQ4QUZ6clJXN1h6L2VvU1o5Uk5TU09VcGxHZXcvV1pMVUNDaks5RApUaTlVN3RUSFNEcFdOWGc1aGpvckpjb29IcmUxRmwrZUhVekg5TjU2YWcwQ0F3RUFBVEFOQmdrcWhraUc5dzBCCkFRc0ZBQU9DQVFFQU0vZWJ0Nmd3L3hiNEpUYTUyMERXdzJZL1pCUC9vRVh4Nnd3T1g1SUtZMjhiR2lpSHNGZWMKLzdaaFprWFdvWTMzVDRZenBUWU5ucXV3b1NhTDJ6WEVndmRqbEs3emxETSsvazdsNjd4R0FJT3hFZG1kaXRvcApQYi92MmljTk1xQnRYK0hwaFBxMldDdHBKUlF5eFFBV3hSWTk3SndEc1BDandVRUVlY1JWMjlKa0EwOE9ZTnkvClNYLzJIWCtZU295UUZBUUxnV3NYT1g1OERkUTlxQlpZVTF0SE05bFRxOWlXK1JJdlhpNXVheWM1VllQV3JzZjcKaEQ3QmcrL2ExSGtxZEhCTmJ2cEhEVmlSb0JSdGFlcXo0MUkxVk53RmxjRXMyQWxTeGdlbmFsM25FM0VNZjJ1OApPM2haUUZiZjZ1RTlUV0wyQUxaZ1g1MzF3YlVqZ0FkbXp3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: 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

 

# 验证chen用户是否可以访问集群(上面 kubectl config view 的输出中 current-context 仍为空,使用前需先执行 kubectl config use-context chen@kubernetes --kubeconfig=./config 选中 context)

[root@master1 chen]# kubectl get pods --kubeconfig=./config
Error from server (Forbidden): pods is forbidden: User "chen" cannot list resource "pods" in API group "" in the namespace "default"

 

# 基于RBAC 访问授权

#创建对应的 role 和 rolebinding

[root@master1 chen]# cat chen_role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chen_role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","pods/log","pods/exec"]
  verbs: ["get","list","watch","create"]



[root@master1 chen]# cat chen_rolebindind.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chen_rolebindind
  namespace: default
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: chen
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: chen_role

# kubectl apply -f  应用权限

[root@master1 chen]# kubectl apply -f chen_role.yaml 
role.rbac.authorization.k8s.io/chen_role created
[root@master1 chen]# kubectl apply -f chen_rolebindind.yaml
rolebinding.rbac.authorization.k8s.io/chen_rolebindind created

#再次查看 chen用户的权限

[root@master1 chen]# kubectl get pods,svc --kubeconfig=./config
NAME                         READY   STATUS    RESTARTS   AGE
mytomcat-5f97c868bd-bghht    1/1     Running   0          2d17h
mytomcat-5f97c868bd-xh5cz    1/1     Running   0          2d
mytomcat2-6746bcc65b-hmxgb   1/1     Running   0          2d2h
Error from server (Forbidden): services is forbidden: User "chen" cannot list resource "services" in API group "" in the namespace "default"

#因为 Role 中没有授予 services 资源的权限,所以返回 Forbidden

 

####如何让用户chen 可以访问dashboard呢#########

# 简单省事儿的方法是创建serviceaccount 绑定权限即可 以下是示例:

[root@master1 chen]# kubectl create sa chen
serviceaccount/chen created

# 创建对应的role 和rolebindind 文件(注意:Deployment 属于 apps API 组,下面写在 apiGroups: [""] 下的 deployments 规则不会生效,应改为 apiGroups: ["apps"])

[root@master1 chen]# cat chen_role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chen_role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","pods/log","pods/exec"]
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch","create"]
- apiGroups: [""]
  resources: ["deployments"]
  verbs: ["get","list","watch","create"]



##rolebindind
[root@master1 chen]# cat chen_rolebindind.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chen_rolebindind
  namespace: default
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: chen
## 添加sa账户(ServiceAccount 类型的 subject 还需要指定 namespace: default,否则 apply 时校验不通过)
- kind: ServiceAccount
  name: chen
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: chen_role

# 授权后查看 kubectl 以及dashboard权限

[root@master1 chen]# kubectl apply -f chen_role.yaml 
role.rbac.authorization.k8s.io/chen_role created

[root@master1 chen]# kubectl apply -f chen_rolebindind.yaml 
rolebinding.rbac.authorization.k8s.io/chen_rolebindind created

#查看chen用户的token 登录dashboard 验证(该 token 是长期有效的凭据,与 chen.key 一样需要妥善保管;Kubernetes 1.24 及以后不再自动为 sa 创建 token secret,需改用 kubectl create token chen 或手动创建 secret)

[root@master1 chen]# kubectl get secret  chen-token-h2d8l -o jsonpath={.data.token} | base64 -d 
eyJhbGciOiJSUzI1NiIsImtpZCI6ImswYXhTbEtMZE5udEJzdnNKTUNfNURpY2NzVkxQZTBmMTgyY0p0VGpveHcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNoZW4tdG9rZW4taDJkOGwiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2hlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYzBjYjg3LTNkY2QtNDc0OC1hM2VlLTAyM2VlNTU5YTY5NiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmNoZW4ifQ.X18a6j69NwQSkzbMkhDNfreifvOAOfaQbSvDi_hYmwDV28eCSdCHgoALMLd-fOq2Fno0XKdu5sbvyv8tzaMw72u1b5ZxnH1wIeSc54ILrZYLY4iOanYD-lat7tI66Nu3UrBZMThjDZ22aoXEAACe3p-hVYLBfImFrikI2V6cTc-QINtWxsJLIuRWEYOuKMz64yApP6QVbbsSfUm465CG9sKZ9rAqsqEA-Om5bGmPAY7DFMLIUz6b7RunuD-QL1wnkZ0VjI7LdqlMAibALHzPMfwgemWqQGCNXMjoV0O7sVsiLotuftrc_gjEVlquPFpH_z65iUi4r_fkcJ7qHYTwVw[root@master1 chen]#

 

 

# 也可以把 token 写入 kubeconfig 的 user 字段(例如 kubectl config set-credentials chen --token=<token> --kubeconfig=./config),然后把该文件下载下来,在 dashboard 通过 kubeconfig 方式登录

 

 # 验证kubectl 权限 刚才增加了几条权限 

 

 

 

#验证完毕 本次部署完成

 

来源: https://www.cnblogs.com/Chen-PY/p/16481831.html