K8s新建用户制作证书绑定角色

yevvzi 2020-04-26

K8s新建用户制作证书绑定角色
role roulebind clustrrole clustrrloebinding
Kubeadm 创建的k8s集群默认证书有限期为三年,三年后会过期

Kubernetes创建一个集群用户连接API-Server 使用命令模式
#可以用现有用户的CA证书 【ca.crt ca.key】 去签署一个新创建的用户,进行绑定 文件默认路径/etc/Kubernetes/pki/

  1. 创建私钥
    Cd /etc/Kubernetes/pki/
    Openssl genrsa -out sunwenbo,key 2048

  2. 生成证书签署请求
    Openssl req -new -key sunwenbo.key -out sunwenbo.csr -subj “/CN=sunwenbo”

  3. 用CA证书签证
    Openssl x509 -req -in sunwenbo.csr -CA ./ca.crt -Cakey ./ca.key -CAcreateserial -out sunwenbo.crt -days 365

  4. 查看签署后的证书内容
    Openssl x509 -in sunwenbo.crt -text -noout

  5. 创建一个新的集群用户,使用自签证书和私钥 –embed-certs=true 将证书和私钥隐藏

Kubectl config set-credentials sunwenbo –client-certificate=./sunwenbo.crt –client-key=./sunwenbo,key –embed-certs=true
Kubectl config view #查看会多出一个users

  1. 设置上下文,让新建sunwenbo的用户也可以去访问kubernetes集群
    Kubectl config set-context –cluster=Kubernetes –user=sunwenbo
    Kubectl config view #查看会多出一个context

  2. 切换账号
    Kubectl config use-context
    Kubectl get pods
    #此时会提示 No resources found Error from server (forbiddent): pods is forbiddent: User “sunwenbo”cannot list pods in the namespace “default”
    #原因是我们只是有了一个可登录的用户,但是这个用户并没有任何权限。

1#创建一个自定义的集群
Kubectl config set-cluster mycluster –kubeconfig=/tmp/mycluster.conf –server=”IP:端口号” –certificate-authority=/etc/Kubernetes/pki/car.crt –embed-certs=true
#查看自定义集群的信息
Kubectl config view –kubeconfig=/tmp/mycluster.conf

创建role角色和绑定

  1. 创建一个role
    Kubectl create role pods-reader –verb=get,list,watch –resource=pods –dry -run -o yaml >role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
  createionTimestamp: null
  name: pods-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch
kubectl apply -f role.yaml
    kubectl get role
    kubectl describe role pods-reader
  1. 创建一个rolebinding,将角色绑定到一个用户
    Kubectl create rolebinging sunwenbo-read-pods --role=pods-reader –user=sunwenbo –dry -run -o yaml >rolebanging.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
   creationTimestamp: null
   name: sunwenbo-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kubectl apply -f rolebanging.yaml
kubectl describe rolebinding sunwenbo-erad-pods #查看详细内容
  1. 切换用户验证
    kubectl config use-context
    kubect get pod #只能查看default 名称空间下的资源,如果是其他名称空间,创建role时指定namespace 即可

创建clusterrole可以访问所有名称空间

  1. 创建clusterrole
    Kubectl create clusterrole cluster-reader –verb=get,list,watch –resource=pods –dry -run -o yaml > cluster.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch
kubectl apply -f cluster.yaml
    kubectl get role
    kubectl describe role cluster-reader
  1. 绑定role
    #如果这个用户已经绑定了其他role需要将rolebanding删掉,删除立即生效
    kubectl delete rolebinding sunwenbo-read-pods

kubectl create clusterrolebinging admin-read-pods --clusterrole=cluster-reder –user=sunwenbo –dry -run -o yaml > clusterrolebinging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
   name: admin-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cluster-reder
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: sunwenbo
  1. 切换用户验证
    kubectl config use-context
    kubect get pod #可以查看所有名称空间下的资源,但是只有get,list,watch权限

#rolebinding绑定clusterbinding,clusterbinding会自动降级,跟随rolebinding定义的权限规则

#给用户绑定系统默认role,可以指定拥有某个名称空间的权限
kubectl create rolebinging default-ns-admin --clusterrole=admin –user=sunwenbo –dry -run -o yaml > default-user-banding.yaml

相关推荐