参考:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
1·创建个人证书
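# Generate the user's private key. It is the user's credential: keep it owner-readable only.
openssl genrsa -out zhanglei.key 2048
chmod 600 zhanglei.key
# Create the certificate signing request.
# Kubernetes derives the username from CN and group membership from O, so the CN must be
# the exact name referenced by the ClusterRoleBinding subject (the kubeconfig user label and
# file names are irrelevant to the API server), and O must never be system:masters.
openssl req -new -key zhanglei.key -out zhanglei.csr -subj "/O=org/CN=zhanglei"
# Sign the request with the cluster CA. This needs the CA private key (control-plane node,
# root only) and bypasses the CSR API, so nothing is audited. Kubernetes checks no CRL/OCSP,
# so an issued client certificate cannot be revoked: keep -days as short as practical.
openssl x509 -req -in zhanglei.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out zhanglei.crt -days 365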
2·生成配置文件
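# Cluster entry: pin the API server's CA so the client verifies the server certificate
# (never substitute --insecure-skip-tls-verify here).
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.110.6:6443 \
  --kubeconfig=./config
# User entry: with --embed-certs the private key is copied into ./config itself.
kubectl config set-credentials zhanglei \
  --client-certificate=zhanglei.crt \
  --client-key=zhanglei.key \
  --embed-certs=true \
  --kubeconfig=./config
# Context tying the cluster entry and the user entry together.
kubectl config set-context zhanglei-config \
  --cluster=kubernetes \
  --user=zhanglei \
  --kubeconfig=./config
# Make it the default context of this kubeconfig.
kubectl config use-context zhanglei-config \
  --kubeconfig=./config
# The file now contains a private key: restrict it before handing it to the user.
chmod 600 ./config
# Sanity check: lists what the API server lets this certificate's CN do (should be
# empty until the ClusterRoleBinding below is applied).
kubectl --kubeconfig=./config auth can-i --list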
3.设置权限
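---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped: metadata.namespace has no meaning here and
  # is dropped (the original carried "namespace: loggie").
  name: loggie-user-role
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods/log
    # "patch" and "update" were listed as resources in the original; they are
    # verbs, match no resource and are removed from this rule.
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - pods
      - serviceaccounts
      - namespaces
    # SECURITY: cluster-wide create/update on pods lets the holder run privileged
    # or hostPath pods in any namespace, including kube-system, which is
    # node/cluster-admin equivalent. If the user only deploys into the loggie
    # namespace, grant this rule through a RoleBinding there instead.
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - patch
      - update
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    # serviceaccounts live in the core group (granted above) and do not exist
    # in rbac.authorization.k8s.io; the entry was removed.
    resources:
      - clusterrolebindings
      - clusterroles
    # SECURITY: write access to clusterroles/clusterrolebindings is a
    # privilege-escalation path. RBAC escalation prevention only blocks granting
    # permissions the holder does not already have, and this role already holds
    # broad cluster-wide rights. Drop "create/patch/update/delete" here unless
    # the user really installs RBAC manifests.
    verbs:
      - create
      - patch
      - update
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
      - configmaps
      - services
    verbs:
      - get
      - watch
      - list
      - update
      - create
      - patch
  - apiGroups:
      # extensions/deployments was removed in Kubernetes 1.16; kept for old clusters.
      - extensions
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
    # A DaemonSet schedules a pod on every node, so create/update here has the
    # same node-wide impact as the pod rule above.
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
      - delete
  - apiGroups:
      - loggie.io
    resources:
      - logconfigs
      - logconfigs/status
      - clusterlogconfigs
      - clusterlogconfigs/status
      - sinks
      - interceptors
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - list
      - update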
4.绑定权限
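---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped; metadata.namespace is dropped because
  # it does not limit the grant (a RoleBinding would be needed for that).
  name: loggie-user-role-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: loggie-user-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    # Must equal the CN of the client certificate issued in step 1; the API
    # server ignores the kubeconfig user label and the file names. The original
    # bound "loggie" while the certificate was issued for a different CN, so the
    # role would never have applied to that user.
    name: zhanglei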
5.通过 CSR API 创建用户（无需在 master 节点上直接使用 CA 私钥签名，审批过程可被审计）
创建private key
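# Private key for the new user; it is the credential itself, so keep it owner-readable only.
openssl genrsa -out john.key 2048
chmod 600 john.key
# CN becomes the Kubernetes username; add /O=<group> only for groups the user should join.
openssl req -new -key john.key -out john.csr -subj "/CN=john"
# Inspect the request (subject, key size) before submitting it; -noout suppresses the PEM dump.
openssl req -in john.csr -noout -text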
任何对 certificatesigningrequests 拥有 create 权限的用户都可以提交 CSR(CertificateSigningRequest)；提交本身不授予任何权限，只有管理员批准后才会签发证书
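# Submit the CSR through the Kubernetes API; the request field is the base64 of the PEM CSR.
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  request: $(base64 < john.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  # Requested validity (honoured by kube-apiserver >= 1.22; the signer may cap it lower).
  # Kubernetes cannot revoke an issued client certificate, so ask for a short lifetime.
  expirationSeconds: 86400
  usages:
    - client auth
EOF
# The CSR stays Pending until an administrator approves it.
kubectl get csr john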
k8s管理员批准CSR,并导出证书
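# Approval turns whatever identity the CSR claims into a valid cluster credential.
# Verify the subject first (CN = username, O = groups) and refuse anything naming a
# group such as system:masters or a CN you did not expect.
kubectl get csr john -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
kubectl certificate approve john
# Export the issued certificate for the user's kubeconfig (pair it with john.key).
kubectl get csr john -o jsonpath='{.status.certificate}' | base64 -d > john.crt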