未特别说明的情况下,以下操作均在 /etc/kubernetes/pki 目录下执行(该目录存放集群 CA 的 ca.crt / ca.key,需要 root 权限)

root@master:/etc/kubernetes/pki# cd /etc/kubernetes/pki

1,创建用户密钥

root@master:/etc/kubernetes/pki# openssl genrsa -out  leeqiand.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
...........................+++++
e is 65537 (0x010001)

2,创建证书签署请求

# CN = 用户名(Kubernetes 以客户端证书的 CN 作为用户名,须与后文 RoleBinding 中 subjects.name 保持一致)

root@master:/etc/kubernetes/pki# openssl req -new -key leeqiand.key -out leeqiand.csr -subj "/CN=leeqiand"

3,用集群 CA 签署证书(有效期由 -days 决定,请按实际需要设置)

root@master:/etc/kubernetes/pki# openssl  x509 -req -in leeqiand.csr -CA ca.crt -CAkey ca.key  -CAcreateserial -out leeqiand.crt -days 365
Signature ok
subject=CN = leeqiand
Getting CA Private Key

查看生成的文件

root@master:/etc/kubernetes/pki# ls |grep leeqiand
leeqiand.crt
leeqiand.csr
leeqiand.key

4,创建kubeconfig文件

创建集群信息

--server 填写实际的 API server 地址即可(本例为 https://10.0.2.2:6443)

    root@master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes --certificate-authority=ca.crt --embed-certs=true --server=https://10.0.2.2:6443 --kubeconfig=leeqiand.kubeconfig
    Cluster "kubernetes" set.



    root@master:/etc/kubernetes/pki# cat leeqiand.kubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: (base64 编码的 CA 证书数据,此处省略)
        server: https://10.0.2.2:6443
      name: kubernetes
    contexts: null
    current-context: ""
    kind: Config
    preferences: {}
    users: null

创建用户凭据(--embed-certs=true 会把用户证书和私钥一并写入 kubeconfig)

root@master:/etc/kubernetes/pki# kubectl config set-credentials leeqiand --client-certificate=/etc/kubernetes/pki/leeqiand.crt --client-key=/etc/kubernetes/pki/leeqiand.key --embed-certs=true --kubeconfig=leeqiand.kubeconfig
User "leeqiand" set.


创建context

root@master:/etc/kubernetes/pki# kubectl config set-context leeqiand@kubernetes --cluster=kubernetes --user=leeqiand --kubeconfig=leeqiand.kubeconfig
Context "leeqiand@kubernetes" created.


5,创建role以及rolebinding

(任意目录)

role以及rolebinding网上资料较多,仅做一简单范例

role:

root@master:~/kube/sa# cat role.yaml 
# Namespace-scoped Role: grants the listed verbs on pods in "default" only.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: lee
rules:
- apiGroups: [""] 
  resources: ["pods"]
  # No "delete" on purpose — step 7 below confirms delete is refused.
  # create/update/patch let the holder launch workloads in this namespace
  # (step 7 runs an nginx pod); keep the verb list to what the user actually needs.
  verbs: ["get", "watch", "list", "create", "update", "patch"]

rolebinding

root@master:~/kube/sa# cat rolebind.yaml 
# Binds Role "lee" (same namespace) to the certificate-authenticated user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mytest
  namespace: default
subjects:
# kind: User — the identity is taken from the client certificate's CN
# (the CSR above used /CN=leeqiand), so this name must match that CN exactly.
- kind: User
  name: leeqiand 
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: lee 
  apiGroup: rbac.authorization.k8s.io

创建:

root@master:~/kube/sa# kubectl  create -f role.yaml 
role.rbac.authorization.k8s.io/lee created
root@master:~/kube/sa# kubectl  create -f rolebind.yaml 
rolebinding.rbac.authorization.k8s.io/mytest created
root@master:~/kube/sa# kubectl  get role,rolebinding
NAME                                 CREATED AT
role.rbac.authorization.k8s.io/lee   2022-03-02T09:12:25Z

NAME                                           ROLE       AGE
rolebinding.rbac.authorization.k8s.io/mytest   Role/lee   42s


 

6,将配置文件分发给普通用户(该 kubeconfig 内嵌了用户私钥,应只允许该用户读取,例如 chmod 600)

root@master:/etc/kubernetes/pki# cp leeqiand.kubeconfig  /home/lee/.kube/config
root@master:/etc/kubernetes/pki# chown lee:lee /home/lee/.kube/config 

切换到普通用户

root@master:/etc/kubernetes/pki# su - lee
lee@master:~$ cd .kube/
lee@master:~/.kube$ ls
config

lee@master:~/.kube$ kubectl  get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

因为 kubeconfig 中尚未设置 current-context(为空时 kubectl 会回退到默认的 localhost:8080),需手动修改 config,补充如下内容:

lee@master:~/.kube$ vim config 

contexts:
- context:
    cluster: kubernetes
    user: leeqiand
  name: leeqiand@kubernetes
current-context: leeqiand@kubernetes


7,测试

由于我们授予了 create 权限,所以可以创建 pod;但没有授予 delete 权限,所以无法删除 pod。以下测试结果与预期相符:

lee@master:~/.kube$ kubectl  get pods 
NAME   READY   STATUS    RESTARTS        AGE
dns    1/1     Running   22 (165m ago)   21d
lee@master:~/.kube$ kubectl  run nginx --image=nginx
pod/nginx created
lee@master:~/.kube$ kubectl  get pods 
NAME    READY   STATUS    RESTARTS        AGE
dns     1/1     Running   22 (165m ago)   21d
nginx   1/1     Running   0               10s
lee@master:~/.kube$ kubectl  delete pod nginx
Error from server (Forbidden): pods "nginx" is forbidden: User "leeqiand" cannot delete resource "pods" in API group "" in the namespace "default"
lee@master:~/.kube$ 
