Creating a k8s User Account
Creating a normal user with openssl
Preparation
mkdir /root/pki/
# copy the k8s CA certificate (ca.pem) and key (ca-key.pem) into this directory
cp /opt/kubernetes/ssl/ca-key.pem /root/pki/
cp /opt/kubernetes/ssl/ca.pem /root/pki/
I. Creating the certificate
1. Create the user's private key
(umask 077;openssl genrsa -out dev.key 2048)
2. Create the certificate signing request
O = organization, CN = user name
openssl req -new -key dev.key -out dev.csr -subj "/O=k8s/CN=dev"
3. Sign the certificate with the cluster CA
openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dev.crt -days 365
Signature ok
subject=/O=k8s/CN=dev
II. Creating the kubeconfig file
kubectl config set-cluster NAME --kubeconfig=/PATH/TO/SOMEFILE      # cluster entry
kubectl config set-credentials NAME --kubeconfig=/PATH/TO/SOMEFILE  # user entry
kubectl config set-context NAME                                      # context entry
kubectl config use-context NAME                                      # switch context
* --embed-certs=true embeds the certificate data itself in the config file instead of recording the certificate file paths.
* --kubeconfig=/root/dev.conf writes a new config file; without this option the entries are added to .kube/config in the home directory, and use-context can then be used to switch between users for managing the k8s cluster.
* A context is simply which user manages which cluster, i.e. the combination of a user and a cluster.
Create the cluster entry
kubectl config set-cluster k8s --server=https://192.168.124.61:6443 \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --kubeconfig=/root/dev.conf
Create the user entry
kubectl config set-credentials dev \
  --client-certificate=dev.crt \
  --client-key=dev.key \
  --embed-certs=true \
  --kubeconfig=/root/dev.conf
Create the context entry
kubectl config set-context dev@k8s \
  --cluster=k8s \
  --user=dev \
  --kubeconfig=/root/dev.conf
Switch context
kubectl config use-context dev@k8s --kubeconfig=/root/dev.conf
kubectl config view --kubeconfig=/root/dev.conf
Create a system user
useradd dev
mkdir -p /home/dev/.kube
cp /root/dev.conf /home/dev/.kube/config
chown -R dev:dev /home/dev/
su - dev
Verify the kubeconfig against k8s
kubectl get pod
This fails at this point because no permission binding has been created yet.
Create a Role
cat >role.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
# a Role is namespaced; with no namespace set it is created in the current namespace (default)
metadata:
  name: pods-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
Create a RoleBinding
Bind user dev to the role pods-reader
root@k8s-master:~# cat >test-pods-reader.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cbmljs-pods-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
EOF
At this step the access can be verified
kubectl get pod
We can now view the pods in the default namespace, but pods in other namespaces still cannot be viewed.
Create a ClusterRole
root@k8s-master:~# cat cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
Create a ClusterRoleBinding
root@k8s-master:~# cat cbmljs-read-all-pod.yaml
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: billy-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
Verify the result
kubectl get pod --all-namespaces
Now the pods in all namespaces are visible.
Binding permissions to a specific namespace
The following method can also be used for the binding
kubectl get clusterrole    # list the built-in roles
# devuser-admin-rolebinding: name of the RoleBinding
# --clusterrole=admin: the built-in ClusterRole admin, which carries the highest namespace-level privileges
# --user=devuser: grants admin's permissions to the user devuser
# --namespace=dev: the grant is scoped to the dev namespace only
kubectl create rolebinding devuser-admin-rolebinding --clusterrole=admin --user=devuser --namespace=dev
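To make the namespace scoping described above concrete, here is an added example (not code from the original post or from Kubernetes) that transcribes the page's pods-reader Role, cluster-reader ClusterRole and their bindings into plain Python dicts and evaluates requests the way the RBAC authorizer does: a RoleBinding only grants inside its own namespace, a ClusterRoleBinding grants everywhere, and a RoleBinding that references a ClusterRole (as with the admin example) grants that ClusterRole's rules in one namespace only. The user names, namespaces and the `can_i` helper are constructed for the example.

```python
"""Mini RBAC evaluator for the objects created on this page (added example).

The rules are transcribed from the page's manifests into dicts so that the
namespace behaviour can be checked offline without a cluster. Like the real
authorizer, a request is allowed if ANY rule of ANY binding naming the user
matches; there are no deny rules."""

PODS_READ = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]

# Constructed from the page: the Role lives in default, the ClusterRole has no namespace.
ROLES = {("Role", "default", "pods-reader"): PODS_READ,
         ("ClusterRole", None, "cluster-reader"): PODS_READ}

def rule_matches(rule, group, resource, verb):
    """A rule matches when apiGroup, resource and verb are each listed or wildcarded."""
    def hit(allowed, want):
        return "*" in allowed or want in allowed
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(bindings, user, verb, resource, namespace, group=""):
    """Return True if user may perform verb on resource in namespace (mirrors kubectl auth can-i)."""
    for b in bindings:
        if user not in b["users"]:
            continue
        # A RoleBinding only applies to requests in its own namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref_kind, ref_name = b["roleRef"]
        ns = b["namespace"] if ref_kind == "Role" else None   # ClusterRoles are not namespaced
        if any(rule_matches(r, group, resource, verb) for r in ROLES.get((ref_kind, ns, ref_name), [])):
            return True
    return False

# First step on the page: RoleBinding in default only.
ROLE_BINDING = {"kind": "RoleBinding", "namespace": "default",
                "roleRef": ("Role", "pods-reader"), "users": ["dev"]}
# Second step: ClusterRoleBinding, which lifts the namespace restriction.
CLUSTER_BINDING = {"kind": "ClusterRoleBinding", "namespace": None,
                   "roleRef": ("ClusterRole", "cluster-reader"), "users": ["dev"]}
# Last variant: a ClusterRole bound through a RoleBinding applies in that namespace only.
NS_BINDING = {"kind": "RoleBinding", "namespace": "dev",
              "roleRef": ("ClusterRole", "cluster-reader"), "users": ["devuser"]}

if __name__ == "__main__":
    print(can_i([ROLE_BINDING], "dev", "list", "pods", "default"))                     # True
    print(can_i([ROLE_BINDING], "dev", "list", "pods", "kube-system"))                 # False
    print(can_i([ROLE_BINDING, CLUSTER_BINDING], "dev", "list", "pods", "kube-system")) # True
    print(can_i([NS_BINDING], "devuser", "get", "pods", "default"))                    # False
```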
Extension:
kubectl api-resources    # lists the available apiGroups and resources
Example:
Create a cluster role
cat clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["namespaces", "namespaces/status"]
  verbs: ["*"]   # ['*'] also works
- apiGroups: ["", "apps", "extensions", "apiextensions.k8s.io"]
  # resource names are plural: "roles", not "role"
  resources: ["roles", "replicasets", "deployments", "customresourcedefinitions", "configmaps"]
  verbs: ["*"]
Cluster binding
[root@master role]# cat test-classbind.yaml
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
Reference:
https://blog.csdn.net/cbmljs/article/details/102953428