k8s_secret_kubeconfig
2.創建用戶授權-kubeconfig
- 需要使用 openssl 工具手動創建單用戶的證書文件
- 用於命令行管理 k8s 集群
2.1.創建用戶證書文件
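# Create the directory that holds per-user credential material under the
# cluster PKI directory. The three steps are chained with && so that, if
# /etc/kubernetes/pki is missing (e.g. not a control-plane node), nothing is
# created in the caller's current directory and the later key/cert files do
# not silently land in the wrong place.
cd /etc/kubernetes/pki && mkdir -p users && cd users
# Write the openssl.cnf shown below into this directory.
vim openssl.cnf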
------------------------
# Section read by `openssl req` (the CSR step below).
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
# Intentionally empty: `openssl req` requires the referenced section to exist,
# but the subject is passed on the command line with -subj, so no prompts.
[req_distinguished_name]
# CA profile. Not used by any command on this page; kept for completeness.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# Server (TLS endpoint) profile. Not used by any command on this page.
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Client profile selected by `-extensions v3_req_client` when signing
# devuser.crt: CA:FALSE prevents the user certificate from being used to sign
# further certificates, and the clientAuth EKU marks it as a TLS client
# certificate, which is what the API server expects for authentication.
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
------------------------
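# Generate the user's RSA private key. This file is the user's credential and
# is later embedded into the kubeconfig, so restrict it to the owner at once
# rather than relying on the umask in effect.
openssl genrsa -out devuser.key 2048
chmod 600 devuser.key
# Create the certificate signing request. Kubernetes derives the username
# from the subject CN and the group(s) from each O, so "/CN=devuser/O=zuiyoujie"
# authenticates as user "devuser" in group "zuiyoujie"; the RBAC bindings
# below refer to the CN value.
openssl req -new -key devuser.key -subj "/CN=devuser/O=zuiyoujie" -out devuser.csr
# Sign the CSR with the cluster CA, applying the v3_req_client section of
# openssl.cnf (clientAuth EKU, CA:FALSE). -CAcreateserial writes ../ca.srl on
# first use.
# NOTE(review): the API server does not check revocation for client
# certificates, so -days 3650 makes this a ten-year credential that can only be
# withdrawn by removing the user's RBAC bindings; size -days to the period the
# user actually needs access.
openssl x509 -req -in devuser.csr -CA ../ca.crt -CAkey ../ca.key -CAcreateserial \
  -extensions v3_req_client -extfile openssl.cnf -out devuser.crt -days 3650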
2.2.使用用戶證書生成 kubeconfig 配置文件
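# Cluster entry: the CA that signed the API server certificate plus the API
# server endpoint, written to a kubeconfig file named "devuser" in the current
# directory. The variable is quoted so the URL is passed as one argument even
# if it ever contains shell-special characters.
export KUBE_APISERVER="https://{{K8S_MASTER_IP}}:6443"
kubectl config set-cluster {{K8S_CLUSTER_NAME}} \
  --certificate-authority=../ca.crt \
  --server="${KUBE_APISERVER}" \
  --embed-certs=true \
  --kubeconfig=devuser
# User entry: the client certificate and key created above. --embed-certs
# copies the private key itself into the kubeconfig, so the resulting file is a
# credential and must be handled like devuser.key.
kubectl config set-credentials devuser \
  --client-certificate=devuser.crt \
  --client-key=devuser.key \
  --embed-certs=true \
  --kubeconfig=devuser
# Context: ties the user to the cluster. --namespace only sets the default
# namespace for kubectl; the RBAC manifests below still have to grant access
# to it.
kubectl config set-context {{K8S_CLUSTER_NAME}} \
  --cluster={{K8S_CLUSTER_NAME}} \
  --namespace=test01 \
  --user=devuser \
  --kubeconfig=devuser
# Make that context the active one in the file.
kubectl config use-context {{K8S_CLUSTER_NAME}} --kubeconfig=devuser
# Done: a kubeconfig named "devuser" now exists in the current directory.
# Ensure it is owner-readable only before handing it to the user, since it
# embeds the private key.
chmod 600 devuser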
2.3.配置 namespace 的訪問授權
- 為單個用戶 devuser 創建 namespace 的相關授權,用於查看和切換 namespace
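# Keep the RBAC manifests together under /opt/k8s/grant. Chaining with &&
# stops here if the directory cannot be created or entered, instead of
# editing the manifest in whatever directory the shell happens to be in.
mkdir -p /opt/k8s/grant && cd /opt/k8s/grant
vim k8s_create_kubeconfig_ClusterRoleNamespace.yaml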
-------------------------------
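# RBAC that lets an ordinary user view and switch namespaces.
# "namespaces" is a cluster-scoped resource, so this has to be a ClusterRole
# bound through a ClusterRoleBinding; a RoleBinding cannot grant it.
# Indentation restored: without it the keys below metadata/rules are parsed
# as top-level keys and the manifest is rejected.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devuser-ns
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
  - apiGroups:
      - ""              # core API group
    resources:
      - namespaces
    verbs:              # read-only; note this lets the user enumerate the
      - get             # names of every namespace in the cluster, not only
      - list            # the ones granted in the RoleBindings below
# Bind the rule to the user whose certificate CN is "devuser".
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devuser-ns
subjects:
  - kind: User
    name: devuser       # must match the CN in devuser.crt exactly
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devuser-ns
  apiGroup: rbac.authorization.k8s.io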
---------------------------------
# 應用授權配置
kubectl apply -f k8s_create_kubeconfig_ClusterRoleNamespace.yaml
2.4.配置 k8s 集群的操作權限
- 為單個用戶 devuser 創建 k8s 集群的操作權限
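# Same working directory as the namespace manifest. Chaining with && stops
# here if the directory cannot be created or entered, instead of editing the
# manifest in whatever directory the shell happens to be in.
mkdir -p /opt/k8s/grant && cd /opt/k8s/grant
vim k8s_create_kubeconfig_ClusterRoleUser.yaml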
--------------------------------
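# ClusterRole listing what the user may do. It is NOT cluster-wide by itself:
# the RoleBindings below reference it, and a ClusterRole referenced from a
# RoleBinding only applies inside that RoleBinding's namespace.
# Indentation restored: the flattened form is not a valid manifest.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devuser
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach     # "create" on pods/exec and pods/attach allows running
      - pods/exec       # commands inside any pod of the bound namespaces, with
      - pods/log        # whatever service account those pods hold; drop both
      - pods/status     # if interactive access is not actually required
      - configmaps
      - services
    verbs:
      - get
      - list
      - watch
      - create          # applies to every resource above, including pods
      - describe        # not an API verb (kubectl describe uses get/list);
                        # grants nothing, kept as the author wrote it
  - apiGroups:
      - extensions
      - apps
      - networking.k8s.io   # ingresses live here since v1.19; extensions/
                            # ingresses was removed in v1.22
    resources:
      - deployments
      - deployments/status
      - replicasets
      - replicasets/status
      - daemonsets
      - daemonsets/status
      - ingresses
      - ingresses/status
    verbs:
      - get
      - list
      - watch
      - describe
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes           # node metrics are cluster-scoped, so this entry has
                        # no effect through a RoleBinding; `kubectl top nodes`
                        # would need a ClusterRoleBinding
    verbs:
      - get
      - list
      - watch
# Grant the ClusterRole above inside each namespace the user may work in.
# apiVersion changed from rbac.authorization.k8s.io/v1beta1 to v1: v1 is what
# the other manifests on this page use, and v1beta1 was removed in v1.22.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test01
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser       # must match the CN in devuser.crt exactly
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test02
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test03
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io
---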
---------------------------------
# 應用授權配置文件
kubectl apply -f k8s_create_kubeconfig_ClusterRoleUser.yaml
2.5.檢查綁定的授權規則
[root@zuiyoujie grant]# kubectl describe clusterrole devuser
Name: devuser
Labels: rbac.zuiyoujie.com/name=devuser
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [get list watch create describe]
pods/attach [] [] [get list watch create describe]
pods/exec [] [] [get list watch create describe]
pods/log [] [] [get list watch create describe]
pods/status [] [] [get list watch create describe]
pods [] [] [get list watch create describe]
services [] [] [get list watch create describe]
daemonsets.apps/status [] [] [get list watch describe]
daemonsets.apps [] [] [get list watch describe]
deployments.apps/status [] [] [get list watch describe]
deployments.apps [] [] [get list watch describe]
ingresses.apps/status [] [] [get list watch describe]
ingresses.apps [] [] [get list watch describe]
replicasets.apps/status [] [] [get list watch describe]
replicasets.apps [] [] [get list watch describe]
daemonsets.extensions/status [] [] [get list watch describe]
daemonsets.extensions [] [] [get list watch describe]
deployments.extensions/status [] [] [get list watch describe]
deployments.extensions [] [] [get list watch describe]
ingresses.extensions/status [] [] [get list watch describe]
ingresses.extensions [] [] [get list watch describe]
replicasets.extensions/status [] [] [get list watch describe]
replicasets.extensions [] [] [get list watch describe]
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
[root@zuiyoujie grant]# kubectl describe clusterrole devuser-ns
Name: devuser-ns
Labels: rbac.zuiyoujie.com/name=devuser
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [] [get list]