22. Kubernetes (k8s) notes: authentication, authorization and admission control (


Author: Bigyong | Published 2021-12-29 22:24

    Contents
    User Accounts authentication
    The kubeconfig file
    3 ways of pointing kubectl at a kubeconfig file
    Common commands for inspecting kubeconfig files
    Example 1: create a kubeconfig for a new account with an openssl-issued certificate
    Example 2: merge the credentials into the default kubeconfig (tom.crt was created in example 1)

    User Accounts authentication

    The kubeconfig file

    As mentioned earlier, all communication with the Kubernetes API goes over HTTPS, and every request has to be authenticated. For example, a command typed at the shell such as

    [root@k8s-master ~]# kubectl get pod
    

    goes through HTTPS authentication. Each kubectl invocation opens a fresh TLS session, and HTTP itself is stateless, so every request must carry its credentials (the CA certificate used to verify the server, plus a client certificate and key or a token). Passing all of this on the command line each time would be very inconvenient, so Kubernetes uses a kubeconfig file to bundle the connection and authentication information that kubectl attaches to every request.

    kubeconfig file: 3 search paths, in priority order

    1. The --kubeconfig flag, highest priority; only that file is loaded
    2. The $KUBECONFIG environment variable, a colon-separated list of files that are merged
    3. $HOME/.kube/config in the user's home directory

    kubeconfig file:

    Bundles user names, authentication material and cluster endpoints into one file used to authenticate to the API server; a single file can hold m clusters and n sets of credentials.


    • The kubectl options show that the CA, certificate and key can also be passed directly as flags
    [root@k8s-master kubernetes]# kubectl options 
    The following options can be passed to any command:
    
          --add-dir-header=false: If true, adds the file directory to the header of the log messages
          --alsologtostderr=false: log to standard error as well as files
          --as='': Username to impersonate for the operation
          --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
          --cache-dir='/root/.kube/cache': Default cache directory
          --certificate-authority='': Path to a cert file for the certificate authority
          --client-certificate='': Path to a client certificate file for TLS   # client certificate
          --client-key='': Path to a client key file for TLS   # client private key
          --cluster='': The name of the kubeconfig cluster to use
          --context='': The name of the kubeconfig context to use
          --insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for validity. This will
    make your HTTPS connections insecure
    ...
    
    • The kubeconfig file
    • contains roughly 4 kinds of information; one file can hold m clusters and n credentials:
    1. clusters: the Kubernetes clusters to access (API server URL and the CA certificate used to verify it)
    2. contexts: named bindings of a cluster, a user and optionally a namespace
    3. current-context: the context used when none is given on the command line
    4. users: the credentials, e.g. client certificate and key, or a bearer token
    Default config files written by kubeadm
    [root@k8s-master core]# cd /etc/kubernetes/
    
    [root@k8s-master kubernetes]# ll  # the config files present after the cluster is installed; every .conf is mode 0600 and owned by root because each one is a credential
    total 32
    -rw------- 1 root root 5565 Jun 29 01:42 admin.conf   # administrator kubeconfig (cluster-admin, treat as a secret)
    -rw------- 1 root root 5601 Jun 29 01:42 controller-manager.conf  # kube-controller-manager kubeconfig
    -rw------- 1 root root 1933 Jun 29 01:43 kubelet.conf    # kubelet kubeconfig
    drwx------ 2 root root  113 Jun 29 01:42 manifests   # static pod manifests of the control plane
    drwxr-xr-x 3 root root 4096 Jun 29 01:42 pki   # cluster CA and component certificates
    -rw------- 1 root root 5541 Jun 29 01:42 scheduler.conf   # kube-scheduler kubeconfig
    
    [root@k8s-master kubernetes]# cat admin.conf 
    apiVersion: v1
    clusters:  # cluster information
    - cluster:   # the CA certificate kubectl uses to verify the API server's certificate
        certificate-authority-data: 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
        server: https://192.168.4.170:6443
      name: kubernetes  # cluster name
    contexts:   # a context ties a cluster to a user; entries are not one-to-one, so one user can manage several clusters from one file
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes   
    current-context: kubernetes-admin@kubernetes  # the cluster/user pair in effect
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin  # user information
      user: # client certificate and private key (kubeadm issues this one with CN=kubernetes-admin, O=system:masters, i.e. cluster-admin)
        client-certificate-data: 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
        client-key-data: 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
    
    3 ways of pointing kubectl at a kubeconfig file
    • Method 1: pass the file on the command line
    [root@k8s-master ~]# kubectl --kubeconfig=/etc/kubernetes/admin.conf get pod   # explicit config path; this is the same file the kubeadm init output tells us to copy into the home directory
    NAME                                 READY   STATUS    RESTARTS   AGE
    centos-deployment-66d8cd5f8b-9x47c   1/1     Running   1          44h
    demodb-0                             1/1     Running   0          21h
    demodb-1                             1/1     Running   0          19h
    
    • Method 2: through the environment variable
    [root@k8s-master ~]# export KUBECONFIG=/etc/kubernetes/admin.conf  # via the environment variable
    [root@k8s-master ~]# echo $KUBECONFIG
    /etc/kubernetes/admin.conf
    
    • Method 3: copy it into the home directory
    • The kubeadm init output tells us to copy the admin file into the home directory (the chown makes it readable by the regular user; keep it mode 0600, it grants cluster-admin). The join command printed at the end carries the bootstrap token and the CA public-key hash; the token is a credential as well:
    To start using your cluster, you need to run the following as a regular user:
    
      mkdir -p $HOME/.kube
      sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
      sudo chown $(id -u):$(id -g) $HOME/.kube/config
    
    You should now deploy a pod network to the cluster.
    Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
      https://kubernetes.io/docs/concepts/cluster-administration/addons/
    
    Then you can join any number of worker nodes by running the following on each as root:
    
    kubeadm join 192.168.4.170:6443 --token abcdef.0123456789abcdef \
        --discovery-token-ca-cert-hash sha256:d31662998938389c1f9e432a0c7bcef7d05678b42c2f5fd67213ed228f356db2
    
    Common commands for inspecting kubeconfig files
    [root@k8s-master ~]# kubectl config -h
    Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"
    
     The loading order follows these rules:
    
      1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
    and no merging takes place.
      2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
    delimiting rules for your system). These paths are merged. When a value is modified, it is modified
    in the file that defines the stanza. When a value is created, it is created in the first file that
    exists. If no files in the chain exist, then it creates the last file in the list.
      3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.
    
    Available Commands:
      current-context Displays the current-context
      delete-cluster  Delete the specified cluster from the kubeconfig
      delete-context  Delete the specified context from the kubeconfig
      get-clusters    Display clusters defined in the kubeconfig
      get-contexts    Describe one or many contexts
      rename-context  Renames a context from the kubeconfig file.
      set             Sets an individual value in a kubeconfig file
      set-cluster     Sets a cluster entry in kubeconfig
      set-context     Sets a context entry in kubeconfig
      set-credentials Sets a user entry in kubeconfig
      unset           Unsets an individual value in a kubeconfig file
      use-context     Sets the current-context in a kubeconfig file
      view            Display merged kubeconfig settings or a specified kubeconfig file
    
    • Show the merged default config (secret fields are printed as REDACTED; add --raw to print them). The two cluster entries named after a file path with an empty server are stale leftovers in this host's config, kubeadm does not write those; kubectl config delete-cluster removes them.
    [root@k8s-master ~]# kubectl config view 
    apiVersion: v1
    clusters:
    - cluster:
        server: ""
      name: /etc/kubernetes/admin.conf
    - cluster:
        server: ""
      name: etc/kubernetes/admin.conf
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.4.170:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    • Show the contexts of a specific config file
    [root@k8s-master ~]# kubectl config get-contexts  --kubeconfig=/etc/kubernetes/scheduler.conf
    CURRENT   NAME                               CLUSTER      AUTHINFO                NAMESPACE
    *         system:kube-scheduler@kubernetes   kubernetes   system:kube-scheduler 
    
    Example 1: create a kubeconfig for a new account with an openssl-issued certificate
    1. Create the private key
      Use openssl to issue an X.509 client certificate (TLS mutual authentication), signed by the cluster's own CA
    • In the component directory there is a single ca.crt: every control-plane client certificate is issued by this CA, and the API server only accepts client certificates that chain to it, so a certificate for our own key has to be signed by this CA too (front-proxy-ca is a separate CA used only by the aggregation layer)
    [root@k8s-master pki]# ls
    apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
    apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
    apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
    
    • Create the private key (the umask 077 makes the key file mode 0600 from the moment it is created)
    [root@k8s-master kubernetes]# mkdir usercerts
    [root@k8s-master kubernetes]# cd usercerts/
    [root@k8s-master usercerts]# (umask 077; openssl genrsa -out tom.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ...............................................................+++
    .......................+++
    e is 65537 (0x10001)
    [root@k8s-master usercerts]# ls
    tom.key
    
    • Next, the certificate. A self-signed certificate made from this key would not be accepted, because it does not chain to the cluster CA; instead a certificate signing request (CSR) is created and signed by the Kubernetes CA. The CSR command itself is not reproduced in these notes; the signing output below shows that the request carried the subject /CN=tom/O=kubeusers, and the API server maps CN to the user name and each O to a group.

    • Common openssl options
      -days  validity period in days
      -CA  the CA certificate to sign with
      -CAkey  the CA private key
      -CAcreateserial  let the CA create its serial-number file if it does not exist yet
      -in  the file to sign (the CSR)
      -out  output file

    [root@k8s-master usercerts]# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in tom.csr -out tom.crt
    Signature ok
    subject=/CN=tom/O=kubeusers
    Getting CA Private Key
    
    [root@k8s-master usercerts]# openssl x509 -in tom.crt -text -noout  # inspect the certificate: Issuer CN=kubernetes is the cluster CA, Subject CN=tom, O=kubeusers becomes user tom in group kubeusers. openssl x509 -req adds no extensions, so this is a version 1 certificate without an extendedKeyUsage; the API server still accepts it, as the Forbidden (rather than Unauthorized) response further down shows
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                bc:c3:53:df:96:10:ec:ed
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=kubernetes
            Validity
                Not Before: Aug 24 00:35:05 2021 GMT
                Not After : Aug 27 00:35:05 2031 GMT
            Subject: CN=tom, O=kubeusers
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c5:c9:3d:ac:3a:b3:9d:38:58:f1:d9:c6:21:c5:
                        d5:57:d1:a5:5d:0a:92:a1:88:3e:3c:2d:8d:2d:20:
                        b1:a4:d1:07:03:7e:72:48:dd:d9:7e:4b:b6:fc:35:
                        46:b9:60:82:c2:36:30:7d:04:8c:83:b5:7c:8a:b1:
                        20:7d:f4:b3:5c:29:f4:e0:2b:67:96:5d:b8:a6:ba:
                        4a:0c:7e:4f:6b:34:82:5b:7d:1a:8c:26:ed:91:dd:
                        62:9f:37:68:70:14:a4:cf:ea:b0:51:b3:56:9e:d6:
                        1d:64:32:66:8c:c1:9e:40:4b:20:1c:0a:8b:2c:c8:
                        94:be:10:95:29:7f:8b:6e:a1:03:32:11:31:de:c6:
                        d1:8c:64:a8:43:4b:0b:ad:ff:64:e1:17:4d:55:fe:
                        04:9f:a5:59:2b:e5:13:5e:0d:2b:c1:c7:45:f8:b3:
                        a7:ad:da:dc:e8:aa:22:5a:37:e6:ce:75:8e:bc:e3:
                        1e:eb:95:db:be:14:dd:43:1b:51:e6:94:21:10:81:
                        1c:b5:e3:2d:3e:12:b6:78:14:d4:90:8a:06:32:7e:
                        ef:90:7b:e7:26:60:38:6c:52:04:bc:91:e1:3f:db:
                        8b:8a:05:39:ad:74:99:e1:80:ae:58:d6:4a:6d:7d:
                        64:a3:bc:16:b8:7c:d6:08:33:b8:23:56:35:75:18:
                        bb:57
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             40:fe:1b:d7:c1:67:bf:15:21:be:ac:0e:fb:32:a3:1e:58:e5:
             c8:2a:3f:3a:21:87:23:9c:14:dc:05:39:fb:5f:f8:1e:f3:66:
             98:54:48:1c:25:c1:b5:bc:1c:be:7d:d6:86:7d:09:ae:7c:40:
             2d:cd:0b:5d:29:7f:67:ec:51:1b:c3:97:d3:a2:17:d4:96:04:
             17:ba:aa:79:ff:0e:d0:53:2c:81:a3:8e:05:0b:a5:f5:12:0c:
             f8:38:f1:fb:6e:bf:7b:1b:40:f0:dc:b1:5e:b1:a8:c8:fc:ec:
             92:c5:fb:6b:76:ff:7c:ab:f5:ea:94:89:8a:fd:47:cf:c8:8a:
             b6:f3:42:19:b9:b2:74:41:de:bf:66:7e:b3:e2:78:8e:e1:db:
             ac:85:2b:ed:8d:c1:55:16:0f:15:8c:72:7b:0d:7e:31:ce:06:
             ce:2e:d3:9f:77:60:22:4e:11:32:33:b6:28:d5:93:2f:c9:a5:
             4c:f6:1f:4f:7d:e7:66:e0:74:14:c4:c8:de:c1:26:1e:56:db:
             29:54:35:b9:3b:24:8b:5f:f5:81:af:30:27:f4:1f:99:a5:aa:
             8d:f3:91:c4:4f:3e:3d:12:a9:a5:85:44:0b:17:19:2a:ac:ea:
             50:3f:39:31:c5:ef:15:04:f7:bf:11:a3:57:af:8f:ce:8d:d1:
             d7:5e:c4:31
    
    
      2. Generate the kubeconfig file and configure the cluster entry, stored at /tmp/mykubeconfig (--embed-certs copies ca.crt into the file as base64 instead of recording its path)
    [root@k8s-master core]# kubectl config set-cluster kubernetes --server=https://k8s-master:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
    Cluster "kubernetes" set.
    
    [root@k8s-master ~]# cat /tmp/mykubeconfig 
    apiVersion: v1
    clusters:
    - cluster:  # cluster information: API server URL and the CA used to verify it
        certificate-authority-data: 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
        server: https://k8s-master:6443
      name: kubernetes
    contexts: null
    current-context: ""    # no context yet
    kind: Config
    preferences: {}
    users: null   # no users yet
    
      3. Configure the cluster user tom
    [root@k8s-master ~]# kubectl config set-credentials --help  # a user entry can hold several kinds of credentials: client certificate and key, bearer token, auth provider or exec plugin
    ...
    Usage:
      kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]
    [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]
    [--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg]
    [--exec-env=key=value] [options]
    
    [root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt  --client-key=./tom.key --embed-certs=true  --kubeconfig=/tmp/mykubeconfig
    User "tom" set.
    [root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://k8s-master:6443
      name: kubernetes
    contexts: null
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: tom  # user tom added
      user:
        client-certificate-data: REDACTED  # --embed-certs=true stores the file contents as base64 in the *-data fields instead of a path; config view masks secret fields as REDACTED
        client-key-data: REDACTED  # the private key is embedded too; config view --raw prints it
    
    4. Add a context that binds the cluster and the user
    [root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
    Context "tom@kubernetes" created.
    [root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://k8s-master:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: tom
      name: tom@kubernetes   # user and cluster bound through the context
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: tom
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
      5. Switch the current context so that requests authenticate as tom
    [root@k8s-master usercerts]# kubectl config use-context tom@kubernetes  --kubeconfig=/tmp/mykubeconfig
    Switched to context "tom@kubernetes"
    
    [root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://k8s-master:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: tom
      name: tom@kubernetes
    current-context: tom@kubernetes  # current context
    kind: Config
    preferences: {}
    users:
    - name: tom
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    [root@k8s-master usercerts]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
    Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
    
    - The error above is an authorization failure (Forbidden, HTTP 403), not an authentication failure: the API server validated tom's certificate against the cluster CA and identified the request as user "tom", which simply has no RBAC role binding yet. A certificate that does not chain to the CA would produce Unauthorized (401) instead. That completes what the example set out to show; authorization is covered in the next section.
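    The whole of example 1, from key to kubeconfig, as an added self-contained script (my code, not from the original notes, kubeadm or kubectl). It assumes a throw-away CA generated inline in place of /etc/kubernetes/pki/ca.crt and ca.key, takes the API server URL https://k8s-master:6443 from the notes, and does not call kubectl: the kubeconfig is written by hand in the shape that kubectl config set-cluster / set-credentials / set-context / use-context with --embed-certs produce. The function names are mine. It goes a little beyond the notes in two ways: it shows the self-signed certificate from the caveat above being rejected by the CA check the API server performs, and it ends with the checks a practitioner runs before handing the file to anyone (mode 0600, no insecure-skip-tls-verify, certificate not about to expire and chained to the embedded CA).

```bash
#!/usr/bin/env bash
# Added example, not code from the original notes, kubeadm or kubectl.
# Assumptions: a throw-away CA generated here stands in for /etc/kubernetes/pki/ca.crt
# and ca.key; the API server URL is the one from the notes; kubectl is not called, the
# kubeconfig is written by hand in the shape `kubectl config ... --embed-certs` produces.
set -eu

WORK="$(mktemp -d)"
SERVER="https://k8s-master:6443"

# Stand-in for the cluster CA (in a real cluster: /etc/kubernetes/pki/ca.{crt,key}).
make_toy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Key + CSR + CA-signed certificate for one user. The API server takes the
# user name from CN and the groups from every O in the subject.
make_user_cert() {
  local user="$1" group="$2"
  (umask 077; openssl genrsa -out "$WORK/$user.key" 2048 >/dev/null 2>&1)
  openssl req -new -key "$WORK/$user.key" -subj "/CN=$user/O=$group" \
    -out "$WORK/$user.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -in "$WORK/$user.csr" -out "$WORK/$user.crt" >/dev/null 2>&1
}

# Print one subject attribute (CN or O) of a certificate; several O values are joined by ",".
cert_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -e 's/^ *//' -e 's/ *= */=/' \
    | awk -F= -v k="$2" '$1 == k { v = v (v ? "," : "") $2 } END { print v }'
}

# Exit 0 only if the certificate chains to the (cluster) CA, which is what the API server checks.
chains_to_cluster_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Same bytes that --embed-certs stores in the *-data fields.
b64() { base64 "$1" | tr -d '\n'; }

# Hand-written equivalent of set-cluster / set-credentials / set-context / use-context.
build_kubeconfig() {
  local out="$1" user="$2"
  (umask 077; cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $SERVER
    certificate-authority-data: $(b64 "$WORK/ca.crt")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$WORK/$user.crt")
    client-key-data: $(b64 "$WORK/$user.key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
  )
}

# Checks worth running before handing a kubeconfig to anyone: private mode bits, no
# insecure-skip-tls-verify, embedded cert valid for 30 more days and chained to the embedded CA.
audit_kubeconfig() {
  local f="$1" mode
  mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"
  [ "$mode" = "600" ] || { echo "audit: $f is mode $mode, want 600"; return 1; }
  if grep -q 'insecure-skip-tls-verify: true' "$f"; then
    echo "audit: $f disables server certificate verification"; return 1
  fi
  sed -n 's/^ *client-certificate-data: //p' "$f" | base64 -d > "$WORK/audit.crt"
  sed -n 's/^ *certificate-authority-data: //p' "$f" | base64 -d > "$WORK/audit-ca.crt"
  openssl x509 -in "$WORK/audit.crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "audit: client certificate expires within 30 days"; return 1; }
  openssl verify -CAfile "$WORK/audit-ca.crt" "$WORK/audit.crt" >/dev/null 2>&1 \
    || { echo "audit: client certificate does not chain to the embedded CA"; return 1; }
}

make_toy_ca
make_user_cert tom kubeusers
build_kubeconfig "$WORK/mykubeconfig" tom
echo "identity the API server derives: user=$(cert_field "$WORK/tom.crt" CN) groups=$(cert_field "$WORK/tom.crt" O)"

# The caveat from the notes: a self-signed certificate for the same key is rejected.
openssl req -x509 -key "$WORK/tom.key" -subj "/CN=tom/O=kubeusers" -days 1 \
  -out "$WORK/tom-selfsigned.crt" >/dev/null 2>&1
for c in tom.crt tom-selfsigned.crt; do
  if chains_to_cluster_ca "$WORK/$c"; then echo "$c: chains to cluster CA"; else echo "$c: rejected"; fi
done
audit_kubeconfig "$WORK/mykubeconfig" && echo "kubeconfig audit: ok"
```

    Run it with bash on a host that has openssl; everything is written under a fresh mktemp directory, so it leaves /etc/kubernetes untouched. To use the same flow against a real cluster, point make_toy_ca's outputs at the kubeadm CA files instead of generating a CA, keep the umask 077 around both the key and the kubeconfig, and remember that --embed-certs (or the hand-written equivalent here) puts the private key into the kubeconfig, so the file needs the same protection as the key.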
    
    Example 2: merge tom's credentials into the default kubeconfig (tom.crt was created in example 1)
    • No need to create a cluster entry: the default config file already has one
    • Create the user entry
    [root@k8s-master usercerts]#  kubectl config set-credentials tom --client-certificate=./tom.crt  --client-key=./tom.key --embed-certs=true
    User "tom" set.
    
    • Create the context in the default kubeconfig
    [root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes
    Context "tom@kubernetes" created.
    [root@k8s-master usercerts]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.4.170:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes  # default context
    - context:  
        cluster: kubernetes
        user: tom
      name: tom@kubernetes    # newly created context
    
    current-context: kubernetes-admin@kubernetes    # current context
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: tom     # newly added user
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    • Switch the current context to tom@kubernetes
    [root@k8s-master usercerts]# kubectl config use-context tom@kubernetes
    Switched to context "tom@kubernetes".
    [root@k8s-master usercerts]# kubectl get pod   # authenticated as tom, but no permission
    Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
    
    • Use another context for a single command without changing current-context
    [root@k8s-master usercerts]# kubectl get nodes --context=kubernetes-admin@kubernetes
    NAME         STATUS   ROLES    AGE   VERSION
    k8s-master   Ready    master   56d   v1.19.9
    k8s-node1    Ready    <none>   56d   v1.19.9
    k8s-node2    Ready    <none>   56d   v1.19.9
    k8s-node3    Ready    <none>   19d   v1.19.9
    
    [root@k8s-master usercerts]# kubectl config use-context kubernetes-admin@kubernetes  # switch the default context back
    Switched to context "kubernetes-admin@kubernetes".
    [root@k8s-master usercerts]# kubectl get node
    NAME         STATUS   ROLES    AGE   VERSION
    k8s-master   Ready    master   56d   v1.19.9
    k8s-node1    Ready    <none>   56d   v1.19.9
    k8s-node2    Ready    <none>   56d   v1.19.9
    k8s-node3    Ready    <none>   19d   v1.19.9
    
    • Delete the context and the user (delete-user does not appear in the kubectl config -h listing above; on a kubectl without it, kubectl config unset users.tom removes the entry)
    [root@k8s-master usercerts]# kubectl config delete-context tom@kubernetes
    [root@k8s-master usercerts]# kubectl config delete-user  tom 
    [root@k8s-master usercerts]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.4.170:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    
    • Merge config files through the environment variable (the files are merged in list order; an entry name that exists in an earlier file wins)
    [root@k8s-master usercerts]# export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig
    [root@k8s-master usercerts]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.4.170:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    - context:
        cluster: kubernetes
        user: tom
      name: tom@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: tom
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    • On top of the environment-variable merge, --merge (on by default) and --flatten produce one self-contained file: --flatten inlines any certificate or key that is only referenced by path, and unlike a plain config view the output is not redacted. The new file therefore contains both private keys in clear base64; write it with a restrictive umask and keep it mode 0600
    [root@k8s-master usercerts]# kubectl config view --merge --flatten > /tmp/newkubeconfig 
    [root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/newkubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.4.170:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    - context:
        cluster: kubernetes
        user: tom
      name: tom@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: tom
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    
    


        Original link: https://www.haomeiwen.com/subject/credxrtx.html