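# Create the directory that holds per-user client certificates. It sits under
# the cluster PKI directory, next to ca.crt / ca.key, so the signing step below
# can reach the CA with absolute paths.
pki_dir=/etc/kubernetes/pki
# 0700: this directory will contain private keys; nobody else needs to read it.
mkdir -p -m 0700 -- "$pki_dir/users"
# Every later command assumes this cwd, so a failed cd must stop the run
# instead of silently creating files wherever we happen to be.
cd -- "$pki_dir/users" || exit 1
# Create openssl.cnf with the content shown below. The editor step is
# interactive; for an unattended run write the same content with a heredoc.
"${EDITOR:-vim}" openssl.cnf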
------------------------
# Minimal OpenSSL configuration. On this page it is consumed only by the
# `openssl x509 ... -extensions v3_req_client -extfile openssl.cnf` step;
# the `openssl req` call passes its subject with -subj and does not read this
# file, so [ req ] / [req_distinguished_name] only matter if the file is later
# handed to openssl req via -config.
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
# Intentionally empty: the subject comes from the command line.
[req_distinguished_name]
# CA profile. Not referenced by any command on this page.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# TLS server profile. Not referenced by any command on this page.
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Client profile selected by -extensions v3_req_client. CA:FALSE means the
# issued certificate cannot itself act as an issuer, and the clientAuth-only
# EKU keeps it from being accepted as a server certificate.
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
------------------------
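# Generate the private key, CSR and client certificate for the Kubernetes user
# "ifcloud-viewer". Run from /etc/kubernetes/pki/users, where openssl.cnf
# (v3_req_client profile) was created above.
user_name=ifcloud-viewer
# The subject is what the API server authenticates on: CN becomes the
# Kubernetes username and each O becomes a group. CN must equal the --user
# name written into the kubeconfig and the RBAC subject name.
user_subject="/CN=${user_name}/O=CS"
# Validity in days; the page's value (10 years) stays as the default.
# kube-apiserver does not check CRLs or OCSP for client certificates, so a
# signed certificate remains valid until it expires or the CA is rotated; the
# only way to cut off a holder is to remove the RBAC bindings. A shorter
# lifetime limits that exposure.
cert_days=${CERT_DAYS:-3650}
# Files created from here on (key, CSR, cert) are readable by the owner only.
umask 077
openssl genrsa -out "${user_name}.key" 2048 || exit 1
openssl req -new -key "${user_name}.key" -subj "$user_subject" \
  -out "${user_name}.csr" || exit 1
# Sign with the cluster CA (ca.key is the cluster's root secret; this step
# must run on a control-plane node or wherever that key is held).
# -CAcreateserial writes a serial file next to ca.crt when none exists yet.
openssl x509 -req -in "${user_name}.csr" \
  -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key \
  -CAcreateserial -extensions v3_req_client -extfile openssl.cnf \
  -out "${user_name}.crt" -days "$cert_days" || exit 1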
==================================================
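# Assemble a standalone kubeconfig for the certificate user. Every kubectl call
# takes --kubeconfig so the operator's own ~/.kube/config is left untouched.
# NB: a comment may not follow a trailing backslash (`\ # ...`): the backslash
# then escapes the space and the command ends there, so the remaining --flags
# would be executed as separate commands and fail.
export KUBE_APISERVER="https://lb.kubesphere.local:6443"
kubeconfig=ifcloud-viewer.kubeconfig
cluster_name=k8s-ifcloud-viewer   # used for both the cluster and the context entry
user_name=ifcloud-viewer          # must equal the CN of the client certificate

# Cluster entry: API server URL plus the CA it must present. --embed-certs
# copies ca.crt into the file so it is self-contained.
kubectl config set-cluster "$cluster_name" \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --server="$KUBE_APISERVER" \
  --embed-certs=true \
  --kubeconfig="$kubeconfig" || exit 1
# User entry: client certificate and key. With --embed-certs the private key
# is copied into the kubeconfig, so from here on the file is a credential.
kubectl config set-credentials "$user_name" \
  --client-certificate="${user_name}.crt" \
  --client-key="${user_name}.key" \
  --embed-certs=true \
  --kubeconfig="$kubeconfig" || exit 1
# Context: ties the cluster entry to the user entry. Add --namespace=<ns>
# to give the user a default namespace.
kubectl config set-context "$cluster_name" \
  --cluster="$cluster_name" \
  --user="$user_name" \
  --kubeconfig="$kubeconfig" || exit 1
kubectl config use-context "$cluster_name" --kubeconfig="$kubeconfig" || exit 1
# Only the intended holder needs to read the file (it contains the key).
chmod 600 -- "$kubeconfig"
# Result: ifcloud-viewer.kubeconfig in the current directory, ready to hand out.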
===================================================
# Create the RBAC manifest with the content shown below (interactive editor).
vim -- k8s_create_kubeconfig_ClusterRole_Clusterrolebanding.yaml
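---
# This ServiceAccount is created but not bound below (its subject entry is
# commented out); the binding targets the certificate user. Remove this object
# if the ServiceAccount is not needed, so no unused identity is left behind.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ifcloud-viewer
  namespace: default
---
# Read-only ClusterRole: get/list/watch only, no write verbs, and no secrets
# in the resource lists.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ifcloud-viewer
rules:
  - apiGroups: [""]
    resources: ["services", "namespaces", "pods", "nodes"]
    verbs: ["get", "watch", "list"]
  # Deployments belong to the "apps" API group, not the core ("") group;
  # listing them under "" grants nothing, so they get their own rule.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["tenant.kubesphere.io"]
    resources: ["workspaces"]
    verbs: ["get", "watch", "list"]
  # "extensions" ingresses are the pre-1.22 API; kept only for older clusters.
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["gateway.kubesphere.io"]
    resources: ["gateways"]
    verbs: ["get", "watch", "list"]
---
# Cluster-wide binding for the certificate user. The subject name must equal
# the CN of the client certificate (ifcloud-viewer).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ifcloud-viewer
subjects:
  #- kind: ServiceAccount
  #  name: ifcloud-viewer
  #  namespace: default
  - kind: User
    name: ifcloud-viewer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ifcloud-viewer
  apiGroup: rbac.authorization.k8s.io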
=========================
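# Verify from both sides: what the role grants, and what the new kubeconfig
# can actually do against the API server.
kubectl describe clusterrole ifcloud-viewer
# Positive check, expected answer "yes".
kubectl --kubeconfig=ifcloud-viewer.kubeconfig auth can-i list pods --all-namespaces
# Negative check, expected answer "no": a viewer must not be able to write.
# (`auth can-i` exits non-zero on "no", so do not run this under `set -e`.)
kubectl --kubeconfig=ifcloud-viewer.kubeconfig auth can-i create pods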