Background

New people regularly join a growing team. Standing up a brand-new learning cluster for each newcomer is costly, so an alternative is to create a dedicated user for them and confine that user to a designated namespace for practice.

Solution

Certificate-based login

Here we create a novice user named bird.

Creating the private key

Create the certificate request file bird-csr.json:

    {
      "CN": "bird",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "ZheJiang",
          "L": "HangZhou",
          "O": "kubernetes"
        }
      ]
    }

Generate the certificate request and private key with the cfssl tool:

    [root@cka-master bird]# ./cfssl genkey bird-csr.json | ./cfssljson -bare bird
    2022/03/15 06:26:14 [INFO] generate received request
    2022/03/15 06:26:14 [INFO] received CSR
    2022/03/15 06:26:14 [INFO] generating key: rsa-2048
    2022/03/15 06:26:15 [INFO] encoded CSR
    [root@cka-master bird]# ls
    bird.csr  bird-csr.json  bird-key.pem  cfssl  cfssljson
    [root@cka-master bird]#

Base64-encode the certificate request file bird.csr:

    [root@cka-master bird]# cat bird.csr | base64 | tr -d '\n'
    <base64 output omitted>
    [root@cka-master bird]#

Signing the certificate

Create the file bird-csr.yaml:

    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: bird-csr
    spec:
      request: <base64-encoded bird.csr from the previous step>
      signerName: kubernetes.io/kube-apiserver-client
      expirationSeconds: 8640000
      usages:
      - client auth

Apply the certificate signing request:

    [root@cka-master role]# kubectl apply -f bird-csr.yaml
    certificatesigningrequest.certificates.k8s.io/bird-csr created

View and approve the certificate signing request:

    [root@cka-master bird]# kubectl get csr
    NAME       AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
    bird-csr   21s   kubernetes.io/kube-apiserver-client   kubernetes-admin   100d                Pending
    [root@cka-master bird]# kubectl certificate approve bird-csr

Exporting the signed certificate

    [root@cka-master bird]# kubectl get csr bird-csr -o jsonpath='{.status.certificate}' | base64 -d > bird.crt
    [root@cka-master bird]# ls
    bird.crt  bird.csr  bird-csr.json  bird-csr.yaml  bird-key.pem  cfssl  cfssljson
    [root@cka-master bird]#
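Before the `kubectl certificate approve` step above, the approver should confirm what the request actually asks for: kube-apiserver takes the certificate's CN as the user name and every O as a group, so a request carrying O=system:masters would be approved straight into cluster-admin rights regardless of how narrow the Role bound later is. The following pre-approval check is an added example, not code from the original post: it reads the subject out of the PKCS#10 DER with a minimal parser (no external libraries), and `sample_request` builds a constructed request carrying only version and subject so the check can be exercised offline.

```python
import base64
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName       -> Kubernetes user name
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName -> Kubernetes group

def _tlv(data, pos):
    """Decode the DER element at pos: (tag, contents, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _der(tag, body):
    """Encode one DER element (used only to build the constructed sample below)."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def csr_subject(der):
    """Return {'CN': [...], 'O': [...]} from a DER-encoded PKCS#10 CertificationRequest."""
    _, info, _ = _tlv(_tlv(der, 0)[1], 0)  # CertificationRequest -> CertificationRequestInfo
    _, _, pos = _tlv(info, 0)              # skip INTEGER version
    _, name, _ = _tlv(info, pos)           # Name: SEQUENCE OF RelativeDistinguishedName
    subject, pos = {"CN": [], "O": []}, 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)      # SET { AttributeTypeAndValue }; one attribute per RDN, as cfssl/openssl emit
        atv = _tlv(rdn, 0)[1]
        _, oid, vpos = _tlv(atv, 0)
        key = "CN" if oid == OID_CN else "O" if oid == OID_O else None
        if key:
            subject[key].append(_tlv(atv, vpos)[1].decode())
    return subject

def review_request(spec_request, expected_cn):
    """Vet spec.request (base64 of the PEM CSR) before `kubectl certificate approve`; [] means safe to approve."""
    pem = base64.b64decode(spec_request).decode()
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    subject = csr_subject(der)
    findings = [f"O={g} names a privileged built-in group" for g in subject["O"] if g.startswith("system:")]
    if subject["CN"] != [expected_cn]:
        findings.append(f"CN {subject['CN']} is not the expected user {expected_cn!r}")
    return findings

def sample_request(cn, orgs):
    """Constructed input: a request carrying only version and subject (real CSRs add the public key and a signature)."""
    rdn = lambda oid, v: _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, v.encode())))
    name = _der(0x30, rdn(OID_CN, cn) + b"".join(rdn(OID_O, o) for o in orgs))
    csr = _der(0x30, _der(0x30, _der(0x02, b"\x00") + name))
    pem = "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(csr).decode()
    return base64.b64encode(pem.encode()).decode()
```

On a live cluster the input is `kubectl get csr bird-csr -o jsonpath='{.spec.request}'`, which is exactly the base64 PEM that `review_request` expects.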

Writing the credentials

View the current context:

    [root@cka-master pki]# kubectl config get-contexts
    CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
    *         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   nsrole

Write the credential information:

    [root@cka-master bird]# kubectl config set-credentials bird --client-key=bird-key.pem --client-certificate=bird.crt --embed-certs=true
    User "bird" set.
    [root@cka-master bird]# cat ~/.kube/config
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <certificate data omitted>
        server: https://192.168.184.128:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: kubernetes-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: bird
      user:
        client-certificate-data: <certificate data omitted>
        client-key-data: <key data omitted>
    - name: kubernetes-admin
      user:
        client-certificate-data: <certificate data omitted>
        client-key-data: <key data omitted>
    [root@cka-master bird]#

Verifying permissions

Create the test namespace ns1:

    [root@cka-master ~]# kubectl create ns ns1
    namespace/ns1 created
    [root@cka-master ~]# kubectl get ns
    NAME              STATUS   AGE
    default           Active   30h
    kube-node-lease   Active   30h
    kube-public       Active   30h
    kube-system       Active   30h
    ns1               Active   18h

Check bird's permissions:

    [root@cka-master ~]# kubectl auth can-i list pods --namespace ns1
    yes
    [root@cka-master ~]# kubectl auth can-i list pods --namespace ns1 --as bird
    no

As shown, user bird currently has no permission to operate on these resources.

Role binding

Role resource

Create the role file bird-role.yaml:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: ns1
      name: bird-role
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list"]

Binding file

Create the role binding file bird-role-bind.yaml:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bird-role-bind
      namespace: ns1
    subjects:
    - kind: User
      name: bird
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: bird-role
      apiGroup: rbac.authorization.k8s.io

roleRef specifies the Role being bound; subjects specifies the identities bound to it, which can be a normal user, a ServiceAccount, or a group.

Apply the files:

    [root@cka-master bird]# kubectl apply -f bird-role.yaml
    role.rbac.authorization.k8s.io/bird-role created
    [root@cka-master bird]# kubectl apply -f bird-role-bind.yaml
    rolebinding.rbac.authorization.k8s.io/bird-role-bind created
    [root@cka-master bird]#

Verify the permissions:

    [root@cka-master bird]# kubectl auth can-i list pods --namespace ns1 --as bird
    yes
    [root@cka-master bird]#

Login configuration

Configuring the kubeconfig file

    [root@cka-master bird]# kubectl config set-context bird@kubernetes --cluster=kubernetes --user=bird
    Context "bird@kubernetes" created.
    [root@cka-master bird]# kubectl config get-contexts
    CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
              bird@kubernetes               kubernetes   bird
    *         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
    [root@cka-master bird]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.184.128:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        namespace: ns1
        user: bird
      name: bird@kubernetes
    - context:
        cluster: kubernetes
        namespace: nsrole
        user: kubernetes-admin
      name: kubernetes-admin@kubernetes
    current-context: bird
    kind: Config
    preferences: {}
    users:
    - name: bird
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    - name: kubernetes-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    [root@cka-master bird]#
    [root@cka-master bird]# kubectl config use-context bird@kubernetes
    Switched to context "bird@kubernetes".
    [root@cka-master bird]# kubectl config get-contexts
    CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
    *         bird@kubernetes               kubernetes   bird
              kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
    [root@cka-master bird]#

Default namespace

    [root@cka-master bird]# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "bird" cannot list resource "pods" in API group "" in the namespace "default"
    [root@cka-master bird]# kubectl config set-context $(kubectl config current-context) --namespace=ns1
    Context "bird" modified.

Verifying permissions

    [root@cka-master bird]# kubectl get ns
    Error from server (Forbidden): namespaces is forbidden: User "bird" cannot list resource "namespaces" in API group "" at the cluster scope
    [root@cka-master bird]# kubectl get pods -n ns1
    No resources found in ns1 namespace.
    [root@cka-master bird]# kubectl get pods -n default
    Error from server (Forbidden): pods is forbidden: User "bird" cannot list resource "pods" in API group "" in the namespace "default"
    [root@cka-master bird]#

Related files

bird.zip