kubeconfig文件

安装完 Kubernetes 集群后会生成 $HOME/.kube/config 文件,这个文件就是 kubectl 命令行工具访问集群时使用的认证文件,也叫 Kubeconfig 文件。这个 Kubeconfig 文件中有很多重要的信息,文件大概结构是这样,这里说明下每个字段的含义:

  1. apiVersion: v1
  2. clusters:
  3. - cluster:
  4.     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3lNakV6TXpFd04xb1hEVE13TURreU1ERXpNekV3TjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmY3CnRVYnY5d1U2TlpvR210SW1TMmJPaFZ0eUMwUkxXRnhKc0FZZnZwVWVFWSt3KzhLajloSFAxZmxVbFByaXkwNksKZUViSWNORjJVbVp1RnQvTUZsNHBhK2kwdDBYY0JwUlFPc2hQczFrOVlVRkFKa09IR1RYL3lzcFhUS2lmbUt4cwp0c2JweGpRUFk2b09vZ0NGbW9LbDZsTFNtSVIzWjJGS2xBZWtPNldQQTdMUzNoTGZrK0pvMXd0RElnOE5xY2p1ClNkM3pMdlVkMlh5cWlsNlI5ZEJ3eXBOMTBVWG54ZlQwdDlZdkdiZ2ZnalByTkRYdW5JTjF0N0JsbCtqZVNiTlMKdmw0cGxSOW1keHpzV0tzdG1ZUlFSUzU5eGJMVW1IMjNEbXRoSEtWbjlRdmk0RHFwS3hmOHVQNU5mVzVTNHNydwpuOVNlaEl2THJBdU5kdVg3cE9NQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDTjEyNDczYi9TYTJMcmpYYjI3MXJ2b1dkenJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFBM2tlekhaTmpuWXNxQkdBbjR0MSswWU8xL2VXWTA3cE9DZjhmUExQSVNja3F4Mzc1dwpJemt0bnRGWndHQlowYTkrM0l0ek80OTJwVnA3YzQ0Ymc3ZXVpVmdBNnM2NndOayt4Z3R1Znd0K0hBRStGbFZNCjdSU2ZrR1lyZjgwYTEvbURKanVGbkRXOFpZT1lmcUZrTGRXMG9ZSGR1WWNLa3pFZHZsQUx4c0lxaWtISFFRQzQKRk9zcU9EeWdidmF6U21xZlZpVlFBQmFGR1lHbE9pVUhJR2g2dVE2VHlhQmxCZXVBclFxcHhxS2EwQiswZ1IwcAoraWhUTWVUK0FTZU1ITUV0RldnWVhGdTFxYTV3ZzYvMUZLcEJZWjhSWm9wYkY5SWp2cUUzTnZGc0lwRTBza0xjCjJqMW1VemhsMjZ2Ny81NzJZQzhEODNCWC83RVk0Mm82K1JHSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  5.     server: https://10.176.122.1:6443
  6.   name: kubernetes
  7. contexts:
  8. - context:
  9.     cluster: kubernetes
  10.     user: kubernetes-admin
  11.   name: kubernetes-admin@kubernetes
  12. current-context: kubernetes-admin@kubernetes
  13. kind: Config
  14. preferences: {}
  15. users:
  16. - name: kubernetes-admin
  17.   user:
  18.     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lJV3Z4dkxJdFhicjh3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBNU1qSXhNek14TURkYUZ3MHlNVEE1TWpJeE16TXhNVEJhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTFPakpQWG5qU0ZxbU1Bd1QKMlkwZHJDamxkNVp0WXdUcXJuaFNVNC85bUdCODByKzVHVmI2dFJXeUduSFJrWE5nVlVKVFM3WXFqcXlIL2s0WQpBUGlILzJPUFVhL2J4YU5QYXk1TWVMYjY4MjJ2ekwyWE15UWd3dXM2L25ValI3L0M4Y0VsT3FGYmFrM1ZXVkY4CkhHSXE0YzF4aWZDQUV2UDRXSmhKWkg4eW1MVzB3cHNtNHQwcjg2Q0MwbUVqWkFZbmVKSHpVRHZBbEQyOWdZbzQKRVk4S0NsWXFIdElHTEZudUFZb0syVHdTUC9sRGdFc0lsM1lmdEZmVVJSek42ZFlNQTdlTG9QekZsY3lVWVBjSwpOOEpCbDE1dExRVUpVUGtheHkrRXFJY0lTVjZBZGVTdUdkbWdZMG5ITXp4Z2lwbzUrMG44M092aGpRcmRkQVAvCjZ5dlNNd0lEQVFBQm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVJM1hianZkdjlKcll1dU5kdmJ2V3UraFozT3N3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFNWFFvMkVDQWxkRHB2RzZlWDlscWlycGExNUZwR1FqK0NYeUQrRXREVkdEd0RYaVlwdFBGa1RGCnBiNWY3UnNMaGFMYVV6ZXZ1OGhTbHBnWTk2K1dXbkdtVUxyTnVsL0VsZDhRcHp3ejc3byt3VlNFZEZSL1VPRlkKUTZYQ2JrOXRRcFJ4SjF6T3M0cWt0ZDlpM0M1NDhlazQ3WFJwSngwWFpuencrc1JGeml3NXB5cVIydjJiNkNtMQppTUFVRkFLQmkxSWZrOHNyWnVFcmcrSmFQOTY1RFMvQ1VvWUpFUGNITHZrMk81anIyaHBoazI1UXliM3QvejU5CmpudzJPTE5ETGU4ZFFNQng4bW5tS2RFZEhYc0xHaFZtM3FhSEZwL3hreVJYWlZWWlNTUkwvb0dwRkwrSUc5MDgKSGFDaUFZQ3RhWmNEeWptdkp1a003NEkrR1VLSTFBTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  19.     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMU9qSlBYbmpTRnFtTUF3VDJZMGRyQ2psZDVadFl3VHFybmhTVTQvOW1HQjgwcis1CkdWYjZ0Uld5R25IUmtYTmdWVUpUUzdZcWpxeUgvazRZQVBpSC8yT1BVYS9ieGFOUGF5NU1lTGI2ODIydnpMMlgKTXlRZ3d1czYvblVqUjcvQzhjRWxPcUZiYWszVldWRjhIR0lxNGMxeGlmQ0FFdlA0V0poSlpIOHltTFcwd3BzbQo0dDByODZDQzBtRWpaQVluZUpIelVEdkFsRDI5Z1lvNEVZOEtDbFlxSHRJR0xGbnVBWW9LMlR3U1AvbERnRXNJCmwzWWZ0RmZVUlJ6TjZkWU1BN2VMb1B6RmxjeVVZUGNLTjhKQmwxNXRMUVVKVVBrYXh5K0VxSWNJU1Y2QWRlU3UKR2RtZ1kwbkhNenhnaXBvNSswbjgzT3ZoalFyZGRBUC82eXZTTXdJREFRQUJBb0lCQVFDdU1RS3NsSE82dDhldQpHY09IdzJmYWVkODcxMHdKcm5VZlozdmJ1RHdBRmprcDZBaFZ6Zzd5Wnh5L2ZBMjgxY3VrRmM2MmJBVW5rOHJ6CjZnckRpSk1rQk4yMk5JNDNoZVN0U1VUeG9xdHd6SFgvcWNIeDZvWVBVNHVCc202NS9nOU40ZnRHbTh1Q0Rzb1YKK0kvMVhPKytyR3BQTkFCbEFVeFhsOGk4TzBFM0pEdnRqMFlzSDR1UTI1WTFsTUhqamVXaUV5U2YzUW94WGNQTAoxZlRFUUZlMGVwajN0UUJMWmxmdk00cm5TVWhGL0p6K0xveE5kYWQ5aFVEVzJLS2dOWTg4dmcxQUdpbXNHRjVtClJUM0U0bllXV3JqR0NUemcwSEtjRFA3a3gybWpKRDg3OEtTQXZTTk42MFJhVTkwdisyU21xM0UzdGVuL3JRZUwKSkozYThORUpBb0dCQVB2emhEOGpqenl5SXV4ZFkvOUMrWk54OVFLRzVCZ0JaOWttemtEZ3dvakxpeURnRFN5Ywp4VDVFZHV2cmRrclJ1WkhFQ01CSmtOSkNheFlsRTh3ZWdodVF3UHZ4MTQ0ekZKdFlJWWU0ZG5Oc2pCM1ZRWUdhCnZOZ3Y5dGNJK0cvd2t6QjdweHNyUjg2SzMzdjNkc1JlRXUvWW9GemY5S3VhSkhEOTFhakFZMFBGQW9HQkFOaFUKcUdxd1ZvUUdhVDBocFljMDNtblVYM0ZQSzlRNExjeElud29MT1R6bE82T0xMZFIyOGsxRjRQdnJNc0htalBNSwpmWGJEb2g4dUU1MUZscXZxMlFkdnZtakZsNzhTMTUvNEk3cWY4N3lFWUZrNDV0N3ZoSFQ4dDlKTDljbWUvajZFCk8wb25TOW1ybm1vOWxKUTVxamlXemd0NVhoVDVURFZwWTdwbjNBV1hBb0dBSksvdDl0K3ZzTS9qby9WcFpUY1UKYm5MdWtXS2cvaG5lVEZHSlFRczVhSC96RDJOd3A2bGdVMVBXMlQyZEtRSG0rcUhJQUcvMTVaZ0VUZUl5UXN2QwplRThZdXRjWll6eHU2THZwamdDL1JzbHNrYitHM1Y5eDFpME56WHdoNlBMb0MreEZoZ0JFWVgvNVVPelUzMzB2ClZydDlobWlhRVE3TjlhSVFwWlQySDEwQ2dZRUFpNGczUlBGT0xFUHlWeksva0hEaVVFSmgrVFRHb1ZCSEFlK0oKWFRJV0RoZ1JHcEJuMUJXUWZaVG40N1UxZk9tVzJpQlhBbVoyeUVPdzlRendmUnl5TldDMjROOHAzRjFyNU10cApTRE5wUTV2aWhVbjFaNi8zc0hsY20zRFJMT1czT1YyUzNHWnlQd2k1MmU2MFNkTFQzMEl0emlyUEt4b05OSm93CmNBZ1RXeXNDZ1lCRk1ZK0IxbmE4OWNFc1ZaNGVBWTJkenUxZHp4U0R1dFdWYTArWDV6bHEvaWdwNmt4ZkdYdE4KaXY4aWRTd1FaRUN2RTFBSzdDdXVTSGxXQlEyOGdsdUxnOUZNTDE2QmJzZ1ozaXI3YnJOaTFnV0doRjdiOVY1MQp4OHVDek5mUHFIbk5jR2w5MVJoakVVMzRKUkc0UUpZcFhPMGNhbUJlZTNOMUJCME1iVlFmSEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

可以看出文件分为三大部分:clusters、contexts、users。
clusters 部分::定义集群信息,包括 api-server 地址、certificate-authority-data: 用于服务端证书认证的自签名 CA 根证书(master 节点 /etc/kubernetes/pki/ca.crt 文件内容 )。
contexts 部分:集群信息和用户的绑定,kubectl 通过上下文提供的信息连接集群。
users 部分
多种用户类型,默认是客户端证书(x.509 标准的证书)和证书私钥,也可以是 ServiceAccount Token。

  • client-certificate-data:base64 加密后的客户端证书;
  • client-key-data:base64 加密后的证书私钥;

一个请求在通过 api-server 的认证关卡后,api-server 会从收到客户端证书中取用户信息,然后用于后面的授权关卡,这里所说的用户并不是服务账号(SA),而是客户端证书里面的 Subject 信息:O 代表用户组,CN 代表用户名。使用下面的命令查看客户端证书中的信息:

  1. #1.对client-certificate-data进行base64解密
  2. root@k8s-master .kube]# echo LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lJV3Z4dkxJdFhicjh3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBNU1qSXhNek14TURkYUZ3MHlNVEE1TWpJeE16TXhNVEJhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTFPakpQWG5qU0ZxbU1Bd1QKMlkwZHJDamxkNVp0WXdUcXJuaFNVNC85bUdCODByKzVHVmI2dFJXeUduSFJrWE5nVlVKVFM3WXFqcXlIL2s0WQpBUGlILzJPUFVhL2J4YU5QYXk1TWVMYjY4MjJ2ekwyWE15UWd3dXM2L25ValI3L0M4Y0VsT3FGYmFrM1ZXVkY4CkhHSXE0YzF4aWZDQUV2UDRXSmhKWkg4eW1MVzB3cHNtNHQwcjg2Q0MwbUVqWkFZbmVKSHpVRHZBbEQyOWdZbzQKRVk4S0NsWXFIdElHTEZudUFZb0syVHdTUC9sRGdFc0lsM1lmdEZmVVJSek42ZFlNQTdlTG9QekZsY3lVWVBjSwpOOEpCbDE1dExRVUpVUGtheHkrRXFJY0lTVjZBZGVTdUdkbWdZMG5ITXp4Z2lwbzUrMG44M092aGpRcmRkQVAvCjZ5dlNNd0lEQVFBQm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVJM1hianZkdjlKcll1dU5kdmJ2V3UraFozT3N3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFNWFFvMkVDQWxkRHB2RzZlWDlscWlycGExNUZwR1FqK0NYeUQrRXREVkdEd0RYaVlwdFBGa1RGCnBiNWY3UnNMaGFMYVV6ZXZ1OGhTbHBnWTk2K1dXbkdtVUxyTnVsL0VsZDhRcHp3ejc3byt3VlNFZEZSL1VPRlkKUTZYQ2JrOXRRcFJ4SjF6T3M0cWt0ZDlpM0M1NDhlazQ3WFJwSngwWFpuencrc1JGeml3NXB5cVIydjJiNkNtMQppTUFVRkFLQmkxSWZrOHNyWnVFcmcrSmFQOTY1RFMvQ1VvWUpFUGNITHZrMk81anIyaHBoazI1UXliM3QvejU5CmpudzJPTE5ETGU4ZFFNQng4bW5tS2RFZEhYc0xHaFZtM3FhSEZwL3hreVJYWlZWWlNTUkwvb0dwRkwrSUc5MDgKSGFDaUFZQ3RhWmNEeWptdkp1a003NEkrR1VLSTFBTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= | base64 --decode
  4. #2.将解密后的内容复制到文件client.crt中
  5. [root@k8s-master .kube]# cat <<EOF > client.crt
  6. > -----BEGIN CERTIFICATE-----
  7. > MIIDEzCCAfugAwIBAgIIWvxvLItXbr8wDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
  8. > AxMKa3ViZXJuZXRlczAeFw0yMDA5MjIxMzMxMDdaFw0yMTA5MjIxMzMxMTBaMDQx
  9. > FzAVBgNVBAoTDnN5c3RlbTptYXN0ZXJzMRkwFwYDVQQDExBrdWJlcm5ldGVzLWFk
  10. > bWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1OjJPXnjSFqmMAwT
  11. > 2Y0drCjld5ZtYwTqrnhSU4/9mGB80r+5GVb6tRWyGnHRkXNgVUJTS7YqjqyH/k4Y
  12. > APiH/2OPUa/bxaNPay5MeLb6822vzL2XMyQgwus6/nUjR7/C8cElOqFbak3VWVF8
  13. > HGIq4c1xifCAEvP4WJhJZH8ymLW0wpsm4t0r86CC0mEjZAYneJHzUDvAlD29gYo4
  14. > EY8KClYqHtIGLFnuAYoK2TwSP/lDgEsIl3YftFfURRzN6dYMA7eLoPzFlcyUYPcK
  15. > N8JBl15tLQUJUPkaxy+EqIcISV6AdeSuGdmgY0nHMzxgipo5+0n83OvhjQrddAP/
  16. > 6yvSMwIDAQABo0gwRjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
  17. > AwIwHwYDVR0jBBgwFoAUI3Xbjvdv9JrYuuNdvbvWu+hZ3OswDQYJKoZIhvcNAQEL
  18. > BQADggEBAMXQo2ECAldDpvG6eX9lqirpa15FpGQj+CXyD+EtDVGDwDXiYptPFkTF
  19. > pb5f7RsLhaLaUzevu8hSlpgY96+WWnGmULrNul/Eld8Qpzwz77o+wVSEdFR/UOFY
  20. > Q6XCbk9tQpRxJ1zOs4qktd9i3C548ek47XRpJx0XZnzw+sRFziw5pyqR2v2b6Cm1
  21. > iMAUFAKBi1Ifk8srZuErg+JaP965DS/CUoYJEPcHLvk2O5jr2hphk25Qyb3t/z59
  22. > jnw2OLNDLe8dQMBx8mnmKdEdHXsLGhVm3qaHFp/xkyRXZVVZSSRL/oGpFL+IG908
  23. > HaCiAYCtaZcDyjmvJukM74I+GUKI1AM=
  24. > -----END CERTIFICATE-----
  25. > EOF
  27. #3.使用openssl解析证书信息
  28. [root@k8s-master .kube]# openssl x509 -in client.crt -text
  29. Certificate:
  30.     Data:
  31.         Version: 3 (0x2)
  32.         Serial Number: 6556237394651606719 (0x5afc6f2c8b576ebf)
  33.     Signature Algorithm: sha256WithRSAEncryption
  34.         Issuer: CN=kubernetes
  35.         Validity
  36.             Not Before: Sep 22 13:31:07 2020 GMT
  37.             Not After : Sep 22 13:31:10 2021 GMT
  38.         Subject: O=system:masters, CN=kubernetes-admin
  39.         Subject Public Key Info:
  40.             Public Key Algorithm: rsaEncryption
  41.                 Public-Key: (2048 bit)
  42.                 Modulus:
  43.                     00:d4:e8:c9:3d:79:e3:48:5a:a6:30:0c:13:d9:8d:
  44.                     1d:ac:28:e5:77:96:6d:63:04:ea:ae:78:52:53:8f:
  45.                     fd:98:60:7c:d2:bf:b9:19:56:fa:b5:15:b2:1a:71:
  46.                     d1:91:73:60:55:42:53:4b:b6:2a:8e:ac:87:fe:4e:
  47.                     18:00:f8:87:ff:63:8f:51:af:db:c5:a3:4f:6b:2e:
  48.                     4c:78:b6:fa:f3:6d:af:cc:bd:97:33:24:20:c2:eb:
  49.                     3a:fe:75:23:47:bf:c2:f1:c1:25:3a:a1:5b:6a:4d:
  50.                     d5:59:51:7c:1c:62:2a:e1:cd:71:89:f0:80:12:f3:
  51.                     f8:58:98:49:64:7f:32:98:b5:b4:c2:9b:26:e2:dd:
  52.                     2b:f3:a0:82:d2:61:23:64:06:27:78:91:f3:50:3b:
  53.                     c0:94:3d:bd:81:8a:38:11:8f:0a:0a:56:2a:1e:d2:
  54.                     06:2c:59:ee:01:8a:0a:d9:3c:12:3f:f9:43:80:4b:
  55.                     08:97:76:1f:b4:57:d4:45:1c:cd:e9:d6:0c:03:b7:
  56.                     8b:a0:fc:c5:95:cc:94:60:f7:0a:37:c2:41:97:5e:
  57.                     6d:2d:05:09:50:f9:1a:c7:2f:84:a8:87:08:49:5e:
  58.                     80:75:e4:ae:19:d9:a0:63:49:c7:33:3c:60:8a:9a:
  59.                     39:fb:49:fc:dc:eb:e1:8d:0a:dd:74:03:ff:eb:2b:
  60.                     d2:33
  61.                 Exponent: 65537 (0x10001)
  62.         X509v3 extensions:
  63.             X509v3 Key Usage: critical
  64.                 Digital Signature, Key Encipherment
  65.             X509v3 Extended Key Usage:
  66.                 TLS Web Client Authentication
  67.             X509v3 Authority Key Identifier:
  68.                 keyid:23:75:DB:8E:F7:6F:F4:9A:D8:BA:E3:5D:BD:BB:D6:BB:E8:59:DC:EB
  70.     Signature Algorithm: sha256WithRSAEncryption
  71.          c5:d0:a3:61:02:02:57:43:a6:f1:ba:79:7f:65:aa:2a:e9:6b:
  72.          5e:45:a4:64:23:f8:25:f2:0f:e1:2d:0d:51:83:c0:35:e2:62:
  73.          9b:4f:16:44:c5:a5:be:5f:ed:1b:0b:85:a2:da:53:37:af:bb:
  74.          c8:52:96:98:18:f7:af:96:5a:71:a6:50:ba:cd:ba:5f:c4:95:
  75.          df:10:a7:3c:33:ef:ba:3e:c1:54:84:74:54:7f:50:e1:58:43:
  76.          a5:c2:6e:4f:6d:42:94:71:27:5c:ce:b3:8a:a4:b5:df:62:dc:
  77.          2e:78:f1:e9:38:ed:74:69:27:1d:17:66:7c:f0:fa:c4:45:ce:
  78.          2c:39:a7:2a:91:da:fd:9b:e8:29:b5:88:c0:14:14:02:81:8b:
  79.          52:1f:93:cb:2b:66:e1:2b:83:e2:5a:3f:de:b9:0d:2f:c2:52:
  80.          86:09:10:f7:07:2e:f9:36:3b:98:eb:da:1a:61:93:6e:50:c9:
  81.          bd:ed:ff:3e:7d:8e:7c:36:38:b3:43:2d:ef:1d:40:c0:71:f2:
  82.          69:e6:29:d1:1d:1d:7b:0b:1a:15:66:de:a6:87:16:9f:f1:93:
  83.          24:57:65:55:59:49:24:4b:fe:81:a9:14:bf:88:1b:dd:3c:1d:
  84.          a0:a2:01:80:ad:69:97:03:ca:39:af:26:e9:0c:ef:82:3e:19:
  85.          42:88:d4:03
  86. -----BEGIN CERTIFICATE-----
  87. MIIDEzCCAfugAwIBAgIIWvxvLItXbr8wDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
  88. AxMKa3ViZXJuZXRlczAeFw0yMDA5MjIxMzMxMDdaFw0yMTA5MjIxMzMxMTBaMDQx
  89. FzAVBgNVBAoTDnN5c3RlbTptYXN0ZXJzMRkwFwYDVQQDExBrdWJlcm5ldGVzLWFk
  90. bWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1OjJPXnjSFqmMAwT
  91. 2Y0drCjld5ZtYwTqrnhSU4/9mGB80r+5GVb6tRWyGnHRkXNgVUJTS7YqjqyH/k4Y
  92. APiH/2OPUa/bxaNPay5MeLb6822vzL2XMyQgwus6/nUjR7/C8cElOqFbak3VWVF8
  93. HGIq4c1xifCAEvP4WJhJZH8ymLW0wpsm4t0r86CC0mEjZAYneJHzUDvAlD29gYo4
  94. EY8KClYqHtIGLFnuAYoK2TwSP/lDgEsIl3YftFfURRzN6dYMA7eLoPzFlcyUYPcK
  95. N8JBl15tLQUJUPkaxy+EqIcISV6AdeSuGdmgY0nHMzxgipo5+0n83OvhjQrddAP/
  96. 6yvSMwIDAQABo0gwRjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
  97. AwIwHwYDVR0jBBgwFoAUI3Xbjvdv9JrYuuNdvbvWu+hZ3OswDQYJKoZIhvcNAQEL
  98. BQADggEBAMXQo2ECAldDpvG6eX9lqirpa15FpGQj+CXyD+EtDVGDwDXiYptPFkTF
  99. pb5f7RsLhaLaUzevu8hSlpgY96+WWnGmULrNul/Eld8Qpzwz77o+wVSEdFR/UOFY
  100. Q6XCbk9tQpRxJ1zOs4qktd9i3C548ek47XRpJx0XZnzw+sRFziw5pyqR2v2b6Cm1
  101. iMAUFAKBi1Ifk8srZuErg+JaP965DS/CUoYJEPcHLvk2O5jr2hphk25Qyb3t/z59
  102. jnw2OLNDLe8dQMBx8mnmKdEdHXsLGhVm3qaHFp/xkyRXZVVZSSRL/oGpFL+IG908
  103. HaCiAYCtaZcDyjmvJukM74I+GUKI1AM=
  104. -----END CERTIFICATE-----

第38行Subject: O=system:masters, CN=kubernetes-admin,可以看出该证书绑定的用户组是 system:masters,用户名是 kubernetes-admin,而集群中默认有个 ClusterRoleBinding 叫 cluster-admin,它将名为 cluster-admin 的 ClusterRole 和用户组 system:masters 进行了绑定,而名为 cluster-admin 的 ClusterRole 有集群范围的 Superadmin 权限,这也就理解了为什么默认的 Kubeconfig 能拥有极高的权限来操作 Kubernetes 集群了。

安装Kubernetes cli工具并修改kubeconfig文件

kubernetes cli工具安装参考:https://kubernetes.io/zh/docs/tasks/tools/install-kubectl/
首先可以在本地找到~/.kube/config文件(默认的Kubeconfig文件),然后修改其中的clusters、contexts、users信息,得到新的kubernetes客户端的配置。在我的PC上,有Docker自带的Kubernetes配置,配置如下:

  1. apiVersion: v1
  2. clusters:
  3. - cluster:
  4.     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1EY3lOREV5TlRReU5Wb1hEVEk0TURjeU1URXlOVFF5TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFBSCm9JMkZpbHVuTzBNL1R6UXErczdDN1Bud1lGQndQZ3RWWnY4cDBrOUE1akwvVVVrNE4wWitPempPM1Vva2tsMEwKNFRBMExTWEVuMXh2ZXVsUkhZbTNydWdWVjJ4a2hPTEJRUm9DYnRJM3VyZjFteTBnN1dqYzFTaDFZMjZNWkFRcQo1K3M0QUNSbEh2TDZyR3J3TW8vQ3RtSkk1VHNLUy9KK1dSSDRZV0R5Ykd5NG55TmcwTE1xZnFlSG0zSlcxb2c4Cm5yakVqNmw5ck9kczlXWng4YytYdzZYWHJUeXBUY1g1Q3Y1QnFpTEpVZzlUK0V5WWFhSHZxRmx0dkRSbTNid0gKZVpGUVFlbnZvM1RhbU5Od0dUWFUxVG9TY25zQVFrVXlzTjlTcW5SMmQwVmpqS09ZV0czNnVkS1YxdkVIUkhxSgpjLzBHSmZtcmpKTjJnblJadTVjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCZHQwQ1Y5aEJxS3doV2ZqR2ZkTVovVmhzR3MKSEh4SjJzOXBvTkFjTlVhdzUrdmkvcXNKVDRZaXRFenNsMnhZU2Y5VmJBL3dZTVBDR3JFWlI3Y2FHdjlRUkRKZAowbENFTmU4dDdvZGNhNk14dnk5cjlkVkl4ZjdWZ2htZml5SFQ1UW5za00rZkEwZmd2ZmVkNWtEZkp3VmkxTmpmClBoZXRGckdTZGRTVWtSSTREdmlOeGJjdmRjMzhiMTcrVFZBWXJ4a2RNTWdMZVVkMmduYmh1NG5ZR1hUMnZzTXAKUDJjQ0xWUnUwVkFVcER0c2Y5TnRqM2pHZ2FSMGxwbXQ2VlJCQlhLeEFYeVhmVGdkSndNR2dYZ01IQnB2OS82LwpFWXB6UCs4MUhvaDdnbitFRVQ3ZHpzRWhIZGc0eTQ3eEprNWNKNHdQS1RVenJFakM1SEVmcklXcGdncz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  5.     server: https://kubernetes.docker.internal:6443
  6.   name: docker-desktop
  7. contexts:
  8. - context:
  9.     cluster: docker-desktop
  10.     user: docker-desktop
  11.   name: docker-desktop
  12. - context:
  13.     cluster: docker-desktop
  14.     user: docker-desktop
  15.   name: docker-for-desktop
  16. current-context: docker-desktop
  17. kind: Config
  18. preferences: {}
  19. users:
  20. - name: docker-desktop
  21.   user:
  22.     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lJTW5zSGR4NHNXdkF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T0RBM01qUXhNalUwTWpWYUZ3MHlNVEEzTWpjd09EUTBNVGRhTURZeApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sc3dHUVlEVlFRREV4SmtiMk5yWlhJdFptOXlMV1JsCmMydDBiM0F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREhicEVVZWh3YVY3S2EKS2tweFl6SnArRGxHYmxiM1dzSmZOVjhTS29lRUhrRnZGVkN2SFptUkdWRWQ3VWUwQzhkRGRnc1VuaGplUFFoMwpWTXpSem81WkozYW9WcWpSQU9meEMxOWdQcVJJYU1VdmxiWVpzYUVuZCt2cXdJZ0NWbUpmRU1HbFVzYVViT203ClFhMnlZaC9GSVRpN3MxQUJuTldjTE5QVXUwMjlpTHhFMlNjbGpJWWJwYXc5S3BkTElVM29RRzJKSDZYcUFVN0YKNE9abnp1UHF0N241dlN3THM4ZlNmS0Nxa0Z6dTBLaDVxTlBNb3hMbnc3MUZWWDRJbDRCb0I4N3Zia1Bpa2J6cQp6UGYwNDI2TGdZMTZreWlhREc2T1kwcWFpbU85ZlExS2kxa2dwUXh5aUQ1SlkxOFZ2aTA1SkdhNDh0SW9BZWhuCjlDaU9WL3BMQWdNQkFBR2pKekFsTUE0R0ExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFSUW14VWJWMmU1cE5RTU1nYkpZWVk0VWNGU08rOVJnRAord3RyTnQxdFp0MWlpR2VSMTdKNTcwUkxPYVVGOVdVc3BoLytXQms1Ni9TV3J5dzFoQ2VuQW9XcmUwSXRlTDBxCnA0OHdkWXEvNXpZQ1FlVy9zdW1heEdmVmh4ZnI3enkxTmF1bTdMTDFySEMvcnV3dzVxSnlzMlp0N0VyaVJJamUKY3JIaDZCcmNGRS9YalFRaXM5aHhoaDJEcUozVExhTGthOENCOHBmUWFEd24rR3IxSEorQVJxVXcvWWt2T3dwSQpna0RmWU03Y2pLTmYxV3ErYy9nWVpVZ0ZEaWlNT09FUDkvMTBWekRaa0lJV0R1aGpMLzE5YXNsa1UwSXNYZkJLCmFGb0h5WVkxNlN5c1grektjY3FhNWxzRG0veEczTkVXZlRWQnVuTSs1NWR0UlJRaDMzVzhDdz09CtLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  23.     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeDI2UkZIb2NHbGV5bWlwS2NXTXlhZmc1Um01VzkxckNYelZmRWlxSGhCNUJieFZRCnJ4MlprUmxSSGUxSHRBdkhRM1lMRko0WTNqMElkMVRNMGM2T1dTZDJxRmFvMFFEbjhRdGZZRDZrU0dqRkw1VzIKR2JHaEozZnI2c0NJQWxaaVh4REJwVkxHbEd6cHUwR3RzbUlmeFNFNHU3TlFBWnpWbkN6VDFMdE52WWk4Uk5rbgpKWXlHRzZXc1BTcVhTeUZONkVCdGlSK2w2Z0ZPeGVEbVo4N2o2cmU1K2Iwc0M3UEgwbnlncXBCYzd0Q29lYWpUCnpLTVM1OE85UlZWK0NKZUFhQWZPNzI1RDRwRzg2c3ozOU9OdWk0R05lcE1vbWd4dWptTkttb3BqdlgwTlNvdFoKSUtVTWNvZytTV05mRmI0dE9TUm11UExTS0FIb1ovUW9qbGY2U3dJREFRQUJBb0lCQURJRExVallVb0hjcWtKMQpCcFFtenphNTlBc1FrcWlYVHhVM09pOUJFUmoxeVcwRkNHWFI0M2Y2eEZmZjhGSmJmYzRTSlRjM2FuOFpDUzE3Cnk1MTEwa2JUV2JOZmdCaGh4TWl6RkdqN2JKRm9ETU1oSlRpT1RoNnF1VFAyc21UN3F0R3lUdzJaazRrWFF3b2QKcjJTRHJQbnZtZDJnV3hqOGJxa3FxTGk1ZkFaaWVaWHNvM2FqQlJpN3hYbHBydEd5UzVnNlFjT0oyUllKU0wxbwpRQStHSzFncUpEeFBMWGkrZXZNeWJ3aEx3b2FlUnp5Y3p5THh3NGpNdkEvbnZrck1rODlJam50dWlKUGozTTdmCkFSb1FuMGcwbTRTREpUTlJXS0NPNktxSXAwVUpsa1Ywc1J5ZWxoWFdkMkV1ZU9BVmlFYktiWnhmbGdYRXJsSkoKdnFKY0lPa0NnWUVBM3haNzN0S0lMQ1ZCdE9sNHZCTUZwSjkxL0xHeEZjSXZkejJ2ZktPcmdITFZXMDQ3WThlQQpzRmRoT3dDZ1ZtUE9iQlMrbUxGRnVQaGpGUmVCOTYwRXN3bjlTMUIrYjhmZm1tSy9najl2cThWZ3NIQUtSVWhwCnp1QXNnOXpydTRSZUE0cHJUU2tHaEpNWGh6THl6OGVTZUdXQWtnRVVaM05XRmhkeEpjWXh3eThDZ1lFQTVOcW4KRi9SMXhLWmNSS0ZiVnp2RVNiN1UrSHdvMlRZUkFoZURQcTlmQkhvK2k1M2krNitKdjZaalgyUUVrdUdwOTFCbQpaU3JWYkZaMWNDdmwxdmtwdnFaVGNuQ3NvWjA4V1prOGhGR0lmTjZGM2FtUGd6Qmk3cWVwMmlSamZDbDRGWTZMCnMraUx3QVVBazVRayswM2lUZUJpMnVPK3FteDZpVHJmL1FCV1k2VUNnWUFldnJLRG12QTVaVWtRN2J3OTcwRXYKMXVvajBUbGVqa3lNV212OCtYR0JXbElkSzBMMEZXS2U2dXZ6ZmJxYkxWWWRmeDVsWE1rSEhQUkt5OXFWajdxKwpFZnBlanRGZUJtWENtU2xiZ2ZLWjhiSEpueWRMTlJlZjh6VXZWeHNGMU5CQUhLdDlEdEpmSXdaekU0cHpLRVgvClliMitZWGUyYWliTEZKLzdYTDB1OFFLQmdRRGMwTWozU1M0MDc1d0pzSE5VeVZ0TkdLK2ZqeFZPK0djUzBLTVgKWWRsWmxhWXh5c2NQdUVFK1JZcU9xUS9zdFlidEZZdW5ROXdvSzRnbkVvUXpsN2lhdHh1L1NVNllwZ0ZzSm5vSQo1aTYrNVdyZkJWTnU3c29Xb25vMS9IUnRnZ25YS3ZKTFJpOUp1TW5rbThYUElVZ2hna2VBRXMyTzNScWl2TWNRCjlEbG03UUtCZ0I4VWUxajBEcUNVNGNqSU5HNDFHcTk2R2tzbkFqSHk5MTBOTEtjOEdja2JpN09JangrNWhiTVQKbHNDTXlsQjFYakdsY0wyeFFiVWlZZ2JkcmhseXVhbkp4enhsVmdrd0JmVTJFWS93SnRCSFhMT0Z1NnhYTEFHUwovbXBhVEl3czIvbUk2NHh4djJJc0NRZE1veTNRMWMzaFRMaDc4UExSZlpKK1liR0dUYldnCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

该配置,只能使我本机的kubernetes cli访问本机的k8s集群,若想通过本机的Kubernetes Client访问其他kubernetes集群,所以需要向集群自签名 CA 机构(master 节点)申请证书,然后通过 RBAC 授权方式给证书用户授予集群只读权限。步骤如下:

  1. 生成客户端TLS证书 ```yaml

    1. 创建证书私钥:

    openssl genrsa -out me.key 2048

2. 用上面私钥创建一个 csr(证书签名请求)文件,其中我们需要在 subject 里带上用户信息(CN为用户名,O为用户组,其中/O参数可以出现多次,即可以有多个用户组):

openssl req -new -key me.key -out me.csr -subj “/CN=kylinxiang”

3. 找到 Kubernetes 集群(API Server)的 CA 根证书文件,其位置取决于安装集群的方式,通常会在 master 节点的 /etc/kubernetes/pki/ 路径下,会有两个文件,一个是 CA 根证书(ca.crt),一个是 CA 私钥(ca.key)。通过集群的 CA 根证书和第 2 步创建的 csr 文件,来为用户颁发证书:

openssl x509 -req -in me.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out me.crt -days 365

  2. 2. 基于RBAC授权方式授予用户kylinxiang集群管理员权限
  3. ```yaml
  4. kubectl create clusterrolebinding kylin-mac --clusterrole=cluster-admin --user=kylinxiang
  1. 修改本机kubeconfig(~/.kube/config)文件
    • cluster部分:在clusters数组中,添加一个新的cluster元素(元素信息可以通过查看远程集群的~/.kube/config文件获取),主要包括certificate-authority-data字段、server字段信息,最后设置该cluster名字name字段为kubernetes(这个名字可以自己修改,前后一致就行)。
    • user部分:在users数组中,添加新的user信息,配置client-certificate-data字段信息,值为通过base64加密的上面生成me.crt内容,配置client-key-data字段信息,值为通过base64加密的上面生成me.key内容(base64加密是需要指定--wrap=0选项,即cat me.crt | base64 --wrap=0),最后设置该user的名字name字段为kylinxiang(此名字可以自由设置,前后一致就行)。
    • context部分:在contexts数组中新添加一个context元素,context元素用于将cluster和user关联起来,所以将context中的cluster字段设为kubernetes(cluster部分配置的name),将user字段配置为kylinxiang,最后设置context的名字为fudan1(此名字可以自由设置)

注意:这里配置的user的name,可以不用和第2步中—user的配置一直,因为第二步中—user匹配的是client证书中subject的CN的值。

  1. apiVersion: v1
  2. clusters:
  3. - cluster:
  4.     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1EY3lOREV5TlRReU5Wb1hEVEk0TURjeU1URXlOVFF5TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFBSCm9JMkZpbHVuTzBNL1R6UXErczdDN1Bud1lGQndQZ3RWWnY4cDBrOUE1akwvVVVrNE4wWitPempPM1Vva2tsMEwKNFRBMExTWEVuMXh2ZXVsUkhZbTNydWdWVjJ4a2hPTEJRUm9DYnRJM3VyZjFteTBnN1dqYzFTaDFZMjZNWkFRcQo1K3M0QUNSbEh2TDZyR3J3TW8vQ3RtSkk1VHNLUy9KK1dSSDRZV0R5Ykd5NG55TmcwTE1xZnFlSG0zSlcxb2c4Cm5yakVqNmw5ck9kczlXWng4YytYdzZYWHJUeXBUY1g1Q3Y1QnFpTEpVZzlUK0V5WWFhSHZxRmx0dkRSbTNid0gKZVpGUVFlbnZvM1RhbU5Od0dUWFUxVG9TY25zQVFrVXlzTjlTcW5SMmQwVmpqS09ZV0czNnVkS1YxdkVIUkhxSgpjLzBHSmZtcmpKTjJnblJadTVjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCZHQwQ1Y5aEJxS3doV2ZqR2ZkTVovVmhzR3MKSEh4SjJzOXBvTkFjTlVhdzUrdmkvcXNKVDRZaXRFenNsMnhZU2Y5VmJBL3dZTVBDR3JFWlI3Y2FHdjlRUkRKZAowbENFTmU4dDdvZGNhNk14dnk5cjlkVkl4ZjdWZ2htZml5SFQ1UW5za00rZkEwZmd2ZmVkNWtEZkp3VmkxTmpmClBoZXRGckdTZGRTVWtSSTREdmlOeGJjdmRjMzhiMTcrVFZBWXJ4a2RNTWdMZVVkMmduYmh1NG5ZR1hUMnZzTXAKUDJjQ0xWUnUwVkFVcER0c2Y5TnRqM2pHZ2FSMGxwbXQ2VlJCQlhLeEFYeVhmVGdkSndNR2dYZ01IQnB2OS82LwpFWXB6UCs4MUhvaDdnbitFRVQ3ZHpzRWhIZGc0eTQ3eEprNWNKNHdQS1RVenJFakM1SEVmcklXcGdncz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  5.     server: https://kubernetes.docker.internal:6443
  6.   name: docker-desktop
  7. - cluster:
  8.     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3lNakV6TXpFd04xb1hEVE13TURreU1ERXpNekV3TjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmY3CnRVYnY5d1U2TlpvR210SW1TMmJPaFZ0eUMwUkxXRnhKc0FZZnZwVWVFWSt3KzhLajloSFAxZmxVbFByaXkwNksKZUViSWNORjJVbVp1RnQvTUZsNHBhK2kwdDBYY0JwUlFPc2hQczFrOVlVRkFKa09IR1RYL3lzcFhUS2lmbUt4cwp0c2JweGpRUFk2b09vZ0NGbW9LbDZsTFNtSVIzWjJGS2xBZWtPNldQQTdMUzNoTGZrK0pvMXd0RElnOE5xY2p1ClNkM3pMdlVkMlh5cWlsNlI5ZEJ3eXBOMTBVWG54ZlQwdDlZdkdiZ2ZnalByTkRYdW5JTjF0N0JsbCtqZVNiTlMKdmw0cGxSOW1keHpzV0tzdG1ZUlFSUzU5eGJMVW1IMjNEbXRoSEtWbjlRdmk0RHFwS3hmOHVQNU5mVzVTNHNydwpuOVNlaEl2THJBdU5kdVg3cE9NQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDTjEyNDczYi9TYTJMcmpYYjI3MXJ2b1dkenJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFBM2tlekhaTmpuWXNxQkdBbjR0MSswWU8xL2VXWTA3cE9DZjhmUExQSVNja3F4Mzc1dwpJemt0bnRGWndHQlowYTkrM0l0ek80OTJwVnA3YzQ0Ymc3ZXVpVmdBNnM2NndOayt4Z3R1Znd0K0hBRStGbFZNCjdSU2ZrR1lyZjgwYTEvbURKanVGbkRXOFpZT1lmcUZrTGRXMG9ZSGR1WWNLa3pFZHZsQUx4c0lxaWtISFFRQzQKRk9zcU9EeWdidmF6U21xZlZpVlFBQmFGR1lHbE9pVUhJR2g2dVE2VHlhQmxCZXVBclFxcHhxS2EwQiswZ1IwcAoraWhUTWVUK0FTZU1ITUV0RldnWVhGdTFxYTV3ZzYvMUZLcEJZWjhSWm9wYkY5SWp2cUUzTnZGc0lwRTBza0xjCjJqMW1VemhsMjZ2Ny81NzJZQzhEODNCWC83RVk0Mm82K1JHSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  9.     server: https://10.176.122.1:6443
  10.   name: kubernetes
  11. contexts:
  12. - context:
  13.     cluster: docker-desktop
  14.     user: docker-desktop
  15.   name: docker-desktop
  16. - context:
  17.     cluster: docker-desktop
  18.     user: docker-desktop
  19.   name: docker-for-desktop
  20. - context:
  21.     cluster: kubernetes
  22.     user: kylinxiang
  23.   name: fudan1
  24. current-context: fudan1
  25. kind: Config
  26. preferences: {}
  27. users:
  28. - name: docker-desktop
  29.   user:
  30.     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBZ0lJTW5zSGR4NHNXdkF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T0RBM01qUXhNalUwTWpWYUZ3MHlNVEEzTWpjd09EUTBNVGRhTURZeApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sc3dHUVlEVlFRREV4SmtiMk5yWlhJdFptOXlMV1JsCmMydDBiM0F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREhicEVVZWh3YVY3S2EKS2tweFl6SnArRGxHYmxiM1dzSmZOVjhTS29lRUhrRnZGVkN2SFptUkdWRWQ3VWUwQzhkRGRnc1VuaGplUFFoMwpWTXpSem81WkozYW9WcWpSQU9meEMxOWdQcVJJYU1VdmxiWVpzYUVuZCt2cXdJZ0NWbUpmRU1HbFVzYVViT203ClFhMnlZaC9GSVRpN3MxQUJuTldjTE5QVXUwMjlpTHhFMlNjbGpJWWJwYXc5S3BkTElVM29RRzJKSDZYcUFVN0YKNE9abnp1UHF0N241dlN3THM4ZlNmS0Nxa0Z6dTBLaDVxTlBNb3hMbnc3MUZWWDRJbDRCb0I4N3Zia1Bpa2J6cQp6UGYwNDI2TGdZMTZreWlhREc2T1kwcWFpbU85ZlExS2kxa2dwUXh5aUQ1SlkxOFZ2aTA1SkdhNDh0SW9BZWhuCjlDaU9WL3BMQWdNQkFBR2pKekFsTUE0R0ExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFSUW14VWJWMmU1cE5RTU1nYkpZWVk0VWNGU08rOVJnRAord3RyTnQxdFp0MWlpR2VSMTdKNTcwUkxPYVVGOVdVc3BoLytXQms1Ni9TV3J5dzFoQ2VuQW9XcmUwSXRlTDBxCnA0OHdkWXEvNXpZQ1FlVy9zdW1heEdmVmh4ZnI3enkxTmF1bTdMTDFySEMvcnV3dzVxSnlzMlp0N0VyaVJJamUKY3JIaDZCcmNGRS9YalFRaXM5aHhoaDJEcUozVExhTGthOENCOHBmUWFEd24rR3IxSEorQVJxVXcvWWt2T3dwSQpna0RmWU03Y2pLTmYxV3ErYy9nWVpVZ0ZEaWlNT09FUDkvMTBWekRaa0lJV0R1aGpMLzE5YXNsa1UwSXNYZkJLCmFGb0h5WVkxNlN5c1grektjY3FhNWxzRG0veEczTkVXZlRWQnVuTSs1NWR0UlJRaDMzVzhDdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  31.     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeDI2UkZIb2NHbGV5bWlwS2NXTXlhZmc1Um01VzkxckNYelZmRWlxSGhCNUJieFZRCnJ4MlprUmxSSGUxSHRBdkhRM1lMRko0WTNqMElkMVRNMGM2T1dTZDJxRmFvMFFEbjhRdGZZRDZrU0dqRkw1VzIKR2JHaEozZnI2c0NJQWxaaVh4REJwVkxHbEd6cHUwR3RzbUlmeFNFNHU3TlFBWnpWbkN6VDFMdE52WWk4Uk5rbgpKWXlHRzZXc1BTcVhTeUZONkVCdGlSK2w2Z0ZPeGVEbVo4N2o2cmU1K2Iwc0M3UEgwbnlncXBCYzd0Q29lYWpUCnpLTVM1OE85UlZWK0NKZUFhQWZPNzI1RDRwRzg2c3ozOU9OdWk0R05lcE1vbWd4dWptTkttb3BqdlgwTlNvdFoKSUtVTWNvZytTV05mRmI0dE9TUm11UExTS0FIb1ovUW9qbGY2U3dJREFRQUJBb0lCQURJRExVallVb0hjcWtKMQpCcFFtenphNTlBc1FrcWlYVHhVM09pOUJFUmoxeVcwRkNHWFI0M2Y2eEZmZjhGSmJmYzRTSlRjM2FuOFpDUzE3Cnk1MTEwa2JUV2JOZmdCaGh4TWl6RkdqN2JKRm9ETU1oSlRpT1RoNnF1VFAyc21UN3F0R3lUdzJaazRrWFF3b2QKcjJTRHJQbnZtZDJnV3hqOGJxa3FxTGk1ZkFaaWVaWHNvM2FqQlJpN3hYbHBydEd5UzVnNlFjT0oyUllKU0wxbwpRQStHSzFncUpEeFBMWGkrZXZNeWJ3aEx3b2FlUnp5Y3p5THh3NGpNdkEvbnZrck1rODlJam50dWlKUGozTTdmCkFSb1FuMGcwbTRTREpUTlJXS0NPNktxSXAwVUpsa1Ywc1J5ZWxoWFdkMkV1ZU9BVmlFYktiWnhmbGdYRXJsSkoKdnFKY0lPa0NnWUVBM3haNzN0S0lMQ1ZCdE9sNHZCTUZwSjkxL0xHeEZjSXZkejJ2ZktPcmdITFZXMDQ3WThlQQpzRmRoT3dDZ1ZtUE9iQlMrbUxGRnVQaGpGUmVCOTYwRXN3bjlTMUIrYjhmZm1tSy9najl2cThWZ3NIQUtSVWhwCnp1QXNnOXpydTRSZUE0cHJUU2tHaEpNWGh6THl6OGVTZUdXQWtnRVVaM05XRmhkeEpjWXh3eThDZ1lFQTVOcW4KRi9SMXhLWmNSS0ZiVnp2RVNiN1UrSHdvMlRZUkFoZURQcTlmQkhvK2k1M2krNitKdjZaalgyUUVrdUdwOTFCbQpaU3JWYkZaMWNDdmwxdmtwdnFaVGNuQ3NvWjA4V1prOGhGR0lmTjZGM2FtUGd6Qmk3cWVwMmlSamZDbDRGWTZMCnMraUx3QVVBazVRayswM2lUZUJpMnVPK3FteDZpVHJmL1FCV1k2VUNnWUFldnJLRG12QTVaVWtRN2J3OTcwRXYKMXVvajBUbGVqa3lNV212OCtYR0JXbElkSzBMMEZXS2U2dXZ6ZmJxYkxWWWRmeDVsWE1rSEhQUkt5OXFWajdxKwpFZnBlanRGZUJtWENtU2xiZ2ZLWjhiSEpueWRMTlJlZjh6VXZWeHNGMU5CQUhLdDlEdEpmSXdaekU0cHpLRVgvClliMitZWGUyYWliTEZKLzdYTDB1OFFLQmdRRGMwTWozU1M0MDc1d0pzSE5VeVZ0TkdLK2ZqeFZPK0djUzBLTVgKWWRsWmxhWXh5c2NQdUVFK1JZcU9xUS9zdFlidEZZdW5ROXdvSzRnbkVvUXpsN2lhdHh1L1NVNllwZ0ZzSm5vSQo1aTYrNVdyZkJWTnU3c29Xb25vMS9IUnRnZ25YS3ZKTFJpOUp1TW5rbThYUElVZ2hna2VBRXMyTzNScWl2TWNRCjlEbG03UUtCZ0I4VWUxajBEcUNVNGNqSU5HNDFHcTk2R2tzbkFqSHk5MTBOTEtjOEdja2JpN09JangrNWhiTVQKbHNDTXlsQjFYakdsY0wyeFFiVWlZZ2JkcmhseXVhbkp4enhsVmdrd0JmVTJFWS93SnRCSFhMT0Z1NnhYTEFHUwovbXBhVEl3czIvbUk2NHh4djJJc0NRZE1veTNRMWMzaFRMaDc4UExSZlpKK1liR0dUYldnCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
  32. - name: kylinxiang
  33.   user:
  34.     client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNwakNDQVk0Q0NRRHNLeHBLekFzWEREQU5CZ2txaGtpRzl3MEJBUXNGQURBVk1STXdFUVlEVlFRREV3cHIKZFdKbGNtNWxkR1Z6TUI0WERUSXdNVEV4TURFek1qZ3lNMW9YRFRJek1EZ3dOekV6TWpneU0xb3dGVEVUTUJFRwpBMVVFQXd3S2EzbHNhVzU0YVdGdVp6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFOdUJmdE9UNmtSOWI4ZnFQWldVMXNPY2hKdEt1b2VlWUFiSmpkTFdPd2ZURFhCeWMybVlpV1dEaEhQUHM1NC8KQ0hzY1JoQ1I1TVV3OTFBMnJLTlU2dzRyTnZVVUdPVGJjWjAzRnk5YmpnTTR3U01UcFZDdTM5Q2g2SGVmNDZpNQpJcCt3emZ4cUhZLzlibkNpR2hZZVJzbUd2TkJ6ZUJYcFFucFhLVG85R1M0R3NlOXZzeW5GYi9JeVg1YWJkVXVzClljNnhCV1hSUWFPanlrNnpyU0lmeVI4cktTa0lWK3NDcktQemliYkxSc1c5bnNZVERDcXRlaXZmSU1neDNEb2kKeWxQNVdDWnl6WWw2YjZWc2lyYmVocDRKYnlxRERXQWhFVFRRTW5uNFJDaHFsN0MrZGhsd3VrNW94WHlkNXRUbwprejRBYXVSTHNhSTQvU1hMZVI1VkxEMENBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQTBsdE9oaWdaCmp6NWxzeStCbzhRMXYwSVFER2J2WnhaNUJqL2diVmszSUZscEgyTWpwdVg5bVV4UjRRaFdaSkh1U2VOQjVSajUKMnk1L2Q4aDc4dnJzZ1lNNkU3NkNra0JickZVVFk0bEcraFR0V1BXVEdZeTdDVm5BZkEwQnFNSjRSN3J6cktFOApzdHhkZWNuR25nalJFYm5oWnNZUDNwMGQyY1dtMFEvRjgvWjNYNUZTdFFCTnBFMWxUTVoyUmVRdENYZlV6VmdrCnJoMGwwUlp4U3B1N3IyU01CdS9uV0k4d3RYVlVxT3NwT1MrQ3ppZEhsUWhseXg5WGJNRVF1WkpDWFhNcUdjVjIKSEFIOVY0RmZkb2dXTExBV21YbDhEVzhsNkEwOCtHRm5Oc3JsdkppWmVyMUZodnNXTUZJQS95Ky9hMkJPeVh4VgpwREQxOC9tc0FyRk5iZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  35.     client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBMjRGKzA1UHFSSDF2eCtvOWxaVFd3NXlFbTBxNmg1NWdCc21OMHRZN0I5TU5jSEp6CmFaaUpaWU9FYzgrem5qOElleHhHRUpIa3hURDNVRGFzbzFUckRpczI5UlFZNU50eG5UY1hMMXVPQXpqQkl4T2wKVUs3ZjBLSG9kNS9qcUxraW43RE4vR29kai8xdWNLSWFGaDVHeVlhODBITjRGZWxDZWxjcE9qMFpMZ2F4NzIregpLY1Z2OGpKZmxwdDFTNnhoenJFRlpkRkJvNlBLVHJPdEloL0pIeXNwS1FoWDZ3S3NvL09KdHN0R3hiMmV4aE1NCktxMTZLOThneURIY09pTEtVL2xZSm5MTmlYcHZwV3lLdHQ2R25nbHZLb01OWUNFUk5OQXllZmhFS0dxWHNMNTIKR1hDNlRtakZmSjNtMU9pVFBnQnE1RXV4b2pqOUpjdDVIbFVzUFFJREFRQUJBb0lCQUI0MFVYbFhyekxCZC9JdwpYMDBIOEExMnFpQ2NSZEtIam5zZ25PMVlJVU5RWFZjTnlLZk5INHJpY0FWbm5UVzNRcmwrQ0g0Yk5UbVZKVkxhClV5TWVla0cyM0pjWXJ0dysvZ0UrSldpVTFwUEc2WHlrSldsV3h1RjBoZ0ovODlteHIvdjlYanJQZDBYcS81bHMKRk43YVI2OVBaUWZoKzdJNEtMZWc2c0ZpeXVZME1GNUdQTTN1U2FvclBmc096cTN6V0wxblhtY0JVWUtLQkdZQQp3YTZyeS9RaTl6WEFmVXYyYkhxcGQwQkpkeDV3WHBmWERaQlFtbUhsellyRnVoMXFCS1NmRTRiL2JZcVB6Mm92Cnd6VWZyR05QaERhTUpKSXJvSkNoYzVVeVFEbTdMbDFNaXIybHhJM0ZRMFJqNlZrOU55bnBtSldBaE14N1l4RHgKaXdzdVlWa0NnWUVBOU1Ma1ZoK3cwdVhOUFhtVnRLTmd6ekFEZ0djUnQrNXJMcVJmOXB2bGRrd3pjb2kvc1pzTgpXc2RGYWhSUzRSRXFWbU1PR0ZGZDFwdSt1RFlZa2ZPMkZ0cG9zU3prN3hrMTV1aWI0b2xhd0Q4UStWbTFpSU8wClJoVTB6aWVZb3MvRjRlQ0ZmQzM4VkRkYVEwR0F0a3hGTitNRitidFZjOGFGdExYd0dSb09VaHNDZ1lFQTVaVzcKWFdBUWJHK09Tb2RscDFCbi8yRk04ejRBL0RwUTRaeXJDdG9aaStLY2pQMUtVcm5vcy83cTBhSGgySkNKbWdZVwprZDlobmUyUzA2SDF1VDBOaTBLQVBXMW4wR3BUSUVWaUUyYTRJcmR0NHBocUwrcU9jTHJVanYrWmpybDJVbkZoCnkrMGt2TDRKeEZQSElDWllEN0xZVGxOWGZUOXpCcTZGQlNmVm9JY0NnWUE4MjJSNHdZSnV2Ykt0VVZqV3hEU2kKNzFZL2krRU04WnYyeWVvT1lDN0tuaUhBblozRUpFQkt6UGRHYSswN2h0QVhFS1FGaWQyaUtiRmZEaHhIMWVmMQpnTEs5TXVOdFM4QnFQSFhkK3JiMHkvbUZkamU3ekx0N0hYUzJ1WU9ySDZ3ZEFIMVFKZ0x5VVowQTBmMlYxaHJ6CnpWL0QrejlBL1NCcmtUMDBrSlQwOXdLQmdRRFF0M3NLdkpheHZna2lBRTJOK2k5Um9HZVFpMEhpRERJVHFaWmwKMnpsMlRxSDhHeGxDYy9qMkNqMzRMcTlmYnFkcCt6YnhqcDcwTUZOWFN0cFZlUWVqSHVYdThsTjZ5ZTZnVy9ONQpwOXltMHhOMitSRXdWcEVBTXhtaWx3UkhHSnhVL3ZibHFjWElRUXdvQy9IdmJHeUtlUkRreENlNW1jRTh4ZFB3CmgvSlNhUUtCZ0hoM0NTbEFNMm5mQ1R2eHR6RHNzWkNYT2hTQmdOVCtkUHhuVUhmVEVXaE1KcmV4R05DMHMxREwKb09wam14MUhiSGZIK3lqREpMMDVVY0NDMFZPcjRHVzhSN3MyN05YQysyWEh4TGdxemJubFh4QmlBSmFhamsxSgo0UlVhU2NDdEszWUxSTEIyRUxJdDRmcGxEUTY0WG5nMXNaMDRHOW9JUEF3bXIxVDJKSW9wCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

到此就配置好了所有的信息,现在kubernetes client就有了两个集群的配置,一个本地集群,一个远程的集群,那么如何切换这两个集群呢?需要使用,该命令将./kube/config下的文件配置切换到fudan1上下文,—kubeconfig也可以指定其他配置文件(但是我没有试验成功)

  1. kubectl config --kubeconfig=config use-context fudan1

接下里就可以访问远程集群了。

参考:

  1. http://dockone.io/article/9848
  2. https://jimmysong.io/kubernetes-handbook/concepts/rbac.html
  3. https://kubernetes.io/zh/docs/tasks/tools/install-kubectl/
  4. https://kubernetes.io/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/