1.1、生成密钥文件
root@ubuntu-kubeadm-master:~# cd /etc/kubernetes/pki
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# (umask 077; openssl genrsa -out kube-user1.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
.....+++
e is 65537 (0x010001)
1.2、创建证书签署请求
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl req -new -key kube-user1.key -out kube-user1.csr -subj "/CN=kube-user1/O=kubeusers"
1.3、使用kubeadm安装kubernetes集群时生成的集群CA为该请求签署证书
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -req -in kube-user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-user1.crt -days 3650
1.4、验证证书信息
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# openssl x509 -in kube-user1.crt -text -noout
2.1、配置集群信息
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-cluster kubernetes --embed-certs=true --certificate-authority=/etc/kubernetes/pki/ca.crt --server=https://192.168.253.174:6443
2.2、配置客户端证书和密钥
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-credentials kube-user1 --embed-certs=true --client-certificate=/etc/kubernetes/pki/kube-user1.crt --client-key=/etc/kubernetes/pki/kube-user1.key
2.3、配置上下文
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config set-context kube-user1@kubernetes --cluster=kubernetes --user=kube-user1
2.4、指定上下文
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kube-user1@kubernetes
2.5、测试访问集群资源。不过在启用了RBAC的集群上，此时尚未为该用户绑定任何角色，因此执行命令时无法获得集群资源的访问权限
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "kube-user1" cannot list resource "pods" in API group "" in the namespace "default"
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
2.6、可以使用命令切换回管理员
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
root@ubuntu-kubeadm-master:/etc/kubernetes/pki# kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
etcd-0   1/1     Running   0          45h
etcd-1   1/1     Running   0          45h
etcd-2   1/1     Running   0          45h