Authentication
First generate a private key (the umask keeps the key file readable only by its owner):
(umask 077; openssl genrsa -out caonw.key 2048)
Then issue a certificate for that key
1. Generate a certificate signing request (CSR); the CN becomes the Kubernetes user name (any O fields become the user's groups)
openssl req -new -key caonw.key -out caonw.csr -subj "/CN=caonw"
2. Sign the CSR with the cluster CA (ca.crt / ca.key)
openssl x509 -req -in caonw.csr -CA ./ca.crt -CAkey ca.key -CAcreateserial -out caonw.crt -days 365
Inspect the certificate (check the Subject, Issuer and validity period):
openssl x509 -in caonw.crt -text -noout
3. Add the user's credentials to the kubeconfig (--embed-certs=true copies the certificate and private key into the kubeconfig file, so protect that file like the key itself)
kubectl config set-credentials caonw --client-certificate=./caonw.crt --client-key=./caonw.key --embed-certs=true
4. Add a context that pairs the user with the cluster
kubectl config set-context caonw@kubernetes --cluster=kubernetes --user=caonw
5. Switch the current context to the new user
kubectl config use-context caonw@kubernetes
6. Test authentication
[root@k8s-lb pki]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "caonw" cannot list resource "pods" in API group "" in the namespace "default"
The Forbidden response means authentication succeeded: the API server identified the user "caonw" from the certificate's CN. What failed is authorization, because no RBAC binding grants that user any permission yet.
Authorization
Authorization plugins: Node, ABAC, Webhook, RBAC
RBAC
Subjects: users (UserAccount) and ServiceAccounts
Bindings: RoleBinding (namespaced), ClusterRoleBinding (cluster-wide)
Roles: Role (namespaced), ClusterRole (cluster-wide)
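The whole procedure above (key, CSR, CA-signed certificate, kubeconfig entry) together with the RBAC objects that resolve the Forbidden error in step 6, as an added example that is not part of the original notes. It adds a check the notes skip: before the certificate is loaded into a kubeconfig, it is verified against the CA and its CN is compared with the intended user name. The CA created by make_stand_in_ca is a constructed stand-in so the flow runs offline; on a real cluster use the cluster's ca.crt and ca.key instead. The user name "caonw", the group "devs", the cluster name "kubernetes" and the Role name "pod-reader" are illustrative; kubeconfig_add_user needs kubectl and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original notes). Requires openssl; kubectl only
# for kubeconfig_add_user. Names below are assumptions, not cluster values.
set -eu

# Constructed stand-in for the cluster CA (/etc/kubernetes/pki/ca.crt and
# ca.key on a kubeadm node) so the example runs offline.
make_stand_in_ca() {            # $1 = working directory
  mkdir -p "$1"
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  openssl req -x509 -new -key "$1/ca.key" -days 3650 \
    -subj "/CN=kubernetes-ca" -out "$1/ca.crt" 2>/dev/null
}

# Steps 1-2: private key, CSR, CA-signed certificate.
# Kubernetes takes the user name from CN and the groups from each O.
issue_client_cert() {           # $1 = dir, $2 = user, $3 = group
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/$2.key" -subj "/CN=$2/O=$3" \
    -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

# Subject fields, one "attr=value" per line (RFC2253 keeps them unambiguous).
subject_fields() {              # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=[[:space:]]*//' | tr ',' '\n'
}
cert_user()   { subject_fields "$1" | sed -n 's/^CN=//p'; }   # Kubernetes user
cert_groups() { subject_fields "$1" | sed -n 's/^O=//p'; }    # Kubernetes groups

# Check before trusting: the cert must chain to the CA and its CN must be
# the user the kubeconfig entry will claim to be. Returns 0 only if both hold.
verify_client_cert() {          # $1 = dir, $2 = expected user
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
  [ "$(cert_user "$1/$2.crt")" = "$2" ]
}

# Steps 3-5: load the credential into the kubeconfig (needs kubectl and an
# existing cluster entry named $3; --embed-certs copies key material into
# the kubeconfig file, so that file must be protected like the key).
kubeconfig_add_user() {         # $1 = dir, $2 = user, $3 = cluster name
  kubectl config set-credentials "$2" --client-certificate="$1/$2.crt" \
    --client-key="$1/$2.key" --embed-certs=true
  kubectl config set-context "$2@$3" --cluster="$3" --user="$2"
  kubectl config use-context "$2@$3"
}

# Fix for the Forbidden in step 6: a namespaced Role that allows reading
# pods, bound to the user by name. Apply as an admin:
#   rbac_pod_reader caonw default | kubectl apply -f -
rbac_pod_reader() {             # $1 = user, $2 = namespace
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $2
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1-pod-reader
  namespace: $2
subjects:
- kind: User
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Offline walk-through (no kubectl): issue, verify, print the RBAC manifest.
demo() {
  dir=$(mktemp -d)
  make_stand_in_ca "$dir"
  issue_client_cert "$dir" caonw devs
  verify_client_cert "$dir" caonw && echo "certificate OK for user $(cert_user "$dir/caonw.crt")"
  rbac_pod_reader caonw default
}
# demo   # uncomment to run the offline part
```

The verification step matters because kubectl will happily embed any certificate: a file signed by the wrong CA, or issued for a different CN, only fails later at the API server with an error that looks like an authorization problem. Keep the Role limited to the verbs and resources the user actually needs; a ClusterRole plus ClusterRoleBinding would grant the same access in every namespace.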