k8s_secret_kubeconfig
2.创建用户授权-kubeconfig
- 需要使用 openssl 工具手动创建单用户的证书文件
- 用于命令行管理 k8s 集群
2.1.创建用户证书文件
# Per-user credential material lives beside the cluster CA so the signing
# step later on can reference ../ca.crt and ../ca.key by relative path.
pki_dir=/etc/kubernetes/pki
cd "${pki_dir}"
mkdir -p users
cd users/
# Write the openssl.cnf that supplies the x509 v3 extensions (contents follow).
vim openssl.cnf
------------------------
# OpenSSL config used by the signing command only for its x509 v3 extension
# profiles; the certificate subject is passed with -subj, which is why
# [req_distinguished_name] is intentionally empty.
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
# Not referenced by the commands on this page (only v3_req_client is
# selected via -extensions); presumably kept for creating a CA.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
# Not referenced by the commands on this page; profile for a serverAuth cert.
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Profile selected by the signing command: an end-entity (CA:FALSE)
# certificate usable only for client authentication to the API server.
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
------------------------
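# Generate the user's private key. Older OpenSSL (1.0.x, as shipped on
# RHEL/CentOS 7) writes it with the umask default, typically 0644, so make
# the file owner-only regardless of OpenSSL version.
openssl genrsa -out devuser.key 2048
chmod 600 devuser.key
# CSR for the user. Kubernetes takes the user name from CN and the user's
# groups from O, so "devuser" is the subject the RBAC bindings below target.
openssl req -new -key devuser.key -subj "/CN=devuser/O=zuiyoujie" -out devuser.csr
# Sign with the cluster CA using the clientAuth profile from openssl.cnf.
# NOTE(review): the API server does not check revocation for client
# certificates, so a 10-year cert can only be invalidated by rotating the
# CA; prefer a much shorter -days value (or the CertificateSigningRequest
# API) outside of a lab.
openssl x509 -req -in devuser.csr -CA ../ca.crt -CAkey ../ca.key -CAcreateserial \
  -extensions v3_req_client -extfile openssl.cnf -out devuser.crt -days 3650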
2.2.使用用户证书生成 kubeconfig 配置文件
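# Cluster entry: the API server address and the CA that signed its serving
# certificate. --embed-certs inlines the CA so the kubeconfig is self-contained.
# Each kubectl invocation below is one command; the flags must be joined to it
# with line continuations, otherwise every "--flag" line runs on its own.
export KUBE_APISERVER="https://{{K8S_MASTER_IP}}:6443"
kubectl config set-cluster {{K8S_CLUSTER_NAME}} \
  --certificate-authority=../ca.crt \
  --server="${KUBE_APISERVER}" \
  --embed-certs=true \
  --kubeconfig=devuser
# User entry: the client certificate and key issued above. With --embed-certs
# the private key is copied into the kubeconfig, so the resulting file is a
# credential and must be stored, transferred and permissioned as one.
kubectl config set-credentials devuser \
  --client-certificate=devuser.crt \
  --client-key=devuser.key \
  --embed-certs=true \
  --kubeconfig=devuser
# Context: ties cluster and user together, with test01 as the default
# namespace. The namespace here is only a kubectl default; what the user may
# actually access is decided by the RBAC bindings, not by this setting.
kubectl config set-context {{K8S_CLUSTER_NAME}} \
  --cluster={{K8S_CLUSTER_NAME}} \
  --namespace=test01 \
  --user=devuser \
  --kubeconfig=devuser
# Make that context the current one in the file.
kubectl config use-context {{K8S_CLUSTER_NAME}} --kubeconfig=devuser
# Result: a kubeconfig file named "devuser" in the current directory.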
2.3.配置 namespace 的访问授权
- 为单个用户 devuser 创建 namespace 的相关授权,用于查看和切换 namespace
# Working directory for the RBAC manifests.
grant_dir=/opt/k8s/grant
mkdir -p "${grant_dir}"
cd "${grant_dir}"
# ClusterRole + ClusterRoleBinding that let devuser list namespaces (contents follow).
vim k8s_create_kubeconfig_ClusterRoleNamespace.yaml
-------------------------------
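# Cluster-wide rule so an ordinary user can see and switch namespaces.
# get/list on namespaces is a cluster-scoped action, hence a ClusterRole bound
# with a ClusterRoleBinding rather than a namespaced RoleBinding.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devuser-ns
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
# Bind the rule to the certificate user devuser (the CN of the client cert).
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devuser-ns
subjects:
- kind: User
  name: devuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devuser-ns
  apiGroup: rbac.authorization.k8s.io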
---------------------------------
# Create or update the namespace-listing ClusterRole and its binding.
manifest=k8s_create_kubeconfig_ClusterRoleNamespace.yaml
kubectl apply -f "${manifest}"
2.4.配置 k8s 集群的操作权限
- 为单个用户 devuser 创建 k8s 集群的操作权限
# Same manifest directory as before; mkdir -p is a no-op if it already exists.
grant_dir=/opt/k8s/grant
mkdir -p "${grant_dir}"
cd "${grant_dir}"
# ClusterRole with devuser's operational permissions plus per-namespace bindings (contents follow).
vim k8s_create_kubeconfig_ClusterRoleUser.yaml
--------------------------------
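# User permission rules: what devuser may do inside the namespaces it is
# bound to below. The ClusterRole itself grants nothing cluster-wide; scope
# comes from the RoleBindings.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devuser
  labels:
    rbac.zuiyoujie.com/name: devuser
rules:
- apiGroups:
  - ""
  resources:
  - pods
  # "create" on pods/exec and pods/attach lets the user run commands in any
  # container of the bound namespaces; keep only if that is intended.
  - pods/attach
  - pods/exec
  - pods/log
  - pods/status
  # get/list on configmaps returns their full contents.
  - configmaps
  - services
  verbs:
  - get
  - list
  - watch
  - create
  # "describe" is not an API verb (kubectl describe uses get/list). RBAC does
  # not validate verb names, so this entry is stored but has no effect.
  - describe
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - deployments/status
  - replicasets
  - replicasets/status
  - daemonsets
  - daemonsets/status
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
  - describe
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
# Namespaces devuser may operate in. A RoleBinding applies the ClusterRole's
# rules only within its own namespace. rbac v1 is used to match the
# ClusterRole above; v1beta1 was removed in Kubernetes 1.22.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test01
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
- kind: User
  name: devuser
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test02
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
- kind: User
  name: devuser
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser
  namespace: test03
  labels:
    rbac.zuiyoujie.com/name: devuser
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devuser
subjects:
- kind: User
  name: devuser
  apiGroup: rbac.authorization.k8s.io
---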
---------------------------------
# Create or update the user ClusterRole and its per-namespace RoleBindings.
manifest=k8s_create_kubeconfig_ClusterRoleUser.yaml
kubectl apply -f "${manifest}"
2.5.检查绑定的授权规则
[root@zuiyoujie grant]# kubectl describe clusterrole devuser
Name: devuser
Labels: rbac.zuiyoujie.com/name=devuser
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [get list watch create describe]
pods/attach [] [] [get list watch create describe]
pods/exec [] [] [get list watch create describe]
pods/log [] [] [get list watch create describe]
pods/status [] [] [get list watch create describe]
pods [] [] [get list watch create describe]
services [] [] [get list watch create describe]
daemonsets.apps/status [] [] [get list watch describe]
daemonsets.apps [] [] [get list watch describe]
deployments.apps/status [] [] [get list watch describe]
deployments.apps [] [] [get list watch describe]
ingresses.apps/status [] [] [get list watch describe]
ingresses.apps [] [] [get list watch describe]
replicasets.apps/status [] [] [get list watch describe]
replicasets.apps [] [] [get list watch describe]
daemonsets.extensions/status [] [] [get list watch describe]
daemonsets.extensions [] [] [get list watch describe]
deployments.extensions/status [] [] [get list watch describe]
deployments.extensions [] [] [get list watch describe]
ingresses.extensions/status [] [] [get list watch describe]
ingresses.extensions [] [] [get list watch describe]
replicasets.extensions/status [] [] [get list watch describe]
replicasets.extensions [] [] [get list watch describe]
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
[root@zuiyoujie grant]# kubectl describe clusterrole devuser-ns
Name: devuser-ns
Labels: rbac.zuiyoujie.com/name=devuser
Annotations: PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [] [get list]