This post walks through how to create a user and authorize it to operate on a k8s cluster. Hope it helps!
172.16.99.128 is the master node of my k8s cluster; the cluster's CA certificate and key are fetched from there in the steps below.
```shell
# Generate the user's private key and a CSR. Kubernetes takes the username
# from the certificate's CN and the group(s) from its O field(s), so this
# identity will be user "devops" in group "architechure".
openssl genrsa -out devops.key 2048
openssl req -new -key devops.key -out devops.csr -subj "/CN=devops/O=architechure"
```
Our cluster was installed with kubeadm, so the CA material lives under /etc/kubernetes/pki/ on the master. If you built the cluster from binaries, you chose the CA directory when you first set the cluster up. We use the ca.crt and ca.key files from that directory to approve the CSR above and produce the final certificate, here with a validity of 500 days. Two caveats: ca.key is the cluster's root of trust (whoever holds it can mint a client certificate for any username and group, including system:masters, which is bound to cluster-admin by default), so copy it off the master only for as long as you need it and remove the local copy afterwards; and the API server does not check certificate revocation, so the -days value is the only thing that bounds how long a leaked devops.key stays usable. Choose the shortest lifetime your workflow tolerates.
```shell
# Fetch the cluster CA from the master and sign the CSR with it.
# "user" stands for the SSH login name, which was not preserved on the page.
scp user@172.16.99.128:/etc/kubernetes/pki/ca.crt .
scp user@172.16.99.128:/etc/kubernetes/pki/ca.key .
openssl x509 -req -in devops.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out devops.crt -days 500

➜ ls -al
total 72
drwxr-xr-x  11 marion  staff   352 Dec 25 11:32 .
drwxr-xr-x  13 marion  staff   416 Dec 25 11:26 ..
-rw-r--r--   1 marion  staff    17 Dec 25 11:32 .srl
-rw-r--r--   1 marion  staff  1156 Dec 25 11:32 README.md
-rw-r--r--   1 marion  staff  1025 Dec 25 11:30 ca.crt
-rw-------   1 marion  staff  1675 Dec 25 11:30 ca.key
-rw-r--r--   1 marion  staff  1009 Dec 25 11:32 devops.crt
-rw-r--r--   1 marion  staff   924 Dec 25 11:30 devops.csr
-rw-r--r--   1 marion  staff  1679 Dec 25 11:27 devops.key
```

The .srl file is the serial-number counter written by -CAcreateserial. Note that devops.key was created world-readable (0644) while ca.key is 0600; tighten the new key to 0600 as well before handing it out, since it is now a credential for the cluster.
```shell
# Register the certificate as a kubeconfig user and create a context that pairs
# it with the cluster and the architechure namespace. The kubeconfig stores the
# file paths; add --embed-certs=true to embed the PEM data instead.
kubectl config set-credentials devops --client-certificate=devops.crt --client-key=devops.key
kubectl config set-context devops-context --cluster=cluster-tf26gt9mmk --namespace=architechure --user=devops
```
```shell
➜ kubectl get pods --context=devops-context
Error from server (Forbidden): pods is forbidden: User "devops" cannot list resource "pods" in API group "" in the namespace "architechure"
# Authentication already works (the server names User "devops"); the Forbidden
# is an authorization failure because devops-context has no RBAC grants yet.
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: devops-role
  namespace: architechure
rules:
# "extensions" no longer serves deployments/replicasets (removed in v1.16);
# it is harmless here but "apps" is the group that matters.
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  # ['*'] also works, but grants every verb (including ones added in future
  # releases); the explicit list is the least-privilege choice.
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
Then create the role in the cluster:

```shell
kubectl apply -f ./devops.role.yaml
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-rolebinding
  namespace: architechure
subjects:
- kind: User
  name: devops                          # must equal the certificate's CN
  apiGroup: rbac.authorization.k8s.io   # "" is accepted and defaulted to this for User subjects
roleRef:
  kind: Role
  name: devops-role                     # the devops-role created in the previous step
  apiGroup: rbac.authorization.k8s.io   # likewise defaulted when left as ""
```
Create the binding between the role and the user in the cluster (k is an alias for kubectl):

```shell
k apply -f ./devops-rolebinding.yaml
```
At this point the screenshot (not reproduced here) shows the cluster with a new user context, devops. The kubecm tool used above was covered in an earlier post, if you need it.
```shell
> kubectl get pods
No resources found in architechure namespace.
> kubectl get replicasets
No resources found in architechure namespace.
> kubectl get deploy
No resources found in architechure namespace.
> kubectl get svc
Error from server (Forbidden): services is forbidden: User "devops" cannot list resource "services" in API group "" in the namespace "architechure"
```

Pods, replicasets and deployments can now be listed (the namespace is simply empty), while services is still forbidden because it is not among the resources named in devops-role: RBAC is deny-by-default and grants exactly what the rules list.
In summary:

- Issue a user certificate from the cluster's CA.
- Use that certificate to create the user's credentials and a context in kubeconfig.
- For the user to perform even basic operations, grant permissions with a Role and RoleBinding that name the apiGroups, resources and verbs it needs.
First switch to the cluster's admin context with kubecm (select dev); otherwise the following steps will fail:

```shell
kubecm switch   # select dev
```
```shell
kubectl config set-context devops-context --cluster=cluster-tf26gt9mmk --namespace=default --user=devops
```
At this point listing pods in the default namespace still fails, because nothing has been granted there yet:
```shell
kubectl get pods --context=devops-context
Error from server (Forbidden): pods is forbidden: User "devops" cannot list resource "pods" in API group "" in the namespace "default"
```
devops-role-default.yaml:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: devops-role
  namespace: default
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  # ['*'] also works, but grants every verb
```
devops-rolebinding-default.yaml:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-rolebinding
  namespace: default
subjects:
- kind: User
  name: devops
  apiGroup: rbac.authorization.k8s.io   # "" is accepted and defaulted to this
roleRef:
  kind: Role
  name: devops-role
  apiGroup: rbac.authorization.k8s.io
```
Then create both objects in the cluster:

```shell
kubectl apply -f devops-role-default.yaml
kubectl apply -f devops-rolebinding-default.yaml
```
```shell
kubectl get role -A | grep devops-role
# one devops-role in each of the architechure and default namespaces
architechure   devops-role   2021-05-17T07:57:27Z
default        devops-role   2021-05-28T03:19:24Z
```
```shell
kubecm switch   # select devops-context
kubectl get pods -n default
kubectl get pods -n architechure
```
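As an added example (not code from the original post), the following Python models what the API server does with the devops certificate and the two Role/RoleBinding pairs above: the CN and O fields of the CSR become the username and group, and every request is checked only against the RoleBindings of its own namespace. The Role and RoleBinding contents are taken from the manifests in this post; the matcher is a simplified re-implementation of the RBAC authorizer written for this walkthrough (no subresources, resourceNames or ClusterRoles), and the `star` role is a constructed addition that shows what the `['*']` shortcut mentioned in the Role comment would grant. It reproduces the three outcomes seen above: pods listable in architechure, services forbidden there, and pods forbidden in default until the second Role and RoleBinding exist.

```python
"""Added example, not code from the original post: a minimal model of how the
API server turns the client certificate into a user identity and then authorizes
requests with namespace-scoped Roles and RoleBindings. Role/RoleBinding data
mirror the manifests in the post; the matching logic is a simplified
re-implementation of the RBAC authorizer (no subresources, resourceNames,
nonResourceURLs or ClusterRoles). Standard library only."""


def identity_from_subject(subject):
    """CN becomes the Kubernetes username, every O becomes a group.
    Assumes no '/' inside attribute values, as in the CSR above."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("subject has no CN, so there is no username to authenticate as")
    return user, groups


def _matches(allowed, value):
    # RBAC wildcard semantics: "*" matches anything, otherwise exact match.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule allows a request only if verb, apiGroup and resource all match."""
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def authorize(roles, bindings, user, groups, verb, api_group, resource, namespace):
    """True if a RoleBinding in the request's namespace binds this user (or one of its
    groups) to a Role whose rules allow the request. Both objects are namespace-scoped,
    so a grant in 'architechure' says nothing about 'default'."""
    for binding in bindings:
        if binding["namespace"] != namespace:
            continue
        bound = any((s["kind"] == "User" and s["name"] == user)
                    or (s["kind"] == "Group" and s["name"] in groups)
                    for s in binding["subjects"])
        if not bound:
            continue
        role = roles.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef: the binding grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False  # deny by default


def forbidden_message(user, verb, api_group, resource, namespace):
    """The text kubectl prints on a 403, in the same shape as the output above."""
    return (f'Error from server (Forbidden): {resource} is forbidden: User "{user}" '
            f'cannot {verb} resource "{resource}" in API group "{api_group}" '
            f'in the namespace "{namespace}"')


def devops_role():
    """The rules of devops-role from the post."""
    return {"rules": [{"apiGroups": ["", "extensions", "apps"],
                       "resources": ["deployments", "replicasets", "pods"],
                       "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}


def devops_binding(namespace, role_name="devops-role"):
    """devops-rolebinding from the post, for the given namespace."""
    return {"namespace": namespace, "subjects": [{"kind": "User", "name": "devops"}],
            "roleRef": {"kind": "Role", "name": role_name}}


def walkthrough():
    """Replay the post's kubectl calls against the model and return the decisions."""
    user, groups = identity_from_subject("/CN=devops/O=architechure")
    roles = {("architechure", "devops-role"): devops_role()}  # cluster state after part one
    bindings = [devops_binding("architechure")]

    def can(verb, api_group, resource, namespace):
        return authorize(roles, bindings, user, groups, verb, api_group, resource, namespace)

    results = {
        "identity": (user, groups),
        "list pods in architechure": can("list", "", "pods", "architechure"),
        "list services in architechure": can("list", "", "services", "architechure"),
        "list pods in default before part two": can("list", "", "pods", "default"),
    }
    roles[("default", "devops-role")] = devops_role()  # part two of the post
    bindings.append(devops_binding("default"))
    results["list pods in default after part two"] = can("list", "", "pods", "default")
    # Constructed: what the ['*'] shortcut would grant, i.e. every verb on every
    # resource in every API group (RBAC objects included), within the namespace.
    roles[("default", "star")] = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
    bindings.append(devops_binding("default", "star"))
    results["delete rolebindings in default with star role"] = can(
        "delete", "rbac.authorization.k8s.io", "rolebindings", "default")
    return results


if __name__ == "__main__":
    for check, decision in walkthrough().items():
        print(f"{check}: {decision}")
```

Two things the model makes visible that the kubectl output alone does not: the O value in the CSR is a group, so a RoleBinding with `kind: Group, name: architechure` would bind every certificate ever issued with that O, and a wildcard Role lets the bound user rewrite the RBAC objects of its own namespace, including the binding that grants it access. Pick the O value deliberately and keep the verb and resource lists explicit.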
That covers the essentials of creating a user and authorizing it to operate on a k8s cluster.