K8s新建用户制作证书绑定角色

原创

Super孙文波 2020-04-25 22:30:42 博主文章分类：kubernetes ©著作权

©著作权归作者所有：来自51CTO博客作者Super孙文波的原创作品，请联系作者获取转载授权，否则将追究法律责任

K8s新建用户制作证书绑定角色 role roulebind clustrrole clustrrloebinding Kubeadm 创建的k8s集群默认证书有限期为三年，三年后会过期

Kubernetes创建一个集群用户连接API-Server 使用命令模式 #可以用现有用户kubernetes-admin@kubernetes的CA证书【ca.crt ca.key】去签署一个新创建的用户，进行绑定文件默认路径/etc/Kubernetes/pki/

创建私钥 cd /etc/Kubernetes/pki/ openssl genrsa -out sunwenbo.key 2048
生成证书签署请求 openssl req -new -key sunwenbo.key -out sunwenbo.csr -subj "/CN=sunwenbo"
用CA证书签证 openssl x509 -req -in sunwenbo.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out sunwenbo.crt -days 365
查看签署后的证书内容 openssl x509 -in sunwenbo.crt -text -noout
创建一个新的集群用户，使用自签证书和私钥 –embed-certs=true 将证书和私钥隐藏

kubectl config set-credentials sunwenbo --client-certificate=./sunwenbo.crt --client-key=./sunwenbo.key --embed-certs=true

kubectl config view #查看会多出一个users

设置上下文，让新建sunwenbo的用户也可以去访问kubernetes集群 kubectl config set-context sunwenbo@kubernetes --cluster=Kubernetes --user=sunwenbo kubectl config view #查看会多出一个context
切换账号 kubectl config use-context sunwenbo@kubernetes kubectl get pods #此时会提示 No resources found Error from server (forbiddent): pods is forbiddent: User “sunwenbo”cannot list pods in the namespace “default” #原因是我们只是有了一个可登录的用户，但是这个用户并没有任何权限。

1#创建一个自定义的集群 kubectl config set-cluster mycluster --kubeconfig=/tmp/mycluster.conf --server="192.168.10.231:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true #查看自定义集群的信息 kubectl config view --kubeconfig=/tmp/mycluster.conf

创建role角色和绑定

创建一个role kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml >role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
  createionTimestamp: null
  name: pods-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch

kubectl apply -f role.yaml
kubectl get role
	kubectl describe role pods-reader

创建一个rolebinding,将角色绑定到一个用户 kubectl create rolebinding sunwenbo-read-pods --role=pods-reader --user=sunwenbo --dry-run -o yaml >rolebanging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
   creationTimestamp: null
   name: sunwenbo-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io

kubectl apply -f rolebanging.yaml
kubectl describe rolebinding sunwenbo-read-pods  #查看详细内容

切换用户验证 kubectl config use-context sunwenbo@kubernetes kubect get pod #只能查看default 名称空间下的资源，如果是其他名称空间，创建role时指定namespace 即可

创建clusterrole可以访问所有名称空间

创建clusterrole kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > cluster.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  -	apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch

kubectl apply -f cluster.yaml
kubectl  get clusterrole | grep cluster-reader
kubectl  describe  clusterrole cluster-reader

绑定role #如果这个用户已经绑定了其他role需要将rolebanding删掉，删除立即生效 kubectl delete rolebinding sunwenbo-read-pods

kubectl create clusterrolebinging admin-read-pods --clusterrole=cluster-reder --user=sunwenbo --dry-run -o yaml > clusterrolebinging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
   name: admin-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
	  kind: Role
	  name: cluster-reder
	subjects:
	- apiGroup: rbac.authorization.k8s.io
	  kind: User
	  name: sunwenbo

切换用户验证 kubectl config use-context sunwenbo@kubernetes kubect get pod #可以查看所有名称空间下的资源，但是只有get，list，watch权限

#rolebinding绑定clusterbinding，clusterbinding会自动降级，跟随rolebinding定义的权限规则

#给用户绑定系统默认role,可以指定拥有某个名称空间的权限 kubectl create rolebinging default-ns-admin --clusterrole=admin –user=sunwenbo –dry -run -o yaml > default-user-banding.yaml