Kubernetes (1.22): API server authentication with a token and with a kubeconfig file, a hands-on demo

Preface

This article is hands-on and covers:

A demo of API Server authentication with a token

A demo of API Server authentication with a kubeconfig file

A demo of creating a kubeconfig file

Only someone who can "do their utmost and leave the rest to fate" can keep their peace of mind at all times. ----- Ji Xianlin, On Life (《季羡林谈人生》)


API Server authentication management

All access to and changes of resources in a Kubernetes cluster go through the REST API of the Kubernetes API Server, so the key to cluster security is how authentication and authorization are done.

The root user can access the cluster normally:

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ kubectl get pods
NAME                                                  READY   STATUS        RESTARTS       AGE
liruilong-grafana-5955564c75-zpbjq                    3/3     Terminating   0              8h
liruilong-kube-prometheus-operator-5cb699b469-fbkw5   1/1     Terminating   0              8h
liruilong-prometheus-node-exporter-vm7s9              1/1     Terminating   2 (109m ago)   8h
prometheus-liruilong-kube-prometheus-prometheus-0     2/2     Terminating   0              8h
┌──[root@]-[~/ansible/k8s-helm-create]
└─$

Switch to user tom and try the same: there is no access, and the error says the location of the cluster API cannot be found. Why is that?

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ su tom
[tom@vms81 k8s-helm-create]$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[tom@vms81 k8s-helm-create]$ exit
exit

To demonstrate authentication, we install the kubectl client tool on a machine outside the cluster; it talks to the cluster's entry point, the API server.

┌──[root@]-[~]
└─$ =kubernetes

Cluster information can be viewed with kubectl cluster-info:

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ kubectl cluster-info
Kubernetes control plane is running at
'kubectl cluster-info dump'.
┌──[root@]-[~/ansible/k8s-helm-create]
└─$

A Kubernetes cluster provides three levels of client identity authentication.

Below we go through Token and SSL. Basic authentication is no longer supported in newer Kubernetes versions, so we skip it. We will also answer the question above about why the ordinary user cannot reach the cluster.

HTTP Token authentication

HTTP Token authentication identifies a client by a long string, the Token, that uses a special encoding and is hard to forge.

Each Token corresponds to a user name and is stored in a file the API Server can read. When a client makes an API call it places the Token in an HTTP header, and the API Server can then tell legitimate users from illegitimate ones.

When the API server is started with the --token-auth-file=SOMEFILE option, it reads bearer tokens from that file. Currently the tokens are valid indefinitely, and the token list cannot be changed without restarting the API server. The following demo shows user authentication with a static token.

Generate a token with openssl:

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ openssl rand -hex 10
4bf636c8214b7ff0a0fb
┌──[root@]-[~/ansible/k8s-helm-create]
└─$ echo "4bf636c8214b7ff0a0fb,admin2,3" /etc/kubernetes/pki/
┌──[root@]-[~/ansible/k8s-helm-create]
└─$ cat /etc/kubernetes/pki/
,admin2,3

Add the kube-apiserver startup parameter with sed: - --token-auth-file=/etc/kubernetes/pki/

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ sed '17a\\\\- --token-auth-file=/etc/kubernetes/pki/' /etc/kubernetes/manifests/ | grep -A5 command
- command:
- kube-apiserver
- --advertise-address=192.168.26.81
- --allow-privileged=true
- --token-auth-file=/etc/kubernetes/
=Node,RBAC
┌──[root@]-[~/ansible/k8s-helm-create]
└─$ sed -i '17a\\\\- --token-auth-file=/etc/kubernetes/pki/' /etc/kubernetes/manifests/

Check the modified startup parameters:

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ cat -n /etc/kubernetes/manifests/ | grep -A5 command
14    - command:
15    - kube-apiserver
16    - --advertise-address=192.168.26.81
17    - --allow-privileged=true
18    - --token-auth-file=/etc/kubernetes/pki/
=Node,RBAC
┌──[root@]-[~/ansible/k8s-helm-create]
└─$

Restart the kubelet service:

┌──[root@]-[~/ansible/k8s-helm-create]
└─$ systemctl restart kubelet
┌──[root@]-[~/ansible/k8s-helm-create]
└─$

Confirm that the cluster is still reachable:

┌──[root@]-[/etc/kubernetes/pki]
└─$ ,
┌──[root@]-[/etc/kubernetes/pki]
└─$

Query cluster information from the client machine outside the cluster. The error says that user admin2 has no permission to access the resource, which means authentication succeeded; the user simply is not authorized.

┌──[root@]-[~]
└─$ kubectl -s="" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0fb" get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "admin2" cannot list resource "pods" in API group "" in the namespace "kube-system"
┌──[root@]-[~]
└─$

Now change the token string so that it no longer matches the cluster's token file. This time we are told we are not authorized, i.e. authentication failed:

┌──[root@]-[~]
└─$ kubectl -s="" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0f" get pods -n kube-system
error: You must be logged in to the server (Unauthorized)
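The token file kube-apiserver reads is a plain CSV, loaded once at start-up and valid until the next restart, so it is worth checking before the kubelet restart above. The following Python script is an added example, not from the original post: it audits a constructed token file in the token,user,uid,"group1,group2" format used above and reports tokens that are short, shared between users, or mapped straight to system:masters; the 16-byte minimum length is an assumed policy choice.

```python
import csv
import io
import re

# A static token file holds one entry per line:  token,user,uid,"group1,group2"
# (the post's entry is 4bf636c8214b7ff0a0fb,admin2,3). This sample is constructed.
SAMPLE_TOKEN_FILE = """\
4bf636c8214b7ff0a0fb,admin2,3
0123456789abcdef0123456789abcdef,auditor,4,"system:masters,ops"
4bf636c8214b7ff0a0fb,backup,5
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")   # what `openssl rand -hex N` produces
MIN_TOKEN_BYTES = 16                   # assumed policy: 16 bytes = 32 hex characters


def parse_token_file(text):
    """Return [(token, user, uid, [group, ...]), ...]; blank lines are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("malformed line, need token,user,uid: %r" % fields)
        groups = fields[3].split(",") if len(fields) > 3 and fields[3] else []
        rows.append((fields[0], fields[1], fields[2], groups))
    return rows


def audit_token_file(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    owner = {}  # token -> first user that carries it
    for token, user, _uid, groups in parse_token_file(text):
        if not HEX_RE.match(token) or len(token) < 2 * MIN_TOKEN_BYTES:
            findings.append("%s: token is shorter than %d hex chars or not hex"
                            % (user, 2 * MIN_TOKEN_BYTES))
        if token in owner:
            findings.append("%s: same token as %s, the two users are indistinguishable"
                            % (user, owner[token]))
        else:
            owner[token] = user
        if "system:masters" in groups:
            findings.append("%s: static token maps straight to system:masters" % user)
    return findings


if __name__ == "__main__":
    for finding in audit_token_file(SAMPLE_TOKEN_FILE):
        print(finding)
```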

kubeconfig file authentication

When the cluster was created with kubeadm, you may remember the file below. It is the kubeconfig file that kubeadm generated for us:

┌──[root@]-[~/.kube]
└─$ ll /etc/kubernetes/
月13 02:13 /etc/kubernetes/
┌──[root@]-[~/.kube]
└─$

Copy this file into tom's home directory and change its ownership:

┌──[root@]-[~/.kube]
└─$ cp /etc/kubernetes/ ~tom/
┌──[root@]-[~/.kube]
└─$ chown tom:tom ~tom/

Now, when this file is passed with --kubeconfig=, tom can access cluster information:

[tom@vms81 home]$ cd tom/
[tom@vms81 ~]$
[tom@vms81 ~]$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[tom@vms81 ~]$ kubectl get pods -A --kubeconfig=
nx-controller-744d4fc6b7-t9n4l             1/1     Running   6 (8h ago)       44h
kube-system   calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   193              31d
kube-system   calico-node-6nfqv                          1/1     Running   254              34d
kube-system   calico-node-fv458                          0/1     Running   50               34d
kube-system   calico-node-h5lsq                          1/1     Running   94 (7h10m ago)   34d
kube-system   ..

So what exactly is a kubeconfig file? The official documentation describes it as follows:

In other words, a kubeconfig file is what we use to communicate with the cluster's API server. It plays a role similar to the Token above, and the HTTPS certificate authentication we are about to discuss is what goes into it.

By default, kubectl looks for a file named config in the $HOME/.kube directory.

┌──[root@]-[~]
└─$ ls ~/.kube/config
/root/.kube/config
┌──[root@]-[~]
└─$ ll ~/.kube/config
-rw------- 1 root root 5663 1月 16 02:33 /root/.kube/config

Copy the kubeconfig file into the $HOME/.kube directory and rename it to config, and tom can still access the cluster:

[tom@vms81 ~]$
[tom@vms81 ~]$ /config
[tom@vms81 ~]$ kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS         AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   193              31d
calico-node-6nfqv                          1/1     Running   254              34d
calico-node-fv458                          0/1     Running   50               34d
calico-node-h5lsq                          1/1     Running   94 (7h13m ago)   34d
...

A different kubeconfig file can also be selected by setting the KUBECONFIG environment variable or by passing the --kubeconfig flag.

[tom@vms81 ~]$ export KUBECONFIG=
[tom@vms81 ~]$ kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS         AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   193              31d
calico-node-6nfqv                          1/1     Running   254              34d
calico-node-fv458                          0/1     Running   50               34d
calico-node-h5lsq                          1/1     Running   94 (7h11m ago)   34d
..

When nothing is set, user tom finds no kubeconfig file, has no credentials, and cannot access the cluster:

[tom@vms81 ~]$ unset KUBECONFIG
[tom@vms81 ~]$ kubectl get pods -n kube-system
The connection to the server localhost:8080 was refused - did you specify the right host or port?

View the configuration in the kubeconfig file:

┌──[root@]-[~/.kube]
└─$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server:
: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
┌──[root@]-[~/.kube]
└─$

So, to access cluster information, all we need to do is copy this kubeconfig file to the client machine.

Creating a kubeconfig file

A kubeconfig file consists of the following parts:

Cluster information:
  the cluster CA certificate
  the cluster address

Context information:
  all contexts
  the current context

User information:
  the user certificate (issued by the cluster CA)
  the user private key

To create a kubeconfig file we need a private key and a certificate issued by the cluster CA. The private key alone does not give us a certificate: we use the private key to generate a certificate signing request (the application form), submit that request to the CA (the authority) to apply for a certificate (the identity card), and once the CA approves the request it issues the certificate.

Environment setup

┌──[root@]-[~/ansible]
└─$ kubectl create ns liruilong-rbac-create
namespace/liruilong-rbac-create created
┌──[root@]-[~/ansible]
└─$ mkdir k8s-rbac-create; cd k8s-rbac-create
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl config set-context $(kubectl config current-context) --namespace=liruilong-rbac-create
Context "kubernetes-admin@kubernetes" modified.
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Requesting a certificate

Generate a 2048-bit private key:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ , 2048 bit long modulus
..+++
..+++
e is 65537 (0x10001)

View the private key file:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$
+EV6lduPKjqEm9kjuLROKzRZHFoGyASOKrb3VR4CKHvnZAPVctv7Pu+4JgMliJHl8GVYhqM5UykbLRMdNHSNIQ==
-----END RSA PRIVATE KEY-----
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Use the private key just generated to create a certificate signing request. The CN value, liruilong, is the user we will authorize later.

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ "/CN=liruilong/O=cka2020"
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Base64-encode the certificate signing request:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJ

Write the YAML manifest for the certificate signing request:

apiVersion: /v1
kind: CertificateSigningRequest
metadata:
  name: liruilong
spec:
  signerName: /kube-apiserver-client
  request: LS0tLS1CRUdJTiBDRVJUSUZJ
  usages:
  - client auth

The request field holds the base64-encoded certificate signing request. Submit the request:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$
/liruilong created

View the certificate request that has been submitted:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl get csr
NAME AGE SIGN
/kube-apiserver-client kubernetes-admin nonePing

Approve the certificate:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$
/liruilong approved

View the approved certificate:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl get csr /liruilong -o yaml
apiVersion: /v1
kind: CertificateSigningRequest
metadata:
  annotations:
    /last-applied-configuration: |
      {"apiVersion":"/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"liruilong"},"spec":{"request":"","signerName":"/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2022-01-16T15:25:24Z"
  name: liruilong
  resourceVersion: "1185668"
  uid: 51837659-7214-4dec-bcd4-b7a9129ee2bb
spec:
  groups:
  - system:masters
  - system:authenticated
  request:
  signerName: /kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate:
  conditions:
  - lastTransitionTime: "2022-01-16T15:26:02Z"
    lastUpdateTime: "2022-01-16T15:26:01Z"
    message:
    : KubectlApprove
    status: "True"
    type: Approved

Export the certificate file:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl get csr liruilong -o jsonpath='{.}' |

Authorize the user. Here liruilong is bound to the cluster role cluster-admin (a root-like role), so liruilong gets administrator privileges:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl create clusterrolebinding test --clusterrole=cluster-admin --user=
/test created
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Creating the kubeconfig file

Copy the CA certificate:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$
public key (certificate file)   private key
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ ls /etc/kubernetes/pki/
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ cp /etc/kubernetes/pki/

Set the cluster field, which holds the cluster name, the server address and the cluster CA certificate:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl config --kubeconfig=kc1 set-cluster cluster1 --server="
"cluster1" set.

Create a context named context1 for the cluster above:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=liruilong
Context "context1" created.

Here --embed-certs=true means the certificate contents are written into the kubeconfig file itself.

Set the user field, which holds the user name, the user certificate and the user private key:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl config --kubeconfig=kc1 set-credentials liruilong --client-certificate===true
User "liruilong" set.

View the kubeconfig file just created:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ cat kc1
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data:
    server:
current-context: ""
kind: Config
preferences: {}
users:
- name: liruilong
  user:
    client-certificate-data:
    client-key-data:
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Change the kubeconfig file's current context to the context created earlier:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ sed 'scurrent-context:"context1"current-context:""' kc1
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ cat kc1 | grep current-context
current-context: "context1"
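The set-cluster, set-context, set-credentials and sed steps above assemble one file whose parts must reference each other correctly: a context names a cluster and a user, and current-context names a context, which is exactly what the sed step fills in. The following Python script is an added example, not from the original post: it builds the same kubeconfig with the PEM contents embedded as base64 (the effect of --embed-certs=true) and checks the references before the file is handed out. The PEM strings are constructed stand-ins for ca.crt, liruilong.crt and liruilong.key, and the server URL is assumed because the post redacts it.

```python
import base64
import json

# Constructed stand-ins for ca.crt, liruilong.crt and liruilong.key; a real run
# would read the PEM files the post produces.
CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n"
SERVER = "https://192.168.26.81:6443"   # assumed API server URL (redacted in the post)

def embed_pem(pem_text):
    """Single-line base64, the form --embed-certs=true writes into the *-data fields."""
    return base64.b64encode(pem_text.encode()).decode()

def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context,
                     namespace="default"):
    """Equivalent of the post's set-cluster / set-context / set-credentials steps
    with current-context set; kubectl accepts json.dumps() of it (YAML is a superset of JSON)."""
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": embed_pem(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": embed_pem(cert_pem),
            "client-key-data": embed_pem(key_pem)}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": context,
    }

def validate_kubeconfig(cfg):
    """Return dangling references; [] means every context and the current-context
    resolve (a current-context of "" is the state the post's sed step fixes)."""
    problems = []
    clusters = {c["name"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    contexts = {c["name"] for c in cfg.get("contexts", [])}
    for ctx in cfg.get("contexts", []):
        if ctx["context"].get("cluster") not in clusters:
            problems.append("context %s refers to an unknown cluster" % ctx["name"])
        if ctx["context"].get("user") not in users:
            problems.append("context %s refers to an unknown user" % ctx["name"])
    current = cfg.get("current-context", "")
    if current not in contexts:
        problems.append("current-context %r is not a defined context" % current)
    return problems

if __name__ == "__main__":
    kc = build_kubeconfig("cluster1", SERVER, CA_PEM, "liruilong", CERT_PEM, KEY_PEM, "context1")
    print(json.dumps(kc, indent=2))  # save as kc1 and use it with --kubeconfig=kc1
```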

The kubeconfig file is now complete. Next we verify it.

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ kubectl auth can-i list pods --as liruilong   # check whether liruilong may list pods in the kube-system namespace
yes
┌──[root@]-[~/ansible/k8s-rbac-create]
└─$

Copy the kubeconfig file (with its embedded certificates) to the client machine:

┌──[root@]-[~/ansible/k8s-rbac-create]
└─$ scp kc1 root@192.168.26.55:~

On the client machine, test access with the kubeconfig file specified explicitly:

┌──[root@]-[~]
└─$ kubectl --kubeconfig=kc1 get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS        AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   194 (14h ago)   33d
calico-node-6nfqv                          0/1     Running   255 (14h ago)   35d
calico-node-fv458                          0/1     Running   50              35d
calico-node-h5lsq                          1/1     Running   94 (38h ago)    35d
...
┌──[root@]-[~]
└─$

That completes the creation of a kubeconfig file.
