22. Kubernetes (k8s) notes: Authentication, Authorization and Admission Control (2): User Account authentication

Contents
User Account authentication
The kubeconfig file
Three ways to point kubectl at a kubeconfig file
Common commands for inspecting a kubeconfig file
Example 1: creating a user account kubeconfig with an openssl-issued certificate
Example 2: merging the user into an existing kubeconfig (tom.crt from Example 1 is reused)

User Account authentication

The kubeconfig file

As mentioned earlier, all communication with the Kubernetes API server goes over HTTPS, and the API server authenticates every request it receives. Even a plain command such as

[root@k8s-master ~]# kubectl get pod

has to authenticate over HTTPS. HTTP is stateless, so every request must carry its own credentials (with client certificates, the certificate and key are presented in the TLS handshake of each connection; with tokens, in the Authorization header of each request). Passing the CA certificate, client certificate and key by hand on every invocation would be impractical, so Kubernetes uses a kubeconfig file that carries the server address and the authentication material for kubectl and other clients.

Where kubectl looks for a kubeconfig file (three search locations, in order of precedence):

1. The file given with the --kubeconfig flag, which has the highest priority
2. The file(s) listed in the $KUBECONFIG environment variable
3. $HOME/.kube/config in the user's home directory

The kubeconfig file:

It bundles the cluster address, the user name and the credentials into one file so that a client can authenticate to the API server; a single file can hold credentials for m clusters and n users.


  • The kubectl options show that a CA certificate, client certificate and key can all be passed explicitly
[root@k8s-master kubernetes]# kubectl options 
The following options can be passed to any command:

      --add-dir-header=false: If true, adds the file directory to the header of the log messages
      --alsologtostderr=false: log to standard error as well as files
      --as='': Username to impersonate for the operation
      --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir='/root/.kube/cache': Default cache directory
      --certificate-authority='': Path to a cert file for the certificate authority
      --client-certificate='': Path to a client certificate file for TLS   # client certificate
      --client-key='': Path to a client key file for TLS   # client private key
      --cluster='': The name of the kubeconfig cluster to use
      --context='': The name of the kubeconfig context to use
      --insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for validity. This will
make your HTTPS connections insecure   # turns off verification of the API server's identity, so anyone who can intercept the connection can impersonate the API server; leave it false outside a throwaway lab
...
  • Structure of a kubeconfig file
  • It contains four kinds of entries; a single file can hold credentials for m clusters and n users:
  1. clusters: the Kubernetes clusters to connect to (API server address and the CA used to verify it)
  2. contexts: a named pairing of a cluster with a user (and optionally a default namespace)
  3. current-context: the context used when none is specified on the command line
  4. users: the credentials to present, such as a user name with a client certificate and key, or a token
The kubeconfig files kubeadm generates by default
[root@k8s-master core]# cd /etc/kubernetes/

[root@k8s-master kubernetes]# ll  # kubeconfig files created when the cluster was installed; note that every one of them is mode 0600 and owned by root, because each is a credential
total 32
-rw------- 1 root root 5565 Jun 29 01:42 admin.conf   # cluster administrator credentials
-rw------- 1 root root 5601 Jun 29 01:42 controller-manager.conf  # kube-controller-manager credentials
-rw------- 1 root root 1933 Jun 29 01:43 kubelet.conf    # kubelet credentials for this node
drwx------ 2 root root  113 Jun 29 01:42 manifests
drwxr-xr-x 3 root root 4096 Jun 29 01:42 pki
-rw------- 1 root root 5541 Jun 29 01:42 scheduler.conf   # kube-scheduler credentials

[root@k8s-master kubernetes]# cat admin.conf 
apiVersion: v1
clusters:  # cluster information
- cluster:   # the CA certificate used to verify the API server, base64-encoded
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...   # (truncated here)
    server: https://192.168.4.170:6443
  name: kubernetes  # cluster name
contexts:   # a context ties a cluster to a user; the pairing is not one-to-one, so one file can let a single user reach several clusters, or several users reach one cluster
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes   
current-context: kubernetes-admin@kubernetes  # the context used when none is given on the command line
kind: Config
preferences: {}
users:
- name: kubernetes-admin  # user information
  user: # the user's client certificate and private key, base64-encoded; whoever holds this file is kubernetes-admin, which is why it is mode 0600
    client-certificate-data: ...   # (omitted here)
    client-key-data: ...   # (omitted here)
Three ways to point kubectl at a kubeconfig file
  • Method 1: pass the file explicitly
[root@k8s-master ~]# kubectl --kubeconfig=/etc/kubernetes/admin.conf get pod   # explicit path; this is the same file that kubeadm init tells us to copy into the home directory
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-9x47c   1/1     Running   1          44h
demodb-0                             1/1     Running   0          21h
demodb-1                             1/1     Running   0          19h
  • Method 2: the KUBECONFIG environment variable
[root@k8s-master ~]# export KUBECONFIG=/etc/kubernetes/admin.conf  # set through the environment; a colon-separated list of files is merged in order
[root@k8s-master ~]# echo $KUBECONFIG
/etc/kubernetes/admin.conf
  • Method 3: copy it to the home directory
  • This is what the kubeadm init output tells us to do (note the chown: the copy must stay readable only by its owner):
To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.4.170:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:d31662998938389c1f9e432a0c7bcef7d05678b42c2f5fd67213ed228f356db2
Common commands for inspecting a kubeconfig file
[root@k8s-master ~]# kubectl config -h
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
delimiting rules for your system). These paths are merged. When a value is modified, it is modified
in the file that defines the stanza. When a value is created, it is created in the first file that
exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file
  • Show the merged kubeconfig kubectl is currently using (certificate and key fields are masked as DATA+OMITTED and REDACTED; --raw shows them)
[root@k8s-master ~]# kubectl config view 
apiVersion: v1
clusters:
- cluster:
    server: ""
  name: /etc/kubernetes/admin.conf
- cluster:
    server: ""
  name: etc/kubernetes/admin.conf
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
  • Show the contexts of a specific kubeconfig file
[root@k8s-master ~]# kubectl config get-contexts  --kubeconfig=/etc/kubernetes/scheduler.conf
CURRENT   NAME                               CLUSTER      AUTHINFO                NAMESPACE
*         system:kube-scheduler@kubernetes   kubernetes   system:kube-scheduler 
Example 1: creating a user account kubeconfig with an openssl-issued certificate
  1. Create the private key and certificate
    This is X.509 client-certificate (mutual TLS) authentication: the API server accepts a client certificate only if it was signed by a CA it trusts, so we have the cluster's own CA sign ours. The API server takes the user name from the certificate's CN and the user's groups from its O fields.
  • The pki directory holds a single ca.crt because the API server client certificates of every component are issued by this one cluster CA (front-proxy and etcd have their own CAs). For our own key to be accepted by the API server, its certificate has to be signed by this CA. ca.key is the root of trust for the whole cluster: anyone who can read it can mint credentials for any user, including the system:masters group, so these steps run as root on the control plane and ca.key must never be copied off it.
[root@k8s-master pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
  • Create the private key (the umask 077 subshell makes the key file readable by its owner only)
[root@k8s-master kubernetes]# mkdir usercerts
[root@k8s-master kubernetes]# cd usercerts/
[root@k8s-master usercerts]# (umask 077; openssl genrsa -out tom.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master usercerts]# ls
tom.key
  • Next comes the certificate. A self-signed certificate made from this key would not be accepted; we need a certificate signing request (CSR) and have the cluster CA sign it. The CSR, which the original transcript does not show, is generated from tom.key with openssl req and the subject /CN=tom/O=kubeusers (the subject echoed by the signing command below confirms this): CN=tom becomes the Kubernetes user name and O=kubeusers the group.

  • Common openssl x509 options
    -days            validity period in days
    -CA              the CA certificate to sign with
    -CAkey           the CA's private key
    -CAcreateserial  create the CA's serial-number file if it does not exist yet
    -in              the CSR to sign
    -out             output certificate

  • Caveat: Kubernetes does not support revoking client certificates (the API server checks neither CRLs nor OCSP), so a certificate like this stays valid until it expires, even after the key is lost or the person leaves. The 3655 days (ten years) used below is far too long for a user credential; issue short-lived certificates, or use the CertificateSigningRequest API (signerName kubernetes.io/kube-apiserver-client), which lets the cluster sign without anyone handling ca.key.

[root@k8s-master usercerts]# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in tom.csr -out tom.crt
Signature ok
subject=/CN=tom/O=kubeusers
Getting CA Private Key

[root@k8s-master usercerts]# openssl x509 -in tom.crt -text -noout  # inspect the certificate: Issuer CN=kubernetes is the cluster CA, Subject CN=tom/O=kubeusers is the identity the API server will see
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            bc:c3:53:df:96:10:ec:ed
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Aug 24 00:35:05 2021 GMT
            Not After : Aug 27 00:35:05 2031 GMT
        Subject: CN=tom, O=kubeusers
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:c9:3d:ac:3a:b3:9d:38:58:f1:d9:c6:21:c5:
                    d5:57:d1:a5:5d:0a:92:a1:88:3e:3c:2d:8d:2d:20:
                    b1:a4:d1:07:03:7e:72:48:dd:d9:7e:4b:b6:fc:35:
                    46:b9:60:82:c2:36:30:7d:04:8c:83:b5:7c:8a:b1:
                    20:7d:f4:b3:5c:29:f4:e0:2b:67:96:5d:b8:a6:ba:
                    4a:0c:7e:4f:6b:34:82:5b:7d:1a:8c:26:ed:91:dd:
                    62:9f:37:68:70:14:a4:cf:ea:b0:51:b3:56:9e:d6:
                    1d:64:32:66:8c:c1:9e:40:4b:20:1c:0a:8b:2c:c8:
                    94:be:10:95:29:7f:8b:6e:a1:03:32:11:31:de:c6:
                    d1:8c:64:a8:43:4b:0b:ad:ff:64:e1:17:4d:55:fe:
                    04:9f:a5:59:2b:e5:13:5e:0d:2b:c1:c7:45:f8:b3:
                    a7:ad:da:dc:e8:aa:22:5a:37:e6:ce:75:8e:bc:e3:
                    1e:eb:95:db:be:14:dd:43:1b:51:e6:94:21:10:81:
                    1c:b5:e3:2d:3e:12:b6:78:14:d4:90:8a:06:32:7e:
                    ef:90:7b:e7:26:60:38:6c:52:04:bc:91:e1:3f:db:
                    8b:8a:05:39:ad:74:99:e1:80:ae:58:d6:4a:6d:7d:
                    64:a3:bc:16:b8:7c:d6:08:33:b8:23:56:35:75:18:
                    bb:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         40:fe:1b:d7:c1:67:bf:15:21:be:ac:0e:fb:32:a3:1e:58:e5:
         c8:2a:3f:3a:21:87:23:9c:14:dc:05:39:fb:5f:f8:1e:f3:66:
         98:54:48:1c:25:c1:b5:bc:1c:be:7d:d6:86:7d:09:ae:7c:40:
         2d:cd:0b:5d:29:7f:67:ec:51:1b:c3:97:d3:a2:17:d4:96:04:
         17:ba:aa:79:ff:0e:d0:53:2c:81:a3:8e:05:0b:a5:f5:12:0c:
         f8:38:f1:fb:6e:bf:7b:1b:40:f0:dc:b1:5e:b1:a8:c8:fc:ec:
         92:c5:fb:6b:76:ff:7c:ab:f5:ea:94:89:8a:fd:47:cf:c8:8a:
         b6:f3:42:19:b9:b2:74:41:de:bf:66:7e:b3:e2:78:8e:e1:db:
         ac:85:2b:ed:8d:c1:55:16:0f:15:8c:72:7b:0d:7e:31:ce:06:
         ce:2e:d3:9f:77:60:22:4e:11:32:33:b6:28:d5:93:2f:c9:a5:
         4c:f6:1f:4f:7d:e7:66:e0:74:14:c4:c8:de:c1:26:1e:56:db:
         29:54:35:b9:3b:24:8b:5f:f5:81:af:30:27:f4:1f:99:a5:aa:
         8d:f3:91:c4:4f:3e:3d:12:a9:a5:85:44:0b:17:19:2a:ac:ea:
         50:3f:39:31:c5:ef:15:04:f7:bf:11:a3:57:af:8f:ce:8d:d1:
         d7:5e:c4:31

    2. Generate the kubeconfig file, starting with the cluster entry, under /tmp/mykubeconfig (--embed-certs copies the CA certificate into the file instead of referencing its path, so the file is self-contained)
[root@k8s-master core]# kubectl config set-cluster kubernetes --server=https://k8s-master:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.

[root@k8s-master ~]# cat /tmp/mykubeconfig 
apiVersion: v1
clusters:
- cluster:  # the cluster's CA certificate, embedded
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXlPREUzTkRJeE1Gb1hEVE14TURZeU5qRTNOREl4TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTXdRCm1DSkowR3VJRGR6WmE4WEFKSXk3QlJVR0JUMG9JMGxWdVdjM1BEMjV3aHIxTUJSeVVydTB1MG43bUtWUVR6YlkKMEc4VVNIendTblg1MU9vTXBVNVl3SEs2V0dMZ0o2Z2RDZmpBWTZ2MTJlN3krcnZqT0tZbnM2bGpVZjJNbmFJTApuckN5MS91NTZMbmgxd0NIMVhrTEVDUDUzOU1GYW1Za1JHeGVTOUZabEZjZ0x2SnA0M1ZYOVY0SVdRZXVtSGQ5CjFhYktWZWkvNDFxYmJ2eURVN2w0bDdrbFVtTFVUR0RsWXBmMUdQVS9KYW9tNFFMUmFFdDJjc1ljTlo4SjN5YVkKR3ZPbG9HTTE1MFJzeDR2TDhEV09xWmNVVWcvdVh1aktnMU1mV1JyRDlLdnFLMVFkUDkySUUrbDZuWFVLWTM0cgp2b0RDbU9jTDhKMG5QeWpieWYwQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZPd2kyd3JVYnV2Vm1iaVYycm5uTHR6MGhzZ2NNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCQ0ZrRVU0Z3lvdURzNGhHMHBqZGxySlJrRHcxa0tnMUpWOG0zQ3FjS1VLbUpCVVQ5SAo5UjhMYVUycy82eVM1elgzVlNkVU5nRjFWL2hwalVKNmJTdWQ5WGZubWJ3OGxIS1V1Y1VTSVdVOWErVEdUdmtuCkRxSThGY0M4Z0tzdFVBd2FneGRSd2ozS0V5N0hTQWNiTVhqS0ZTZEFsUTJRcTdDRzh2TFhpbHVySGhFRWJyenEKdW5idVZqSjgwZ0lXZWVvMjNIa0Fiak9pVGlTb2tOMkFvR3lHVzllUzNiTUxTSmdNSHpMdFg4MHVXd1M3NWpjMwoybU1yWWU1OW56R0lSMnlZMnp4a21tajZET0xvTVFLeUpscVBDMmZHS3lBdjBONzlRS0FHbDdKamJYell2YVYyCmVnV3RDazBGSG5mYWg5RnUrL1A4cE50WThhZ1NsdW5lZUhrTAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""    # no context yet
kind: Config
preferences: {}
users: null   # no users yet
    3. Configure the cluster user tom
[root@k8s-master ~]# kubectl config set-credentials --help  # a user entry can hold different kinds of credentials: client certificate and key, bearer token, or an exec/auth-provider plugin (the --username/--password flags are for basic auth, which the API server no longer accepts as of v1.19)
...
Usage:
  kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]
[--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]
[--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg]
[--exec-env=key=value] [options]

[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt  --client-key=./tom.key --embed-certs=true  --kubeconfig=/tmp/mykubeconfig
User "tom" set.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: tom  # user tom added
  user:
    client-certificate-data: REDACTED  # --embed-certs=true stores the certificate contents here (base64) instead of a client-certificate file path; kubectl config view masks the value as REDACTED, --raw shows it
    client-key-data: REDACTED  # the private key is embedded the same way, so this file must be treated as a secret
    4. Add a context binding the cluster to the user
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes   # user and cluster are bound through this context
current-context: ""
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    5. Switch the context so that tom is the authenticating user
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes  --kubeconfig=/tmp/mykubeconfig
Switched to context "tom@kubernetes"

[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: tom@kubernetes  # current context
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

[root@k8s-master usercerts]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope

- The Forbidden error is an authorization failure, not an authentication failure: the API server has already identified the caller as User "tom", taken from the certificate's CN, which is all this example set out to achieve. Had the certificate been rejected, the response would have been Unauthorized (HTTP 401) instead of Forbidden (HTTP 403). Authorization, granting tom permissions through RBAC, is covered in the next section; until then kubectl auth can-i answers no for everything tom tries.
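The whole of Example 1 as one script, added here as an illustration and not taken from the original notes. It fills in the CSR step the transcript omits, signs the request with the CA, and then runs the checks worth doing before a certificate is handed to a user: that it chains to the cluster CA, that the private key matches it, that it has not expired, and which user name and groups the API server will derive from it (CN and O fields). Assumptions: the CA is a throwaway one generated in a temporary directory as a stand-in for /etc/kubernetes/pki/ca.crt and ca.key; validity is 365 days instead of the 3655 in the transcript; the certificate gets an extendedKeyUsage=clientAuth extension (so it is v3, unlike the v1 certificate shown above); and the kubectl config steps run only when kubectl is installed, against the server name https://k8s-master:6443 from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): Example 1 end to end, with the
# CSR step filled in and with the checks to run before handing out the cert.
# Uses a throwaway CA in a temp dir as a stand-in for /etc/kubernetes/pki/ca.crt
# and ca.key; on a real control plane point CA_CRT/CA_KEY at those files.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca.crt"
CA_KEY="$WORK/ca.key"

# Throwaway CA with the same subject kubeadm uses (constructed for this demo).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=kubernetes" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# mint_user_cert NAME GROUPS DAYS   (GROUPS is comma-separated)
# key -> CSR -> CA-signed certificate. The API server maps CN to the user name
# and each O to a group, so the subject is the whole identity. Keep DAYS short:
# the API server does no revocation checking, so a leaked certificate stays
# valid until it expires.
mint_user_cert() {
  name="$1"; groups="$2"; days="$3"
  subj="/CN=$name"
  for g in $(printf '%s' "$groups" | tr ',' ' '); do subj="$subj/O=$g"; done
  (umask 077; openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr"
  # clientAuth EKU and CA:FALSE make this a v3 client certificate; the notes'
  # command without -extfile produced a v1 certificate, which also works.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$WORK/client.ext"
  openssl x509 -req -days "$days" -sha256 -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/client.ext" -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
}

# cert_identity CRT: print "user=<CN> groups=<O,...>" as the API server sees it.
cert_identity() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed 's/^ *//')
  cn=$(printf '%s\n' "$subj" | sed -n 's/^CN=//p')
  groups=$(printf '%s\n' "$subj" | sed -n 's/^O=//p' | tr '\n' ',' | sed 's/,$//')
  printf 'user=%s groups=%s\n' "$cn" "$groups"
}

# verify_user_cert CRT KEY: chains to the cluster CA, key matches, not expired.
verify_user_cert() {
  crt="$1"; key="$2"
  openssl verify -CAfile "$CA_CRT" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: not signed by the cluster CA"; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
    || { echo "FAIL: private key does not match certificate"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: certificate expired"; return 1; }
  echo ok
}

# build_kubeconfig NAME SERVER OUT: the kubectl config sequence from Example 1.
# --embed-certs makes OUT self-contained, which also makes it a secret.
build_kubeconfig() {
  name="$1"; server="$2"; out="$3"
  kubectl config set-cluster kubernetes --server="$server" --embed-certs \
    --certificate-authority="$CA_CRT" --kubeconfig="$out"
  kubectl config set-credentials "$name" --client-certificate="$WORK/$name.crt" \
    --client-key="$WORK/$name.key" --embed-certs=true --kubeconfig="$out"
  kubectl config set-context "$name@kubernetes" --user="$name" --cluster=kubernetes --kubeconfig="$out"
  kubectl config use-context "$name@kubernetes" --kubeconfig="$out"
  chmod 600 "$out"
}

make_test_ca
mint_user_cert tom kubeusers 365
cert_identity "$WORK/tom.crt"                       # user=tom groups=kubeusers
verify_user_cert "$WORK/tom.crt" "$WORK/tom.key"    # ok
# Only build the kubeconfig when kubectl is present; the server name is the one from the notes.
if command -v kubectl >/dev/null 2>&1; then
  build_kubeconfig tom https://k8s-master:6443 "$WORK/tom.kubeconfig"
fi
```

On the real cluster the same three checks apply to the tom.crt from the transcript, and the identity line tells you exactly which subjects (User tom, Group kubeusers) the RoleBindings in the next section have to name. A user can carry several groups by passing them comma-separated, which becomes several O fields in the subject.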
Example 2: merging the user into an existing kubeconfig (tom.crt from Example 1 is reused)
  • No cluster entry has to be created: the default kubeconfig already contains one
  • Add the user's credentials; without --kubeconfig the command writes to the kubeconfig kubectl currently loads, here the default $HOME/.kube/config
[root@k8s-master usercerts]#  kubectl config set-credentials tom --client-certificate=./tom.crt  --client-key=./tom.key --embed-certs=true
User "tom" set.
  • Create the context in the default kubeconfig
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes  # existing context
- context:  
    cluster: kubernetes
    user: tom
  name: tom@kubernetes    # new context

current-context: kubernetes-admin@kubernetes    # current context, still the admin
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom     # new user
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
  • Switch the current context to tom@kubernetes
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes
Switched to context "tom@kubernetes".
[root@k8s-master usercerts]# kubectl get pod   # authenticated as tom, but tom has no permissions yet
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
  • Use another context for a single command with --context, without changing current-context
[root@k8s-master usercerts]# kubectl get nodes --context=kubernetes-admin@kubernetes
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready       56d   v1.19.9
k8s-node2    Ready       56d   v1.19.9
k8s-node3    Ready       19d   v1.19.9

[root@k8s-master usercerts]# kubectl config use-context kubernetes-admin@kubernetes  # switch the default context back to the admin
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master usercerts]# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready       56d   v1.19.9
k8s-node2    Ready       56d   v1.19.9
k8s-node3    Ready       19d   v1.19.9
  • Delete the context and the user. Deleting a context does not delete the user entry it referred to, so tom's embedded key would stay in the file; delete-user removes it (it is a newer subcommand, absent from the kubectl config -h listing above; on older clients use kubectl config unset users.tom)
[root@k8s-master usercerts]# kubectl config delete-context tom@kubernetes
[root@k8s-master usercerts]# kubectl config delete-user  tom 
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

  • Merge kubeconfig files through the environment variable: KUBECONFIG takes a colon-separated list and kubectl merges the files in that order, the first file winning on any conflicting entry and supplying current-context
[root@k8s-master usercerts]# export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
  • On top of the files merged through the environment variable, kubectl config view --flatten (--merge is already on by default) writes one self-contained kubeconfig with every referenced certificate and key embedded in full, which is how a portable kubeconfig is produced. Unlike plain kubectl config view, this output is not redacted: the new file contains the private keys of every user in it, and because it is created by shell redirection it gets the default umask rather than the 0600 kubectl uses, so restrict it with chmod 600. To hand out only tom's credentials, switch to tom@kubernetes first and add --minify, which drops every entry the current context does not use.
[root@k8s-master usercerts]# kubectl config view --merge --flatten > /tmp/newkubeconfig 
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/newkubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
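An added audit script, not part of the original notes, that mirrors the loading order described under kubectl config -h (--kubeconfig, then the colon-separated KUBECONFIG list, then $HOME/.kube/config), lists the files kubectl would read, and checks each of them for the problems discussed on this page: files readable by other users, insecure-skip-tls-verify, plaintext http API server addresses, and embedded private keys that make the file itself a credential. The two sample files it writes are constructed stand-ins for $HOME/.kube/config and for the flattened /tmp/newkubeconfig created above (the second also carries a hypothetical lab cluster entry with TLS verification turned off); their certificate and key fields hold placeholder strings, not real key material.

```shell
#!/bin/sh
# Added example (not from the original notes): list the kubeconfig files kubectl
# would load and audit each one. POSIX sh; needs only ls, grep, awk and mktemp.

# kubeconfig_paths EXPLICIT KUBECONFIG_VALUE HOME_DIR
# Mirrors kubectl's loading order: --kubeconfig wins outright, otherwise the
# colon-separated $KUBECONFIG list is merged in order, otherwise ~/.kube/config.
kubeconfig_paths() {
  explicit="$1"; env_list="$2"; home_dir="$3"
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit"
  elif [ -n "$env_list" ]; then
    printf '%s\n' "$env_list" | tr ':' '\n' | sed '/^$/d'
  else
    printf '%s\n' "$home_dir/.kube/config"
  fi
}

# audit_kubeconfig FILE: print one WARN/NOTE line per finding; always returns 0.
audit_kubeconfig() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "NOTE $f: does not exist (kubectl silently skips missing KUBECONFIG entries)"
    return 0
  fi
  # group/other permission bits are columns 5-10 of ls -l (GNU and BSD alike)
  shared=$(ls -ld "$f" | cut -c5-10 | tr -d -)
  [ -z "$shared" ] || echo "WARN $f: readable by group/others (bits '$shared'); expected mode 0600 like admin.conf"
  ! grep -q 'insecure-skip-tls-verify: true' "$f" || echo "WARN $f: insecure-skip-tls-verify lets anyone intercepting the connection impersonate the API server"
  ! grep -q 'server: http://' "$f" || echo "WARN $f: API server address is plaintext http; credentials travel unencrypted"
  ! grep -q 'client-key-data:' "$f" || echo "NOTE $f: embeds a private key (--embed-certs or --flatten); the file itself is the credential"
  ! grep -q 'client-key:' "$f" || echo "NOTE $f: references a key file by path; protect that file as well"
  ! grep -q 'token:' "$f" || echo "NOTE $f: contains a static bearer token"
  return 0
}

# finding_count FILE: number of WARN lines (NOTE lines are informational).
finding_count() {
  audit_kubeconfig "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# write_samples DIR: constructed stand-ins for $HOME/.kube/config (mode 0600, as
# kubeadm and kubectl write it) and for /tmp/newkubeconfig as produced by
# `kubectl config view --flatten > file` under the default umask 022, to which a
# hypothetical lab cluster with TLS checking disabled was later added.
# The base64 fields are placeholders ("PLACEHOLDER"), not certificates or keys.
write_samples() {
  dir="$1"
  cat > "$dir/config" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
users:
- name: kubernetes-admin
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    client-key-data: UExBQ0VIT0xERVI=
EOF
  chmod 600 "$dir/config"
  cat > "$dir/newkubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://192.168.4.170:6443
  name: kubernetes
- cluster:
    insecure-skip-tls-verify: true
    server: https://lab.example.internal:6443
  name: lab
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: tom@kubernetes
users:
- name: tom
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    client-key-data: UExBQ0VIT0xERVI=
EOF
  chmod 644 "$dir/newkubeconfig"
}

# Demo: audit what kubectl would load with KUBECONFIG pointing at both samples.
demo=$(mktemp -d)
write_samples "$demo"
kubeconfig_paths "" "$demo/config:$demo/newkubeconfig" "${HOME:-/root}" | while read -r p; do
  audit_kubeconfig "$p"
done
rm -rf "$demo"
```

Run it with no arguments to audit the constructed samples; to audit your own shell's files, call kubeconfig_paths "" "$KUBECONFIG" "$HOME" and feed the result to audit_kubeconfig. The flattened sample trips two warnings (world-readable, TLS verification off) and the 0600 default config none, which is the difference between a file kubectl wrote and one produced by shell redirection.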
