Table of contents
User account authentication
The kubeconfig file
Three ways to specify a kubeconfig file
Common commands for inspecting a kubeconfig
Example 1: creating a kubeconfig for an authenticated account with openssl
Example 2: merging certificates into a kubeconfig (tom.crt was created in Example 1)
User account authentication
The kubeconfig file
As mentioned earlier, communication between Kubernetes components goes over HTTPS, and every HTTPS request must be authenticated. For example, when we run on the command line
[root@k8s-master ~]# kubectl get pod
the request has to pass HTTPS authentication, and because these HTTPS connections are stateless, every request must carry the certificate. Supplying all of this by hand on every call would be very inconvenient, so to simplify connecting, Kubernetes uses a kubeconfig file that bundles the authentication information with the client configuration.
kubeconfig file: three search paths, in order of precedence
1. A config file specified explicitly on the command line (--kubeconfig), highest precedence
2. The config file(s) named by the $KUBECONFIG environment variable
3. The file in the user's home directory, $HOME/.kube/config
kubeconfig file:
A file that gathers user names, credentials and cluster information together so that a client can authenticate to the API server; one file can hold n sets of credentials for m clusters.
- kubectl's own options show that a client certificate and key can also be passed explicitly:
[root@k8s-master kubernetes]# kubectl options
The following options can be passed to any command:
--add-dir-header=false: If true, adds the file directory to the header of the log messages
--alsologtostderr=false: log to standard error as well as files
--as='': Username to impersonate for the operation
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--cache-dir='/root/.kube/cache': Default cache directory
--certificate-authority='': Path to a cert file for the certificate authority
--client-certificate='': Path to a client certificate file for TLS # client certificate
--client-key='': Path to a client key file for TLS # client private key
--cluster='': The name of the kubeconfig cluster to use
--context='': The name of the kubeconfig context to use
--insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for validity. This will
make your HTTPS connections insecure
...
- kubeconfig file
- It contains roughly four kinds of information, and one file can hold n sets of credentials for m clusters:
- clusters: the Kubernetes clusters to access
- contexts: the concrete context (a cluster paired with a user) used to access a cluster
- current-context: the context currently in use
- users: the user information: user name plus certificate or other credentials
The config files the system creates by default
[root@k8s-master core]# cd /etc/kubernetes/
[root@k8s-master kubernetes]# ll # the config files present after the Kubernetes install
total 32
-rw------- 1 root root 5565 Jun 29 01:42 admin.conf # administrator's config
-rw------- 1 root root 5601 Jun 29 01:42 controller-manager.conf # controller manager's config
-rw------- 1 root root 1933 Jun 29 01:43 kubelet.conf
drwx------ 2 root root 113 Jun 29 01:42 manifests
drwxr-xr-x 3 root root 4096 Jun 29 01:42 pki
-rw------- 1 root root 5541 Jun 29 01:42 scheduler.conf # scheduler's config
[root@k8s-master kubernetes]# cat admin.conf
apiVersion: v1
clusters: # cluster information
- cluster: # the API server's CA certificate
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXlPREUzTkRJeE1Gb1hEVE14TURZeU5qRTNOREl4TUZvd0ZdFVBd2FneGRSd2ozS0V5N0hTQWNiTVhqS0ZTZEFsUTJRcTdDRzh2TFhpbHVySGhFRWJyenEKdW5idVZqSjgwZ0lXZWVvMjNIa0Fiak9pVGlTb2tOMkFvR3lHVzllUzNiTUxTSmdNSHpMdFg4MHVXd1M3NWpjMwoybU1yWWU1OW56R0lSMnlZMnp4a21tajZET0xvTVFLeUpscVBDMmZHS3lBdjBONzlRS0FHbDdKamJYell2YVYyCmVnV3RDazBGSG5mYWg5RnUrL1A4cE50WThhZ1NsdW5lZUhrTAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.4.170:6443
  name: kubernetes # cluster name
contexts: # a context ties a cluster to a user; within one file they are not one-to-one, so one user can manage several clusters
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes # the active cluster/user pairing
kind: Config
preferences: {}
users:
- name: kubernetes-admin # user information
  user: # the user's credentials: client certificate and private key
    client-certificate-data: <base64 client certificate omitted>
    client-key-data: <base64 client key omitted>
Three ways to specify a kubeconfig file
- Method 1: pass the config file explicitly
[root@k8s-master ~]# kubectl --kubeconfig=/etc/kubernetes/admin.conf get pod # point at a config file; this is also the file kubeadm init told us to copy into the home directory
NAME READY STATUS RESTARTS AGE
centos-deployment-66d8cd5f8b-9x47c 1/1 Running 1 44h
demodb-0 1/1 Running 0 21h
demodb-1 1/1 Running 0 19h
- Method 2: set it through the environment variable
[root@k8s-master ~]# export KUBECONFIG=/etc/kubernetes/admin.conf # via the environment variable
[root@k8s-master ~]# echo $KUBECONFIG
/etc/kubernetes/admin.conf
- Method 3: copy it into the home directory
- This is the file that kubeadm init told us to copy into the home directory:
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.4.170:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:d31662998938389c1f9e432a0c7bcef7d05678b42c2f5fd67213ed228f356db2
Common commands for inspecting a kubeconfig
[root@k8s-master ~]# kubectl config -h
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"
The loading order follows these rules:
1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
and no merging takes place.
2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
delimiting rules for your system). These paths are merged. When a value is modified, it is modified
in the file that defines the stanza. When a value is created, it is created in the first file that
exists. If no files in the chain exist, then it creates the last file in the list.
3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.
Available Commands:
current-context Displays the current-context
delete-cluster Delete the specified cluster from the kubeconfig
delete-context Delete the specified context from the kubeconfig
get-clusters Display clusters defined in the kubeconfig
get-contexts Describe one or many contexts
rename-context Renames a context from the kubeconfig file.
set Sets an individual value in a kubeconfig file
set-cluster Sets a cluster entry in kubeconfig
set-context Sets a context entry in kubeconfig
set-credentials Sets a user entry in kubeconfig
unset Unsets an individual value in a kubeconfig file
use-context Sets the current-context in a kubeconfig file
view Display merged kubeconfig settings or a specified kubeconfig file
- Show the default config
[root@k8s-master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    server: ""
  name: /etc/kubernetes/admin.conf
- cluster:
    server: ""
  name: etc/kubernetes/admin.conf
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Show the contexts of a specific config file
[root@k8s-master ~]# kubectl config get-contexts --kubeconfig=/etc/kubernetes/scheduler.conf
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* system:kube-scheduler@kubernetes kubernetes system:kube-scheduler
Example 1: creating a kubeconfig for an authenticated account with openssl
- Approach
Use the openssl tool to do X.509 authentication (mutual TLS is supported), with the certificate signed by the cluster's own CA.
- In the Kubernetes pki directory there is a single ca.crt; all component certificates are issued by the API server's CA, so for a key of our own to be accepted by the API server, its certificate must be signed by this CA.
[root@k8s-master pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
- Create the private key
[root@k8s-master kubernetes]# mkdir usercerts
[root@k8s-master kubernetes]# cd usercerts/
[root@k8s-master usercerts]# (umask 077; openssl genrsa -out tom.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master usercerts]# ls
tom.key
Next, create the certificate. A self-signed certificate made from this private key will not do: we need a certificate signing request (CSR) and have the Kubernetes CA sign it. The signing command below takes tom.csr, a CSR generated from tom.key with subject CN=tom, O=kubeusers.
Commonly used openssl options:
-days validity period in days
-CA the CA certificate to sign with
-CAkey the CA's private key
-CAcreateserial let the CA generate its own serial-number file
-in the file to sign (the CSR)
-out the output file
[root@k8s-master usercerts]# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in tom.csr -out tom.crt
Signature ok
subject=/CN=tom/O=kubeusers
Getting CA Private Key
[root@k8s-master usercerts]# openssl x509 -in tom.crt -text -noout # show certificate details
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
bc:c3:53:df:96:10:ec:ed
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Aug 24 00:35:05 2021 GMT
Not After : Aug 27 00:35:05 2031 GMT
Subject: CN=tom, O=kubeusers
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
- Generate the kubeconfig file and configure the cluster information, stored at /tmp/mykubeconfig
[root@k8s-master core]# kubectl config set-cluster kubernetes --server=https://k8s-master:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.
[root@k8s-master ~]# cat /tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster: # the cluster's CA, embedded by --embed-certs
    certificate-authority-data: <base64 CA certificate omitted>
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: "" # no context yet
kind: Config
preferences: {}
users: null # no users yet
- Configure the cluster user tom
[root@k8s-master ~]# kubectl config set-credentials --help # a user can authenticate in several ways
...
Usage:
kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]
[--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]
[--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg]
[--exec-env=key=value] [options]
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true --kubeconfig=/tmp/mykubeconfig
User "tom" set.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: tom # user tom has been added
  user:
    client-certificate-data: REDACTED # embedded by --embed-certs=true; kubectl config view hides the contents
    client-key-data: REDACTED # likewise hidden
- Add a context that binds the cluster to the user
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes # binds user tom to cluster kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Switch the context so that the authenticating user becomes tom
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes --kubeconfig=/tmp/mykubeconfig
Switched to context "tom@kubernetes"
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: tom@kubernetes # the active context
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master usercerts]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
- The error above is an authorization problem, not an authentication one: the certificate was accepted and the request was attributed to user "tom" (the name taken from the certificate's CN), which is all this example set out to show. Authorization is covered in the next section.
Example 2: merging certificates into a kubeconfig (tom.crt was created in Example 1)
- The cluster does not need to be created again; the default config file already contains it
- Add the user credentials (the certificate and key)
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true
User "tom" set.
- Create the context in the default kubeconfig
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes # default context
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes # newly created context
current-context: kubernetes-admin@kubernetes # current context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom # newly added user
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Switch the current context to tom@kubernetes
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes
Switched to context "tom@kubernetes".
[root@k8s-master usercerts]# kubectl get pod # reports no permission
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
- Use the previous context for a single command
[root@k8s-master usercerts]# kubectl get nodes --context=kubernetes-admin@kubernetes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready 56d v1.19.9
k8s-node2 Ready 56d v1.19.9
k8s-node3 Ready 19d v1.19.9
[root@k8s-master usercerts]# kubectl config use-context kubernetes-admin@kubernetes # change the default context back
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master usercerts]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready 56d v1.19.9
k8s-node2 Ready 56d v1.19.9
k8s-node3 Ready 19d v1.19.9
- Delete the context and the user
[root@k8s-master usercerts]# kubectl config delete-context tom@kubernetes
[root@k8s-master usercerts]# kubectl config delete-user tom
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Merge config files through the environment variable
[root@k8s-master usercerts]# export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
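The merge rules printed by kubectl config -h above (first file defining a name wins, current-context from the first file that sets one) explain why the merged view keeps the admin server and context. The following added example, not part of the original post, reproduces that merge in Python on two constructed configs written as JSON (a YAML subset, so no PyYAML is needed); ADMIN_CONF and MY_CONF stand in for $HOME/.kube/config and /tmp/mykubeconfig.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the page's two files: the kubeadm admin config
# and /tmp/mykubeconfig. Certificate data is omitted; only the fields that
# matter for the merge are kept.
ADMIN_CONF = json.loads("""{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "kubernetes", "cluster": {"server": "https://192.168.4.170:6443"}}],
  "contexts": [{"name": "kubernetes-admin@kubernetes",
                "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
  "current-context": "kubernetes-admin@kubernetes",
  "users": [{"name": "kubernetes-admin", "user": {"client-key-data": "<omitted>"}}]}""")
MY_CONF = json.loads("""{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "kubernetes", "cluster": {"server": "https://k8s-master:6443"}}],
  "contexts": [{"name": "tom@kubernetes", "context": {"cluster": "kubernetes", "user": "tom"}}],
  "current-context": "tom@kubernetes",
  "users": [{"name": "tom", "user": {"client-key-data": "<omitted>"}}]}""")

def merge_kubeconfigs(files: List[Dict]) -> Dict:
    """Merge files in $KUBECONFIG order as 'kubectl config -h' describes: for
    clusters/contexts/users the first file defining a name wins whole (a later
    entry with the same name is dropped, extra fields included), and
    current-context comes from the first file that sets a non-empty one."""
    merged: Dict = {"apiVersion": "v1", "kind": "Config", "current-context": "",
                    "clusters": [], "contexts": [], "users": []}
    for cfg in files:
        for section in ("clusters", "contexts", "users"):
            seen = {e["name"] for e in merged[section]}
            for entry in cfg.get(section) or []:
                if entry["name"] not in seen:
                    merged[section].append(entry)
                    seen.add(entry["name"])
        if not merged["current-context"] and cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]
    return merged

def lookup(cfg: Dict, section: str, name: str) -> Dict:
    """Return the named entry from clusters/contexts/users, or raise KeyError."""
    for entry in cfg[section]:
        if entry["name"] == name:
            return entry
    raise KeyError(f"{section}: {name}")

def effective_endpoint(cfg: Dict, context: Optional[str] = None) -> Tuple[str, str]:
    """Resolve a context (default: current-context) to (user, server): the
    identity kubectl would present and the API server it would present it to."""
    ctx = lookup(cfg, "contexts", context or cfg["current-context"])["context"]
    server = lookup(cfg, "clusters", ctx["cluster"])["cluster"]["server"]
    return ctx["user"], server
```

Note that in the merged result tom@kubernetes resolves to the first file's server for cluster "kubernetes", not the one /tmp/mykubeconfig defined: a colliding cluster name silently rebinds a context to another endpoint, which is why the merged view above shows 192.168.4.170 rather than k8s-master.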
- Building on the environment-variable merge, the --merge --flatten options write the merged result out as a single flattened config file with duplicates resolved
[root@k8s-master usercerts]# kubectl config view --merge --flatten > /tmp/newkubeconfig
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/newkubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED