K8s新建用户制作证书绑定角色

Posted 2021-02-21

K8s新建用户制作证书绑定角色
role roulebind clustrrole clustrrloebinding
Kubeadm 创建的k8s集群默认证书有限期为三年，三年后会过期

Kubernetes创建一个集群用户连接API-Server 使用命令模式
#可以用现有用户kubernetes-admin@kubernetes的CA证书 【ca.crt ca.key】 去签署一个新创建的用户，进行绑定 文件默认路径/etc/Kubernetes/pki/

1. 创建私钥
   Cd /etc/Kubernetes/pki/
   Openssl genrsa -out sunwenbo,key 2048

2. 生成证书签署请求
   Openssl req -new -key sunwenbo.key -out sunwenbo.csr -subj “/CN=sunwenbo”

3. 用CA证书签证
   Openssl x509 -req -in sunwenbo.csr -CA ./ca.crt -Cakey ./ca.key -CAcreateserial -out sunwenbo.crt -days 365

4. 查看签署后的证书内容
   Openssl x509 -in sunwenbo.crt -text -noout

5. 创建一个新的集群用户，使用自签证书和私钥 –embed-certs=true 将证书和私钥隐藏

Kubectl config set-credentials sunwenbo –client-certificate=./sunwenbo.crt –client-key=./sunwenbo,key –embed-certs=true
Kubectl config view #查看会多出一个users

6. 设置上下文，让新建sunwenbo的用户也可以去访问kubernetes集群
   Kubectl config set-context sunwenbo@kubernetes –cluster=Kubernetes –user=sunwenbo
   Kubectl config view #查看会多出一个context

7. 切换账号
   Kubectl config use-context sunwenbo@kubernetes
   Kubectl get pods
   #此时会提示 No resources found Error from server (forbiddent): pods is forbiddent: User “sunwenbo”cannot list pods in the namespace “default”
   #原因是我们只是有了一个可登录的用户，但是这个用户并没有任何权限。

1#创建一个自定义的集群
Kubectl config set-cluster mycluster –kubeconfig=/tmp/mycluster.conf –server=”IP:端口号” –certificate-authority=/etc/Kubernetes/pki/car.crt –embed-certs=true
#查看自定义集群的信息
Kubectl config view –kubeconfig=/tmp/mycluster.conf

创建role角色和绑定

1. 创建一个role
   Kubectl create role pods-reader –verb=get,list,watch –resource=pods –dry -run -o yaml >role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
  createionTimestamp: null
  name: pods-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch

    kubectl apply -f role.yaml
    kubectl get role
    kubectl describe role pods-reader

2. 创建一个rolebinding,将角色绑定到一个用户
   Kubectl create rolebinging sunwenbo-read-pods --role=pods-reader –user=sunwenbo –dry -run -o yaml >rolebanging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
   creationTimestamp: null
   name: sunwenbo-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io

kubectl apply -f rolebanging.yaml
kubectl describe rolebinding sunwenbo-erad-pods #查看详细内容

3. 切换用户验证
   kubectl config use-context sunwenbo@kubernetes
   kubect get pod #只能查看default 名称空间下的资源，如果是其他名称空间，创建role时指定namespace 即可

创建clusterrole可以访问所有名称空间

1. 创建clusterrole
   Kubectl create clusterrole cluster-reader –verb=get,list,watch –resource=pods –dry -run -o yaml > cluster.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroup:
  - ""
resources:
  - pods
verbs:
  - get
  - list 
  - watch

  kubectl apply -f cluster.yaml
    kubectl get role
    kubectl describe role cluster-reader

2. 绑定role
   #如果这个用户已经绑定了其他role需要将rolebanding删掉，删除立即生效
   kubectl delete rolebinding sunwenbo-read-pods

kubectl create clusterrolebinging admin-read-pods --clusterrole=cluster-reder –user=sunwenbo –dry -run -o yaml > clusterrolebinging.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
   name: admin-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cluster-reder
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: sunwenbo

3. 切换用户验证
   kubectl config use-context sunwenbo@kubernetes
   kubect get pod #可以查看所有名称空间下的资源，但是只有get，list，watch权限

#rolebinding绑定clusterbinding，clusterbinding会自动降级，跟随rolebinding定义的权限规则

#给用户绑定系统默认role,可以指定拥有某个名称空间的权限
kubectl create rolebinging default-ns-admin --clusterrole=admin –user=sunwenbo –dry -run -o yaml > default-user-banding.yaml