Generating the user's key
Generally speaking, a user's key is the user's own secret and should not be supplied by the cluster administrator; instead, the user hands a CSR file to the cluster administrator. Sometimes, for convenience, the administrator generates and distributes the keys centrally.
linmao@debian-1:/etc/kubernetes/pki$ sudo openssl genrsa -out linmao.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
..........+++++
e is 65537 (0x010001)
Generating the CSR (certificate signing request)
sudo openssl req -new -key linmao.key -out linmao.csr -subj "/O=linmao_corp/CN=linmao"
Signing the certificate
linmao@debian-1:/etc/kubernetes/pki$ sudo openssl x509 -req -in linmao.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linmao.crt -days 365
Signature ok
subject=O = linmao_corp, CN = linmao
Getting CA Private Key
Copying the certificates
At this point the certificate is complete. The cluster administrator now distributes it to the user. The bundle consists of ca.crt, <username>.crt and <username>.key. As noted above, <username>.key should really be generated by the user, who then hands the CSR produced from that key to the cluster administrator for signing; here we assume the administrator simply generated the key on the user's behalf for convenience. This is not best practice.
We now simulate the distribution by copying the certificates to the client machine.
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/ca.crt .
ca.crt 100% 1099 95.3KB/s 00:00
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/linmao.crt .
linmao.crt 100% 1017 248.0KB/s 00:00
PS C:\Users\marlin\.kube> scp debian1:/etc/kubernetes/pki/linmao.key .
linmao.key 100% 1679 819.8KB/s 00:00
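As an added example (not from the original post), the openssl flow above split into the user side and the admin side, which is the best practice the post recommends: the key stays with the user, the admin checks the CSR subject before signing, and the user verifies the issued certificate against ca.crt. $WORK is an assumed scratch directory standing in for /etc/kubernetes/pki and ~/.kube, and the throwaway CA is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: the openssl flow split into the
# user side and the admin side, which is the best practice the post describes.
# $WORK is an assumed scratch directory standing in for /etc/kubernetes/pki and ~/.kube.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# User side: generate the private key locally and hand over only the CSR.
user_make_csr() {   # $1 = username (becomes CN), $2 = group (becomes O)
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/O=$2/CN=$1"
}

# Admin side: print the CSR subject in RFC 2253 form, e.g. CN=linmao,O=linmao_corp
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Admin side: sign only if the subject matches what was agreed with the user.
# The API server maps CN to the username and O to the group, so a CSR that
# quietly asks for O=system:masters would otherwise be signed into cluster-admin.
admin_sign_csr() {  # $1 = csr path, $2 = expected username, $3 = expected group
  subj=$(csr_subject "$1")
  if [ "$subj" != "CN=$2,O=$3" ]; then
    echo "refusing to sign: unexpected subject '$subj'" >&2
    return 1
  fi
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$2.crt" -days 365 2>/dev/null
}

# User side: confirm the returned certificate really chains to the cluster CA.
user_verify_cert() {  # $1 = username; prints OK when the chain verifies
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null && echo OK
}

# Constructed throwaway CA so the example runs offline; a real cluster uses
# the CA already present in /etc/kubernetes/pki.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=kubernetes" 2>/dev/null
}

# Usage: make_test_ca; user_make_csr linmao linmao_corp;
#        admin_sign_csr "$WORK/linmao.csr" linmao linmao_corp; user_verify_cert linmao
```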
Creating a Role/ClusterRole and RoleBinding/ClusterRoleBinding
The difference between a Role and a ClusterRole is that a Role must specify a namespace; that is, a Role is bound to a namespace. A ClusterRole grants cluster-level permissions that are not restricted to any namespace. Here we give an example of a ClusterRole and a ClusterRoleBinding:
cluster-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-operator
rules:
- apiGroups:
  - ""
  - "batch"
  - "apps"
  resources:
  - pods
  - nodes
  - services
  - cronjobs
  - jobs
  - endpoints
  - deployments
  - namespaces
  - pods/log
  - persistentvolumes
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - delete
  - create
cluster-role-binding.yaml: binds the ClusterRole created above to the user linmao.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-operator
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: linmao
Submit both files to the cluster with sudo kubectl apply -f <filename>.
Configuring the client
At this point the server-side configuration is complete. Now we configure the client. Remember the three files copied from the server earlier (ca.crt, linmao.crt, linmao.key)? They are needed now. Put them in the .kube directory under your home directory first.
1. Create the cluster
C:\Users\marlin>kubectl config set-cluster test-cluster --server=https://192.168.1.195:6443 --certificate-authority=C:\Users\marlin\.kube\ca.crt
Cluster "test-cluster" set.
2. Create the user
C:\Users\marlin>kubectl config set-credentials linmao --client-certificate=C:\Users\marlin\.kube\linmao.crt --client-key=C:\Users\marlin\.kube\linmao.key
User "linmao" set.
3. Create the context, which associates the cluster and the user just created
C:\Users\marlin>kubectl config set-context linmao@test-cluster --cluster=test-cluster --user=linmao
Context "linmao@test-cluster" created.
4. Check what was created
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
linmao@test-cluster test-cluster linmao
5. Test it
C:\Users\marlin>kubectl config use-context linmao@test-cluster
Switched to context "linmao@test-cluster".
C:\Users\marlin>kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
common data-service-589c97fc76-98k5g 1/1 Running 0 133m
default vscode-884887b4d-wfgsv 1/1 Running 0 11h
kube-system coredns-6d8c4cb4d-2vp27 1/1 Running 0 11h
kube-system coredns-6d8c4cb4d-jp5w2 1/1 Running 0 11h
kube-system etcd-debian-1 1/1 Running 11 11h
kube-system kube-apiserver-debian-1 1/1 Running 11 11h
kube-system kube-controller-manager-debian-1 1/1 Running 7 11h
kube-system kube-flannel-ds-57bzc 1/1 Running 0 11h
kube-system kube-flannel-ds-w2f56 1/1 Running 0 11h
kube-system kube-flannel-ds-xxkr7 1/1 Running 0 11h
kube-system kube-proxy-b4dnv 1/1 Running 0 11h
kube-system kube-proxy-rjlwx 1/1 Running 0 11h
kube-system kube-proxy-tl2f4 1/1 Running 0 11h
kube-system kube-scheduler-debian-1 1/1 Running 11 11h
Success!