Contents

  • Environment preparation
  • Overview of the k8s security framework
  • Token authentication
    • Notes
      • Enabling token authentication
      • Testing token authentication
  • basic-auth [deprecated]
  • kubeconfig authentication
    • Notes
    • Testing with a copied kubeconfig file
    • Creating a kubeconfig file [important]
      • Requesting a certificate
      • Creating the kubeconfig file
      • Authorizing the user
      • Verifying the kubeconfig file
  • OAuth [third-party authentication]
  • Role and ClusterRole authorization
  • SA, installing the dashboard, resource limits

Environment preparation

  • First you need a complete, working cluster
[root@master ~]# kubectl get nodes -o wide
NAME     STATUS   ROLES    AGE    VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION          CONTAINER-RUNTIME
master   Ready    master   114d   v1.21.0   192.168.59.142   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
node1    Ready    <none>   114d   v1.21.0   192.168.59.143   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
node2    Ready    <none>   114d   v1.21.0   192.168.59.144   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
[root@master ~]#
[root@master ~]# kubectl cluster-info
Kubernetes control plane is running at https://192.168.59.142:6443
CoreDNS is running at https://192.168.59.142:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://192.168.59.142:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@master ~]#
  • Then prepare a separate VM on the same subnet to act as the client
[root@master2 ~]# ip a | grep 59
inet 192.168.59.151/24 brd 192.168.59.255 scope global noprefixroute ens33
[root@master2 ~]#
# Install the command
[root@master2 ~]# yum install -y kubelet-1.21.0-0 --disableexcludes=kubernetes
# --disableexcludes=kubernetes  disables every repository other than this one
# Start the service
[root@master2 ~]# systemctl enable kubelet && systemctl start kubelet
# Enable tab completion for kubectl
[root@master2 ~]# head -n3 /etc/profile
# /etc/profile
source <(kubectl completion bash)
[root@master2 ~]#
# There is no cluster information yet; the error text may differ from this
[root@master2 ~]# kubectl get nodes
No resources found
[root@master2 ~]#

Overview of the k8s security framework

  • As a management tool for distributed clusters, Kubernetes treats cluster security as one of its key tasks. The API Server is the intermediary for communication between the components inside the cluster and the entry point for external control, so the Kubernetes security mechanisms are essentially designed around protecting the API Server.
  • Kubernetes secures the API Server in three steps: authentication, authorization and admission control.
  • For an ordinary user to access the cluster API Server securely, a certificate, a token or a user name plus password is usually needed; for a Pod to access it, a ServiceAccount is needed.
  • The K8S security control framework is enforced in the 3 stages below; each stage supports plugins, enabled through the API Server configuration.
    • 1. Authentication
    • 2. Authorization
    • 3. Admission Control

  • So the flow is:
    when kubectl, the UI, a program, etc. calls some k8s API, first authentication (is the caller genuine?), then authorization (is it allowed to do this?)

Token authentication

Notes

  • By default the cluster supports tokens but token authentication is not turned on, so first we enable token authentication on the cluster [run on the cluster master]

Enabling token authentication

# First generate a value
[root@master ~]# openssl rand -hex 10
f53309a4a68ce1ae8ead
[root@master ~]#
# Then add line 18 to the configuration file below; this turns on token authentication
# Note: the csv file must live under /etc/kubernetes/; the pki and bb parts of the path are your own choice
[root@master ~]# cat -n /etc/kubernetes/manifests/kube-apiserver.yaml | egrep -C1 token-auth-file
    17      - --allow-privileged=true
    18      - --token-auth-file=/etc/kubernetes/pki/bb.csv
    19      - --feature-gates=RemoveSelfLink=false
[root@master ~]#
# Edit the bb.csv file
# The fields are: the id generated above, a user name of your choice, an id [they must be separated by commas]
[root@master ~]# cat /etc/kubernetes/pki/bb.csv
f53309a4a68ce1ae8ead,ccx,3
[root@master ~]#
# Then restart the service; token authentication is now configured
[root@master ~]# systemctl restart kubelet
[root@master ~]#
[root@master ~]# kubectl get nodes # wait until the output below appears
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master ~]#

Testing token authentication

  • Syntax for a client to connect to the cluster: kubectl -s https://<cluster master_ip>:6443 --token='<id generated on the cluster master>' get nodes [kubectl options shows more parameters]
  • Below we make the authenticated connection step by step; read the comments carefully
# At this point the connection fails with a certificate error
[root@master2 ~]# kubectl -s https://192.168.59.142:6443 --token='f53309a4a68ce1ae8ead' get nodes -n kube-system
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
[root@master2 ~]#
# We can add --insecure-skip-tls-verify=true to skip the certificate check
# Then it fails again, saying user ccx cannot list nodes in this namespace
[root@master2 ~]# kubectl -s https://192.168.59.142:6443 --token='f53309a4a68ce1ae8ead' --insecure-skip-tls-verify=true get nodes -n kube-system
Error from server (Forbidden): nodes is forbidden: User "ccx" cannot list resource "nodes" in API group "" at the cluster scope
[root@master2 ~]#
# Conclusion: authentication has already succeeded; we just lack permission to view
# Now change one character of the token and the error says there is no valid authentication
[root@master2 ~]# kubectl -s https://192.168.59.142:6443 --token='f53309a4a68ce1ae8eax' --insecure-skip-tls-verify=true get nodes -n kube-system
error: You must be logged in to the server (Unauthorized)
[root@master2 ~]#
  • Once authenticated, authorization comes into play; see the notes in the authorization part below [it involves a lot; for now it is enough to know what a token is]
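The static token file and the lookup the API server performs on it, as an added Python example that is not part of the original post: it parses a file in the bb.csv format above (the second line and its group column are constructed), answers the way the server did for the genuine token and for the one with its last character changed, and generates a token the way openssl rand -hex 10 does.

```python
import csv
import hmac
import secrets
from io import StringIO

# Constructed sample of a --token-auth-file in the same shape as the page's bb.csv:
# token,user name,user id[,"group1,group2"]; the quoted group column is optional.
SAMPLE_TOKEN_FILE = """\
f53309a4a68ce1ae8ead,ccx,3
0123456789abcdef0123,ops-bot,4,"system:monitoring,readers"
"""


def generate_token(nbytes=10):
    """Equivalent of `openssl rand -hex 10`: nbytes random bytes as 2*nbytes hex chars."""
    return secrets.token_hex(nbytes)


def parse_token_file(text):
    """Parse the CSV into {token: {"user", "uid", "groups"}}.

    Lines with fewer than three fields and repeated tokens are rejected up front,
    which is the check to run before pointing --token-auth-file at the file: the
    API server only reads it at start-up, so a bad line costs a restart."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) < 3:
            raise ValueError("need at least token,user,uid: %r" % (row,))
        token, user, uid = (field.strip() for field in row[:3])
        groups = [g.strip() for g in row[3].split(",")] if len(row) > 3 else []
        if token in entries:
            raise ValueError("token reused for user %s" % user)
        entries[token] = {"user": user, "uid": uid, "groups": groups}
    return entries


def authenticate(entries, presented):
    """Look up a bearer token; None means the request gets 401 Unauthorized.

    Authentication only establishes who the caller is. A match for ccx still
    yields the page's Forbidden error on `get nodes` until RBAC grants that
    user a role, which is the second, separate step."""
    match = None
    for token, info in entries.items():
        # constant-time compare: a one-character difference (the page's ...8eax)
        # must cost the same as a completely different token
        if hmac.compare_digest(token.encode(), presented.encode()):
            match = info
    return match
```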

basic-auth [deprecated]

If you're interested, look it up on Baidu yourself

kubeconfig authentication

Notes

  • The kubeconfig file: there is no file literally named kubeconfig; any file used for authentication is what we call a kubeconfig
    e.g. if aa.txt holds the authentication data, then aa.txt is a kubeconfig file

  • When we set up the cluster there is a step [shown in the figure below]; that is the process of creating the kubeconfig file

  • In other words, once kubernetes is installed the system generates a kubeconfig file with administrator rights.
    Let's test: as root we can run queries, but once we switch to another user we cannot, because that user does not have this kubeconfig file.
    The cluster uses ~/.kube/config as the default kubeconfig file, and that file is under /root.

[root@master ~]# ls /etc/kubernetes/
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf
[root@master ~]#
[root@master ~]# kubectl get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master ~]#
[root@master ~]# su - ccx
[ccx@master ~]$
[ccx@master ~]$ kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[ccx@master ~]$

Testing with a copied kubeconfig file

  • Now we copy this file into the ccx user's home directory, set the ownership and test again [on the cluster master node]
    There are quite a few tests, done step by step; read the comments carefully.
[root@master ~]#
[root@master ~]# cp /etc/kubernetes/admin.conf ~ccx/
[root@master ~]# chown ccx.ccx ~ccx/admin.conf
[root@master ~]#
[root@master ~]# su - ccx
Last login: Wed Nov  3 12:35:22 CST 2021 on pts/0
[ccx@master ~]$ ls ~/
admin.conf
[ccx@master ~]$ cd ~/
[ccx@master ~]$ pwd
/home/ccx
[ccx@master ~]$ # Still not working, because the cluster does not know which kubeconfig file you are using
[ccx@master ~]$ kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[ccx@master ~]$ # So as soon as we name the file, we can query [the path is fixed, so no path is needed]
[ccx@master ~]$ kubectl --kubeconfig=admin.conf get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[ccx@master ~]$ # So any user who gets hold of this file, whatever it is named, has administrator rights
# But we can't specify the file every time, that's tedious, so we can set it as a variable and stop specifying the file
# Note: we are still the ordinary user ccx here
[ccx@master ~]$ export KUBECONFIG=admin.conf
[ccx@master ~]$
[ccx@master ~]$ kubectl get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[ccx@master ~]$
# After we unset the environment variable, it no longer works
[ccx@master ~]$ unset KUBECONFIG
[ccx@master ~]$ kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[ccx@master ~]$
# Now, can we do without the environment variable and without specifying the file? Yes, we can
# As said before, the kubeconfig file lives in .kube/config, so we just put the file there and it works like root
[ccx@master ~]$ cp admin.conf .kube/config
[ccx@master ~]$
[ccx@master ~]$ kubectl get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[ccx@master ~]$
  • Likewise, we now copy this configuration file to a host outside the cluster and repeat the test above
# The 151 IP below is outside the cluster [the client test machine above]
[root@master ~]# scp /etc/kubernetes/admin.conf 192.168.59.151:~
The authenticity of host '192.168.59.151 (192.168.59.151)' can't be established.
ECDSA key fingerprint is SHA256:+JrT4G9aMhaod/a9gBjUOzX5aONqQ7a4OX0Oj3Z978c.
ECDSA key fingerprint is MD5:7f:4c:cc:5c:10:d2:54:d8:3c:dd:da:39:48:30:12:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.59.151' (ECDSA) to the list of known hosts.
root@192.168.59.151's password:
admin.conf                                                    100% 5594     2.9MB/s   00:00
[root@master ~]#
# Now on the test machine: the cluster information is still visible
[root@master2 ~]# ls | grep adm
admin.conf
[root@master2 ~]# kubectl --kubeconfig=admin.conf get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master2 ~]#
[root@master2 ~]# kubectl --kubeconfig=admin.conf get nodes -o wide
NAME     STATUS   ROLES    AGE    VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION          CONTAINER-RUNTIME
master   Ready    master   114d   v1.21.0   192.168.59.142   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
node1    Ready    <none>   114d   v1.21.0   192.168.59.143   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
node2    Ready    <none>   114d   v1.21.0   192.168.59.144   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7
[root@master2 ~]#
# A user can reach the cluster directly through this file because the certificate in the file is already bound to this cluster.
  • Because the admin file carries the highest privileges, anyone you give it to can operate the cluster directly, which is a serious security risk, so normally we don't do this.

Creating a kubeconfig file [important]

  • To create a kubeconfig file we need a private key and a certificate issued by the cluster CA. It is like going to the public security bureau (the authority) to apply for an ID card: the bureau reviews the application and issues the card, which is then valid proof of identity, whereas a business card you print yourself is not.
  • Likewise we cannot simply derive a public key from the private key and use that; we must use the private key to generate a certificate signing request (the application form), then submit that request to the CA (the authority) to apply for a certificate (the ID card), and the CA issues the certificate after approval.
  • Now let's go through the whole creation process.
    Since this is important, let's create a separate directory and namespace for it~
[root@master ~]# mkdir sefe
[root@master ~]# cd sefe
[root@master sefe]# kubectl create ns safe
namespace/safe created
[root@master sefe]# kubens safe
Context "context" modified.
Active namespace is "safe".
[root@master sefe]#
[root@master sefe]# kubectl get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master sefe]#

Requesting a certificate

  • Create the private key, named ccx
[root@master sefe]# openssl genrsa -out ccx.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................+++
.............................................................................+++
e is 65537 (0x10001)
[root@master sefe]# ls
ccx.key
  • Use the private key ccx.key just generated to create the certificate signing request ccx.csr:
    Note in particular that the CN value here, ccx, is the user we authorize later.
[root@master sefe]# openssl req -new -key ccx.key -out ccx.csr -subj "/CN=ccx/O=cka2021"
[root@master sefe]# ls
ccx.csr  ccx.key
[root@master sefe]#
  • Syntax for a client to connect to the cluster: kubectl -s https://<cluster master_ip>:6443 --username=user --password=passwd get nodes

  • Base64-encode the certificate signing request
    There is a lot of output and it is needed later, so make sure you copy all of it

[root@master sefe]# cat ccx.csr | base64 | tr -d "\n"
<base64-encoded CSR omitted>
[root@master sefe]#
  • Write the yaml file for the certificate signing request
    Note that the apiVersion here has to be the beta1 one; otherwise the signerName line cannot be commented out, and then the later steps cannot retrieve the certificate. The request field holds the base64-encoded certificate signing request.
[root@master sefe]# cat csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ccx
spec:
  groups:
  - system:authenticated
  #signerName: kubernetes.io/legacy-aa   # note: this line is commented out
  # replace request below with the base64 value generated above
  request: <base64-encoded CSR omitted>
  usages:
  - client auth
[root@master sefe]#
  • Submit the certificate request
[root@master sefe]# kubectl apply -f csr.yaml
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/ccx created
[root@master sefe]#
  • Check the certificate request that was submitted:
    its status is Pending at this point
[root@master sefe]# kubectl get csr
NAME   AGE   SIGNERNAME                     REQUESTOR          CONDITION
ccx    7s    kubernetes.io/legacy-unknown   kubernetes-admin   Pending
[root@master sefe]#
  • Approve the certificate:
[root@master sefe]# kubectl certificate approve ccx
certificatesigningrequest.certificates.k8s.io/ccx approved
[root@master sefe]#
  • Check again; the status is no longer Pending
[root@master sefe]# kubectl get csr
NAME   AGE   SIGNERNAME                     REQUESTOR          CONDITION
ccx    95s   kubernetes.io/legacy-unknown   kubernetes-admin   Approved,Issued
[root@master sefe]#
  • View the full yaml of the successfully created csr
[root@master sefe]# kubectl get csr ccx -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"ccx"},"spec":{"groups":["system:authenticated"],"request":"<base64-encoded CSR omitted>","usages":["client auth"]}}
  creationTimestamp: "2021-11-03T08:32:11Z"
  name: ccx
  resourceVersion: "12652380"
  selfLink: /apis/certificates.k8s.io/v1/certificatesigningrequests/ccx
  uid: 49a3aa81-b7a2-432a-a115-d98e065689ab
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded CSR omitted>
  signerName: kubernetes.io/legacy-unknown
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: <base64-encoded certificate omitted>
  conditions:
  - lastTransitionTime: "2021-11-03T08:33:39Z"
    lastUpdateTime: "2021-11-03T08:33:39Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved
[root@master sefe]#
# It also has its own ca files [the ca name specified at the beginning]
[root@master sefe]# ls /etc/kubernetes/pki/ | grep ca
ca.crt
ca.key
front-proxy-ca.crt
front-proxy-ca.key
[root@master sefe]#
  • View the certificate:
[root@master sefe]# kubectl get csr/ccx -o jsonpath='{.status.certificate}'
<base64-encoded certificate omitted>
[root@master sefe]#
[root@master sefe]#
  • Export the certificate file:
[root@master sefe]# kubectl get csr/ccx -o jsonpath='{.status.certificate}' | base64 -d > ccx.crt
[root@master sefe]# ls
ccx.crt  ccx.csr  ccx.key  csr.yaml
[root@master sefe]#
  • Now we have both the public key and the private key

    • ccx.key: private key
    • ccx.csr: public key
[root@master sefe]# ls
ccx.crt  ccx.csr  ccx.key  csr.yaml
[root@master sefe]#
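The request and retrieval steps above, as an added Python example that is not the post's own code: it builds the equivalent CertificateSigningRequest in the stable certificates.k8s.io/v1 form the deprecation warning above asks for (with the kube-apiserver-client signer in place of the commented-out legacy one) and extracts the issued certificate only once the object is approved and issued. The CSR and certificate PEMs are constructed placeholders.

```python
import base64
import json

# Constructed stand-in for the PEM that `openssl req -new -key ccx.key -out ccx.csr
# -subj "/CN=ccx/O=cka2021"` writes; a real CSR body is far longer.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "constructed-csr-body\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-cert\n-----END CERTIFICATE-----\n"


def build_csr_manifest(name, csr_pem):
    """CertificateSigningRequest object for the stable certificates.k8s.io/v1 API,
    i.e. what the deprecation warning on `kubectl apply` asks for.

    v1 makes signerName mandatory; kubernetes.io/kube-apiserver-client is the
    signer for client certificates that an administrator approves by hand, the
    replacement for the legacy-unknown signer of the page's v1beta1 object.
    spec.request is the whole CSR PEM base64-encoded onto one line, exactly what
    `cat ccx.csr | base64 | tr -d "\\n"` produces."""
    return {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {
            "signerName": "kubernetes.io/kube-apiserver-client",
            "request": base64.b64encode(csr_pem.encode()).decode(),
            "usages": ["client auth"],
        },
    }


def manifest_text(manifest):
    """Text to save as csr.yaml for `kubectl apply -f` (JSON is accepted as YAML)."""
    return json.dumps(manifest, indent=2) + "\n"


def request_pem(csr_object):
    """Decode spec.request back to PEM, to confirm what was actually submitted."""
    return base64.b64decode(csr_object["spec"]["request"]).decode()


def issued_certificate(csr_object):
    """Mirror of `kubectl get csr/<name> -o jsonpath='{.status.certificate}' | base64 -d`.

    Returns the certificate PEM only when the CSR carries an Approved condition
    with status "True" and the signer has filled in status.certificate;
    otherwise None (Pending, or Approved but not yet Issued)."""
    status = csr_object.get("status") or {}
    approved = any(c.get("type") == "Approved" and c.get("status") == "True"
                   for c in status.get("conditions", []))
    cert_b64 = status.get("certificate")
    if not (approved and cert_b64):
        return None
    pem = base64.b64decode(cert_b64).decode()
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("status.certificate is not a PEM certificate")
    return pem


# Constructed CSR objects in the states the page shows: Pending, then Approved,Issued.
PENDING_CSR = build_csr_manifest("ccx", SAMPLE_CSR_PEM)
ISSUED_CSR = dict(PENDING_CSR, status={
    "certificate": base64.b64encode(SAMPLE_CERT_PEM.encode()).decode(),
    "conditions": [{"type": "Approved", "status": "True",
                    "reason": "KubectlApprove",
                    "message": "This CSR was approved by kubectl certificate approve."}],
})
```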

Creating the kubeconfig file

  • Copy the CA certificate
[root@master sefe]# cp /etc/kubernetes/pki/ca.crt .
[root@master sefe]# ls
ca.crt  ccx.crt  ccx.csr  ccx.key  csr.yaml
[root@master sefe]# cat ca.crt
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----
[root@master sefe]#
  • Set the cluster field
kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://192.168.59.142:6443 --certificate-authority=ca.crt --embed-certs=true
# --kubeconfig=kc1: kc1 is a name of your choice
# set-cluster cluster1: cluster1 is a name of your choice
# --server=https://192.168.59.142:6443: replace with the master IP
# --certificate-authority=ca.crt: the ca.crt file copied above
# --embed-certs=true means the certificate contents are written into this kubeconfig file
[root@master sefe]# kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://192.168.59.142:6443 --certificate-authority=ca.crt --embed-certs=true
Cluster "cluster1" set.
[root@master sefe]# ls
ca.crt  ccx.crt  ccx.csr  ccx.key  csr.yaml  kc1
[root@master sefe]# cat kc1
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 omitted>
    server: https://192.168.59.142:6443
  name: cluster1
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
[root@master sefe]#
  • Set the user field
    This mainly writes in the key material
# Nothing needs changing
kubectl config --kubeconfig=kc1 set-credentials ccx  --client-certificate=ccx.crt --client-key=ccx.key --embed-certs=true
[root@master sefe]# kubectl config --kubeconfig=kc1 set-credentials ccx  --client-certificate=ccx.crt --client-key=ccx.key --embed-certs=true
User "ccx" set.
[root@master sefe]# cat kc1
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 omitted>
    server: https://192.168.59.142:6443
  name: cluster1
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: ccx
  user:
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>
[root@master sefe]#
  • Set the context field
    Above we defined the cluster and the user; here we define contexts, which bind that cluster and user together
# Nothing needs changing
kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=ccx
[root@master sefe]# kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=ccx
Context "context1" created.
[root@master sefe]# cat ck1
cat: ck1: No such file or directory
[root@master sefe]# cat kc1
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 omitted>
    server: https://192.168.59.142:6443
  name: cluster1
contexts:
- context:
    cluster: cluster1
    namespace: default
    user: ccx
  name: context1
current-context: ""
kind: Config
preferences: {}
users:
- name: ccx
  user:
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>
[root@master sefe]#
  • Set the default context
    Put the name from line 12 inside the "" on line 13 below
[root@master sefe]# cat -n kc1 | grep context
     7  contexts:
     8  - context:
    12    name: context1
    13  current-context: ""
[root@master sefe]# vi kc1
[root@master sefe]# cat -n kc1 | grep context
     7  contexts:
     8  - context:
    12    name: context1
    13  current-context: "context1"
[root@master sefe]#
  • With that, the kubeconfig file is complete
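An added Python example, not the post's own code, that produces the same kc1 structure as the three kubectl config commands above, fills in current-context, and reports which identity, server and namespace a kubeconfig will act as; the PEM contents are constructed placeholders.

```python
import base64

# Constructed PEM stand-ins for ca.crt, ccx.crt and ccx.key (real ones are far longer).
CA_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-ca\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-ccx\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nconstructed-key\n-----END RSA PRIVATE KEY-----\n"


def _embed(pem):
    # --embed-certs=true: the file contents go into the kubeconfig as one base64 line
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(server, ca_pem, client_cert_pem, client_key_pem,
                     cluster="cluster1", user="ccx", context="context1",
                     namespace="default"):
    """Same result as set-cluster, set-credentials and set-context together,
    plus current-context filled in (the page edits that line by hand;
    `kubectl config --kubeconfig=kc1 use-context context1` does the same)."""
    if not server.startswith("https://"):
        raise ValueError("API server must be reached over TLS: %s" % server)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": _embed(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": _embed(client_cert_pem),
            "client-key-data": _embed(client_key_pem)}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": context,
    }


def to_yaml(value, indent=0):
    """Tiny emitter for this dict/list/str shape, keys sorted as kubectl writes
    them, so the result looks like `cat kc1`; no YAML library needed."""
    pad = " " * indent
    if isinstance(value, dict) and value:
        out = ""
        for key in sorted(value):
            child = value[key]
            if isinstance(child, (dict, list)) and child:
                sub = indent if isinstance(child, list) else indent + 2
                out += "%s%s:\n%s" % (pad, key, to_yaml(child, sub))
            else:
                out += "%s%s: %s\n" % (pad, key, to_yaml(child))
        return out
    if isinstance(value, list) and value:
        return "".join(pad + "- " + to_yaml(item, indent + 2).lstrip() for item in value)
    if value == {} or value == []:
        return "{}" if isinstance(value, dict) else "[]"
    return '""' if value == "" else str(value)


def describe(config):
    """Which identity, endpoint and namespace a kubeconfig will act as: the
    check to run on any kubeconfig handed to you before using or trusting it."""
    ctx = next(c for c in config["contexts"] if c["name"] == config["current-context"])
    cluster = next(c for c in config["clusters"] if c["name"] == ctx["context"]["cluster"])
    user = next(u for u in config["users"] if u["name"] == ctx["context"]["user"])
    key_pem = base64.b64decode(user["user"]["client-key-data"]).decode()
    return {"user": user["name"], "server": cluster["cluster"]["server"],
            "namespace": ctx["context"]["namespace"],
            "has_private_key": "PRIVATE KEY" in key_pem}
```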

Authorizing the user

  • Now we can copy this file to another host for a test, or test on the current master; you can see the user name has become ccx, it just has no access yet
[root@master sefe]# kubectl --kubeconfig=kc1 get nodes
Error from server (Forbidden): nodes is forbidden: User "ccx" cannot list resource "nodes" in API group "" at the cluster scope
[root@master sefe]#
[root@master sefe]# scp kc1 192.168.59.151:~
root@192.168.59.151's password:
kc1                                                           100% 5495     3.0MB/s   00:00
[root@master sefe]#
# On the client
[root@master2 ~]# kubectl --kubeconfig=kc1 get nodes
Error from server (Forbidden): nodes is forbidden: User "ccx" cannot list resource "nodes" in API group "" at the cluster scope
[root@master2 ~]#
  • Now we authorize the user ccx [authorization is really just creating 1 clusterrolebinding]
    I authorized the user ccx, and kc1 stores ccx's certificate and key, so kc1 carries ccx's permissions
kubectl create clusterrolebinding test1 --clusterrole=cluster-admin --user=ccx
# clusterrolebinding test1: test1 is the name
# --clusterrole=cluster-admin: grant the cluster-admin permissions
# --user=ccx: which user name to grant them to
[root@master sefe]# kubectl create clusterrolebinding test1 --clusterrole=cluster-admin --user=ccx
clusterrolebinding.rbac.authorization.k8s.io/test1 created
[root@master sefe]#
[root@master sefe]# kubectl get clusterrolebindings.rbac.authorization.k8s.io test1
NAME    ROLE                        AGE
test1   ClusterRole/cluster-admin   2m43s
[root@master sefe]#
  • Now test again
    With the permission granted, everything below is naturally visible
[root@master sefe]# kubectl --kubeconfig=kc1 get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master sefe]#
[root@master2 ~]# kubectl --kubeconfig=kc1 get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   114d   v1.21.0
node1    Ready    <none>   114d   v1.21.0
node2    Ready    <none>   114d   v1.21.0
[root@master2 ~]#
  • Then delete this clusterrolebinding and access stops working again [the permission is gone]
[root@master sefe]# kubectl delete clusterrolebindings.rbac.authorization.k8s.io test1
clusterrolebinding.rbac.authorization.k8s.io "test1" deleted
[root@master sefe]#
[root@master sefe]# kubectl --kubeconfig=kc1 get nodes
Error from server (Forbidden): nodes is forbidden: User "ccx" cannot list resource "nodes" in API group "" at the cluster scope
[root@master sefe]#

Verifying the kubeconfig file

  • Since I deleted the permission above, create one again now
[root@master sefe]# kubectl create clusterrolebinding test1 --clusterrole=cluster-admin --user=ccx
clusterrolebinding.rbac.authorization.k8s.io/test1 created
[root@master sefe]#
  • Check whether ccx has permission to list pods in the current namespace
[root@master sefe]# kubectl auth can-i list pods --as ccx
yes
[root@master sefe]#
  • Check whether ccx has permission to list pods in the kube-system namespace
[root@master sefe]# kubectl auth can-i list pods -n kube-system --as ccx
yes
[root@master sefe]#
# Normally every namespace answers yes
[root@master sefe]# kubectl auth can-i list pods -n ds --as ccx
yes
[root@master sefe]#
  • The file can only be used normally when the answer is yes.

OAuth [third-party authentication]

This is hardly used any more; if you want to know more, look it up on Baidu yourself... I won't bother with it here

Role and ClusterRole authorization

Too much content, published separately; for authorization go to this post:
[Kubernetes] Detailed notes on k8s security management [role and clusterrole authorization configuration in detail]

SA, installing the dashboard, resource limits

Too much content, published separately; for SA, installing the dashboard and resource limits go to this post:
[Kubernetes] Detailed notes on k8s security management [SA configuration, installing the k8s dashboard, resource limits (resource, limit, resourcequota)]
