配置证书
- /etc/kubernetes/pki/
- 若为二进制方式手动安装，请切换到对应的证书目录下操作
## 生成私钥
# Generate the user's private key. umask 077 makes the new key file
# readable/writable by the owner only; the subshell keeps the umask local.
(umask 077;openssl genrsa -out devops.key 2048)
## 生成证书签署请求（CSR），CN 即为用户账号名称
# Certificate signing request for the user. kube-apiserver takes the username
# from the certificate's CN (group membership would come from O fields; none here).
openssl req -new -key devops.key -out devops.csr -subj "/CN=devops"
## 由 CA 签署证书
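# Sign the CSR with the cluster CA (ca.crt / ca.key in the current directory).
# kube-apiserver does not consult CRLs/OCSP for client certificates, so a leaked
# cert stays usable until it expires. The original used -days 7200 (~20 years);
# default to a short lifetime and rotate the credential rather than relying on
# revocation. Override with CERT_DAYS=<n> when a different validity is needed.
openssl x509 -req -in devops.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out devops.crt -days "${CERT_DAYS:-365}"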
## 查看证书
# Inspect the issued certificate; check that Subject CN is the intended user and
# that the Not After date matches the lifetime you expect.
openssl x509 -in devops.crt -text -noout
添加用户
- 将 admin.conf 复制到配置目录并命名为 devops.kubeconfig
- 这样无需再配置集群参数信息；后续配置完成后，删除其中 admin 用户的所有信息即可
- 生成 config 配置文件
//客户端证书
# Add the user entry. --embed-certs=true copies the client certificate AND the
# private key into devops.kubeconfig, so that file must be protected like the
# key itself (owner-only permissions, not checked into version control).
# kubectl config set-credentials devops --client-certificate=/etc/kubernetes/pki/devops.crt --client-key=/etc/kubernetes/pki/devops.key --embed-certs=true --kubeconfig=devops.kubeconfig
// 配置上下文
# Create a context binding the cluster to the devops user; --namespace=devops
# only sets the default namespace for kubectl, it grants no permissions.
# kubectl config set-context devops@kubernetes --cluster=kubernetes --user=devops --namespace=devops --kubeconfig=devops.kubeconfig
// 默认上下文
# Make the new context the default one in this kubeconfig.
# kubectl config use-context devops@kubernetes --kubeconfig=devops.kubeconfig
namespace 权限
role
# Render the Role manifest without creating it (newer kubectl spells the flag
# --dry-run=client). The generated file is edited below to add subresources.
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
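# Role for the devops user. The listing lost its indentation, which makes the
# YAML unparseable; structure restored below.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  # namespace the Role is scoped to
  namespace: devops
rules:
- apiGroups:
  - ""
  resources:
  - pods
  # NOTE: with the `create` verb below, pods/exec, pods/attach, pods/portforward
  # and pods/proxy allow running commands in and tunnelling to any pod in the
  # namespace, and `create` on pods allows launching new pods. That is far more
  # than a "reader"; drop `create` (or these subresources) if read-only access
  # is intended.
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  # - delete
  # - deletecollection
  - get
  - list
  - watch
  # - update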
rolebinding
# Render the RoleBinding manifest that attaches pods-reader to user devops.
# kubectl create rolebinding devops-podsreader --role=pods-reader --user=devops --dry-run -o yaml >> role-demo2.yaml
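# RoleBinding attaching pods-reader to the devops user. Indentation restored;
# the flattened listing was not valid YAML.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devops-podsreader
  # namespace the binding (and the referenced Role) lives in
  namespace: devops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  # must match the CN of the client certificate issued above
  name: devops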
创建
# Create the Role, then the RoleBinding that refers to it.
for manifest in role-demo.yaml role-demo2.yaml; do
  kubectl create -f "$manifest"
done
kube config
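# Install the kubeconfig for the devops user. The original created ~/.kuber
# (typo) and then copied into ~/.kube/, so the copy could fail on a fresh
# machine. The file embeds the private key, so keep it owner-only.
mkdir -p ~/.kube
cp devops.kubeconfig ~/.kube/config
chmod 600 ~/.kube/config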
Cluster 权限
- 创建集群角色并绑定到对应的用户;
- 可编辑生成的 yaml 文件来增加或删除权限配置等；
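# Render the ClusterRole and its ClusterRoleBinding into one file. Because the
# binding is appended to the same file, a YAML document separator (---) must
# sit between the two documents; without it the file is likely to be rejected
# by kubectl create -f. A ClusterRoleBinding applies across all namespaces.
# NOTE: kubectl exec needs the `create` verb on pods/exec, so with only
# get,list,watch this role should stay read-only (verify on your version).
kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods,pods/exec,pods/attach,svc --dry-run -o yaml > clusterrole-demo.yaml
printf '%s\n' '---' >> clusterrole-demo.yaml
kubectl create clusterrolebinding devops-readallpods --clusterrole=cluster-reader --user=devops --dry-run -o yaml >> clusterrole-demo.yaml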