共计 58241 个字符,预计需要花费 146 分钟才能阅读完成。
想想自己是如何管理公司中的用户的?如何在集群中给不同职能员工不同的权限?是集群范围?还是命名空间范围?又或者是只和写?在我的职业生涯中,经历过形形色色的公司,在人员协作方面,运维是至关重要的一环,从独揽大权(光杆司令),到权分中枢十三省(团队太大了)。。。。权限的规划走了一版又一版,越来越复杂,人员的协调性也越来越差,流程审批又丑又长。这个终究还是看公司体制╮(╯▽╰)╭
简述
笔者目前的k8s集群中使用的集群中授权认证,dashboard也是用k8s自带的那套,虽然想用其他第三方的dashboard,但是公司不允许呀┑( ̄Д  ̄)┍。所以此处就简单讲下k8s集群中的用户管理。
所有k8s集群都有两类用户
- k8s管理的服务账号
- 普通用户
在k8s集群中并无用来代表普通用户账号的对象,找不到创建kind为user类型的资源来声明并创建用户,且普通用户的信息无法通过API调用添加到集群中。但是k8s集群认为只要能够提供由集群证书机构签名的合法证书的用户是,则作为通过身份认证的用户。即k8s集群中使用证书中的‘subject’的CN字段来确定用户名(/CN=xadocker),接着配合基于RBAC子系统确定用户是否有针对某资源的操作权限。普通用户的创建需要用户通过CSR请求来让集群信任用户证书,从而创建用户。
而服务账号(SA)是k8s API所管理的用户,可以通过API来创建。SA通常是被绑定到指定的命名空间,且用Rolebinding或Clusterrolebinding来关联角色和Secret,至此该SA才拥有特定权限执行操作。通常SA可以被用户所使用,也可以被各种组件使用。
访问k8s集群资源需要三个关卡:
- Authentication 认证
- Authorization 授权
- Admission Control 准入控制
三种常见的客户端认证方式:
- https证书认证:基于ca证书签名的数字证书认证
- http token认证:通过一个token来识别用户
- http base认证:用户名+密码的方式认证
- 其他:OIDC/LDAP等
本篇只讲前两种的方式o(* ̄▽ ̄*)o
创建一个普通用户
创建用户证书
# 创建私钥
[root@k8s-master ~]# mkdir k8s-user
[root@k8s-master ~]# cd k8s-user/
[root@k8s-master k8s-user]# openssl genrsa -out myuser.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
...........................................+++
e is 65537 (0x10001)
[root@k8s-master k8s-user]# cat myuser.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA3Qv2/aO0AqeM8vlAj6Idd7aaawKGaXZfthkfjNavhJj6GyWH
IEAarX8HJQ0WEvoXXu/xJqoTG7VDZjio8pIVBgLP+jBFVc2yohAb4b/BI49aJsal
6XTUUGm37Dz4EnuzmcbyIKWPHR68r4LtZ/ffg5o6H53ifILnheLtgMlasJvaq02c
rgCA7awLKdQ8foWwMwqX/EY4zuuCrnIa555KcEBFZy3JPfHmniUfoITumMn1Ixhw
C4VAx/s+cdn5wealbwLMOsSxLFdC2Cqt8r2QDIwz/gFxZIk/npFS0tM+DuTo48QA
J7R/78T80PBobCdAYwM/r8W3nMMkHxFmkdYzNQIDAQABAoIBAHEtFhoJfjo5tVYW
PnMMKxBHQ0r08QMAY8LlnBzNMvKuLKhHj6b4i3A3cN4MlDfFKsAmFA+a1svCBC9L
ZV1FZFQ+jmPn4SgseIC3xL7SIj5lwF/IJ9yfP7GoX04qbU1xXqSmkwQaIGtleHBY
lds8s4k7JvVXLkZX89i+NqJQ9gkj35MWSEBiCsLLWJPrd2951r+RAj2c/ZgDEN3j
Rej8ApfgkekAgSf/bfNzHTS0+OvtOX/ouqhSWQwtg0DlyZgQouT07sebyGOdsQ/t
Jioi9SA9d0RBCRixmbNg0cP5zSVjEySYHEOAJg29YnWL4sihcNJkc/nzDKl1wTFR
2sFNO0ECgYEA9n9efE1ywPR7EyMzU5GFzgc2pKkWBh/7vyBzZqUmo3GiLZAG/qA8
m/dhNvUJ4weDGs877sVW0XfLEbD0qbLutHLe5ie0RB0q2jM3xXWghBQoRD8FIyBP
uxovDZOefRFz1mAl6HiiRYdW5mofijmB6wTopBr95D6inCOctxGVPYUCgYEA5ZFt
Y2M2zkGy8iBejjD9TZaSImClAB3Wkq6UFjHOQV2zKL4WExUlwUegua68qtY4qL50
qKIVXq9fzwRoJKwF15kLhnXb3jangHVLe7Ve6IAUeU3HvMdKRrCRkC7gB6qEfBka
eywmXXz29HuA+rozbsY53qG4OBnCD4XxHkjL9fECgYEAnIp+4sn8mnWow5qTOfss
0o7aMPAAwJsHMXXWU9WGGD5OFElnZ8UzOIl9/3zWbouSwy/gi95fKF+/YtjSSAMO
fSKGU/vbC3bKhBAK1yfAbKCwgcbT6F7Yw6X5Q9H/0MWInxgoet5Bj45HrcSviwTC
cRKI+874dj8g3a/wEoLkGFECgYAFC0z8AhISNh9Ycp2hQjJOoiBT4Qu/FOjCEFPw
qOd/SC/HlWWmxbAurwQ5ED3VAx/7lTO7ANS3X+MbCV3AcIcwVYyLR8us9kZ37Bvc
e/+53BaXE75vx3E6XGbWZDFH+dcvYt3SFwZAx54lgRE0cSLwLCrZWXRSxz4cWTUT
FUZmAQKBgGzTeei+U9gmDhy3SPXhcb03vAgSUudXGjHOvSX1glkDlWr1ArTdyNkZ
nDRUSLAIFrj2mTS61wJXjReRIQ25hR7DaDa6vvfhffH9RLeliEqV1yYP6pWVvXkz
+0r8bDAxAEee6YQDE34eW81jFB+oFUDitEXxJ7kgqPZvC9M8W9fU
-----END RSA PRIVATE KEY-----
# 创建签署请求
[root@k8s-master k8s-user]# openssl req -new -key myuser.key -out myuser.csr -subj "/O=mygroup/CN=myuser"
[root@k8s-master k8s-user]# cat myuser.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICaDCCAVACAQAwIzEQMA4GA1UECgwHbXlncm91cDEPMA0GA1UEAwwGbXl1c2Vy
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Qv2/aO0AqeM8vlAj6Id
d7aaawKGaXZfthkfjNavhJj6GyWHIEAarX8HJQ0WEvoXXu/xJqoTG7VDZjio8pIV
BgLP+jBFVc2yohAb4b/BI49aJsal6XTUUGm37Dz4EnuzmcbyIKWPHR68r4LtZ/ff
g5o6H53ifILnheLtgMlasJvaq02crgCA7awLKdQ8foWwMwqX/EY4zuuCrnIa555K
cEBFZy3JPfHmniUfoITumMn1IxhwC4VAx/s+cdn5wealbwLMOsSxLFdC2Cqt8r2Q
DIwz/gFxZIk/npFS0tM+DuTo48QAJ7R/78T80PBobCdAYwM/r8W3nMMkHxFmkdYz
NQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAH979avlJFp5FTAWSm+ktFstGGFn
EFY7jC/JiAWRn/L9Qs3AjYAYhDxWvdv9grEwJxOWQUsWIEOsVS4X5dKzn98F/N2l
gYlRhaZ6YMuUBgHm15V0ihIlPclzDtTV9cDiHko+7azZm83Ym+ERqneu77W/pPzO
MUHpCg1hR34ww4L9rH7gMnE8AsoulKxVkTskr1MzH/mFTDZVV/9638YfVgOX7a77
nMe0AgAeNOvTAQD+c6zW8FrfVjBiAZfDQFj4yyCePivR8GerrnAMODECno8Ic7uC
VHZmZLICTgOX4OOKPHUseDw+clvxenvSEQXRiovgqdAGDMfuwegCRqetExI=
-----END CERTIFICATE REQUEST-----
创建CSR
# usage 字段必须是 'client auth'
# expirationSeconds 可以设置为更长(例如 864000 是十天)或者更短(例如 3600 是一个小时)
# request 字段是 CSR 文件内容的 base64 编码值。 要得到该值,可以执行命令 cat myuser.csr | base64 | tr -d "\n"
[root@k8s-master k8s-user]# cat myuser.csr | base64 | tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVFNQTRHQTFVRUNnd0hiWGxuY205MWNERVBNQTBHQTFVRUF3d0diWGwxYzJWeQpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkCmQ3YWFhd0tHYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVYKQmdMUCtqQkZWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZgpnNW82SDUzaWZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLCmNFQkZaeTNKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlEKREl3ei9nRnhaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZegpOUUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSDk3OWF2bEpGcDVGVEFXU20ra3RGc3RHR0ZuCkVGWTdqQy9KaUFXUm4vTDlRczNBallBWWhEeFd2ZHY5Z3JFd0p4T1dRVXNXSUVPc1ZTNFg1ZEt6bjk4Ri9OMmwKZ1lsUmhhWjZZTXVVQmdIbTE1VjBpaElsUGNsekR0VFY5Y0RpSGtvKzdhelptODNZbStFUnFuZXU3N1cvcFB6TwpNVUhwQ2cxaFIzNHd3NEw5ckg3Z01uRThBc291bEt4VmtUc2tyMU16SC9tRlREWlZWLzk2MzhZZlZnT1g3YTc3Cm5NZTBBZ0FlTk92VEFRRCtjNnpXOEZyZlZqQmlBWmZEUUZqNHl5Q2VQaXZSOEdlcnJuQU1PREVDbm84SWM3dUMKVkhabVpMSUNUZ09YNE9PS1BIVXNlRHcrY2x2eGVudlNFUVhSaW92Z3FkQUdETWZ1d2VnQ1JxZXRFeEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
# 查看自己集群的api版本,不同版本语法不一样!
[root@k8s-master k8s-user]# kubectl api-versions | grep cer
certificates.k8s.io/v1beta1
[root@k8s-master k8s-user]# cat >myuser-csr.yaml<<'EOF'
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: myuser
spec:
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVFNQTRHQTFVRUNnd0hiWGxuY205MWNERVBNQTBHQTFVRUF3d0diWGwxYzJWeQpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkCmQ3YWFhd0tHYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVYKQmdMUCtqQkZWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZgpnNW82SDUzaWZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLCmNFQkZaeTNKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlEKREl3ei9nRnhaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZegpOUUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSDk3OWF2bEpGcDVGVEFXU20ra3RGc3RHR0ZuCkVGWTdqQy9KaUFXUm4vTDlRczNBallBWWhEeFd2ZHY5Z3JFd0p4T1dRVXNXSUVPc1ZTNFg1ZEt6bjk4Ri9OMmwKZ1lsUmhhWjZZTXVVQmdIbTE1VjBpaElsUGNsekR0VFY5Y0RpSGtvKzdhelptODNZbStFUnFuZXU3N1cvcFB6TwpNVUhwQ2cxaFIzNHd3NEw5ckg3Z01uRThBc291bEt4VmtUc2tyMU16SC9tRlREWlZWLzk2MzhZZlZnT1g3YTc3Cm5NZTBBZ0FlTk92VEFRRCtjNnpXOEZyZlZqQmlBWmZEUUZqNHl5Q2VQaXZSOEdlcnJuQU1PREVDbm84SWM3dUMKVkhabVpMSUNUZ09YNE9PS1BIVXNlRHcrY2x2eGVudlNFUVhSaW92Z3FkQUdETWZ1d2VnQ1JxZXRFeEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
EOF
[root@k8s-master k8s-user]# kubectl apply -f myuser-csr.yaml
certificatesigningrequest.certificates.k8s.io/myuser created
批准证书签名请求
# 查看证书请求
[root@k8s-master k8s-user]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
myuser 3m22s kubernetes.io/kube-apiserver-client kubernetes-admin Pending
# 批准证书请求
[root@k8s-master k8s-user]# kubectl certificate approve myuser
certificatesigningrequest.certificates.k8s.io/myuser approved
[root@k8s-master k8s-user]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
myuser 4m16s kubernetes.io/kube-apiserver-client kubernetes-admin Approved,Issued
# 拒绝证书请求
[root@k8s-master k8s-user]# kubectl certificate deny myuser
查看证书
# 证书的内容使用 base64 编码,存放在字段 status.certificate
[root@k8s-master k8s-user]# kubectl get csr/myuser -o yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"myuser"},"spec":{"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVFNQTRHQTFVRUNnd0hiWGxuY205MWNERVBNQTBHQTFVRUF3d0diWGwxYzJWeQpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkCmQ3YWFhd0tHYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVYKQmdMUCtqQkZWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZgpnNW82SDUzaWZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLCmNFQkZaeTNKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlEKREl3ei9nRnhaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZegpOUUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSDk3OWF2bEpGcDVGVEFXU20ra3RGc3RHR0ZuCkVGWTdqQy9KaUFXUm4vTDlRczNBallBWWhEeFd2ZHY5Z3JFd0p4T1dRVXNXSUVPc1ZTNFg1ZEt6bjk4Ri9OMmwKZ1lsUmhhWjZZTXVVQmdIbTE1VjBpaElsUGNsekR0VFY5Y0RpSGtvKzdhelptODNZbStFUnFuZXU3N1cvcFB6TwpNVUhwQ2cxaFIzNHd3NEw5ckg3Z01uRThBc291bEt4VmtUc2tyMU16SC9tRlREWlZWLzk2MzhZZlZnT1g3YTc3Cm5NZTBBZ0FlTk92VEFRRCtjNnpXOEZyZlZqQmlBWmZEUUZqNHl5Q2VQaXZSOEdlcnJuQU1PREVDbm84SWM3dUMKVkhabVpMSUNUZ09YNE9PS1BIVXNlRHcrY2x2eGVudlNFUVhSaW92Z3FkQUdETWZ1d2VnQ1JxZXRFeEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
creationTimestamp: "2022-07-20T14:41:20Z"
managedFields:
- apiVersion: certificates.k8s.io/v1beta1
fieldsType: FieldsV1
fieldsV1:
f:status:
f:certificate: {}
manager: kube-controller-manager
operation: Update
time: "2022-07-20T14:45:23Z"
- apiVersion: certificates.k8s.io/v1beta1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:spec:
f:request: {}
f:signerName: {}
f:usages: {}
f:status:
f:conditions: {}
manager: kubectl
operation: Update
time: "2022-07-20T14:45:23Z"
name: myuser
resourceVersion: "12197"
selfLink: /apis/certificates.k8s.io/v1beta1/certificatesigningrequests/myuser
uid: 171a8210-2fd6-45e4-9781-cd4525261276
spec:
groups:
- system:masters
- system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FEQ0NBVkFDQVFBd0l6RVFNQTRHQTFVRUNnd0hiWGxuY205MWNERVBNQTBHQTFVRUF3d0diWGwxYzJWeQpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkCmQ3YWFhd0tHYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVYKQmdMUCtqQkZWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZgpnNW82SDUzaWZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLCmNFQkZaeTNKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlEKREl3ei9nRnhaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZegpOUUlEQVFBQm9BQXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSDk3OWF2bEpGcDVGVEFXU20ra3RGc3RHR0ZuCkVGWTdqQy9KaUFXUm4vTDlRczNBallBWWhEeFd2ZHY5Z3JFd0p4T1dRVXNXSUVPc1ZTNFg1ZEt6bjk4Ri9OMmwKZ1lsUmhhWjZZTXVVQmdIbTE1VjBpaElsUGNsekR0VFY5Y0RpSGtvKzdhelptODNZbStFUnFuZXU3N1cvcFB6TwpNVUhwQ2cxaFIzNHd3NEw5ckg3Z01uRThBc291bEt4VmtUc2tyMU16SC9tRlREWlZWLzk2MzhZZlZnT1g3YTc3Cm5NZTBBZ0FlTk92VEFRRCtjNnpXOEZyZlZqQmlBWmZEUUZqNHl5Q2VQaXZSOEdlcnJuQU1PREVDbm84SWM3dUMKVkhabVpMSUNUZ09YNE9PS1BIVXNlRHcrY2x2eGVudlNFUVhSaW92Z3FkQUdETWZ1d2VnQ1JxZXRFeEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
username: kubernetes-admin
status:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lRRWZjVUFjOFhDdk1TQTZpQ1djdllWakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURjeU1ERTBOREF5TTFvWERUSXpNRGN5TURFMApOREF5TTFvd0l6RVFNQTRHQTFVRUNoTUhiWGxuY205MWNERVBNQTBHQTFVRUF4TUdiWGwxYzJWeU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkZDdhYWF3S0cKYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVZCZ0xQK2pCRgpWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZmc1bzZINTNpCmZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLY0VCRlp5M0oKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlFESXd6L2dGeApaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZek5RSURBUUFCCm95VXdJekFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCYmxERnp2T3RLRXZyZ1dHZlBsdTR1eldsZGxIQTh2TjFqaUJXUHF2aFFjYms0eUhuUgpiWEVxR3lTZUVJeERYV0xuaXhhbURld1dtOWNHMk1WQTM5Znhpd091dVZ6d3J0S1ljMDdNWDlMVFYyYnlLOVFmCnMrbDA2UVhtMzkzK2I1ajJCS0FaRVBMZERmTTRHenl6TGdQVkNzTVRQWmhvOUJOOTlpd3N4blAvdGVtbWhDRXoKQ2ZLUlBYNEtORUpnU1hid1BzQnQyeVZ2OGx4dlZKTmx6TzlaNDZSOWE5TTBjbkZvWFhSYWtPU2Jib1NCYkNRSQpzbHNaQ0t2SFlQMkFZcEpoTTdJVHN2czEwQzcxOFJPRisvUFZJaFZ6SjZyMENSYzdrZ1RBdzZFYVFKT0J4ZGNYCmpZUlRMS1cwU0kzbFZlRXFNT2pkQmJSR2xFQVBzcVJTZ3kwWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
conditions:
- lastUpdateTime: "2022-07-20T14:45:23Z"
message: This CSR was approved by kubectl certificate approve.
reason: KubectlApprove
type: Approved
导出集群颁发的证书
[root@k8s-master k8s-user]# kubectl get csr myuser -o jsonpath='{.status.certificate}'| base64 -d > myuser.crt
[root@k8s-master k8s-user]# cat myuser.crt
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIQEfcUAc8XCvMSA6iCWcvYVjANBgkqhkiG9w0BAQsFADAV
MRMwEQYDVQQDEwprdWJlcm5ldGVzMB4XDTIyMDcyMDE0NDAyM1oXDTIzMDcyMDE0
NDAyM1owIzEQMA4GA1UEChMHbXlncm91cDEPMA0GA1UEAxMGbXl1c2VyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Qv2/aO0AqeM8vlAj6Idd7aaawKG
aXZfthkfjNavhJj6GyWHIEAarX8HJQ0WEvoXXu/xJqoTG7VDZjio8pIVBgLP+jBF
Vc2yohAb4b/BI49aJsal6XTUUGm37Dz4EnuzmcbyIKWPHR68r4LtZ/ffg5o6H53i
fILnheLtgMlasJvaq02crgCA7awLKdQ8foWwMwqX/EY4zuuCrnIa555KcEBFZy3J
PfHmniUfoITumMn1IxhwC4VAx/s+cdn5wealbwLMOsSxLFdC2Cqt8r2QDIwz/gFx
ZIk/npFS0tM+DuTo48QAJ7R/78T80PBobCdAYwM/r8W3nMMkHxFmkdYzNQIDAQAB
oyUwIzATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3
DQEBCwUAA4IBAQBblDFzvOtKEvrgWGfPlu4uzWldlHA8vN1jiBWPqvhQcbk4yHnR
bXEqGySeEIxDXWLnixamDewWm9cG2MVA39fxiwOuuVzwrtKYc07MX9LTV2byK9Qf
s+l06QXm393+b5j2BKAZEPLdDfM4GzyzLgPVCsMTPZho9BN99iwsxnP/temmhCEz
CfKRPX4KNEJgSXbwPsBt2yVv8lxvVJNlzO9Z46R9a9M0cnFoXXRakOSbboSBbCQI
slsZCKvHYP2AYpJhM7ITsvs10C718ROF+/PVIhVzJ6r0CRc7kgTAw6EaQJOBxdcX
jYRTLKW0SI3lVeEqMOjdBbRGlEAPsqRSgy0X
-----END CERTIFICATE-----
至此,普通用户是已经创建好了,但是该用户毫无权限,无法调用API的,需要为这个普通股用户绑定角色才行
创建角色和角色绑定
创建角色
[root@k8s-master k8s-user]# cat >myuser-role.yaml<<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- list
- update
- delete
EOF
[root@k8s-master k8s-user]# kubectl apply -f myuser-role.yaml
role.rbac.authorization.k8s.io/developer created
创建角色绑定
[root@k8s-master k8s-user]# cat >myuser-rolebinding.yaml<<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: developer-binding-myuser
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: myuser
EOF
[root@k8s-master k8s-user]# kubectl apply -f myuser-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/developer-binding-myuser created
至此该用户则拥有defalt空间的pod的create/list/get/update/delete权限,接着我们创建该用户的kubeconfig文件
创建用户的kubeconfig文件
为kubeconfig配置集群信息
# 查询集群名称
[root@k8s-master k8s-user]# kubectl config get-clusters
NAME
kubernetes
[root@k8s-master k8s-user]# kubectl config set-cluster kubernetes --server=https://apiserver.demo:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=config.myuser
Cluster "kubernetes" set.
[root@k8s-master k8s-user]# cat config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://apiserver.demo:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
为kubeconfig配置用户信息
[root@k8s-master k8s-user]# kubectl config set-credentials myuser --client-certificate=myuser.crt --client-key=myuser.key --embed-certs=true --kubeconfig=config.myuser
User "myuser" set.
[root@k8s-master k8s-user]# cat config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://apiserver.demo:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: myuser
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lRRWZjVUFjOFhDdk1TQTZpQ1djdllWakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURjeU1ERTBOREF5TTFvWERUSXpNRGN5TURFMApOREF5TTFvd0l6RVFNQTRHQTFVRUNoTUhiWGxuY205MWNERVBNQTBHQTFVRUF4TUdiWGwxYzJWeU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkZDdhYWF3S0cKYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVZCZ0xQK2pCRgpWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZmc1bzZINTNpCmZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLY0VCRlp5M0oKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlFESXd6L2dGeApaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZek5RSURBUUFCCm95VXdJekFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCYmxERnp2T3RLRXZyZ1dHZlBsdTR1eldsZGxIQTh2TjFqaUJXUHF2aFFjYms0eUhuUgpiWEVxR3lTZUVJeERYV0xuaXhhbURld1dtOWNHMk1WQTM5Znhpd091dVZ6d3J0S1ljMDdNWDlMVFYyYnlLOVFmCnMrbDA2UVhtMzkzK2I1ajJCS0FaRVBMZERmTTRHenl6TGdQVkNzTVRQWmhvOUJOOTlpd3N4blAvdGVtbWhDRXoKQ2ZLUlBYNEtORUpnU1hid1BzQnQyeVZ2OGx4dlZKTmx6TzlaNDZSOWE5TTBjbkZvWFhSYWtPU2Jib1NCYkNRSQpzbHNaQ0t2SFlQMkFZcEpoTTdJVHN2czEwQzcxOFJPRisvUFZJaFZ6SjZyMENSYzdrZ1RBdzZFYVFKT0J4ZGNYCmpZUlRMS1cwU0kzbFZlRXFNT2pkQmJSR2xFQVBzcVJTZ3kwWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM1F2Mi9hTzBBcWVNOHZsQWo2SWRkN2FhYXdLR2FYWmZ0aGtmak5hdmhKajZHeVdICklFQWFyWDhISlEwV0V2b1hYdS94SnFvVEc3VkRaamlvOHBJVkJnTFArakJGVmMyeW9oQWI0Yi9CSTQ5YUpzYWwKNlhUVVVHbTM3RHo0RW51em1jYnlJS1dQSFI2OHI0THRaL2ZmZzVvNkg1M2lmSUxuaGVMdGdNbGFzSnZhcTAyYwpyZ0NBN2F3TEtkUThmb1d3TXdxWC9FWTR6dXVDcm5JYTU1NUtjRUJGWnkzSlBmSG1uaVVmb0lUdW1NbjFJeGh3CkM0VkF4L3MrY2RuNXdlYWxid0xNT3NTeExGZEMyQ3F0OHIyUURJd3ovZ0Z4WklrL25wRlMwdE0rRHVUbzQ4UUEKSjdSLzc4VDgwUEJvYkNkQVl3TS9yOFczbk1Na0h4Rm1rZFl6TlFJREFRQUJBb0lCQUhFdEZob0pmam81dFZZVwpQbk1NS3hCSFEwcjA4UU1BWThMbG5Cek5Ndkt1TEtoSGo2YjRpM0EzY040TWxEZkZLc0FtRkErYTFzdkNCQzlMClpWMUZaRlEram1QbjRTZ3NlSUMzeEw3U0lqNWx3Ri9JSjl5ZlA3R29YMDRxYlUxeFhxU21rd1FhSUd0bGVIQlkKbGRzOHM0azdKdlZYTGtaWDg5aStOcUpROWdrajM1TVdTRUJpQ3NMTFdKUHJkMjk1MXIrUkFqMmMvWmdERU4zagpSZWo4QXBmZ2tla0FnU2YvYmZOekhUUzArT3Z0T1gvb3VxaFNXUXd0ZzBEbHlaZ1FvdVQwN3NlYnlHT2RzUS90Ckppb2k5U0E5ZDBSQkNSaXhtYk5nMGNQNXpTVmpFeVNZSEVPQUpnMjlZbldMNHNpaGNOSmtjL256REtsMXdURlIKMnNGTk8wRUNnWUVBOW45ZWZFMXl3UFI3RXlNelU1R0Z6Z2MycEtrV0JoLzd2eUJ6WnFVbW8zR2lMWkFHL3FBOAptL2RoTnZVSjR3ZURHczg3N3NWVzBYZkxFYkQwcWJMdXRITGU1aWUwUkIwcTJqTTN4WFdnaEJRb1JEOEZJeUJQCnV4b3ZEWk9lZlJGejFtQWw2SGlpUllkVzVtb2Zpam1CNndUb3BCcjk1RDZpbkNPY3R4R1ZQWVVDZ1lFQTVaRnQKWTJNMnprR3k4aUJlampEOVRaYVNJbUNsQUIzV2txNlVGakhPUVYyektMNFdFeFVsd1VlZ3VhNjhxdFk0cUw1MApxS0lWWHE5Znp3Um9KS3dGMTVrTGhuWGIzamFuZ0hWTGU3VmU2SUFVZVUzSHZNZEtSckNSa0M3Z0I2cUVmQmthCmV5d21YWHoyOUh1QStyb3pic1k1M3FHNE9CbkNENFh4SGtqTDlmRUNnWUVBbklwKzRzbjhtbldvdzVxVE9mc3MKMG83YU1QQUF3SnNITVhYV1U5V0dHRDVPRkVsblo4VXpPSWw5LzN6V2JvdVN3eS9naTk1ZktGKy9ZdGpTU0FNTwpmU0tHVS92YkMzYktoQkFLMXlmQWJLQ3dnY2JUNkY3WXc2WDVROUgvME1XSW54Z29ldDVCajQ1SHJjU3Zpd1RDCmNSS0krODc0ZGo4ZzNhL3dFb0xrR0ZFQ2dZQUZDMHo4QWhJU05oOVljcDJoUWpKT29pQlQ0UXUvRk9qQ0VGUHcKcU9kL1NDL0hsV1dteGJBdXJ3UTVFRDNWQXgvN2xUTzdBTlMzWCtNYkNWM0FjSWN3Vll5TFI4dXM5a1ozN0J2YwplLys1M0JhWEU3NXZ4M0U2WEdiV1pERkgrZGN2WXQzU0Z3WkF4NTRsZ1JFMGNTTHdMQ3JaV1hSU3h6NGNXVFVUCkZVWm1BUUtCZ0d6VGVlaStVOWdtRGh5M1NQWGhjYjAzdkFnU1V1ZFhHakhPdlNYMWdsa0RsV3IxQXJUZHlOa1oKbkRSVVNMQUlGcmoybVRTNjF3SlhqUmVSSVEyNWhSN0RhRGE2dnZmaGZmSDlSTGVsaUVxVjF5WVA2cFdWdlhregorMHI4YkRBeEFFZWU2WVFERTM0ZVc4MWpGQitvRlVEaXRFWHhKN2tncVBadkM5TThXOWZVCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
为kubeconfig配置用户context
[root@k8s-master k8s-user]# kubectl config set-context myuser@kubernetes --cluster=kubernetes --user=myuser --kubeconfig=config.myuser
Context "myuser@kubernetes" created.
[root@k8s-master k8s-user]# cat config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://apiserver.demo:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: myuser
name: myuser@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: myuser
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lRRWZjVUFjOFhDdk1TQTZpQ1djdllWakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURjeU1ERTBOREF5TTFvWERUSXpNRGN5TURFMApOREF5TTFvd0l6RVFNQTRHQTFVRUNoTUhiWGxuY205MWNERVBNQTBHQTFVRUF4TUdiWGwxYzJWeU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkZDdhYWF3S0cKYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVZCZ0xQK2pCRgpWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZmc1bzZINTNpCmZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLY0VCRlp5M0oKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlFESXd6L2dGeApaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZek5RSURBUUFCCm95VXdJekFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCYmxERnp2T3RLRXZyZ1dHZlBsdTR1eldsZGxIQTh2TjFqaUJXUHF2aFFjYms0eUhuUgpiWEVxR3lTZUVJeERYV0xuaXhhbURld1dtOWNHMk1WQTM5Znhpd091dVZ6d3J0S1ljMDdNWDlMVFYyYnlLOVFmCnMrbDA2UVhtMzkzK2I1ajJCS0FaRVBMZERmTTRHenl6TGdQVkNzTVRQWmhvOUJOOTlpd3N4blAvdGVtbWhDRXoKQ2ZLUlBYNEtORUpnU1hid1BzQnQyeVZ2OGx4dlZKTmx6TzlaNDZSOWE5TTBjbkZvWFhSYWtPU2Jib1NCYkNRSQpzbHNaQ0t2SFlQMkFZcEpoTTdJVHN2czEwQzcxOFJPRisvUFZJaFZ6SjZyMENSYzdrZ1RBdzZFYVFKT0J4ZGNYCmpZUlRMS1cwU0kzbFZlRXFNT2pkQmJSR2xFQVBzcVJTZ3kwWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM1F2Mi9hTzBBcWVNOHZsQWo2SWRkN2FhYXdLR2FYWmZ0aGtmak5hdmhKajZHeVdICklFQWFyWDhISlEwV0V2b1hYdS94SnFvVEc3VkRaamlvOHBJVkJnTFArakJGVmMyeW9oQWI0Yi9CSTQ5YUpzYWwKNlhUVVVHbTM3RHo0RW51em1jYnlJS1dQSFI2OHI0THRaL2ZmZzVvNkg1M2lmSUxuaGVMdGdNbGFzSnZhcTAyYwpyZ0NBN2F3TEtkUThmb1d3TXdxWC9FWTR6dXVDcm5JYTU1NUtjRUJGWnkzSlBmSG1uaVVmb0lUdW1NbjFJeGh3CkM0VkF4L3MrY2RuNXdlYWxid0xNT3NTeExGZEMyQ3F0OHIyUURJd3ovZ0Z4WklrL25wRlMwdE0rRHVUbzQ4UUEKSjdSLzc4VDgwUEJvYkNkQVl3TS9yOFczbk1Na0h4Rm1rZFl6TlFJREFRQUJBb0lCQUhFdEZob0pmam81dFZZVwpQbk1NS3hCSFEwcjA4UU1BWThMbG5Cek5Ndkt1TEtoSGo2YjRpM0EzY040TWxEZkZLc0FtRkErYTFzdkNCQzlMClpWMUZaRlEram1QbjRTZ3NlSUMzeEw3U0lqNWx3Ri9JSjl5ZlA3R29YMDRxYlUxeFhxU21rd1FhSUd0bGVIQlkKbGRzOHM0azdKdlZYTGtaWDg5aStOcUpROWdrajM1TVdTRUJpQ3NMTFdKUHJkMjk1MXIrUkFqMmMvWmdERU4zagpSZWo4QXBmZ2tla0FnU2YvYmZOekhUUzArT3Z0T1gvb3VxaFNXUXd0ZzBEbHlaZ1FvdVQwN3NlYnlHT2RzUS90Ckppb2k5U0E5ZDBSQkNSaXhtYk5nMGNQNXpTVmpFeVNZSEVPQUpnMjlZbldMNHNpaGNOSmtjL256REtsMXdURlIKMnNGTk8wRUNnWUVBOW45ZWZFMXl3UFI3RXlNelU1R0Z6Z2MycEtrV0JoLzd2eUJ6WnFVbW8zR2lMWkFHL3FBOAptL2RoTnZVSjR3ZURHczg3N3NWVzBYZkxFYkQwcWJMdXRITGU1aWUwUkIwcTJqTTN4WFdnaEJRb1JEOEZJeUJQCnV4b3ZEWk9lZlJGejFtQWw2SGlpUllkVzVtb2Zpam1CNndUb3BCcjk1RDZpbkNPY3R4R1ZQWVVDZ1lFQTVaRnQKWTJNMnprR3k4aUJlampEOVRaYVNJbUNsQUIzV2txNlVGakhPUVYyektMNFdFeFVsd1VlZ3VhNjhxdFk0cUw1MApxS0lWWHE5Znp3Um9KS3dGMTVrTGhuWGIzamFuZ0hWTGU3VmU2SUFVZVUzSHZNZEtSckNSa0M3Z0I2cUVmQmthCmV5d21YWHoyOUh1QStyb3pic1k1M3FHNE9CbkNENFh4SGtqTDlmRUNnWUVBbklwKzRzbjhtbldvdzVxVE9mc3MKMG83YU1QQUF3SnNITVhYV1U5V0dHRDVPRkVsblo4VXpPSWw5LzN6V2JvdVN3eS9naTk1ZktGKy9ZdGpTU0FNTwpmU0tHVS92YkMzYktoQkFLMXlmQWJLQ3dnY2JUNkY3WXc2WDVROUgvME1XSW54Z29ldDVCajQ1SHJjU3Zpd1RDCmNSS0krODc0ZGo4ZzNhL3dFb0xrR0ZFQ2dZQUZDMHo4QWhJU05oOVljcDJoUWpKT29pQlQ0UXUvRk9qQ0VGUHcKcU9kL1NDL0hsV1dteGJBdXJ3UTVFRDNWQXgvN2xUTzdBTlMzWCtNYkNWM0FjSWN3Vll5TFI4dXM5a1ozN0J2YwplLys1M0JhWEU3NXZ4M0U2WEdiV1pERkgrZGN2WXQzU0Z3WkF4NTRsZ1JFMGNTTHdMQ3JaV1hSU3h6NGNXVFVUCkZVWm1BUUtCZ0d6VGVlaStVOWdtRGh5M1NQWGhjYjAzdkFnU1V1ZFhHakhPdlNYMWdsa0RsV3IxQXJUZHlOa1oKbkRSVVNMQUlGcmoybVRTNjF3SlhqUmVSSVEyNWhSN0RhRGE2dnZmaGZmSDlSTGVsaUVxVjF5WVA2cFdWdlhregorMHI4YkRBeEFFZWU2WVFERTM0ZVc4MWpGQitvRlVEaXRFWHhKN2tncVBadkM5TThXOWZVCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
切换kubeconfig中的context
[root@k8s-master k8s-user]# kubectl config use-context myuser@kubernetes --kubeconfig=config.myuser
Switched to context "myuser@kubernetes".
[root@k8s-master k8s-user]# cat config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://apiserver.demo:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: myuser
name: myuser@kubernetes
current-context: myuser@kubernetes
kind: Config
preferences: {}
users:
- name: myuser
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lRRWZjVUFjOFhDdk1TQTZpQ1djdllWakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURjeU1ERTBOREF5TTFvWERUSXpNRGN5TURFMApOREF5TTFvd0l6RVFNQTRHQTFVRUNoTUhiWGxuY205MWNERVBNQTBHQTFVRUF4TUdiWGwxYzJWeU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkZDdhYWF3S0cKYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVZCZ0xQK2pCRgpWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZmc1bzZINTNpCmZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLY0VCRlp5M0oKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlFESXd6L2dGeApaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZek5RSURBUUFCCm95VXdJekFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCYmxERnp2T3RLRXZyZ1dHZlBsdTR1eldsZGxIQTh2TjFqaUJXUHF2aFFjYms0eUhuUgpiWEVxR3lTZUVJeERYV0xuaXhhbURld1dtOWNHMk1WQTM5Znhpd091dVZ6d3J0S1ljMDdNWDlMVFYyYnlLOVFmCnMrbDA2UVhtMzkzK2I1ajJCS0FaRVBMZERmTTRHenl6TGdQVkNzTVRQWmhvOUJOOTlpd3N4blAvdGVtbWhDRXoKQ2ZLUlBYNEtORUpnU1hid1BzQnQyeVZ2OGx4dlZKTmx6TzlaNDZSOWE5TTBjbkZvWFhSYWtPU2Jib1NCYkNRSQpzbHNaQ0t2SFlQMkFZcEpoTTdJVHN2czEwQzcxOFJPRisvUFZJaFZ6SjZyMENSYzdrZ1RBdzZFYVFKT0J4ZGNYCmpZUlRMS1cwU0kzbFZlRXFNT2pkQmJSR2xFQVBzcVJTZ3kwWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM1F2Mi9hTzBBcWVNOHZsQWo2SWRkN2FhYXdLR2FYWmZ0aGtmak5hdmhKajZHeVdICklFQWFyWDhISlEwV0V2b1hYdS94SnFvVEc3VkRaamlvOHBJVkJnTFArakJGVmMyeW9oQWI0Yi9CSTQ5YUpzYWwKNlhUVVVHbTM3RHo0RW51em1jYnlJS1dQSFI2OHI0THRaL2ZmZzVvNkg1M2lmSUxuaGVMdGdNbGFzSnZhcTAyYwpyZ0NBN2F3TEtkUThmb1d3TXdxWC9FWTR6dXVDcm5JYTU1NUtjRUJGWnkzSlBmSG1uaVVmb0lUdW1NbjFJeGh3CkM0VkF4L3MrY2RuNXdlYWxid0xNT3NTeExGZEMyQ3F0OHIyUURJd3ovZ0Z4WklrL25wRlMwdE0rRHVUbzQ4UUEKSjdSLzc4VDgwUEJvYkNkQVl3TS9yOFczbk1Na0h4Rm1rZFl6TlFJREFRQUJBb0lCQUhFdEZob0pmam81dFZZVwpQbk1NS3hCSFEwcjA4UU1BWThMbG5Cek5Ndkt1TEtoSGo2YjRpM0EzY040TWxEZkZLc0FtRkErYTFzdkNCQzlMClpWMUZaRlEram1QbjRTZ3NlSUMzeEw3U0lqNWx3Ri9JSjl5ZlA3R29YMDRxYlUxeFhxU21rd1FhSUd0bGVIQlkKbGRzOHM0azdKdlZYTGtaWDg5aStOcUpROWdrajM1TVdTRUJpQ3NMTFdKUHJkMjk1MXIrUkFqMmMvWmdERU4zagpSZWo4QXBmZ2tla0FnU2YvYmZOekhUUzArT3Z0T1gvb3VxaFNXUXd0ZzBEbHlaZ1FvdVQwN3NlYnlHT2RzUS90Ckppb2k5U0E5ZDBSQkNSaXhtYk5nMGNQNXpTVmpFeVNZSEVPQUpnMjlZbldMNHNpaGNOSmtjL256REtsMXdURlIKMnNGTk8wRUNnWUVBOW45ZWZFMXl3UFI3RXlNelU1R0Z6Z2MycEtrV0JoLzd2eUJ6WnFVbW8zR2lMWkFHL3FBOAptL2RoTnZVSjR3ZURHczg3N3NWVzBYZkxFYkQwcWJMdXRITGU1aWUwUkIwcTJqTTN4WFdnaEJRb1JEOEZJeUJQCnV4b3ZEWk9lZlJGejFtQWw2SGlpUllkVzVtb2Zpam1CNndUb3BCcjk1RDZpbkNPY3R4R1ZQWVVDZ1lFQTVaRnQKWTJNMnprR3k4aUJlampEOVRaYVNJbUNsQUIzV2txNlVGakhPUVYyektMNFdFeFVsd1VlZ3VhNjhxdFk0cUw1MApxS0lWWHE5Znp3Um9KS3dGMTVrTGhuWGIzamFuZ0hWTGU3VmU2SUFVZVUzSHZNZEtSckNSa0M3Z0I2cUVmQmthCmV5d21YWHoyOUh1QStyb3pic1k1M3FHNE9CbkNENFh4SGtqTDlmRUNnWUVBbklwKzRzbjhtbldvdzVxVE9mc3MKMG83YU1QQUF3SnNITVhYV1U5V0dHRDVPRkVsblo4VXpPSWw5LzN6V2JvdVN3eS9naTk1ZktGKy9ZdGpTU0FNTwpmU0tHVS92YkMzYktoQkFLMXlmQWJLQ3dnY2JUNkY3WXc2WDVROUgvME1XSW54Z29ldDVCajQ1SHJjU3Zpd1RDCmNSS0krODc0ZGo4ZzNhL3dFb0xrR0ZFQ2dZQUZDMHo4QWhJU05oOVljcDJoUWpKT29pQlQ0UXUvRk9qQ0VGUHcKcU9kL1NDL0hsV1dteGJBdXJ3UTVFRDNWQXgvN2xUTzdBTlMzWCtNYkNWM0FjSWN3Vll5TFI4dXM5a1ozN0J2YwplLys1M0JhWEU3NXZ4M0U2WEdiV1pERkgrZGN2WXQzU0Z3WkF4NTRsZ1JFMGNTTHdMQ3JaV1hSU3h6NGNXVFVUCkZVWm1BUUtCZ0d6VGVlaStVOWdtRGh5M1NQWGhjYjAzdkFnU1V1ZFhHakhPdlNYMWdsa0RsV3IxQXJUZHlOa1oKbkRSVVNMQUlGcmoybVRTNjF3SlhqUmVSSVEyNWhSN0RhRGE2dnZmaGZmSDlSTGVsaUVxVjF5WVA2cFdWdlhregorMHI4YkRBeEFFZWU2WVFERTM0ZVc4MWpGQitvRlVEaXRFWHhKN2tncVBadkM5TThXOWZVCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
至此,一个完整的配置kubeconfig已经配置好了
[root@k8s-master k8s-user]# kubectl config view --kubeconfig=config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://apiserver.demo:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: myuser
name: myuser@kubernetes
current-context: myuser@kubernetes
kind: Config
preferences: {}
users:
- name: myuser
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
验证该用户的kubeconfig文件
[root@k8s-master k8s-user]# useradd myuser
[root@k8s-master k8s-user]# cp myuser /home/
[root@k8s-master k8s-user]# mkdir /home/myuser/.kube
[root@k8s-master k8s-user]# cp config.myuser /home/myuser/.kube/config
[root@k8s-master k8s-user]# chown myuser:myuser /home/myuser/.kube -R
[myuser@k8s-master ~]$ ll .kube/
total 8
-rw------- 1 myuser myuser 5390 Jul 20 23:25 config
[myuser@k8s-master ~]$ kubectl get pods
No resources found in default namespace.
[myuser@k8s-master ~]$ cat >test-pod.yaml<<'EOF'
apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
app: static
spec:
containers:
- name: web
image: nginx:1.14.2
ports:
- name: web
containerPort: 80
EOF
[myuser@k8s-master ~]$ kubectl apply -f test-pod.yaml
pod/static-web created
[myuser@k8s-master ~]$ kubectl get -f test-pod.yaml
NAME READY STATUS RESTARTS AGE
static-web 1/1 Running 0 2m36s
# 无其他空间权限
[myuser@k8s-master ~]$ kubectl get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "myuser" cannot list resource "pods" in API group "" in the namespace "kube-system"
至此我们的kubeconfig算是基本创建完了,有的人可能会觉得繁琐,所以此处扩展一下快捷生成方式,那就是用kubeadm生成
使用kubeadm快速创建kubeconfig
# 目前小编的集群为1.18.9,kubeadm只能设置user/group/token,没有时间限制参数可以设置(默认为一年),高版本则可以
[root@k8s-master k8s-user]# kubeadm alpha kubeconfig user --help
Output a kubeconfig file for an additional user.
Alpha Disclaimer: this command is currently alpha.
Usage:
kubeadm alpha kubeconfig user [flags]
Examples:
# Output a kubeconfig file for an additional user named foo
kubeadm alpha kubeconfig user --client-name=foo
Flags:
--apiserver-advertise-address string The IP address the API server is accessible on
--apiserver-bind-port int32 The port the API server is accessible on (default 6443)
--cert-dir string The path where certificates are stored (default "/etc/kubernetes/pki")
--client-name string The name of user. It will be used as the CN if client certificates are created
-h, --help help for user
--org strings The orgnizations of the client certificate. It will be used as the O if client certificates are created
--token string The token that should be used as the authentication mechanism for this kubeconfig, instead of client certificates
Global Flags:
--add-dir-header If true, adds the file directory to the header
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
创建用户
# 创建一个用户名为johndoe,用户组为appdevs的kubeconfig(因为没有给该用户绑定role,所以是一个没有任何权限的kubeconfig)
# 该命令会直接打印一个kubeconfig,可以自己重定向到xxxx文件
[root@k8s-master k8s-user]# kubeadm alpha kubeconfig user --org appdevs --client-name johndoe --v=5
I0724 00:20:20.355529 104106 initconfiguration.go:103] detected and using CRI socket: /var/run/dockershim.sock
I0724 00:20:20.355837 104106 interface.go:400] Looking for default routes with IPv4 addresses
I0724 00:20:20.355850 104106 interface.go:405] Default route transits interface "eth0"
I0724 00:20:20.356676 104106 interface.go:208] Interface eth0 is up
I0724 00:20:20.356737 104106 interface.go:256] Interface "eth0" has 1 addresses :[192.168.44.151/24].
I0724 00:20:20.356856 104106 interface.go:223] Checking addr 192.168.44.151/24.
I0724 00:20:20.356867 104106 interface.go:230] IP found 192.168.44.151
I0724 00:20:20.356879 104106 interface.go:262] Found valid IPv4 address 192.168.44.151 for interface "eth0".I0724 00:20:20.356890 104106 interface.go:411] Found active IP 192.168.44.151
I0724 00:20:20.356943 104106 version.go:183] fetching Kubernetes version from URL: https://dl.k8s.io/release/stable-1.txt
I0724 00:20:21.908037 104106 version.go:252] remote version is much newer: v1.24.3; falling back to: stable-1.18
I0724 00:20:21.908145 104106 version.go:183] fetching Kubernetes version from URL: https://dl.k8s.io/release/stable-1.18.txt
W0724 00:20:22.959806 104106 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://192.168.44.151:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: johndoe
name: johndoe@kubernetes
current-context: johndoe@kubernetes
kind: Config
preferences: {}
users:
- name: johndoe
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM0akNDQWNxZ0F3SUJBZ0lJVzFjcmNOR2NSRzR3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TWpBM01Ua3hNek0xTVROYUZ3MHlNekEzTWpNeE5qSXdNak5hTUNReApFREFPQmdOVkJBb1RCMkZ3Y0dSbGRuTXhFREFPQmdOVkJBTVRCMnB2YUc1a2IyVXdnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREJRVDVYVENWSWFTazJhMnkxaVQ5WVY0ZkV3SSt6bnYyWGQyb1EKdmhxSlhPZVBzZWUxaWw5ckp6Y29ac3JyMzJyeG9hS201aEhtTGVQY1diV1lNQ2ZHdWdIN3RuakxoaGs0bVRIdgpOWW51K1VTS2I1RHoxRXhjTnY3U1E4em1rSEsyVUR1VW9vbUlNU28wVDVNbERIOVRHdGJSTnpxenRCeTlQS1czCnNES0k1NFkwZDkzSTUwYmJXbkhTMm5nS0U3d0pxR1dqZnoxQzU5cm1xUHh4ZUI5ellSNEZNTndtcFc2bmtld1AKVmhwdUVFYUZha29ZSjJxaE5pRHdUQVVpenFzRnNVMU9Ca043Y2FoazJRREloOEoxVlZVM3RxZW1jOU1qQmRBMApzbkszbXpjdjNWVGpkZG9qUlQ0dDZ5a0FRWm1ZQzJ3NUo2SlA1UUxQN1VYSW5lS0ZBZ01CQUFHakp6QWxNQTRHCkExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUFMYWpzdi9OTEtnSXZiNFpQeWl1NHVlS1VrbUN4S1R4T2ZhMXFKU1N5UzZ5aDZSMkNDL0RNVDhlQQpxV0E2REtabWF1TENxMm5kRmlWOHBMTHFjUENwaURRd0pyL2pQTVVLZnhIWUJzVTQyTVI0WEVhNVNQTFQzZGhCCmJuNmlMNTdrRThMQTRqWlJHRzB4N0ZZWXQwa0s0amFNejBrd2UrTkNIQWQxN3lxKzlzVnlHc1BORGdPNktJM1AKeEJ3V1RmWWtsT1JuN1Q1UkZXZVVneUxubGlpOG03eTVSUlR6RjY2QSttTVVZWTh1d1hYZ2Q1YTZLQkxwN1dnVgpmem4rZ2dhUlV1bFV1Wks1SDJRZm1MWkszRWh0by80M0JCS0NYbGJVS2JsOTJTSkNvYXFGSURCcFNyYnRSZlhCCjV4VWJzc29BUG5weG9ZSzRHSXdlR0s1RitaSjBBdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd1VFK1Ywd2xTR2twTm10c3RZay9XRmVIeE1DUHM1NzlsM2RxRUw0YWlWem5qN0huCnRZcGZheWMzS0diSzY5OXE4YUdpcHVZUjVpM2ozRm0xbURBbnhyb0IrN1o0eTRZWk9Ka3g3eldKN3ZsRWltK1EKODlSTVhEYiswa1BNNXBCeXRsQTdsS0tKaURFcU5FK1RKUXgvVXhyVzBUYzZzN1FjdlR5bHQ3QXlpT2VHTkhmZAp5T2RHMjFweDB0cDRDaE84Q2FobG8zODlRdWZhNXFqOGNYZ2ZjMkVlQlREY0pxVnVwNUhzRDFZYWJoQkdoV3BLCkdDZHFvVFlnOEV3RklzNnJCYkZOVGdaRGUzR29aTmtBeUlmQ2RWVlZON2FucG5QVEl3WFFOTEp5dDVzM0w5MVUKNDNYYUkwVStMZXNwQUVHWm1BdHNPU2VpVCtVQ3orMUZ5SjNpaFFJREFRQUJBb0lCQUVDYUl0RGo3NEtwUk5HZwpUNUxQOHBFQmthMUFBY20xMkdnTnp6TVJtYVZablQ3MzVkRldGRmVwb0ZLdEtpQjNhelNqSjlCTEVLaTFwbm8rCnN1blJEenJyYTBaTjFVdVQ1Rko3UTZvSFo3aXZNeTVqNVR6ZE56bU1XTnJKTjNITHo4MEtQU0NPeFJMMS9IbkkKTUJRdWZWRzJveUVGS1daeFN6b25UKzU3eENqblJ4S0NiN3lzUXpjdVhLbFljYmNUWWtuWDladzVMWXlvMVlyNAorSEN4bnpzb2xsN2lBd0huUUwra1NNbnVLOE85bzh2elhDbCs3eDVYWmZxMG9JTS96aDFnMzV6QXpwaExPYTJ0CjR4azN2ZmxkVXlWWG44M2V6bG5samZLcVhNcUhYby9iVlUvVk14SDRhRkUrYjZLdk4rRVZPUmpmQjBialQ1UXUKN1UyWlUzRUNnWUVBOVlENm94ZWRWQjV4R3oreDUrdlJJbDJiblpyTndYME9yYWJQbW9aUmVQT0NGZnpNc3VJcQovQjdlQnU0WUtIeVVka1NVM1UzUmgwM2I0T2dRck5VRW5DT3VxTC9tZDhlU2wyenRQcGhqS2xiZ2RsbzdYSkw4CnE4MVNCK1UyV0ROQ3Y1TDBXeE5EZGY2d0I1LytsYmVaY3FOejlvSnlscnd1cXVuTDZRdHpqQU1DZ1lFQXlZUm4KU0JJaTA4MU1raXhFempJY3VXVVNLYmhvRkZ4SGpaV3V6dklYWGZMUEt4ZzdZWXRubEc4ZmxNR2ZTVitLeHFjYwoyQUVJYmwxclRvdERUTTZhZ2JZaDVxQzQ0VHpCRlJJeHhIRXNVTjkxUFJCTnFTWGx5V3lQUjVWYjI5TzFzOTc2CnhUMU91cCtRZHkyREhoZGJ5MWIzNkZnK0NvYThIRU54VVkvTHhOY0NnWUVBaXhCamFPemdkcHpEenY2V2hOdkUKWENZUUZ3ZHdVNURHTnNGTnlhY2FFVnhHTExSRk0zTC9qRTdqejZNZzFoWXpkb2JFbUZNVFJBUnJiNHVrbm5JUApxVzVnNmovQmljbm5sSlRrRWxmNW5Dc1gvSktDRzU4N053b1gxRmNYSUlEdzUxbVR4dDh6a0d3VFJFNXh4RmI2CnVjQXkyTWp0cGNxMDJLV1VsczZneGdjQ2dZQUpNWjg4ckljbVBxR1ZzYXRaOVBOV2lnUHdIMWV3UmgyRm1pU2wKa0duOGdVMXVXK2FwcHFDTkp4eTd2ckd6dVVZdGxnWTgzSjh6MmROQmZCMFA3Z1Vpa2RxdUdQc1dXNTA3aHQ3NgpaV2R1TVNPNkszby9rMWtPZllOejhwNkVRdjV4UEdVWWhwbUc3aXk3SXpwdUx3YWpHazZwTFExM2tYb1htQVFkCmduLzdkUUtCZ1FDTnIyRFJYMlVmZVlaYTArbXBNMjV6bWM5ZCs1UzhTU21iMU9MTmFXTEhpOVdBZml2eXBkNkcKeVp6Z200STBpZGgzR0RPSEtPU2E0MlY2ZkxIeWxueXVydHl3V2ErRFVvZHdlUkJlYlE2azRYa3FweUlRK1ljNwpRbUd5WlQ5VnpUUmlFb0k5Y05RaWM0QVoxVDJ6RGh5bE1PYVRaZFd0OU55KzBzaHpSTTQ0c0E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
查看用户证书信息
# 查看该用户证书信息
[root@k8s-master k8s-user]# echo LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM0akNDQWNxZ0F3SUJBZ0lJVzFjcmNOR2NSRzR3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TWpBM01Ua3hNek0xTVROYUZ3MHlNekEzTWpNeE5qSXdNak5hTUNReApFREFPQmdOVkJBb1RCMkZ3Y0dSbGRuTXhFREFPQmdOVkJBTVRCMnB2YUc1a2IyVXdnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREJRVDVYVENWSWFTazJhMnkxaVQ5WVY0ZkV3SSt6bnYyWGQyb1EKdmhxSlhPZVBzZWUxaWw5ckp6Y29ac3JyMzJyeG9hS201aEhtTGVQY1diV1lNQ2ZHdWdIN3RuakxoaGs0bVRIdgpOWW51K1VTS2I1RHoxRXhjTnY3U1E4em1rSEsyVUR1VW9vbUlNU28wVDVNbERIOVRHdGJSTnpxenRCeTlQS1czCnNES0k1NFkwZDkzSTUwYmJXbkhTMm5nS0U3d0pxR1dqZnoxQzU5cm1xUHh4ZUI5ellSNEZNTndtcFc2bmtld1AKVmhwdUVFYUZha29ZSjJxaE5pRHdUQVVpenFzRnNVMU9Ca043Y2FoazJRREloOEoxVlZVM3RxZW1jOU1qQmRBMApzbkszbXpjdjNWVGpkZG9qUlQ0dDZ5a0FRWm1ZQzJ3NUo2SlA1UUxQN1VYSW5lS0ZBZ01CQUFHakp6QWxNQTRHCkExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTkJna3Foa2lHOXcwQkFRc0YKQUFPQ0FRRUFMYWpzdi9OTEtnSXZiNFpQeWl1NHVlS1VrbUN4S1R4T2ZhMXFKU1N5UzZ5aDZSMkNDL0RNVDhlQQpxV0E2REtabWF1TENxMm5kRmlWOHBMTHFjUENwaURRd0pyL2pQTVVLZnhIWUJzVTQyTVI0WEVhNVNQTFQzZGhCCmJuNmlMNTdrRThMQTRqWlJHRzB4N0ZZWXQwa0s0amFNejBrd2UrTkNIQWQxN3lxKzlzVnlHc1BORGdPNktJM1AKeEJ3V1RmWWtsT1JuN1Q1UkZXZVVneUxubGlpOG03eTVSUlR6RjY2QSttTVVZWTh1d1hYZ2Q1YTZLQkxwN1dnVgpmem4rZ2dhUlV1bFV1Wks1SDJRZm1MWkszRWh0by80M0JCS0NYbGJVS2JsOTJTSkNvYXFGSURCcFNyYnRSZlhCCjV4VWJzc29BUG5weG9ZSzRHSXdlR0s1RitaSjBBdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K | base64 -d >johndoe.crt
[root@k8s-master k8s-user]# openssl x509 -in johndoe.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6581777143978280046 (0x5b572b70d19c446e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Jul 19 13:35:13 2022 GMT
Not After : Jul 23 16:20:23 2023 GMT
Subject: O=appdevs, CN=johndoe
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c1:41:3e:57:4c:25:48:69:29:36:6b:6c:b5:89:
3f:58:57:87:c4:c0:8f:b3:9e:fd:97:77:6a:10:be:
1a:89:5c:e7:8f:b1:e7:b5:8a:5f:6b:27:37:28:66:
ca:eb:df:6a:f1:a1:a2:a6:e6:11:e6:2d:e3:dc:59:
b5:98:30:27:c6:ba:01:fb:b6:78:cb:86:19:38:99:
31:ef:35:89:ee:f9:44:8a:6f:90:f3:d4:4c:5c:36:
fe:d2:43:cc:e6:90:72:b6:50:3b:94:a2:89:88:31:
2a:34:4f:93:25:0c:7f:53:1a:d6:d1:37:3a:b3:b4:
1c:bd:3c:a5:b7:b0:32:88:e7:86:34:77:dd:c8:e7:
46:db:5a:71:d2:da:78:0a:13:bc:09:a8:65:a3:7f:
3d:42:e7:da:e6:a8:fc:71:78:1f:73:61:1e:05:30:
dc:26:a5:6e:a7:91:ec:0f:56:1a:6e:10:46:85:6a:
4a:18:27:6a:a1:36:20:f0:4c:05:22:ce:ab:05:b1:
4d:4e:06:43:7b:71:a8:64:d9:00:c8:87:c2:75:55:
55:37:b6:a7:a6:73:d3:23:05:d0:34:b2:72:b7:9b:
37:2f:dd:54:e3:75:da:23:45:3e:2d:eb:29:00:41:
99:98:0b:6c:39:27:a2:4f:e5:02:cf:ed:45:c8:9d:
e2:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
2d:a8:ec:bf:f3:4b:2a:02:2f:6f:86:4f:ca:2b:b8:b9:e2:94:
92:60:b1:29:3c:4e:7d:ad:6a:25:24:b2:4b:ac:a1:e9:1d:82:
0b:f0:cc:4f:c7:80:a9:60:3a:0c:a6:66:6a:e2:c2:ab:69:dd:
16:25:7c:a4:b2:ea:70:f0:a9:88:34:30:26:bf:e3:3c:c5:0a:
7f:11:d8:06:c5:38:d8:c4:78:5c:46:b9:48:f2:d3:dd:d8:41:
6e:7e:a2:2f:9e:e4:13:c2:c0:e2:36:51:18:6d:31:ec:56:18:
b7:49:0a:e2:36:8c:cf:49:30:7b:e3:42:1c:07:75:ef:2a:be:
f6:c5:72:1a:c3:cd:0e:03:ba:28:8d:cf:c4:1c:16:4d:f6:24:
94:e4:67:ed:3e:51:15:67:94:83:22:e7:96:28:bc:9b:bc:b9:
45:14:f3:17:ae:80:fa:63:14:61:8f:2e:c1:75:e0:77:96:ba:
28:12:e9:ed:68:15:7f:39:fe:82:06:91:52:e9:54:b9:92:b9:
1f:64:1f:98:b6:4a:dc:48:6d:a3:fe:37:04:12:82:5e:56:d4:
29:b9:7d:d9:22:42:a1:aa:85:20:30:69:4a:b6:ed:45:f5:c1:
e7:15:1b:b2:ca:00:3e:7a:71:a1:82:b8:18:8c:1e:18:ae:45:
f9:92:74:03
创建ServiceAccount
登录dashboard一般可以用secret对应的token,或者使用kubeconfig文件,但是上面的kubeconfig文件目前依然不能用来登录dashboard,因为缺少token字段,让我们看下如何创建token
使用token登录
# 创建SA
[root@k8s-master k8s-user]# cat myuser-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: myuser
namespace: default
[root@k8s-master k8s-user]# kubectl apply -f myuser-sa.yaml
serviceaccount/myuser created
# 当我们创建了一个SA后,其会自动有生成一个secret
[root@k8s-master k8s-user]# kubectl get secret
NAME TYPE DATA AGE
default-token-rsfvm kubernetes.io/service-account-token 3 2d
myuser-token-5lm29 kubernetes.io/service-account-token 3 14m
[root@k8s-master k8s-user]# kubectl get secret myuser-token-5lm29 -o yaml
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
namespace: ZGVmYXVsdA==
token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklsRklVR1JMYm1oVWVWaFFVMGMzTFV4dlVrOVZkSFZ3Vlc5bGJHRkhZemxXTTJKUFFtbzFkMUZKUlc4aWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbTE1ZFhObGNpMTBiMnRsYmkwMWJHMHlPU0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG01aGJXVWlPaUp0ZVhWelpYSWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTNabVEyTWpBd015MDFNRFF3TFRRMU9EY3RZalk1TmkwM1lUYzFOMk0yTUdZNE56QWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2WkdWbVlYVnNkRHB0ZVhWelpYSWlmUS5jRXdOSXJSV1pVWEt4V2o5ZmdQQ2NZdjNvQjIxbmlYX1NzdGFHU041S0ZkSm9FQ1F0emxfaU50SWRZeGNVQ0o4SnUtYllYY3ZNZWlBN2VwajZnbnZ2UkkzcjhUQldWQl83S0xubGd6akx0dkNTQnJrdTlyZ3F1NENyd1R4M0xfdHlhUTNKRmRfTURTUVd0aWZUeTVscVdxT3NhbDNjUzFJOFJ4NTBvSTNCRXZrMTVaY0FsckR2cmpKOUw3THZ3Wnd6VUMyeE1uR1NxMDdueV9JcFlIbDNZRHduUzM5WW1BVmhRLThFeWNockI1LWg2al94SFBacGZpVTN4S1dZR0FFb3ZmZW15NG9md1NfNzA3OWI1ZWU3OGs0Y3V0OWNPaFA1aXdLRTExb1FEUjlicjVzT1B3ZlBwN0R6Nmc5OGFHTFp0NVVkTEZ1bndYQTVpMXlzbmIxTVE=
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: myuser
kubernetes.io/service-account.uid: 7fd62003-5040-4587-b696-7a757c60f870
creationTimestamp: "2022-07-21T13:40:31Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:ca.crt: {}
f:namespace: {}
f:token: {}
f:metadata:
f:annotations:
.: {}
f:kubernetes.io/service-account.name: {}
f:kubernetes.io/service-account.uid: {}
f:type: {}
manager: kube-controller-manager
operation: Update
time: "2022-07-21T13:40:31Z"
name: myuser-token-5lm29
namespace: default
resourceVersion: "21026"
selfLink: /api/v1/namespaces/default/secrets/myuser-token-5lm29
uid: 8d07078c-0f40-4ecf-85f3-770cdf40f996
type: kubernetes.io/service-account-token
获取SA对应secret的token
[root@k8s-master k8s-user]# myuser_token=$(kubectl -n default get secrets myuser-token-5lm29 -o jsonpath={.data.token} |base64 -d)
[root@k8s-master k8s-user]# echo $myuser_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IlFIUGRLbmhUeVhQU0c3LUxvUk9VdHVwVW9lbGFHYzlWM2JPQmo1d1FJRW8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15dXNlci10b2tlbi01bG0yOSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3ZmQ2MjAwMy01MDQwLTQ1ODctYjY5Ni03YTc1N2M2MGY4NzAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXVzZXIifQ.cEwNIrRWZUXKxWj9fgPCcYv3oB21niX_SstaGSN5KFdJoECQtzl_iNtIdYxcUCJ8Ju-bYXcvMeiA7epj6gnvvRI3r8TBWVB_7KLnlgzjLtvCSBrku9rgqu4CrwTx3L_tyaQ3JFd_MDSQWtifTy5lqWqOsal3cS1I8Rx50oI3BEvk15ZcAlrDvrjJ9L7LvwZwzUC2xMnGSq07ny_IpYHl3YDwnS39YmAVhQ-8EychrB5-h6j_xHPZpfiU3xKWYGAEovfemy4ofwS_7079b5ee78k4cut9cOhP5iwKE11oQDR9br5sOPwfPp7Dz6g98aGLZt5UdLFunwXA5i1ysnb1MQ
将token配置到kubeconfig中
[root@k8s-master k8s-user]# kubectl config set-credentials myuser --token=$myuser_token --kubeconfig=config.myuser
User "myuser" set.
[root@k8s-master k8s-user]# cat config.myuser
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EY3hPVEV6TXpVeE0xb1hEVE15TURjeE5qRXpNelV4TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJJCmsxNlIwbVpBVnZMZDFYYlM1aVplV2RKck9SL1NQbUtVV1h3OU1lRndTdWRVOGJLeUcrSmpMYWpFMGhrbUh2RVMKekkvTGVCbXNRZ2Y1Uk9SNnA0V2tRNG1hMkdOV2xvMXh2V2hYR3BjejFjV1BOaVpXd3l3WEt0RmdOM3c0K1lvTQp4bkJoQW9rWFBxNU5XU1NGTXdUREYweGJzeGhBKzJDTlMxTWxxYlhvc05WRFlzVWJBZERnVkphRlVzOFA5R1FoCnVFSVd1Yk81c1Arc3FUUTZxWHd0anZJb1BRK0ozaFVKRVBDQTl6Ry83d2c0L2VZbzFZTnVCOXJMK2k0YWhWMU4KRTBHZExKSDJuR0lLRVFvUzNDQ1ZpUUlzL0JvbDU3bmdwc1lPUm56RVUvdHhhOE1wdGIzSjBuaGw1dmw5aXZEVwoxVWh4OHhtdTR1WUx4bXNTYXJNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFCM2pKV1Vab0x5eDBCeWIrTnJ4N3JxQkRrd2UKMkp5OG4zeC9ISE5TWjNBUWdhTUVDYldrY21wbTZMWnoyUzBpb2NuRVdqUVBYSk03dWliVUNLWkMrRmMwZ09sTgpudHFNa2lxY3BhamJ6SEx3R3lkV3hrVlBUaXF0a0NlODI2cVdUWURjeXpUN1dNYUNTU1FEckJmMkJ2TEFMTWZCCkljZTFYMkRZMXhFZFJrbC9jQjlnWmtIN21WalRNZUcyMGN1Ui9kcTNLdWd6Y0s1WFhwU051OWE1WFdHYk9udXEKajdvTEtKVjhPYTVnMDhmbFJEZlpCL01td3NaMW02RmRmbDZzbDBTR21zNDFvUDFQeHRRVXB2V0d6dVZWT1BxMgpLUUt3dG8wWkhQaVhTNXd0ZFJoQzV2M0tLdVpiUzZoWkV3cS80bjhuZktBN1oyblpLYXVhbGEwR2hZRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://apiserver.demo:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: myuser
name: myuser@kubernetes
current-context: myuser@kubernetes
kind: Config
preferences: {}
users:
- name: myuser
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lRRWZjVUFjOFhDdk1TQTZpQ1djdllWakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURjeU1ERTBOREF5TTFvWERUSXpNRGN5TURFMApOREF5TTFvd0l6RVFNQTRHQTFVRUNoTUhiWGxuY205MWNERVBNQTBHQTFVRUF4TUdiWGwxYzJWeU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNRdjIvYU8wQXFlTTh2bEFqNklkZDdhYWF3S0cKYVhaZnRoa2ZqTmF2aEpqNkd5V0hJRUFhclg4SEpRMFdFdm9YWHUveEpxb1RHN1ZEWmppbzhwSVZCZ0xQK2pCRgpWYzJ5b2hBYjRiL0JJNDlhSnNhbDZYVFVVR20zN0R6NEVudXptY2J5SUtXUEhSNjhyNEx0Wi9mZmc1bzZINTNpCmZJTG5oZUx0Z01sYXNKdmFxMDJjcmdDQTdhd0xLZFE4Zm9Xd013cVgvRVk0enV1Q3JuSWE1NTVLY0VCRlp5M0oKUGZIbW5pVWZvSVR1bU1uMUl4aHdDNFZBeC9zK2NkbjV3ZWFsYndMTU9zU3hMRmRDMkNxdDhyMlFESXd6L2dGeApaSWsvbnBGUzB0TStEdVRvNDhRQUo3Ui83OFQ4MFBCb2JDZEFZd00vcjhXM25NTWtIeEZta2RZek5RSURBUUFCCm95VXdJekFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCYmxERnp2T3RLRXZyZ1dHZlBsdTR1eldsZGxIQTh2TjFqaUJXUHF2aFFjYms0eUhuUgpiWEVxR3lTZUVJeERYV0xuaXhhbURld1dtOWNHMk1WQTM5Znhpd091dVZ6d3J0S1ljMDdNWDlMVFYyYnlLOVFmCnMrbDA2UVhtMzkzK2I1ajJCS0FaRVBMZERmTTRHenl6TGdQVkNzTVRQWmhvOUJOOTlpd3N4blAvdGVtbWhDRXoKQ2ZLUlBYNEtORUpnU1hid1BzQnQyeVZ2OGx4dlZKTmx6TzlaNDZSOWE5TTBjbkZvWFhSYWtPU2Jib1NCYkNRSQpzbHNaQ0t2SFlQMkFZcEpoTTdJVHN2czEwQzcxOFJPRisvUFZJaFZ6SjZyMENSYzdrZ1RBdzZFYVFKT0J4ZGNYCmpZUlRMS1cwU0kzbFZlRXFNT2pkQmJSR2xFQVBzcVJTZ3kwWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM1F2Mi9hTzBBcWVNOHZsQWo2SWRkN2FhYXdLR2FYWmZ0aGtmak5hdmhKajZHeVdICklFQWFyWDhISlEwV0V2b1hYdS94SnFvVEc3VkRaamlvOHBJVkJnTFArakJGVmMyeW9oQWI0Yi9CSTQ5YUpzYWwKNlhUVVVHbTM3RHo0RW51em1jYnlJS1dQSFI2OHI0THRaL2ZmZzVvNkg1M2lmSUxuaGVMdGdNbGFzSnZhcTAyYwpyZ0NBN2F3TEtkUThmb1d3TXdxWC9FWTR6dXVDcm5JYTU1NUtjRUJGWnkzSlBmSG1uaVVmb0lUdW1NbjFJeGh3CkM0VkF4L3MrY2RuNXdlYWxid0xNT3NTeExGZEMyQ3F0OHIyUURJd3ovZ0Z4WklrL25wRlMwdE0rRHVUbzQ4UUEKSjdSLzc4VDgwUEJvYkNkQVl3TS9yOFczbk1Na0h4Rm1rZFl6TlFJREFRQUJBb0lCQUhFdEZob0pmam81dFZZVwpQbk1NS3hCSFEwcjA4UU1BWThMbG5Cek5Ndkt1TEtoSGo2YjRpM0EzY040TWxEZkZLc0FtRkErYTFzdkNCQzlMClpWMUZaRlEram1QbjRTZ3NlSUMzeEw3U0lqNWx3Ri9JSjl5ZlA3R29YMDRxYlUxeFhxU21rd1FhSUd0bGVIQlkKbGRzOHM0azdKdlZYTGtaWDg5aStOcUpROWdrajM1TVdTRUJpQ3NMTFdKUHJkMjk1MXIrUkFqMmMvWmdERU4zagpSZWo4QXBmZ2tla0FnU2YvYmZOekhUUzArT3Z0T1gvb3VxaFNXUXd0ZzBEbHlaZ1FvdVQwN3NlYnlHT2RzUS90Ckppb2k5U0E5ZDBSQkNSaXhtYk5nMGNQNXpTVmpFeVNZSEVPQUpnMjlZbldMNHNpaGNOSmtjL256REtsMXdURlIKMnNGTk8wRUNnWUVBOW45ZWZFMXl3UFI3RXlNelU1R0Z6Z2MycEtrV0JoLzd2eUJ6WnFVbW8zR2lMWkFHL3FBOAptL2RoTnZVSjR3ZURHczg3N3NWVzBYZkxFYkQwcWJMdXRITGU1aWUwUkIwcTJqTTN4WFdnaEJRb1JEOEZJeUJQCnV4b3ZEWk9lZlJGejFtQWw2SGlpUllkVzVtb2Zpam1CNndUb3BCcjk1RDZpbkNPY3R4R1ZQWVVDZ1lFQTVaRnQKWTJNMnprR3k4aUJlampEOVRaYVNJbUNsQUIzV2txNlVGakhPUVYyektMNFdFeFVsd1VlZ3VhNjhxdFk0cUw1MApxS0lWWHE5Znp3Um9KS3dGMTVrTGhuWGIzamFuZ0hWTGU3VmU2SUFVZVUzSHZNZEtSckNSa0M3Z0I2cUVmQmthCmV5d21YWHoyOUh1QStyb3pic1k1M3FHNE9CbkNENFh4SGtqTDlmRUNnWUVBbklwKzRzbjhtbldvdzVxVE9mc3MKMG83YU1QQUF3SnNITVhYV1U5V0dHRDVPRkVsblo4VXpPSWw5LzN6V2JvdVN3eS9naTk1ZktGKy9ZdGpTU0FNTwpmU0tHVS92YkMzYktoQkFLMXlmQWJLQ3dnY2JUNkY3WXc2WDVROUgvME1XSW54Z29ldDVCajQ1SHJjU3Zpd1RDCmNSS0krODc0ZGo4ZzNhL3dFb0xrR0ZFQ2dZQUZDMHo4QWhJU05oOVljcDJoUWpKT29pQlQ0UXUvRk9qQ0VGUHcKcU9kL1NDL0hsV1dteGJBdXJ3UTVFRDNWQXgvN2xUTzdBTlMzWCtNYkNWM0FjSWN3Vll5TFI4dXM5a1ozN0J2YwplLys1M0JhWEU3NXZ4M0U2WEdiV1pERkgrZGN2WXQzU0Z3WkF4NTRsZ1JFMGNTTHdMQ3JaV1hSU3h6NGNXVFVUCkZVWm1BUUtCZ0d6VGVlaStVOWdtRGh5M1NQWGhjYjAzdkFnU1V1ZFhHakhPdlNYMWdsa0RsV3IxQXJUZHlOa1oKbkRSVVNMQUlGcmoybVRTNjF3SlhqUmVSSVEyNWhSN0RhRGE2dnZmaGZmSDlSTGVsaUVxVjF5WVA2cFdWdlhregorMHI4YkRBeEFFZWU2WVFERTM0ZVc4MWpGQitvRlVEaXRFWHhKN2tncVBadkM5TThXOWZVCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlFIUGRLbmhUeVhQU0c3LUxvUk9VdHVwVW9lbGFHYzlWM2JPQmo1d1FJRW8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15dXNlci10b2tlbi01bG0yOSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3ZmQ2MjAwMy01MDQwLTQ1ODctYjY5Ni03YTc1N2M2MGY4NzAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXVzZXIifQ.cEwNIrRWZUXKxWj9fgPCcYv3oB21niX_SstaGSN5KFdJoECQtzl_iNtIdYxcUCJ8Ju-bYXcvMeiA7epj6gnvvRI3r8TBWVB_7KLnlgzjLtvCSBrku9rgqu4CrwTx3L_tyaQ3JFd_MDSQWtifTy5lqWqOsal3cS1I8Rx50oI3BEvk15ZcAlrDvrjJ9L7LvwZwzUC2xMnGSq07ny_IpYHl3YDwnS39YmAVhQ-8EychrB5-h6j_xHPZpfiU3xKWYGAEovfemy4ofwS_7079b5ee78k4cut9cOhP5iwKE11oQDR9br5sOPwfPp7Dz6g98aGLZt5UdLFunwXA5i1ysnb1MQ
为SA创建绑定关系
# 创建绑定关系
[root@k8s-master k8s-user]# cat myuser-rolebinding-sa.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: developer-binding-sa-myuser
namespace: default
subjects:
- kind: ServiceAccount
name: myuser
namespace: default
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
[root@k8s-master k8s-user]# kubectl apply -f myuser-rolebinding-sa.yaml
rolebinding.rbac.authorization.k8s.io/myuser-rolebinding-sa-myuser created
现在我们就可以使用该kubeconfig登录dashboard了,也可以用刚才SA对应secret的token登录。