Kubernetes: creating a kubeconfig for a user with read-only pod permissions

2022-07-20

Kubernetes has no built-in kind: User, so there is no user object to create.
If kubectl get user returns data, that comes from a third-party component such as KubeSphere.

Step 1: Create the role and its permissions

Username: dev-user1

# dev-user1-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-user1
rules:
  - apiGroups: [""] # core API group, which contains Pods
    resources: ["pods"]
    verbs: ["get", "list", "watch"] # read-only operations only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-user1
subjects:
  - kind: User
    name: dev-user1
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dev-user1 # binds the ClusterRole above
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f dev-user1-clusterrole.yaml

Step 2: Generate a private key for the user

# Define the username, e.g. 'dev-user1'
USER_NAME="dev-user1"

# Define where the certificate and private key are stored
CERT_DIR="./user-certs/${USER_NAME}"
mkdir -p "${CERT_DIR}"

# Generate the user's private key
openssl genrsa -out "${CERT_DIR}/${USER_NAME}.key" 2048

Step 3: Generate a certificate signing request (CSR) for the user

# Generate the CSR; CN (Common Name) is the username, O (Organization) is the user's group
openssl req -new -key "${CERT_DIR}/${USER_NAME}.key" -out "${CERT_DIR}/${USER_NAME}.csr" -subj "/CN=${USER_NAME}/O=devs"

Step 4: Sign the user's CSR with the cluster CA

Sign the user's CSR with the cluster CA certificate and CA private key.

# Paths to the cluster CA
CA_CERT="/etc/kubernetes/pki/ca.crt"
CA_KEY="/etc/kubernetes/pki/ca.key"

# Sign the user certificate, valid for 1 year
openssl x509 -req -in "${CERT_DIR}/${USER_NAME}.csr" \
  -CA "${CA_CERT}" \
  -CAkey "${CA_KEY}" \
  -CAcreateserial \
  -out "${CERT_DIR}/${USER_NAME}.crt" -days 365

Step 5: Generate the user kubeconfig file

Generate the kubeconfig file; it will contain the cluster information, the user certificate and the private key.

# Get the cluster name
CLUSTER_NAME=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')

# Get the API server address
API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

# Path of the kubeconfig file to create
KUBECONFIG_FILE="${CERT_DIR}/kubeconfig-${USER_NAME}"

# Set the cluster entry
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority="${CA_CERT}" \
  --embed-certs=true \
  --server="${API_SERVER}" \
  --kubeconfig="${KUBECONFIG_FILE}"

# Set the user entry (using the user certificate and private key just issued)
kubectl config set-credentials "${USER_NAME}" \
  --client-certificate="${CERT_DIR}/${USER_NAME}.crt" \
  --client-key="${CERT_DIR}/${USER_NAME}.key" \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_FILE}"

# Set the context (associates the user with the cluster)
kubectl config set-context "${USER_NAME}@${CLUSTER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USER_NAME}" \
  --kubeconfig="${KUBECONFIG_FILE}"

# Set the default context
kubectl config use-context "${USER_NAME}@${CLUSTER_NAME}" --kubeconfig="${KUBECONFIG_FILE}"

echo "Kubeconfig: ${KUBECONFIG_FILE}"
echo "证书路径: ${CERT_DIR}/${USER_NAME}.crt"
echo "密钥路径: ${CERT_DIR}/${USER_NAME}.key"

Step 6: Test

Result: the user can only view pods; everything else is denied, including exec into a pod and viewing pod logs.

root@k8s-ms-master:~# KUBECONFIG=${KUBECONFIG_FILE} kubectl get pods 
NAME                              READY   STATUS    RESTARTS      AGE
details-v1-649d7678b5-jn5m9       2/2     Running   0             34d

root@k8s-ms-master:~# KUBECONFIG=${KUBECONFIG_FILE} kubectl get deployment
Error from server (Forbidden): deployments.apps is forbidden: User "dev-user1" cannot list resource "deployments" in API group "apps" in the namespace "default"

root@k8s-ms-master:~# KUBECONFIG=${KUBECONFIG_FILE} kubectl logs details-v1-649d7678b5-jn5m9 
Error from server (Forbidden): pods "details-v1-649d7678b5-jn5m9" is forbidden: User "dev-user1" cannot get resource "pods/log" in API group "" in the namespace "default"

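Added example (not from the original post): an offline re-implementation of the RBAC rule matching that produces the results above, using the same rules as dev-user1-clusterrole.yaml written as Python dicts. It shows why pods/log and pods/exec are denied even though "pods" is granted: a subresource is matched as its own resource name, and RBAC only grants, it never denies.

```python
from dataclasses import dataclass

# Same rules as dev-user1-clusterrole.yaml on this page, written as Python
# dicts so the example runs without a YAML library.
DEV_USER1_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]

@dataclass(frozen=True)
class Request:
    verb: str        # get, list, watch, create, delete, ...
    api_group: str   # "" is the core API group
    resource: str    # "pods", or "pods/log" for a subresource

def _matches(wanted: str, allowed: list) -> bool:
    # "*" in a rule matches anything; otherwise the name must match exactly,
    # so "pods" in a rule never covers "pods/log" or "pods/exec".
    return "*" in allowed or wanted in allowed

def rule_allows(rule: dict, req: Request) -> bool:
    """One rule must match API group, resource and verb together."""
    return (_matches(req.api_group, rule["apiGroups"])
            and _matches(req.resource, rule["resources"])
            and _matches(req.verb, rule["verbs"]))

def is_allowed(rules: list, req: Request) -> bool:
    """RBAC is additive: any matching rule grants access; no rule can deny."""
    return any(rule_allows(rule, req) for rule in rules)

def explain(rules: list, user: str, req: Request) -> str:
    """Mirror the wording of the Forbidden message seen in step 6."""
    verdict = "can" if is_allowed(rules, req) else "cannot"
    return (f'User "{user}" {verdict} {req.verb} resource "{req.resource}" '
            f'in API group "{req.api_group}"')

if __name__ == "__main__":
    # Constructed requests matching what kubectl sends for the step 6 commands:
    # kubectl get pods -> list pods; kubectl get deployment -> list deployments
    # (apps group); kubectl logs -> get pods/log; kubectl exec -> create pods/exec.
    for req in (Request("list", "", "pods"),
                Request("list", "apps", "deployments"),
                Request("get", "", "pods/log"),
                Request("create", "", "pods/exec")):
        print(explain(DEV_USER1_RULES, "dev-user1", req))
```

To grant log access deliberately, the rule would need "pods/log" listed in resources; this script lets you check a candidate rule set before applying it to the cluster.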
