Issuing a separate certificate for each k8s user

Issue a certificate for user std-01

mkdir -p /data/pkg/k8s-key/clusterCA
cd /data/pkg/k8s-key
# Generate the RSA private key
openssl genrsa -out std-01.key 2048
# Generate the certificate signing request. Note: the CN becomes the Kubernetes username, the O becomes the group
openssl req -new -key std-01.key -out std-01.csr -subj "/CN=std-01/O=students"


# Copy the CA files out of the k8s (kind) control-plane container first (they represent the issuing authority).
# Caution: ca.key is the cluster's root of trust. Anyone holding it can mint a certificate for any username
# and any group, including system:masters. Keep it on a trusted host, delete it when done, and on a real
# cluster prefer the CertificateSigningRequest API (signerName kubernetes.io/kube-apiserver-client),
# which signs with the CA without ever exporting the key.
docker cp ha-control-plane:/etc/kubernetes/pki/ca.crt /data/pkg/k8s-key/clusterCA/
docker cp ha-control-plane:/etc/kubernetes/pki/ca.key /data/pkg/k8s-key/clusterCA/
# Sign the std-01 certificate. 10 years here; Kubernetes has no revocation for client certificates,
# so the validity period is the only thing limiting the lifetime of a leaked key, and a shorter one is safer.
openssl x509 -req -in std-01.csr -CA /data/pkg/k8s-key/clusterCA/ca.crt -CAkey /data/pkg/k8s-key/clusterCA/ca.key -days 3650 -CAcreateserial -out std-01.crt


# Check that the certificate chains to the cluster CA
openssl verify -CAfile /data/pkg/k8s-key/clusterCA/ca.crt std-01.crt

Generate a kubeconfig file for user std-01 (optional)

# Cluster entry (CA and API server address)
kubectl config --kubeconfig=/data/pkg/k8s-key/std-01-kcfg set-cluster std-01-cluster --server=https://172.18.0.3:6443 --certificate-authority=/data/pkg/k8s-key/clusterCA/ca.crt --embed-certs=true

# User entry for std-01 (name, certificate, private key); --embed-certs=true inlines the PEM files, so the kubeconfig is self-contained and contains the private key
kubectl config --kubeconfig=/data/pkg/k8s-key/std-01-kcfg set-credentials std-01 --client-key=/data/pkg/k8s-key/std-01.key --client-certificate=/data/pkg/k8s-key/std-01.crt --embed-certs=true

# Context (ties the cluster and the user together). No --namespace is set here, so kubectl falls back to "default";
# add --namespace=std-01 if the user should land in their own namespace without passing -n
kubectl config --kubeconfig=/data/pkg/k8s-key/std-01-kcfg set-context std-01@std-01-cluster --cluster=std-01-cluster --user=std-01

# Select the context to use (use-context takes only the context name; it has no --user flag)
kubectl config --kubeconfig=/data/pkg/k8s-key/std-01-kcfg use-context std-01@std-01-cluster
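The following script is an added example and not code from the original post. It repeats the openssl issuance for user std-01 in group students from the first section, writes the kubeconfig by hand (the same document that `kubectl config set-cluster`, `set-credentials` and `set-context` with `--embed-certs=true` produce, except that it also pins a default namespace on the context) and then reads the identity and the remaining validity back out of the file, which is the check worth doing before a kubeconfig is handed to a user. It assumes openssl, base64 and mktemp are installed; the CA is a throwaway one created by `make_demo_ca` so the script runs offline (in the post it is the cluster CA copied out of the kind control-plane container), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Issues a client certificate for
# a Kubernetes user, builds the kubeconfig by hand and inspects it.
# Assumptions: openssl, base64, mktemp available; throwaway CA from make_demo_ca.
set -eu

# make_demo_ca DIR: throwaway CA, constructed for this example only
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-kubernetes-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_user_cert DIR CA_CRT CA_KEY USER GROUP DAYS
#   writes DIR/USER.key, DIR/USER.csr and DIR/USER.crt
issue_user_cert() {
  local dir="$1" ca_crt="$2" ca_key="$3" user="$4" group="$5" days="$6"
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  # CN is mapped to the Kubernetes username, each O to a group
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/CN=$user/O=$group" 2>/dev/null
  openssl x509 -req -in "$dir/$user.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -days "$days" -out "$dir/$user.crt" 2>/dev/null
}

# b64 FILE: single-line base64, the form in which --embed-certs=true stores PEM files
b64() { base64 <"$1" | tr -d '\n'; }

# write_kubeconfig OUT SERVER CA_CRT USER CRT KEY NAMESPACE
#   hand-written equivalent of the three kubectl config commands, plus a
#   default namespace on the context
write_kubeconfig() {
  local out="$1" server="$2" ca_crt="$3" user="$4" crt="$5" key="$6" ns="$7"
  cat >"$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $user-cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca_crt")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: $user@$user-cluster
  context:
    cluster: $user-cluster
    user: $user
    namespace: $ns
current-context: $user@$user-cluster
EOF
  chmod 600 "$out"   # the file now carries the user's private key
}

# embedded_client_cert FILE: the PEM client certificate stored in the kubeconfig
embedded_client_cert() {
  sed -n 's/^ *client-certificate-data: //p' "$1" | base64 -d
}

# kubeconfig_identity FILE -> "CN=<user> O=<group>": what kube-apiserver will
# authenticate this kubeconfig as
kubeconfig_identity() {
  embedded_client_cert "$1" | openssl x509 -noout -subject -nameopt sep_multiline \
    | sed -n -e 's/^[[:space:]]*CN=/CN=/p' -e 's/^[[:space:]]*O=/O=/p' \
    | tr '\n' ' ' | sed 's/ $//'
}

# kubeconfig_cert_valid_for FILE DAYS: succeeds only if the embedded certificate
# is still valid DAYS from now (Kubernetes cannot revoke it, so the validity
# period is the only lifetime control there is)
kubeconfig_cert_valid_for() {
  embedded_client_cert "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# End-to-end run with the post's names; prints the identity and the work dir
demo() {
  local d; d=$(mktemp -d)
  make_demo_ca "$d"
  issue_user_cert "$d" "$d/ca.crt" "$d/ca.key" std-01 students 365
  openssl verify -CAfile "$d/ca.crt" "$d/std-01.crt"
  write_kubeconfig "$d/std-01-kcfg" https://172.18.0.3:6443 "$d/ca.crt" \
    std-01 "$d/std-01.crt" "$d/std-01.key" std-01
  kubeconfig_identity "$d/std-01-kcfg"; echo
  echo "kubeconfig written to $d/std-01-kcfg"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh issue.sh demo` (file name is the example's own). `kubeconfig_identity` is the line to compare against the RBAC bindings: the RoleBinding subject must equal the CN exactly, and a group-level binding must name the O value. If the identity printed is not what the bindings expect, the user gets a `Forbidden` even though authentication succeeds.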


Test

kubectl get po --kubeconfig=/data/pkg/k8s-key/std-01-kcfg

A "Forbidden" error on the resource means authentication has already succeeded: the API server accepted the client certificate and mapped its CN to the user std-01. Only authorization (RBAC) is still missing. A certificate problem would show up as an "Unauthorized" (401) or TLS error instead.

[root@lqz-test-demo k8s-key]# kubectl get po --kubeconfig=/data/pkg/k8s-key/std-01-kcfg
Error from server (Forbidden): pods is forbidden: User "std-01" cannot list resource "pods" in API group "" in the namespace "default": RBAC: role.rbac.authorization.k8s.io "role-std-01" not found
[root@lqz-test-demo k8s-key]#

RBAC authorization (single namespace std-01)

# Create the namespace
kubectl create namespace std-01
# Create the role; it must be created in namespace std-01 (all verbs on all resources is full admin of that namespace, secrets included)
kubectl create role role-std-01 --verb=* --resource=* -n std-01
# Bind the role to user std-01 (the CN of the certificate); the binding must also live in namespace std-01
kubectl create rolebinding rolebinding-std-01 --role=role-std-01 --user=std-01 -n std-01

# Cleanup:
# kubectl delete role role-std-01 -n std-01
# kubectl delete rolebinding rolebinding-std-01 -n std-01

Test

kubectl get po --kubeconfig=/data/pkg/k8s-key/std-01-kcfg -n std-01

If std-01 should be the default identity (optional, not tested)

View the current contexts

[root@lqz-test-demo k8s-key]# kubectl config get-contexts
CURRENT   NAME             CLUSTER          AUTHINFO   NAMESPACE
*         kind-ha          kind-ha          kind-ha

Create the context. Note that without --kubeconfig this writes to the default kubeconfig (~/.kube/config), which does not yet contain the cluster std-01-cluster or the user std-01; those entries were written to /data/pkg/k8s-key/std-01-kcfg above. Either repeat set-cluster and set-credentials against ~/.kube/config first, or list both files in KUBECONFIG (KUBECONFIG=~/.kube/config:/data/pkg/k8s-key/std-01-kcfg), otherwise the new context points at entries that do not exist.

kubectl config set-context std-01-context --cluster=std-01-cluster --user=std-01 --namespace=std-01
[root@lqz-test-demo k8s-key]# kubectl config get-contexts
CURRENT   NAME             CLUSTER          AUTHINFO   NAMESPACE
*         kind-ha          kind-ha          kind-ha
          std-01-context   std-01-cluster   std-01     std-01
[root@lqz-test-demo k8s-key]#

Switch context

[root@lqz-test-demo k8s-key]# kubectl config use-context std-01-context
Switched to context "std-01-context".
[root@lqz-test-demo k8s-key]# kubectl config get-contexts
CURRENT   NAME             CLUSTER          AUTHINFO   NAMESPACE
          kind-ha          kind-ha          kind-ha
*         std-01-context   std-01-cluster   std-01     std-01
[root@lqz-test-demo k8s-key]#

RBAC authorization across namespaces with a ClusterRole (not verified)

Only get permission on pods in the kube-system namespace. The Role grants get, not list (get pods/<name> works, kubectl get pods does not). The resource is narrowed to pods, matching the role's name: get on "*" in kube-system would also cover secrets, which hold bootstrap and service-account tokens.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: get-system-pods
rules:
- apiGroups: [""]
  resources: ["pods"]   # not "*": get on every core resource in kube-system would include secrets
  verbs: ["get"]

Permission to get nodes (nodes are cluster-scoped, so this has to be a ClusterRole)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: get-nodes
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get"]

All permissions in the std-01 namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: std-01
  name: std-01-full-access
rules:
- apiGroups: ["*"]   # "" would cover only the core group (pods, services, ...), not apps, batch, ...
  resources: ["*"]
  verbs: ["*"]

Bind the permissions

# The two Role manifests and the ClusterRole manifest above must be applied first (kubectl apply -f <file>)
kubectl create rolebinding get-system-pods-binding --role=get-system-pods --user=std-01 -n kube-system
# A ClusterRoleBinding is needed here: nodes are not namespaced, so a RoleBinding could never match them
kubectl create clusterrolebinding get-nodes-binding --clusterrole=get-nodes --user=std-01
kubectl create rolebinding std-01-full-access-binding --role=std-01-full-access --user=std-01 -n std-01
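Both RBAC sections end with a single `kubectl get po` as the test. The script below is an added example (not from the original post) that checks the whole grant as a table with `kubectl auth can-i`: what std-01 must be able to do, and, just as important, what std-01 must not be able to do. It assumes kubectl is installed and can reach the cluster, and that it is run either with the std-01 kubeconfig from above or with an admin kubeconfig and impersonation (`--as=std-01 --as-group=students`), which tests the grants without holding the user's private key. The function names and the expectation table are the example's own; the expected rows reflect the bindings above (the ClusterRole section), so on a cluster that has only the first, single-namespace binding the nodes and kube-system rows will report mismatches.

```shell
#!/bin/sh
# Added example, not from the original post: table-driven RBAC check with
# `kubectl auth can-i`. Assumptions: kubectl installed and able to reach the
# cluster; the std-01 kubeconfig or an admin kubeconfig with impersonation.
set -eu

# can_i KUBECTL_OPTS VERB RESOURCE [NAMESPACE] -> prints yes or no
# (kubectl auth can-i prints "no" and exits 1 when denied, hence the || true)
can_i() {
  local opts="$1" verb="$2" resource="$3" ns="${4:-}"
  # shellcheck disable=SC2086  # $opts is a list of flags on purpose
  if [ -n "$ns" ]; then
    kubectl $opts auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true
  else
    kubectl $opts auth can-i "$verb" "$resource" 2>/dev/null || true
  fi
}

# check_rbac KUBECTL_OPTS: reads "EXPECT VERB RESOURCE [NAMESPACE]" lines on
# stdin (blank lines and # comments ignored), prints every mismatch and returns
# the number of mismatches, so 0 means the cluster matches the table
check_rbac() {
  local opts="$1" bad=0 expect verb resource ns got
  while read -r expect verb resource ns; do
    case "$expect" in ''|'#'*) continue ;; esac
    got=$(can_i "$opts" "$verb" "$resource" "$ns")
    if [ "$got" != "$expect" ]; then
      echo "MISMATCH: $verb $resource${ns:+ -n $ns}: expected $expect, got ${got:-<error>}"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Expectations for the std-01 setup in this post: full access in std-01,
# get on nodes cluster-wide, get (not list) on pods in kube-system, nothing else
check_std01() {
  check_rbac "$1" <<'EOF'
# expect verb   resource             namespace
yes      list   pods                 std-01
yes      create secrets              std-01
no       list   pods                 default
yes      get    nodes
no       list   nodes
yes      get    pods                 kube-system
no       list   pods                 kube-system
no       list   secrets              kube-system
no       create clusterrolebindings
EOF
}

# Usage: sh rbac-check.sh --kubeconfig=/data/pkg/k8s-key/std-01-kcfg
#    or: sh rbac-check.sh --as=std-01 --as-group=students   (admin kubeconfig)
if [ $# -gt 0 ]; then check_std01 "$*"; fi
```

The "no" rows are the ones that catch mistakes such as a binding created in the wrong namespace or a ClusterRoleBinding used where a RoleBinding was meant; a test that only checks the allowed action passes in both cases.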