k8s没有用户管理组件,通过提取client传递过来的证书中的CN为用户名,O字段为组名
安装cfssl
https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
cp cfssl_linux-amd64 /usr/local/bin/cfssl
cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*新建用户ceph的证书
- 准备json,实际使用中,请将#后面的删除
cat <<EOF>> ceph.json { "CN": "ceph", # 用户 "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shanghai", "L": "shanghai", "O": "k8s", #组 "OU": "System" } ] } EOF - 生成crt
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
-ca-key=/etc/kubernetes/pki/ca.key \
-profile=kubernetes ./ceph.json | cfssljson -bare ceph
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
-ca-key=/etc/kubernetes/pki/ca.key \
./ceph.json | cfssljson -bare ceph到此已经为ceph用户生成了证书
创建名为ceph的namespace,ceph可能完全管理这个namespace
这里将将cla***ole的admin作rolebinding绑定至ceph,这个命令需要在能管理k8s的用户下执行
kubectl create rolebinding ceph-admin-binding \
--clusterrole=admin \
--user=ceph \
--namespace=ceph验证证书
centos7中的curl 7.29.0 似乎不能将ceph.pem的公有证书提交到api,造成api认为是匿名访问,curl 7.64.0可以正常访问api
curl -X GET --cert ceph.pem --key ceph-key.pem --cacert cacrt https://192.168.254.99:6444/api/v1/namespaces/ceph/pods生成config
- 生成集群信息
export KUBE_APISERVER=https://192.168.254.99:6444
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=ceph.kubeconfig- 设置客服端谁参数
kubectl config set-credentials ceph \
--client-certificate=ceph.pem \
--client-key=ceph-key.pem \
--embed-certs=true \
--kubeconfig=ceph.kubeconfig- 设置上下文参数
kubectl config set-context ceph \ #这个是上下文名称,可随意取
--cluster=kubernetes \
--user=ceph \
--namespace=ceph \
--kubeconfig=ceph.kubeconfig- 设置默认上下文,注意不能写成~/.kub/config这样样式,否则执行不成功
kubectl config use-context ceph --kubeconfig=ceph.kubeconfig使用kubeconfig
kubectl --kubeconfig=ceph.kubeconfig get pod也可以复制到.kube中使用
cp ceph.kubeconfig ~/.kube/config