k8s 1.19.1: create a user

K8s has no user-management component of its own. When a client authenticates with an X.509 certificate, the apiserver takes the CN of the certificate subject as the user name and the O field as the group name.

Install cfssl

https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

cp cfssl_linux-amd64 /usr/local/bin/cfssl
cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*

Create a certificate for the new user ceph

  • Prepare the JSON request. The text after each # below is only an explanation; JSON does not allow comments, so delete it before actual use.
    cat <<EOF > ceph.json
    {
    "CN": "ceph", # user name
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "shanghai",
            "L": "shanghai",
            "O": "k8s", # group name
            "OU": "System"
        }
    ]
    }
    EOF
  • Generate the certificate and key, signed by the cluster CA
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
    -ca-key=/etc/kubernetes/pki/ca.key \
    -profile=kubernetes ./ceph.json | cfssljson -bare ceph

The -profile flag selects a signing profile from a cfssl -config file; no config file is passed here, so the same command without -profile is sufficient:

cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
    -ca-key=/etc/kubernetes/pki/ca.key \
    ./ceph.json | cfssljson -bare ceph

At this point a certificate (ceph.pem) and private key (ceph-key.pem) have been generated for the ceph user.

Create a namespace named ceph; the ceph user will be allowed to fully manage this namespace.

Here the built-in ClusterRole admin is bound to the user ceph with a RoleBinding, so the admin permissions apply only inside the ceph namespace. This command must be run as a user who is already allowed to manage the cluster.

kubectl create  rolebinding ceph-admin-binding \
    --clusterrole=admin \
    --user=ceph \
    --namespace=ceph

Verify the certificate

curl 7.29.0 as shipped in CentOS 7 seems unable to present the ceph.pem client certificate to the API, so the apiserver treats the request as anonymous access; curl 7.64.0 reaches the API normally.

curl -X GET --cert ceph.pem --key ceph-key.pem --cacert /etc/kubernetes/pki/ca.crt https://192.168.254.99:6444/api/v1/namespaces/ceph/pods

Generate the kubeconfig

  • Generate cluster information
export KUBE_APISERVER=https://192.168.254.99:6444

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=ceph.kubeconfig
  • Set the client authentication parameters
kubectl config set-credentials ceph \
  --client-certificate=ceph.pem \
  --client-key=ceph-key.pem \
  --embed-certs=true \
  --kubeconfig=ceph.kubeconfig
  • Set the context parameters (the context name, ceph here, can be anything)
kubectl config set-context ceph \
  --cluster=kubernetes \
  --user=ceph \
  --namespace=ceph \
  --kubeconfig=ceph.kubeconfig
  • Set the default context. Note that the kubeconfig path cannot be written in the ~/.kube/config style here, otherwise the command will not succeed
kubectl config use-context  ceph --kubeconfig=ceph.kubeconfig
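The following is an added example, not part of the original post, showing what the RoleBinding step and the four kubectl config commands above actually produce. It builds the same kubeconfig structure (with --embed-certs=true the file contents are stored base64-encoded in the *-data fields), builds the Namespace and RoleBinding objects that the kubectl create commands submit, and runs a few sanity checks before the file is handed out. The PEM strings are constructed placeholders standing in for ceph.pem, ceph-key.pem and /etc/kubernetes/pki/ca.crt; the function names are this example's own. The output is JSON, which kubectl accepts as a kubeconfig because JSON is valid YAML.

```python
import base64
import json

# Constructed placeholder PEM bodies; real files come from cfssl as shown above.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder-ca...\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder-ceph...\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder-key...\n-----END RSA PRIVATE KEY-----\n"


def embed(pem: str) -> str:
    """--embed-certs=true: store the file contents base64-encoded instead of a path."""
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(server, ca_pem, cert_pem, key_pem, user, namespace, context="ceph"):
    """Equivalent of set-cluster, set-credentials, set-context and use-context."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{
            "name": "kubernetes",
            "cluster": {"server": server, "certificate-authority-data": embed(ca_pem)},
        }],
        "users": [{
            "name": user,
            "user": {"client-certificate-data": embed(cert_pem), "client-key-data": embed(key_pem)},
        }],
        "contexts": [{
            "name": context,
            "context": {"cluster": "kubernetes", "user": user, "namespace": namespace},
        }],
        "current-context": context,
        "preferences": {},
    }


def namespace_manifest(namespace):
    """Equivalent of: kubectl create namespace <namespace>"""
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": namespace}}


def rolebinding_manifest(user, namespace, name="ceph-admin-binding"):
    """Equivalent of: kubectl create rolebinding ceph-admin-binding --clusterrole=admin --user=ceph --namespace=ceph
    A RoleBinding that references a ClusterRole grants that role's rules only inside its own namespace."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "User", "name": user, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"},
    }


def check_kubeconfig(cfg):
    """Sanity checks: the current context exists, it points at a known cluster and user,
    and the user carries both certificate and key (without them the apiserver sees
    an anonymous request, as with the old curl above)."""
    ctx = next((c for c in cfg["contexts"] if c["name"] == cfg["current-context"]), None)
    if ctx is None:
        return False
    users = {u["name"]: u["user"] for u in cfg["users"]}
    clusters = {c["name"] for c in cfg["clusters"]}
    user = users.get(ctx["context"]["user"])
    if ctx["context"]["cluster"] not in clusters or user is None:
        return False
    return bool(user.get("client-certificate-data")) and bool(user.get("client-key-data"))


if __name__ == "__main__":
    cfg = build_kubeconfig("https://192.168.254.99:6444", CA_PEM, CLIENT_CERT_PEM,
                           CLIENT_KEY_PEM, user="ceph", namespace="ceph")
    assert check_kubeconfig(cfg)
    with open("ceph.kubeconfig", "w") as f:
        json.dump(cfg, f, indent=2)
    print(json.dumps([namespace_manifest("ceph"), rolebinding_manifest("ceph", "ceph")], indent=2))
```

The generated file embeds the user's private key, so treat ceph.kubeconfig like ceph-key.pem itself: restrict its permissions (chmod 600) and hand it only to the person who is meant to act as ceph. The RoleBinding manifest can be applied with kubectl apply -f in place of the kubectl create command if a declarative, reviewable record of the grant is preferred.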

Use the kubeconfig

kubectl  --kubeconfig=ceph.kubeconfig  get pod

It can also be copied to ~/.kube/config and used as the default:

cp ceph.kubeconfig ~/.kube/config

Source: blog.51cto.com/penguintux/2535461