Kubernetes has no user management component of its own. When a client authenticates with a certificate, the API server takes the CN of the certificate subject as the user name and each O value as a group name.
Install cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
cp cfssl_linux-amd64 /usr/local/bin/cfssl
cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*
Create a certificate for the new user ceph
- Prepare the CSR JSON. CN is the user name and O is the group name; JSON does not allow comments, so the file must contain only the fields below:
cat <<EOF > ceph.json
{
  "CN": "ceph",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shanghai",
      "L": "shanghai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
- Generate the certificate, signing with the kubernetes profile:
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
  -ca-key=/etc/kubernetes/pki/ca.key \
  -profile=kubernetes ./ceph.json | cfssljson -bare ceph
or without a profile:
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt \
  -ca-key=/etc/kubernetes/pki/ca.key \
  ./ceph.json | cfssljson -bare ceph
cfssljson -bare ceph writes ceph.pem (certificate), ceph-key.pem (private key) and ceph.csr to the current directory.
At this point a certificate has been generated for the ceph user.
Create a namespace named ceph; the ceph user will be allowed to fully manage this namespace.
Bind the admin ClusterRole to the user ceph with a RoleBinding scoped to the ceph namespace. This command must be run as a user who can administer the cluster:
kubectl create rolebinding ceph-admin-binding \
  --clusterrole=admin \
  --user=ceph \
  --namespace=ceph
Verify the certificate
curl 7.29.0 on CentOS 7 seems unable to present the ceph.pem client certificate to the API server, so the API server treats the request as anonymous; curl 7.64.0 accesses the API normally.
curl -X GET --cert ceph.pem --key ceph-key.pem --cacert /etc/kubernetes/pki/ca.crt https://192.168.254.99:6444/api/v1/namespaces/ceph/pods
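The identity mapping stated at the top of the post (CN becomes the user, O becomes the group) and the verification step above can be reproduced offline. The script below is an added example, not part of the original post: it uses openssl instead of cfssl to build a throwaway CA standing in for /etc/kubernetes/pki/ca.crt, issues a ceph client certificate with the same subject that ceph.json produces, prints the user and groups the API server would derive from it, and checks that a certificate with the same subject issued by a different CA is rejected. All file names under $WORK and the "untrusted-ca" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): show how a client certificate
# becomes a Kubernetes identity, using openssl in place of cfssl.
set -e
WORK=$(mktemp -d)                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Toy CA standing in for /etc/kubernetes/pki/ca.crt and ca.key (constructed)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes-ca" \
  -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null

# Client key and CSR with the subject ceph.json produces: CN=ceph (user), O=k8s (group)
openssl req -newkey rsa:2048 -nodes -subj "/CN=ceph/O=k8s" \
  -keyout "$WORK/ceph-key.pem" -out "$WORK/ceph.csr" 2>/dev/null
# Sign it with the cluster CA, short validity (one day)
openssl x509 -req -days 1 -in "$WORK/ceph.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
  -out "$WORK/ceph.pem" 2>/dev/null

# A CA the cluster does not trust (constructed); a certificate it issues for the
# very same CSR must not be accepted even though the subject is identical
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=untrusted-ca" \
  -keyout "$WORK/other-ca-key.pem" -out "$WORK/other-ca.pem" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ceph.csr" \
  -CA "$WORK/other-ca.pem" -CAkey "$WORK/other-ca-key.pem" -CAcreateserial \
  -out "$WORK/impostor.pem" 2>/dev/null

# Print the subject one RDN per line, e.g. "CN=ceph" and "O=k8s"
subject_rdns() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n'
}
# User name the API server would see: the CN
cert_user() { subject_rdns "$1" | sed -n 's/^CN=//p'; }
# Group names the API server would see: every O value, space-separated
cert_groups() { subject_rdns "$1" | sed -n 's/^O=//p' | tr '\n' ' ' | sed 's/ $//'; }
# "yes" if certificate $1 chains to CA file $2, which is all the API server checks
cert_trusted_by() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}
# "yes" if certificate $1 is still valid $2 seconds from now; with no revocation
# in Kubernetes, expiry is the only automatic cutoff for a leaked key
cert_still_valid_in() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

echo "user=$(cert_user "$WORK/ceph.pem") groups=$(cert_groups "$WORK/ceph.pem")"
echo "ceph.pem trusted by cluster CA: $(cert_trusted_by "$WORK/ceph.pem" "$WORK/ca.pem")"
echo "impostor.pem trusted by cluster CA: $(cert_trusted_by "$WORK/impostor.pem" "$WORK/ca.pem")"
echo "ceph.pem still valid in 1h: $(cert_still_valid_in "$WORK/ceph.pem" 3600)"
```

The impostor check is the part worth keeping in mind: the API server accepts any certificate that chains to its CA, whatever the subject says, so the CA key is as sensitive as every user it can mint. Because Kubernetes does not support revoking client certificates, a copied ceph-key.pem stays usable until the certificate expires (cfssl's default signing policy issues one-year certificates), so keep the validity short and watch remaining lifetime with openssl x509 -checkend as in the script. Against the real cluster, kubectl auth can-i --list --kubeconfig=ceph.kubeconfig lists what the ceph identity is actually allowed to do once the rolebinding and kubeconfig are in place.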
Generate the kubeconfig
- Set the cluster information
export KUBE_APISERVER=https://192.168.254.99:6444
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=ceph.kubeconfig
- Set the client credentials
kubectl config set-credentials ceph \
  --client-certificate=ceph.pem \
  --client-key=ceph-key.pem \
  --embed-certs=true \
  --kubeconfig=ceph.kubeconfig
- Set the context parameters (ceph here is the context name and can be chosen freely)
kubectl config set-context ceph \
  --cluster=kubernetes \
  --user=ceph \
  --namespace=ceph \
  --kubeconfig=ceph.kubeconfig
- Set the default context. Note that --kubeconfig must be given here as well; run against ~/.kube/config instead, the step will not work.
kubectl config use-context ceph --kubeconfig=ceph.kubeconfig
Use the kubeconfig
kubectl --kubeconfig=ceph.kubeconfig get pod
It can also be copied to ~/.kube/config and used directly:
cp ceph.kubeconfig ~/.kube/config