# 官方提供@yunTaoScripts 账户管理 🔥🔥
# 用户账号登录K8S
- 出现如下报错信息,就代表没有正确登录K8S。
登录报错
The connection to the server localhost:8080 was refused - did you specify the right host or port?
- 登录了主机还不够,还需要登录到K8S。
# 令牌登录
- token 令牌:将令牌和用户绑定。默认没有开启,可以手动创建,即手动编写认证文件。
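# Static-token authentication. The API server reads a CSV of
# "token,username,uid[,group,...]" rows from --token-auth-file. Tokens in that
# file never expire and can only be rotated or revoked by editing the file and
# restarting the API server, so keep the file root-only and treat every row as
# a long-lived bearer credential.
TOKEN="$(openssl rand -hex 10)"   # 10 random bytes -> 20 hex characters; kept in a variable instead of being pasted by hand
cd /etc/kubernetes/pki
echo "${TOKEN},yuntao,1" > xxxx.csv
chmod 600 xxxx.csv                # the token grants access; do not leave it world-readable
# Add the following argument to the kube-apiserver container command in the
# static pod manifest:
#   --token-auth-file=/etc/kubernetes/pki/xxxx.csv
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# The kubelet re-creates the static pod when its manifest changes; restarting
# it forces the reload.
systemctl restart kubelet
kubectl options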
- 在其他随便一台机器上运行
# Run from any host that can reach the API server, authenticating with the
# token written to xxxx.csv. --insecure-skip-tls-verify disables server
# certificate verification, so the client cannot distinguish the real API
# server from another endpoint answering on that address; outside a lab,
# pass the cluster CA with --certificate-authority instead.
kubectl get nodes \
  --server=https://10.211.55.111:6443 \
  --insecure-skip-tls-verify=true \
  --token=ddf74fa304304569f157
- 这个说明: 没有登录成功。
error: You must be logged in to the server (Unauthorized)
- 这个说明: 登录成功,但是没有权限。
Error from server (Forbidden): nodes is forbidden: User "xxxx" cannot list resource "nodes" in API group "" at the cluster scope
- 对用户授权
# Binds the user to the built-in cluster-admin ClusterRole, i.e. unrestricted
# access to every resource in every namespace. Acceptable in a lab; for a real
# account bind a narrower Role/ClusterRole (see the RBAC section further down).
kubectl create clusterrolebinding xxxx-clusterRoleBinding \
  --clusterrole=cluster-admin \
  --user=xxxx
授完权,就可以访问了。
# kubeconfig文件登录
# 默认kubeconfig文件
- 安装好集群之后,系统会自动生成管理员可用的kubeconfig文件
# The installer-generated administrator kubeconfig. It embeds the admin client
# certificate and private key, so the file itself is a cluster-admin credential:
# restrict its permissions and do not copy it around more than necessary.
cat /etc/kubernetes/admin.conf
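# Default admin kubeconfig, with certificate/key material redacted. Each
# `clusters` entry is an API endpoint, each `users` entry a credential, and a
# `context` ties one of each together (optionally with a default namespace).
# `current-context` is the context kubectl uses when none is specified.
# (The original listing had lost its indentation; restored here.)
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data:  # base64-encoded PEM of the cluster CA (redacted)
      server: https://10.211.55.111:6443
    name: cluster_cts
  - cluster:
      certificate-authority-data:  # redacted
      server: https://10.211.55.121:6443
    name: cluster_yts
contexts:
  - context:
      cluster: cluster_cts
      namespace: 14-devops  # default namespace while this context is active
      user: xxxx_cts
    name: context_cts
  - context:
      cluster: cluster_yts
      user: xxxx_yts
    name: context_yts
current-context: context_cts
kind: Config
preferences: {}
users:
  - name: xxxx_cts
    user:
      client-certificate-data:  # base64-encoded PEM client certificate ("user public key" in the original notes) — redacted
      client-key-data:  # base64-encoded PEM client private key — redacted; this is the secret part
  - name: xxxx_yts
    user:
      client-certificate-data:  # redacted
      client-key-data:  # redacted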
- 指定 kubeconfig 文件的方式有多种,优先级从上到下由高到低。
- 手动指定kubeconfig文件。先把文件拷贝过去,再指定。
# An explicit --kubeconfig has the highest precedence; the file must already
# be present on this machine.
kubectl --kubeconfig=./admin.conf get nodes
- 使用
KUBECONFIG
环境变量。
# Second in precedence: point the KUBECONFIG environment variable at the file.
KUBECONFIG="$HOME/admin.conf"
export KUBECONFIG
- 使用默认值
~/.kube/config
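# Lowest precedence: the default path ~/.kube/config (run from ~/.kube).
# Copy straight to the final name instead of copy-then-rename, and restrict
# the file to its owner because it embeds a private key.
cp ../admin.conf ./config
chmod 600 ./config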
# 自定义kubeconfig文件
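# Create a private key and a certificate signing request for user "xxxx".
# 1024-bit RSA is below current minimums; use 2048 bits or more.
openssl genrsa -out xxxx.key 2048
chmod 600 xxxx.key  # the private key is the credential; owner-only
# The API server maps CN to the Kubernetes username and O to a group.
openssl req -new -key xxxx.key -out xxxx.csr -subj "/CN=xxxx/O=cka2022"
# The CSR object expects the PEM as one base64 line for csr.yaml. This is
# encoding, not encryption: the CSR holds only the public key and subject.
base64 xxxx.csr | tr -d '\n'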
- csr.yaml
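# CertificateSigningRequest for user "xxxx". `request` is the base64 of the
# PEM CSR produced above; once approved, the cluster CA signs it and the
# certificate appears in .status.certificate.
# (The original listing had lost its indentation; restored here.)
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: xxxx
spec:
  # Normally filled in by the API server from the requesting identity;
  # listing it here is harmless but not required.
  groups:
    - system:authenticated
  # Built-in signer for client certificates the API server will accept.
  signerName: kubernetes.io/kube-apiserver-client
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQllqQ0J6QUlCQURBak1ROHdEUVlEVlFRRERBWjVkVzUwWVc4eEVEQU9CZ05WQkFvTUIyTnJZVEl3TWpJdwpnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBT0E5M3lOdlZ4QTBWL3VKbUVKeS9MNGR1UnRXCjR5bTRNT1pVU0RISy9sc2NRTVRxOGtPWDgyeFZKRjdRUTR4UVQ2dmhDcjhXQXNWT1UyUWVwZE1nQjZSd3RZU2kKbVZ6V0ZsdjM4Q0tzODlOZno2bXAwR2h1UEdaN3RPT2VSQ2ZwWlZIQTlVSDRSdzh1Y2NRY1NrdjhVRTdZWm14YQp6bFBZMWNGcitKUXptcXV4QWdNQkFBR2dBREFOQmdrcWhraUc5dzBCQVFzRkFBT0JnUUJkZVAxQWc4UVAzejZZCk5nRHNFS1NjeVBCSUloZjhqWXAwSTdKZjRTNmNQcUxBWXhmaEhKbFpoc0MvOFF5Nk1oQk1JVVpSbTFacll4VWQKWXZiVzBhTU4rY2ViR1dEUFZhdGliNTQ0SzFodVMrY09SYnIzM2doNlpDY2lySzNqNHp5RSs0cm1wWnRLczZIcAo5bE1DR0JMWUdqSSs2cmNOcEJOdHhHd25lVU91RUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  # No expirationSeconds is set, so the signer's default certificate lifetime
  # applies; set it explicitly if a short-lived credential is wanted.
  usages:
    - client auth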
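# Submit, approve and collect the client certificate, then build a kubeconfig.
kubectl apply -f csr.yaml
kubectl get certificatesigningrequests.certificates.k8s.io
# Approval is the privileged step: it mints a credential for CN=xxxx, so only
# cluster administrators should hold the approve permission.
kubectl certificate approve xxxx
# The signed certificate comes back base64-encoded in .status.certificate.
kubectl get csr xxxx -o jsonpath='{.status.certificate}' | base64 -d > xxxx.crt
# kubectl config creates xxxx-config if it does not exist (no need to open it
# in an editor first). --embed-certs inlines the PEM files so the kubeconfig
# is self-contained — and therefore contains the private key: protect it.
# The two flag lines below were truncated in the original notes; restored:
#   --certificate-authority=ca.crt --embed-certs=true
#   --client-key=xxxx.key --embed-certs=true
kubectl config --kubeconfig=xxxx-config set-cluster cluster1 \
  --server=https://10.211.55.111:6443 \
  --certificate-authority=ca.crt \
  --embed-certs=true
kubectl config --kubeconfig=xxxx-config set-credentials xxxx \
  --client-certificate=xxxx.crt \
  --client-key=xxxx.key \
  --embed-certs=true
kubectl config --kubeconfig=xxxx-config set-context context1 \
  --cluster=cluster1 --namespace=default --user=xxxx
# Without this the file has no current-context and kubectl needs --context.
kubectl config --kubeconfig=xxxx-config use-context context1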
- xxxx-config
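# The kubeconfig produced by the kubectl config commands above. Because
# --embed-certs was used, the *-data fields hold the base64 PEM inline
# (redacted here); client-key-data is the private key.
# (The original listing had lost its indentation; restored here.)
apiVersion: v1
kind: Config
clusters:
  - cluster:
      certificate-authority-data: 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
      server: https://10.211.55.111:6443
    name: cluster1
contexts:
  - context:
      cluster: cluster1
      user: xxxx
    name: context1
current-context: context1
preferences: {}
users:
  - name: xxxx
    user:
      client-certificate-data: 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
      client-key-data: 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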
- 复制配置文件到目标节点
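# The kubeconfig embeds a private key: move it only over an authenticated
# channel, make sure the target directory exists (scp fails otherwise) and
# keep the file owner-readable on the destination.
ssh root@10.211.55.122 'mkdir -p ~/.kube'
scp xxxx-config root@10.211.55.122:~/.kube/config
ssh root@10.211.55.122 'chmod 600 ~/.kube/config'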
# 其他认证方式
- oauth2 整合第三方认证系统
- basic authentication 账号密码方式登录(1.19 已废除)
# 权限管理
- 如何对用户进行授权或者鉴权。
# RBAC 基于角色的权限控制
# 查看管理员权限
# "admin" is the built-in namespace-level administrator role (full access
# within a namespace when granted through a RoleBinding); the cluster-wide
# superuser role is "cluster-admin".
kubectl describe clusterroles.rbac.authorization.k8s.io admin
# 创建role 和 clusterrole
- 命令行方式创建
# --dry-run=client prints the manifest without creating anything, which is a
# convenient way to scaffold the YAML shown below.
kubectl create role role1 \
  --resource=pod,deployment \
  --verb=list,watch,get,create \
  --dry-run=client -o yaml
kubectl create clusterrole crole1 \
  --resource=pod,svc \
  --verb=create,list,get \
  --dry-run=client -o yaml
- yaml文件方式创建
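---
# Role "role1" as emitted by --dry-run=client (creationTimestamp: null is an
# artefact of that output and may be dropped). A Role is namespace-scoped:
# these verbs apply only inside the namespace the Role is created in.
# (The original listing had lost its indentation; restored, and a document
# separator added because the next listing is a separate object.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
  # "" is the core API group, where pods live.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
      - get
      - create
  # Deployments belong to the "apps" group.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - list
      - watch
      - get
      - create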
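---
# ClusterRole "crole1" as emitted by --dry-run=client. A ClusterRole is not
# tied to a namespace; how far it reaches depends on whether it is bound with
# a RoleBinding (one namespace) or a ClusterRoleBinding (cluster-wide).
# (The original listing had lost its indentation; restored, with a document
# separator so it can follow the Role above in one file.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: crole1
rules:
  - apiGroups:
      - ""
    resources:
      - pods  # "*" instead would cover every resource in the group — avoid unless intended
      - services
    verbs:
      - create
      - list
      - get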
# 创建 rolebinding 和 clusterrolebinding
- 通过rolebinding绑定role
# Bind Role role1 to user xxxx in the current namespace, then list bindings.
kubectl create rolebinding bind1 --role=role1 --user=xxxx
kubectl get rolebindings.rbac.authorization.k8s.io -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
bind1 Role/role1 27s xxxx
- 通过rolebinding绑定clusterrole
# A RoleBinding may reference a ClusterRole, but the grant is still confined
# to the namespace the RoleBinding lives in.
# NOTE(review): the listing reproduced below repeats the previous one (bind1);
# the later rolebinding listing on this page shows the expected
# "bind-crole1 ClusterRole/crole1" row.
kubectl create rolebinding bind-crole1 --clusterrole=crole1 --user=xxxx
kubectl get rolebindings.rbac.authorization.k8s.io -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
bind1 Role/role1 27s xxxx
只要是通过rolebinding控制权限的,适用范围都是基于命名空间,其他命名空间看不见。
# Allowed: the RoleBinding exists in namespace 13-account.
kubectl --kubeconfig=xxxx-config --namespace=13-account get pods
No resources found in 13-account namespace.
# Forbidden: nothing binds user xxxx in namespace default.
kubectl --kubeconfig=xxxx-config --namespace=default get pods
Error from server (Forbidden): pods is forbidden: User "xxxx" cannot list resource "pods" in API group "" in the namespace "default"
- 通过clusterrolebinding绑定clusterrole
# A ClusterRoleBinding applies the ClusterRole in every namespace, so review
# the ClusterRole's verbs carefully before binding it this way.
kubectl create clusterrolebinding cbind-crole1 --clusterrole=crole1 --user=xxxx
kubectl get clusterrolebindings.rbac.authorization.k8s.io cbind-crole1 -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
cbind-crole1 ClusterRole/crole1 108s xxxx
通过clusterrolebinding实现的绑定,不限于单个命名空间。
# Same namespace as before; still allowed.
kubectl --kubeconfig=xxxx-config --namespace=13-account get pods
NAME READY STATUS RESTARTS AGE
pod 1/1 Running 0 32m
# Now allowed in default as well, because the ClusterRoleBinding is not
# limited to one namespace.
kubectl --kubeconfig=xxxx-config --namespace=default get pods
No resources found in default namespace.
- 查看自己是否有权限
# Check what the current identity may do, then the same for another user.
# --as impersonates that user, which itself requires the "impersonate"
# permission on users — handy for verifying a grant without sharing credentials.
kubectl auth can-i get pods
kubectl auth can-i delete pods --as=xxxx
# 服务账号ServiceAccount
- 系统中有两种账户,useraccount用于登录K8S,serviceaccount用于pod中进程对其他资源的控制。
# ServiceAccounts are namespace-scoped; --serviceaccount takes <namespace>:<name>.
kubectl create sa sa1
kubectl create rolebinding rbind-sa1 \
  --role=role1 \
  --serviceaccount=13-account:sa1
kubectl get rolebindings.rbac.authorization.k8s.io -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
bind-crole1 ClusterRole/crole1 8h xxxx
bind1 Role/role1 8h xxxx
rbind-sa1 Role/role1 26s 13-account/sa1
关于sa的注意点
- 每创建一个sa,都会生成一个token。
- 对sa赋权,token就会有权限,pod带着token去操作资源就会有权限。
- 每个ns 都有默认sa账户,删不掉。
# 安装Dashboard
# Install the Dashboard from a version-pinned upstream manifest. Review the
# manifest before applying it: it creates a namespace plus cluster-scoped
# RBAC objects.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.0/aio/deploy/recommended.yaml
# The ServiceAccount whose token is pasted into the Dashboard login. Whatever
# this SA is bound to is what the Dashboard session can do, so bind it to the
# narrowest Role that suffices rather than cluster-admin.
kubectl create serviceaccount sa1
# On clusters that still auto-create token Secrets the token is in the
# sa1-token-<suffix> Secret (suffix differs per cluster). Kubernetes 1.24+ no
# longer creates these; request a short-lived token with `kubectl create token sa1`.
kubectl describe secret sa1-token-77j8m
- 将 token 粘贴到浏览器的登录页后,dashboard 就可以凭该 sa 的权限访问其他资源。