# Officially provided by @yunTaoScripts: account management 🔥🔥


# Logging in to K8S with a user account

  • If the error message below appears, you are not correctly logged in to K8S.

Login error:

```
The connection to the server localhost:8080 was refused - did you specify the right host or port?
```

  • Logging in to the host is not enough; you also have to log in to K8S (without cluster credentials, kubectl falls back to localhost:8080, hence the message above).

# Token login

  • A token binds a credential to a user. Token authentication is not enabled by default; you can set it up by hand by writing an authentication file.

```bash
openssl rand -hex 10   ## generate 10 random bytes (20 hex characters) to use as the token
cd /etc/kubernetes/pki
echo "ddf74fa304304569f157,yuntao,1" > xxxx.csv   ## one line per identity: token,user,uid[,"group1,group2"]

vim /etc/kubernetes/manifests/kube-apiserver.yaml
# add to the kube-apiserver command arguments: --token-auth-file=/etc/kubernetes/pki/xxxx.csv
# kube-apiserver is a static pod, so the kubelet recreates it when the manifest changes
systemctl restart kubelet
kubectl options   ## lists the global flags (-s, --token, --kubeconfig, ...) used below
```

  • Run this on any other machine:

```bash
kubectl get nodes -s https://10.211.55.111:6443 --insecure-skip-tls-verify=true --token=ddf74fa304304569f157
# --insecure-skip-tls-verify disables checking the apiserver certificate; pass the cluster CA instead outside of a lab
```

  • This message means the login failed (the token is not in the auth file):

```
error: You must be logged in to the server (Unauthorized)
```

  • This message means the login succeeded, but the user has no permissions:

```
Error from server (Forbidden): nodes is forbidden: User "xxxx" cannot list resource "nodes" in API group "" at the cluster scope
```

  • Grant the user permissions:

```bash
kubectl create clusterrolebinding xxxx-clusterRoleBinding --clusterrole=cluster-admin --user=xxxx
# --user must match the user column of the CSV line; cluster-admin grants every verb on every resource
```

Once the permissions are granted, access works.
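To make the Unauthorized-versus-Forbidden distinction above concrete, here is an added Python example (not code from the original page) that parses a static token file in the apiserver's `token,user,uid[,groups]` format and performs the same lookup the apiserver does; the file contents and user names are constructed.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample of a --token-auth-file (not the page's real tokens).
# One identity per line: token,user,uid[,"group1,group2,..."]; the groups column is
# optional and must be quoted when it lists more than one group.
TOKEN_FILE = """\
ddf74fa304304569f157,yuntao,1
0123456789abcdef0123,ops-bot,2,"ops,system:authenticated"
"""

class TokenFileError(ValueError):
    """Raised for a line the apiserver would reject at startup."""

def load_token_file(text: str) -> Dict[str, dict]:
    """Parse a static token file into {token: identity}.

    The apiserver reads this file once at startup and the tokens never expire, so a
    leaked or rotated token only takes effect after editing the file and restarting
    the apiserver.
    """
    identities: Dict[str, dict] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            raise TokenFileError(f"line {lineno}: expected token,user,uid[,groups]")
        token, user, uid = row[0], row[1], row[2]
        if not (token and user and uid):
            raise TokenFileError(f"line {lineno}: token, user and uid must be non-empty")
        if token in identities:
            raise TokenFileError(f"line {lineno}: duplicate token")
        groups: List[str] = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        identities[token] = {"user": user, "uid": uid, "groups": groups}
    return identities

def authenticate(identities: Dict[str, dict], bearer_token: str) -> Optional[dict]:
    """Mirror the apiserver's lookup: an unknown token yields None, i.e. 401 Unauthorized.

    A known token only establishes identity; whether the request is then allowed or
    rejected with 403 Forbidden is decided separately by the RBAC bindings.
    """
    return identities.get(bearer_token)
```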

# Logging in with a kubeconfig file

# The default kubeconfig file

  • After the cluster is installed, a kubeconfig file usable by the administrator is generated automatically:

```bash
cat /etc/kubernetes/admin.conf
```

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data:    ## base64 cluster CA certificate (value omitted here)
    server: https://10.211.55.111:6443
  name: cluster_cts
- cluster:
    certificate-authority-data:    ## value omitted here
    server: https://10.211.55.121:6443
  name: cluster_yts
contexts:
- context:
    cluster: cluster_cts
    namespace: 14-devops
    user: xxxx_cts
  name: context_cts
- context:
    cluster: cluster_yts
    user: xxxx_yts
  name: context_yts
current-context: context_cts
kind: Config
preferences: {}
users:
- name: xxxx_cts
  user:
    client-certificate-data:    ## user certificate (public)
    client-key-data:            ## user private key: anyone holding this file can act as the user
- name: xxxx_yts
  user:
    client-certificate-data:
    client-key-data:
```

  • Ways to specify the kubeconfig file, in order of precedence from high to low (top to bottom):
    • Specify the kubeconfig file by hand. Copy the file over first, then point at it:

    ```bash
    kubectl get node --kubeconfig=./admin.conf
    ```

    • Use the KUBECONFIG environment variable:

    ```bash
    export KUBECONFIG=~/admin.conf
    ```

    • Use the default path ~/.kube/config:

    ```bash
    cp ../admin.conf ./; mv admin.conf config
    ```


# Custom kubeconfig file

```bash
openssl genrsa -out xxxx.key 1024   ## create the private key (2048 bits or more is recommended today)
openssl req -new -key xxxx.key -out xxxx.csr -subj "/CN=xxxx/O=cka2022"   ## create the CSR: CN becomes the K8S user name, O the group
cat xxxx.csr | base64 | tr -d "\n"   ## base64-encode (not encrypt) the CSR and paste the output into csr.yaml
```

  • csr.yaml

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: xxxx
spec:
  groups:
  - system:authenticated
  signerName: kubernetes.io/kube-apiserver-client
  request: <base64-encoded CSR, omitted>
  usages:
  - client auth
```

```bash
kubectl apply -f csr.yaml   ## submit the request
kubectl get certificatesigningrequests.certificates.k8s.io
kubectl certificate approve xxxx   ## approve the certificate request (only an approver should do this; review the CN/O first)
kubectl get csr xxxx -o jsonpath='{.status.certificate}' | base64 -d > xxxx.crt   ## extract the signed certificate
vim xxxx-config   ## the kubectl config commands below create/update this file; current-context: context1 must be set (edit it, or run: kubectl config --kubeconfig=xxxx-config use-context context1)
kubectl config --kubeconfig=xxxx-config set-cluster cluster1 --server=https://10.211.55.111:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true   ## CA path is the kubeadm default
kubectl config --kubeconfig=xxxx-config set-credentials xxxx --client-certificate=xxxx.crt --client-key=xxxx.key --embed-certs=true
kubectl config --kubeconfig=xxxx-config set-context context1 --cluster=cluster1 --namespace=default --user=xxxx
```

  • xxxx-config

```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate, omitted>
    server: https://10.211.55.111:6443
  name: cluster1
contexts:
- context:
    cluster: cluster1
    user: xxxx
  name: context1
current-context: context1
preferences: {}
users:
- name: xxxx
  user:
    client-certificate-data: <base64 client certificate, omitted>
    client-key-data: <base64 client private key, omitted>
```

  • Copy the config file to the target node:

```bash
scp xxxx-config root@10.211.55.122:~/.kube/config
```

# Other authentication methods

  • OAuth2: integrate a third-party authentication system
  • Basic authentication: user name and password login (removed in 1.19)

# Permission management

  • How to authorize users and check what they are allowed to do.

# RBAC: role-based access control

# Viewing the administrator's permissions

```bash
kubectl describe clusterrole admin   ## the namespace-level admin role; cluster-admin is the cluster-wide superuser role
```

# Creating a role and a clusterrole

  • Create from the command line (--dry-run=client -oyaml prints the manifest instead of creating the object):

```bash
kubectl create role role1 --resource=pod,deployment --verb=list,watch,get,create --dry-run=client -oyaml
kubectl create clusterrole crole1 --resource=pod,svc --verb=create,list,get --dry-run=client -oyaml
```

  • Create from YAML files:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: role1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
  - get
  - create
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - list
  - watch
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: crole1
rules:
- apiGroups:
  - ""
  resources:
  - pods             # - "*"  ## grants the verbs on every resource in the group; avoid unless really needed
  - services
  verbs:
  - create
  - list
  - get
```

# Creating a rolebinding and a clusterrolebinding

  • Bind a role through a rolebinding:

```bash
kubectl create rolebinding bind1 --role=role1 --user=xxxx
```

  • Check with `kubectl get rolebindings.rbac.authorization.k8s.io -owide`:

```
NAME    ROLE         AGE   USERS    GROUPS   SERVICEACCOUNTS
bind1   Role/role1   27s   xxxx
```

  • Bind a clusterrole through a rolebinding:

```bash
kubectl create rolebinding bind-crole1 --clusterrole=crole1 --user=xxxx
```

  • Check with `kubectl get rolebindings.rbac.authorization.k8s.io -owide`:

```
NAME    ROLE         AGE   USERS    GROUPS   SERVICEACCOUNTS
bind1   Role/role1   27s   xxxx
```

Whenever permissions are controlled through a rolebinding, the scope is the binding's namespace: the grant is not visible from other namespaces, even when the rolebinding references a clusterrole.

```
kubectl get pod --kubeconfig=xxxx-config -n 13-account
No resources found in 13-account namespace.
kubectl get pod --kubeconfig=xxxx-config -n default
Error from server (Forbidden): pods is forbidden: User "xxxx" cannot list resource "pods" in API group "" in the namespace "default"
```

  • Bind a clusterrole through a clusterrolebinding:

```bash
kubectl create clusterrolebinding cbind-crole1 --clusterrole=crole1 --user=xxxx
```

  • Check with `kubectl get clusterrolebindings.rbac.authorization.k8s.io cbind-crole1 -owide`:

```
NAME           ROLE                 AGE    USERS    GROUPS   SERVICEACCOUNTS
cbind-crole1   ClusterRole/crole1   108s   xxxx
```

A binding made through a clusterrolebinding is not limited to a single namespace.

```
kubectl get pod --kubeconfig=xxxx-config -n 13-account
NAME   READY   STATUS    RESTARTS   AGE
pod    1/1     Running   0          32m
kubectl get pod --kubeconfig=xxxx-config -n default
No resources found in default namespace.
```

  • Check whether you (or another user) have a permission:

```bash
kubectl auth can-i get pod
kubectl --as=xxxx auth can-i delete pod   ## impersonate user xxxx; requires impersonation rights on the caller
```
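The namespace-scoping behaviour shown above (bind1 and bind-crole1 work only in 13-account, cbind-crole1 works everywhere) can be reproduced offline with this added Python evaluator, which is not code from the original page; it answers `kubectl auth can-i`-style questions against constructed copies of the page's Role, ClusterRole and bindings, and assumes a Role referenced by a RoleBinding lives in the binding's namespace.

```python
from typing import Dict, Iterable, List, Tuple

RoleKey = Tuple[str, str]  # (kind, name): ("Role", "role1") or ("ClusterRole", "crole1")

# Constructed rules and bindings mirroring the page's objects; names are illustrative.
ROLES: Dict[RoleKey, List[dict]] = {
    ("Role", "role1"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch", "get", "create"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["list", "watch", "get", "create"]},
    ],
    ("ClusterRole", "crole1"): [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["create", "list", "get"]},
    ],
}
# bind1 and bind-crole1: RoleBindings in 13-account. A RoleBinding that references a
# ClusterRole is still confined to the binding's own namespace.
BINDINGS: List[dict] = [
    {"kind": "RoleBinding", "namespace": "13-account", "roleRef": ("Role", "role1"),
     "subjects": [("User", "xxxx")]},
    {"kind": "RoleBinding", "namespace": "13-account", "roleRef": ("ClusterRole", "crole1"),
     "subjects": [("User", "xxxx")]},
]
# cbind-crole1: a ClusterRoleBinding applies in every namespace.
CBIND_CROLE1 = {"kind": "ClusterRoleBinding", "namespace": None, "roleRef": ("ClusterRole", "crole1"),
                "subjects": [("User", "xxxx")]}

def _rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when group, resource and verb each match literally or by '*'."""
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(r in ("*", resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))

def can_i(bindings: Iterable[dict], roles: Dict[RoleKey, List[dict]], user: str, verb: str,
          resource: str, namespace: str, api_group: str = "", groups: Iterable[str] = ()) -> bool:
    """Answer like `kubectl auth can-i`: RBAC is allow-only, so any matching rule grants."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding in bindings:
        if not subjects.intersection(binding["subjects"]):
            continue  # binding is for someone else
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue  # namespaced grant: invisible from any other namespace
        if any(_rule_allows(rule, api_group, resource, verb) for rule in roles.get(binding["roleRef"], [])):
            return True
    return False
```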

# Service accounts (ServiceAccount)

  • There are two kinds of accounts in the system: a user account is used to log in to K8S, and a serviceaccount is used by processes inside a pod to act on other resources.

```bash
kubectl create serviceaccount sa1
kubectl create rolebinding rbind-sa1 --role=role1 --serviceaccount=13-account:sa1   ## subject format: <namespace>:<serviceaccount>
```

  • Check with `kubectl get rolebindings.rbac.authorization.k8s.io -owide`:

```
NAME          ROLE                 AGE   USERS    GROUPS   SERVICEACCOUNTS
bind-crole1   ClusterRole/crole1   8h    xxxx
bind1         Role/role1           8h    xxxx
rbind-sa1     Role/role1           26s                     13-account/sa1
```

Notes on service accounts

  • Every sa that is created gets a token generated for it.
  • When you grant permissions to an sa, its token carries those permissions; a pod that presents the token can then operate on resources.
  • Every namespace has a default sa account, which cannot be deleted.

# Installing the Dashboard

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.0/aio/deploy/recommended.yaml
kubectl create sa sa1
kubectl describe secrets sa1-token-77j8m   ## auto-generated token Secret; on Kubernetes 1.24+ no such Secret is created, use `kubectl create token sa1` instead
```

  • Paste the token into the browser; the dashboard then has permission to access other resources (exactly what the sa has been granted).