k8s API account基本操作

创建cert key

#创建私钥(RSA 2048 位)
openssl genrsa -out vbear.key 2048

#创建证书签名请求(CSR)：CN=vbear 将作为 k8s 的用户名, O=it 作为用户组
openssl req -new -key vbear.key -out vbear.csr -subj "/CN=vbear/O=it"

#用集群 CA 签发证书(需要读取 ca.key, 所以要 sudo)。注意：这种由集群 CA 直接签发的客户端证书无法吊销, 只能依靠 -days 设定的有效期到期
sudo openssl x509 -req -in vbear.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key  -CAcreateserial -out vbear.crt -days 365
Certificate request self-signature ok
subject=CN = vbear, O = it

#查看contexts
ubuntu@master01:/k8s/cert$ kubectl config get-contexts
CURRENT   NAME                          CLUSTER                       AUTHINFO           NAMESPACE
*         devops-context                kubernetes                    vbear              

#指定证书为用户vbear
 
ubuntu@master01:/k8s/cert$ kubectl config set-credentials vbear --client-certificate=/k8s/cert/vbear.crt --client-key=vbear.key
User "vbear" set.

#查看当前的context
ubuntu@master01:/k8s/cert$ kubectl config current-context
devops-context
ubuntu@master01:/k8s/cert$ kubectl get pods -n devops
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          10m
ubuntu@master01:/k8s/cert$ 



在devops namespace里面创建账号api-access

#创建namespace
ubuntu@master01:/k8s/cert$ kubectl create namespace devops
namespace/devops created

#创建服务账号api-access
ubuntu@master01:/k8s/cert$ kubectl create serviceaccount api-access -n devops
serviceaccount/api-access created
ubuntu@master01:/k8s/cert$ 

创建角色(Role, 只作用于 devops 命名空间, 虽然名字叫 api-clusterrole), 并通过 RoleBinding 绑定到用户 vbear。注意：这里 --user=vbear 绑定的是证书 CN 对应的用户, 上面创建的服务账号 api-access 并未被绑定, 若要授权服务账号需改用 --serviceaccount=devops:api-access

ubuntu@master01:/k8s/cert$ kubectl create role api-clusterrole --verb=watch,list,get  --resource=pods,deployments,services -n devops
role.rbac.authorization.k8s.io/api-clusterrole created
ubuntu@master01:/k8s/cert$ 

ubuntu@master01:/k8s/cert$ kubectl create rolebinding api-clusterrolebinding --role=api-clusterrole --user=vbear -n devops
rolebinding.rbac.authorization.k8s.io/api-clusterrolebinding created

验证结果：直接用 vbear 的客户端证书和私钥访问 API server, 并用集群 CA 校验服务端证书

ubuntu@master01:/k8s/cert$ curl --cert ./vbear.crt --key ./vbear.key --cacert /etc/kubernetes/pki/ca.crt -s https://192.168.64.84:6443/api/v1/namespaces/devops/pods
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "125896"
  },
  "items": [
    {
      "metadata": {
        "name": "nginx",
        "namespace": "devops",
        "uid": "c666e438-6d4f-4103-ac8b-ca057ffe3f2b",
        "resourceVersion": "125837",
        "creationTimestamp": "2023-02-23T13:32:57Z",
        "labels": {
          "run": "nginx"
        },
