Role-based access control
How does kubectl authenticate to the apiserver? Besides the token method used by ServiceAccounts, authentication can be configured through a configuration file. Every component of a k8s cluster except the apiserver itself (the controller-manager, for example) must connect to the apiserver and be authenticated by it, so they all count as apiserver clients, and so does kubectl. For each component to connect to the right cluster and present the right account, certificate, private key and other credentials, this information is saved in a file called kubeconfig. A kubeconfig is the client-side configuration file, in the authentication format the apiserver expects, that an apiserver client uses when connecting to the apiserver. kubectl is such a client and has its own kubeconfig. You can print its contents with kubectl config view, and you will see that it is itself a standard k8s resource object.
This file is not limited to a single cluster. If you have several k8s clusters and only one host acting as the client, you can control all of them with one kubectl: the file first holds a cluster list, so several clusters can be defined; for each cluster you may use several accounts (or admin for all of them), so several users are defined in advance; and finally contexts are defined. A context pairs a user name with a cluster and states which account is used to access which cluster.
Next we create a certificate and private key as another account to authenticate to the k8s apiserver, and look at how they are generated.
- First create a private key, then use it to generate a signed certificate. The holder name in the certificate must equal the user name, because the subject of the certificate (its holder) is what the apiserver treats as the user account name.
- Start by making the private key:
cd /etc/kubernetes/pki/
ls
(umask 077; openssl genrsa -out wohaoshuai.key 2048)
ls
Next, generate a certificate request from this private key; it will be signed by the cluster's ca.crt. The CN is your user account name:
openssl req -new -key wohaoshuai.key -out wohaoshuai.csr -subj "/CN=wohaoshuai"
Once the CSR is ready, sign it with the cluster CA certificate and key:
openssl x509 -req -in wohaoshuai.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wohaoshuai.crt -days 365
Note that clusters deployed with kubeadm have a nuisance here: the certificate is valid for 1000 days, about three years, and it is troublesome when it expires.
Now the certificate is ready, signed by the cluster's own CA. You can check the certificate contents:
openssl x509 -in wohaoshuai.crt -text -noout
Next, add this user account to the kubeconfig as the credentials used to connect to the k8s cluster. Because the certificate was issued by the CA of the same cluster, the apiserver will accept it without any problem.
Create the user with:
- wohaoshuai (the name of the user entry)
- --embed-certs=true (embed the certificate and key data in the kubeconfig instead of referencing the files on disk)
kubectl config set-credentials wohaoshuai --client-certificate=/etc/kubernetes/pki/wohaoshuai.crt --client-key=/etc/kubernetes/pki/wohaoshuai.key --embed-certs=true
View the configuration with kubectl config view, as before.
Set a context so that wohaoshuai can access the kubernetes cluster:
kubectl config set-context wohaoshuai@kubernetes --cluster=kubernetes --user=wohaoshuai
View the configuration again.
Now switch to the wohaoshuai account. This account has no administrator rights:
kubectl config use-context wohaoshuai@kubernetes
Try some operations, such as listing pods; you will see that the account has no permission.
One step was skipped above: setting up the cluster entry. Whether you generate a new configuration file or define a new cluster in the current one, setting up the cluster is fairly simple. First specify the cluster name, then the CA certificate of the cluster. The client uses this CA certificate to verify the server certificate presented by the cluster's apiserver; without it there is no way to trust that server certificate, so the CA must be specified before the apiserver's authentication can complete. The essentials are therefore: the cluster name, the access address of the cluster service, and the cluster's CA certificate (the higher authority that issued the server certificate), which is ca.crt under the current pki path. So the simplest way is to specify the server, specify the CA certificate, and embed the certificate (--embed-certs=true).
First switch back to the default kubernetes-admin user:
kubectl config use-context kubernetes-admin@kubernetes
Run kubectl config set-cluster --help to see how a cluster entry is set:
Sets a cluster entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values for those fields.
Examples:
# Set only the server field on the e2e cluster entry without touching other values.
kubectl config set-cluster e2e --server=https://1.2.3.4
# Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
# Disable cert checking for the dev cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
Options:
--embed-certs=false: embed-certs for the cluster entry in kubeconfig
Usage:
kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
The CA certificate we need is in the pki directory:
cd /etc/kubernetes/pki/ && ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-client.crt sa.key wohaoshuai.crt wohaoshuai.key
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.key sa.pub wohaoshuai.csr
Now we set up a cluster in a new configuration file rather than the default one (everything so far was saved in the default file). By default kubectl loads the config file at .kube/config under the current user's home directory; to save to another location, use the --kubeconfig option:
kubectl config set-cluster mycluster --kubeconfig=/tmp/test.config --server="https://192.168.10.10:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
kubectl config view --kubeconfig=/tmp/test.config
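Added example, not from the original post: a POSIX shell script that scripts the steps above (private key, CSR, CA-signed certificate, kubeconfig with embedded certificate data) and adds the check a practitioner wants before handing the file out: the certificate must chain to the cluster CA and its CN must be exactly the intended user name, since that CN is what the apiserver uses as the user. It assumes openssl and base64 are installed; the user name wohaoshuai comes from the post, while the CA is a throwaway one created under a temp dir in place of /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added example, not from the original post: issue a client certificate for a
# kubeconfig user as the post does, verify it, and write the standalone kubeconfig
# that --embed-certs=true produces. Assumes openssl and base64 are installed; a
# throwaway CA under a temp dir stands in for /etc/kubernetes/pki/ca.{crt,key}.
set -eu
WORK=$(mktemp -d); CA_DIR="$WORK/pki"
make_test_ca() {  # constructed test CA (on a real cluster, use the existing one)
  mkdir -p "$CA_DIR"
  (umask 077; openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null)
  openssl req -x509 -new -key "$CA_DIR/ca.key" -days 3650 -subj "/CN=kubernetes" \
    -out "$CA_DIR/ca.crt" 2>/dev/null
}
# issue_user_cert NAME [GROUP]: CN becomes the Kubernetes user name, O the group.
issue_user_cert() {
  subj="/CN=$1"; if [ -n "${2:-}" ]; then subj="/O=$2$subj"; fi
  (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/$1.key" -subj "$subj" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}
# check_user_cert NAME [CERT]: the cert must chain to the cluster CA and its CN
# must be exactly NAME, since the apiserver takes the user name from the CN.
check_user_cert() {
  cert=${2:-$WORK/$1.crt}
  openssl verify -CAfile "$CA_DIR/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,utf8 \
       | sed -n 's/^ *CN=//p')
  [ "$cn" = "$1" ]
}
# write_kubeconfig NAME SERVER OUT: same layout as `kubectl config view` shows,
# with the CA pinned via certificate-authority-data (never insecure-skip-tls-verify).
write_kubeconfig() {
  b64() { base64 "$1" | tr -d '\n'; }
  (umask 077; cat > "$3" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster: {server: "$2", certificate-authority-data: $(b64 "$CA_DIR/ca.crt")}
users:
- name: $1
  user: {client-certificate-data: $(b64 "$WORK/$1.crt"), client-key-data: $(b64 "$WORK/$1.key")}
contexts:
- name: $1@kubernetes
  context: {cluster: kubernetes, user: $1}
current-context: $1@kubernetes
EOF
  )
}
```

Run make_test_ca, then issue_user_cert wohaoshuai, check_user_cert wohaoshuai and write_kubeconfig wohaoshuai https://192.168.10.10:6443 /tmp/test.config to reproduce the post's flow end to end.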
The complete command sequence used above, in order:
kubectl config view
cd /etc/kubernetes/pki/
ls
(umask 077; openssl genrsa -out wohaoshuai.key 2048)
ls
openssl req -new -key wohaoshuai.key -out wohaoshuai.csr -subj "/CN=wohaoshuai"
openssl x509 -req -in wohaoshuai.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wohaoshuai.crt -days 365
openssl x509 -in wohaoshuai.crt -text -noout
kubectl config set-credentials wohaoshuai --client-certificate=/etc/kubernetes/pki/wohaoshuai.crt --client-key=/etc/kubernetes/pki/wohaoshuai.key --embed-certs=true
kubectl config view
kubectl config set-context wohaoshuai@kubernetes --cluster=kubernetes --user=wohaoshuai
kubectl config view
kubectl config use-context wohaoshuai@kubernetes
kubectl get pods