使用cfssl创建kubeconfig文件为kubernetes认证授权

作者: root007 分类: kubernetes,未分类 发布时间: 2019-08-07 18:15

RBAC基础 *

目的为开发人员访问使用kubectl做身份进行认证和对其权限做出限制。步骤和部署k8s时候创建admin一样只是绑定权限不一样而已

创建一个devuser用户并且给对应的命名空间所有权限

1、安装CFSSL:
http://pkg.cfssl.org/

curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 
chmod +x /bin/cfssl*

创建 CA 证书和秘钥

生成ca配置:如果没有ca-config.json
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

创建 dev-user-csr.json 文件

默认生成 证书CN名称为账号名称
cfssl print-defaults csr > devuser-csr.json 修改

{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

切换到/etc/kubernetes/ssl目录下面确保目录下面包含以下文件

ca-key.pem  ca.pem ca-config.json  devuser-csr.json
[root@dev-k8s-m1 ssl]# cfssl gencert -ca=kube-ca.pem -ca-key=kube-ca-key.pem  -config=ca-config.json -profile=kubernetes dev-user-csr.json | cfssljson -bare devuser

查看生成的文件

[root@dev-k8s-m1 ssl]# ls devuser*
devuser.csr  devuser-key.pem  devuser.pem

创建 kubeconfig 文件

# 设置集群参数
export KUBE_APISERVER="https://172.20.0.113:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=devuser.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials devuser \
--client-certificate=/etc/kubernetes/ssl/devuser.pem \
--client-key=/etc/kubernetes/ssl/devuser-key.pem \
--embed-certs=true \
--kubeconfig=devuser.kubeconfig

# 设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=devuser \
--namespace=dev \
--kubeconfig=devuser.kubeconfig

# 设置默认上下文
kubectl config use-context kubernetes --kubeconfig=devuser.kubeconfig

至此证书和kubeconfig文件完成 devuser.kubeconfig文件就是/root/.kube/config文件 但是k8s还没有对应的用户和权限

RoleBinding

通过 RBAC创建角色绑定以将该用户的限制在某个或某几个 namespace 空间范围内,例如:

[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=dev
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=sit1
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=sit2
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=istio-test
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=istio-uat
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=istio-dev
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created
[root@dev-k8s-m1 ssl]# kubectl create rolebinding devuser-admin-binding --clusterrole=admin --user=devuser --namespace=uat
rolebinding.rbac.authorization.k8s.io/devuser-admin-binding created

验证

如果通过eip连接会提示如下错误因为ca证书没有添加eip

Unable to connect to the server: x509: certificate is valid for 192.168.x.x, 127.0.0.1, 10.43.0.1, not 119.x.x.x

解决方法不要验证证书安全性

kubectl -insecure-skip-tls-verify
或者
config添加
- cluster:
    server: https://119.x.x.x:6443
    insecure-skip-tls-verify: true
  name: kubernetes

给dashboard创建一个只读角色权限

kubectl create serviceaccount dashboard-read -n kube-system

kubectl create clusterrolebinding dashboard-read -n kube-system --clusterrole=view --serviceaccount=kube-system:dashboard-read

kubectl get secret $(kubectl get serviceaccount dashboard-read -n kube-system -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" -n kube-system | base64 --decode

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注