目录
1.创建用户
1.1证书创建
1.2创建用户
1.3允许用户登陆
1.4切换用户
1.5删除用户
2.RBAC
2.1允许user1用户查看pod日志
3.使用用户
1.创建用户
1.1证书创建
进入证书目录
# cd /etc/kubernetes/pki
创建key
# openssl genrsa -out user1.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
........+++
e is 65537 (0x10001)
创建csr
# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
查看创建结果
# ll
total 72
-rw-r--r-- 1 root root 1310 Jun 12 14:52 apiserver.crt
-rw-r--r-- 1 root root 1155 Jun 12 14:52 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jun 12 14:52 apiserver.key
-rw-r--r-- 1 root root 1164 Jun 12 14:52 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Jun 12 14:52 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Jun 12 14:52 ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 ca.key
-rw-r--r-- 1 root root 17 Oct 10 18:07 ca.srl
drwxr-xr-x 2 root root 4096 Jun 12 14:52 etcd
-rw-r--r-- 1 root root 1115 Jun 12 14:52 front-proxy-ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jun 12 14:52 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 front-proxy-client.key
-rw------- 1 root root 1679 Jun 12 14:52 sa.key
-rw------- 1 root root 451 Jun 12 14:52 sa.pub
-rw-r--r-- 1 root root 883 Oct 10 18:27 user1.csr
-rw-r--r-- 1 root root 1679 Oct 10 18:26 user1.key
修改权限
# chmod 600 user1.key
使用集群证书签发
# openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 1095
Signature ok
subject=/CN=user1
Getting CA Private Key查看签发的证书
# openssl x509 -in user1.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
fc:aa:fd:55:13:43:c3:62
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Oct 10 10:30:34 2023 GMT
Not After : Oct 9 10:30:34 2026 GMT
Subject: CN=user1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:c0:f2:4c:35:42:32:97:12:0f:c1:c2:0f:16:
........篇幅省略
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
8d:92:df:d1:53:cf:0c:e6:97:10:cc:53:37:16:01:0c:69:c3:
......篇幅省略1.2创建用户
# kubectl config set-credentials user1 --client-certificate=./user1.crt --client-key=./user1.key --embed-certs=true
User "user1" set.1.3允许用户登陆
# kubectl config set-context user1@kubernetes --cluster=kubernetes --user=user1
Context "user1@kubernetes" created.查看集群信息
# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://master01:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: user1
name: user1@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED
- name: user1
user:
client-certificate-data: DATA+OMITTED
client-key-data: DATA+OMITTED可以看到user1已经存在并可以登陆
1.4切换用户
# kubectl config use-context user1@kubernetes
Switched to context "user1@kubernetes".但此时用户没有任何权限,需要配置rbac
# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"1.5删除用户
# kubectl config delete-context user1@kubernetes
deleted context user1@kubernetes from /root/.kube/config
# kubectl config unset users.user1
Property "users.user1" unset.2.RBAC
2.1允许user1用户查看pod日志
# cat user1_pod_get.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-log-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"] # 允许 "user1" 用户获取和列出 Pod 以及日志
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pod-log-reader-binding
namespace: default
subjects:
- kind: User
name: user1 # 这里的 "user1" 是您之前创建的用户名称
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-log-reader
apiGroup: rbac.authorization.k8s.io再次使用user1用户就可以查看pod和日志了
# kubectl get pod -n default
# kubectl logs -f pod/free-study-questionnaire-5c7f8c878d-859wl3.使用用户
默认需要切换,但给开发人员或者相关人员时他们是不需要切换的,所以需要配置kubectl
首先需要按照kubectl命令
安装完成后有几种方式配置:
1、拷贝创建当初创建用户的kubectl命令所在服务器下的'$HOME/.kube/config'到新kubectl命令所在服务器的'$HOME/.kube/config',然后删除admin和其他不需要的用户后即可
2、手动编写
需要拷贝ca.crt、user1.crt、user1.key到新kubectl服务器
编写如下文件
apiVersion: v1
clusters:
- cluster:
certificate-authority: ca.crt
server: https://master01:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: user1
name: user1@kubernetes
current-context: user1@kubernetes
kind: Config
preferences: {}
users:
- name: user1
user:
client-certificate: user1.crt
client-key: user1.key如果将该文件名称定义为 config, 则可以直接使用kubectl命令进行操作
如果改名称为其他,如 user1.yaml,则使用命令需要指定文件文章来源:https://www.toymoban.com/news/detail-727211.html
kubectl --kubeconfig=$HOME/.kube/user1.yaml get pods当然你可以有多个yaml,放在任何目录下,就可以操作多个环境文章来源地址https://www.toymoban.com/news/detail-727211.html
到了这里,关于kubernetes pod日志查看用户创建的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
