k8s配置User,实现context权限和环境分离


方法一

cfssl工具

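# Install the cfssl tool set (cfssl, cfssljson, cfssl-certinfo) that issues
# the client certificate below. The binaries come straight from the upstream
# release server; before trusting them compare `sha256sum <file>` with the
# checksums published for the release (the page pins none, so none is
# pinned here).
set -euo pipefail

cfssl_release_url="https://pkg.cfssl.org/R1.2"
# One target directory for all three tools; the original listing put
# cfssl-certinfo in /usr/bin while the other two went to /usr/local/bin.
install_dir="/usr/local/bin"

for tool in cfssl cfssljson cfssl-certinfo; do
  wget -- "${cfssl_release_url}/${tool}_linux-amd64"
  # install(1) sets the mode and places the file in one step (chmod + mv).
  install -m 0755 -- "${tool}_linux-amd64" "${install_dir}/${tool}"
  rm -f -- "${tool}_linux-amd64"
done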

生成用户的认证文件

  • 配置文件
# Show the CSR request that `cfssl gencert` consumes below; its CN ("devuser")
# becomes the Kubernetes user name.
cat devuser-csr.json 
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
[root@node43 ssl]# pwd
/etc/kubernetes/ssl
  • 生成对应的认证文件
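# Issue the devuser client certificate, signed by the cluster CA, register it
# in kubeconfig and create the context. Run from /etc/kubernetes/ssl, where
# kube-ca.pem and kube-ca-key.pem live (see the pwd output above).
set -euo pipefail

ssl_dir="/etc/kubernetes/ssl"
user="devuser"

# The private key is the user's credential: make new files owner-only
# regardless of what cfssljson does on its own.
umask 077

# cfssljson -bare writes devuser.pem, devuser-key.pem and devuser.csr.
# NOTE(review): -profile=kubernetes is looked up in a cfssl signing config,
# but no -config=<ca-config.json> is passed here; check what was actually
# issued with `cfssl-certinfo -cert devuser.pem`.
cfssl gencert -ca=kube-ca.pem -ca-key=kube-ca-key.pem -profile=kubernetes \
  "${user}-csr.json" | cfssljson -bare "${user}"

# --embed-certs copies the PEM data (including the private key) into
# kubeconfig, so that file must be protected like the key itself.
kubectl config set-credentials "${user}" \
  --client-certificate="${ssl_dir}/${user}.pem" \
  --client-key="${ssl_dir}/${user}-key.pem" \
  --embed-certs=true

# Dedicated namespace for this context; skip creation when it already
# exists so the listing can be re-run.
kubectl get ns dev >/dev/null 2>&1 || kubectl create ns dev

# The context ties user, cluster and default namespace together.
# test-node43 must be an existing cluster entry in kubeconfig
# (`kubectl config get-clusters`).
kubectl config set-context dev-context --user="${user}" --cluster=test-node43 --namespace=dev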
  • 配置RBAC
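# Grant devuser its permissions. The original line named the ClusterRole
# "cluter-admin", which does not exist; a binding to a missing role grants
# nothing, so devuser would be denied everything. The built-in role is
# "cluster-admin" (as used in method two below).
# NOTE: cluster-admin is unrestricted cluster-wide; the namespace on the
# context only changes kubectl's default, it does not limit access. For real
# separation bind a namespaced role instead, e.g.
#   kubectl create rolebinding dev-binding --clusterrole=edit --user=devuser -n dev
set -euo pipefail

kubectl create clusterrolebinding dev-binding --clusterrole=cluster-admin --user=devuser

# Switch kubectl to the new context; later commands default to namespace dev.
kubectl config use-context dev-context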

[root@node43 ssl]# kubectl get pod 
No resources found in dev namespace.
[root@node43 ssl]# kubectl get pod  -n default 
NAME                                      READY   STATUS      RESTARTS   AGE
nb-cpu-root-test-0                        1/1     Running     1          6d6h
nfs-client-provisioner-6847759999-4wgbg   1/1     Running     11         113d
pg-deploy-5698ccd66c-7k6kg                0/1     Pending     0          16d
test-pod                                  0/1     Completed   0          113d
test-psp                                  1/1     Running     0          125m

在实际使用过程中，可以通过 Role、ClusterRole、RoleBinding、ClusterRoleBinding 对资源的访问权限进行设置。

方法二

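## Method two: issue the client certificate with plain openssl, signed by the
## CA that a kubeadm/minikube install leaves in /etc/kubernetes/pki
## (ca.crt / ca.key).
set -euo pipefail

pki_dir="/etc/kubernetes/pki"
## The certificate CN is the Kubernetes user name; keep the two identical.
user="user"

cd -- "${pki_dir}" || exit 1

## New files (above all user.key) are the user's credential: owner-only.
umask 077

## 1. Private key.
openssl genrsa -out "${user}.key" 2048

## 2. CSR; the subject CN becomes the Kubernetes user name.
openssl req -new -key "${user}.key" -out "${user}.csr" -subj "/CN=${user}"

## 3. Sign with the cluster CA. -CAcreateserial writes ca.srl next to the CA
##    on first use; -days 365 is the validity, so rotate before it lapses.
openssl x509 -req -in "${user}.csr" -CA ./ca.crt -CAkey ./ca.key -CAcreateserial \
  -out "${user}.crt" -days 365

## 4. Register the credential. --embed-certs copies the key into kubeconfig,
##    so that file must be protected like the key itself.
kubectl config set-credentials "${user}" \
  --client-certificate="./${user}.crt" --client-key="./${user}.key" --embed-certs=true

## 5. Authorisation. cluster-admin is unrestricted cluster-wide; for real
##    separation of environments bind a namespaced role instead, e.g.
##      kubectl create rolebinding <name> --clusterrole=edit --user=user -n <namespace>
kubectl create clusterrolebinding user-context-binding --clusterrole=cluster-admin --user="${user}"

## 6. Context. "kubernetes" is the cluster name kubeadm writes; confirm with
##    `kubectl config get-clusters`.
kubectl config set-context user-context --cluster=kubernetes --user="${user}"

kubectl config use-context user-context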