准备证书签发环境:
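# Install cfssl, cfssljson and cfssl-certinfo from the upstream GitHub release.
# The version is a variable so upgrading means changing one line.
cfssl_version=1.6.1
cfssl_base_url="https://github.com/cloudflare/cfssl/releases/download/v${cfssl_version}"
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "${cfssl_base_url}/${tool}_${cfssl_version}_linux_amd64"
done
# Verify the downloads against the digests published with the release before
# anything is installed system-wide; replace the placeholders with the real
# SHA-256 values from the release page. sha256sum fails on an unfilled
# placeholder, which stops the install.
sha256sum -c - <<EOF || exit 1
<SHA256_FROM_RELEASE_PAGE>  cfssl_${cfssl_version}_linux_amd64
<SHA256_FROM_RELEASE_PAGE>  cfssljson_${cfssl_version}_linux_amd64
<SHA256_FROM_RELEASE_PAGE>  cfssl-certinfo_${cfssl_version}_linux_amd64
EOF
# Drop the version suffix from each binary (the original page omitted the
# `mv` for cfssljson, so that tool never got renamed).
for tool in cfssl cfssljson cfssl-certinfo; do
  mv -- "${tool}_${cfssl_version}_linux_amd64" "$tool"
done
# install(1) copies and sets the executable bit in one step; writing to
# /usr/local/bin normally requires root.
install -m 0755 -- cfssl-certinfo cfssl cfssljson /usr/local/bin/
# Sanity-check the installed binary.
cfssl version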
复制集群 CA 证书和私钥到新建目录
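# Working directory for the signing material. The cluster CA private key is
# copied here, so the directory is created owner-only, the key is made 0600,
# and the `cd` is checked so the copies cannot land in the wrong directory.
# Remove this directory once the client certificate has been issued.
mkdir -m 0700 -- catest || exit 1
cd catest/ || exit 1
cp -- /etc/kubernetes/pki/ca.crt .
cp -- /etc/kubernetes/pki/ca.key .
chmod 0600 -- ca.key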
生成 ca-config.json，用于定义签发证书的有效期（788400h，约 90 年）
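# CA signing policy for cfssl. Both the default and the "www" profile use an
# expiry of 788400h (about 90 years). The Kubernetes API server has no
# revocation check for client certificates, so a leaked certificate stays
# usable until it expires; a much shorter lifetime is the usual recommendation.
# The "www" profile also allows "server auth", which a pure client certificate
# does not need; drop it if this profile is only used for user certificates.
# Quoted delimiter: the JSON is written literally, with no shell expansion.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "788400h"
    },
    "profiles": {
      "www": {
        "expiry": "788400h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF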
生成 CSR 请求文件 test-csr.json：CN 字段对应 Kubernetes 用户名，O 字段对应用户组名
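# Certificate request for the client certificate. Kubernetes takes the
# username from CN and the group(s) from O, so O decides which RBAC bindings
# apply; never put a user into the "system:masters" group this way, because
# that group bypasses RBAC and cannot be revoked. "hosts" is empty because a
# client certificate needs no SANs.
# Quoted delimiter: the JSON is written literally, with no shell expansion.
cat > test-csr.json <<'EOF'
{
  "CN": "test",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF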
执行证书签发，生成证书 test.pem 和私钥 test-key.pem
# Sign the request with the cluster CA using the "www" profile. cfssljson
# writes test.pem (certificate), test-key.pem (private key) and test.csr.
# The pipeline's status is cfssljson's; run under `set -o pipefail` if a
# failing cfssl should also abort the script.
cfssl gencert \
  -ca=ca.crt \
  -ca-key=ca.key \
  -config=ca-config.json \
  -profile=www \
  test-csr.json \
  | cfssljson -bare test
生成集群认证 kubeconfig 文件（test.kubeconfig）:
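# API server endpoint for the new kubeconfig. The expansion is quoted so a
# value containing spaces or glob characters cannot be split or globbed.
# --embed-certs stores the CA inline, making test.kubeconfig self-contained.
export KUBE_APISERVER="https://10.83.23.230:6443"
kubectl config set-cluster kubernetes \
  --kubeconfig=./test.kubeconfig \
  --certificate-authority=./ca.crt \
  --embed-certs=true \
  --server="${KUBE_APISERVER}"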
设置客户端证书认证:
# Register the issued client certificate as user "test". With --embed-certs
# the private key itself is copied into test.kubeconfig, so that file is a
# credential: keep it owner-readable only (verify its mode after this step)
# and never commit or share it.
kubectl config set-credentials test \
  --kubeconfig ./test.kubeconfig \
  --embed-certs \
  --client-certificate ./test.pem \
  --client-key ./test-key.pem
设置上下文参数:
# Tie the cluster entry and the "test" user together in a context.
kubectl config set-context kubernetes \
  --kubeconfig ./test.kubeconfig \
  --cluster kubernetes \
  --user test
设置默认上下文:
# Make the new context the default one inside test.kubeconfig only; the
# caller's own kubeconfig is not touched.
kubectl config use-context kubernetes \
  --kubeconfig ./test.kubeconfig
在 k8s 集群中为 test 用户绑定 RBAC 权限:
# Grant the "test" user cluster-admin, i.e. full control of every namespace.
# That is far more than a test account needs; for least privilege, bind a
# narrower ClusterRole, or use a namespaced Role/RoleBinding instead. This
# runs with the operator's current kubeconfig, not test.kubeconfig.
kubectl create clusterrolebinding test \
  --clusterrole cluster-admin \
  --user test
测试新建用户的配置文件是否可用
# Smoke test: list pods in the default namespace as the new user, using only
# the freshly generated kubeconfig.
kubectl get pods \
  --kubeconfig test.kubeconfig