User Account Authentication
The kubeconfig configuration file
As mentioned earlier, communication inside Kubernetes goes over HTTPS, and every HTTPS request has to be authenticated. For example, when we run a command on the command line such as
[root@k8s-master ~]# kubectl get pod
it also needs HTTPS authentication, and because HTTPS connections are stateless, every request must carry the certificate. Specifying all of this by hand on every call would be very inconvenient, so to simplify connecting and using the cluster, Kubernetes uses a kubeconfig file that bundles the authentication information.
kubeconfig file: three search paths
1. A file specified explicitly (for example with --kubeconfig): highest priority
2. The config file loaded from the $KUBECONFIG environment variable
3. The file in the user's home directory, $HOME/.kube/config
kubeconfig file:
An authentication information file that bundles the user name, credentials and so on, so that they can be presented to the API Server; a single file can hold n sets of credentials for m clusters.
- The kubectl options show that a certificate and key can be specified explicitly
[root@k8s-master kubernetes]# kubectl options
The following options can be passed to any command:
--add-dir-header=false: If true, adds the file directory to the header of the log messages
--alsologtostderr=false: log to standard error as well as files
--as='': Username to impersonate for the operation
--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--cache-dir='/root/.kube/cache': Default cache directory
--certificate-authority='': Path to a cert file for the certificate authority
--client-certificate='': Path to a client certificate file for TLS # client certificate
--client-key='': Path to a client key file for TLS # client private key
--cluster='': The name of the kubeconfig cluster to use
--context='': The name of the kubeconfig context to use
--insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
...
kubeconfig file
- It contains roughly four kinds of information; a single file can hold n sets of credentials for m clusters:
- clusters: the Kubernetes clusters to access
- contexts: the specific context used to access a Kubernetes cluster
- current-context: the context currently in use
- users: the user information used for access, i.e. the user name and certificate information
The config files the system creates by default
[root@k8s-master core]# cd /etc/kubernetes/
[root@k8s-master kubernetes]# ll # the config files created by the kubernetes installation
total 32
-rw------- 1 root root 5565 Jun 29 01:42 admin.conf # administrator config file
-rw------- 1 root root 5601 Jun 29 01:42 controller-manager.conf # controller-manager config file
-rw------- 1 root root 1933 Jun 29 01:43 kubelet.conf
drwx------ 2 root root 113 Jun 29 01:42 manifests
drwxr-xr-x 3 root root 4096 Jun 29 01:42 pki
-rw------- 1 root root 5541 Jun 29 01:42 scheduler.conf # scheduler config file
[root@k8s-master kubernetes]# cat admin.conf
apiVersion: v1
clusters: # cluster-related information
- cluster: # API server CA certificate
    certificate-authority-data: <base64 data omitted>
    server: https://192.168.4.170:6443
  name: kubernetes # cluster name
contexts: # a context ties a cluster to a user; within one file they are not one-to-one, a single user can manage multiple clusters
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes # the cluster/user binding currently in use
kind: Config
preferences: {}
users:
- name: kubernetes-admin # user-related information
  user: # the user's token / private key
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
Three different ways to specify the kubeconfig file
- Method 1: specify the config file
[root@k8s-master ~]# kubectl --kubeconfig=/etc/kubernetes/admin.conf get pod # specify the config path; this is also the file the cluster initialization prompt tells us to copy to the home directory
NAME READY STATUS RESTARTS AGE
centos-deployment-66d8cd5f8b-9x47c 1/1 Running 1 44h
demodb-0 1/1 Running 0 21h
demodb-1 1/1 Running 0 19h
- Method 2: specify it through an environment variable
[root@k8s-master ~]# export KUBECONFIG=/etc/kubernetes/admin.conf # set through the environment variable
[root@k8s-master ~]# echo $KUBECONFIG
/etc/kubernetes/admin.conf
- Method 3: copy it to the home directory
- The cluster initialization prompt tells us to copy the file to the home directory
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.4.170:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:d31662998938389c1f9e432a0c7bcef7d05678b42c2f5fd67213ed228f356db2
Common commands for inspecting the kubeconfig file
[root@k8s-master ~]# kubectl config -h
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"
The loading order follows these rules:
1. If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
and no merging takes place.
2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
delimiting rules for your system). These paths are merged. When a value is modified, it is modified
in the file that defines the stanza. When a value is created, it is created in the first file that
exists. If no files in the chain exist, then it creates the last file in the list.
3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.
Available Commands:
current-context Displays the current-context
delete-cluster Delete the specified cluster from the kubeconfig
delete-context Delete the specified context from the kubeconfig
get-clusters Display clusters defined in the kubeconfig
get-contexts Describe one or many contexts
rename-context Renames a context from the kubeconfig file.
set Sets an individual value in a kubeconfig file
set-cluster Sets a cluster entry in kubeconfig
set-context Sets a context entry in kubeconfig
set-credentials Sets a user entry in kubeconfig
unset Unsets an individual value in a kubeconfig file
use-context Sets the current-context in a kubeconfig file
view Display merged kubeconfig settings or a specified kubeconfig file
- Show the default config
[root@k8s-master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    server: ""
  name: /etc/kubernetes/admin.conf
- cluster:
    server: ""
  name: etc/kubernetes/admin.conf
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Show the context information of a specific config file
[root@k8s-master ~]# kubectl config get-contexts --kubeconfig=/etc/kubernetes/scheduler.conf
CURRENT   NAME                               CLUSTER      AUTHINFO                NAMESPACE
*         system:kube-scheduler@kubernetes   kubernetes   system:kube-scheduler
Example 1: creating a kubeconfig file for an authenticated account with openssl
- Creating a private key
We use the openssl tool for X.509 authentication, which supports mutual (two-way) authentication, and have Kubernetes' own CA sign the certificate. In the Kubernetes component directory there is only one ca.crt, because the certificates of all components are issued by the api-server's CA; if we want our own key to be authenticated by the api-server, the certificate has to be issued by this CA as well.
[root@k8s-master pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
- Create the private key
[root@k8s-master kubernetes]# mkdir usercerts
[root@k8s-master kubernetes]# cd usercerts/
[root@k8s-master usercerts]# (umask 077; openssl genrsa -out tom.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master usercerts]# ls
tom.key
- Next, create the certificate. A self-signed certificate made from this private key will not work; we need to create a certificate signing request and have it signed by the Kubernetes CA.
- Commonly used openssl options
-days validity period
-CA the CA certificate to use
-CAkey the CA's private key
-CAcreateserial let the CA generate its own serial number
-in the file to be signed
-out the output file
[root@k8s-master usercerts]# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in tom.csr -out tom.crt
Signature ok
subject=/CN=tom/O=kubeusers
Getting CA Private Key
[root@k8s-master usercerts]# openssl x509 -in tom.crt -text -noout # show the certificate details
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
bc:c3:53:df:96:10:ec:ed
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Aug 24 00:35:05 2021 GMT
Not After : Aug 27 00:35:05 2031 GMT
Subject: CN=tom, O=kubeusers
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:c9:3d:ac:3a:b3:9d:38:58:f1:d9:c6:21:c5:
d5:57:d1:a5:5d:0a:92:a1:88:3e:3c:2d:8d:2d:20:
b1:a4:d1:07:03:7e:72:48:dd:d9:7e:4b:b6:fc:35:
46:b9:60:82:c2:36:30:7d:04:8c:83:b5:7c:8a:b1:
20:7d:f4:b3:5c:29:f4:e0:2b:67:96:5d:b8:a6:ba:
4a:0c:7e:4f:6b:34:82:5b:7d:1a:8c:26:ed:91:dd:
62:9f:37:68:70:14:a4:cf:ea:b0:51:b3:56:9e:d6:
1d:64:32:66:8c:c1:9e:40:4b:20:1c:0a:8b:2c:c8:
94:be:10:95:29:7f:8b:6e:a1:03:32:11:31:de:c6:
d1:8c:64:a8:43:4b:0b:ad:ff:64:e1:17:4d:55:fe:
04:9f:a5:59:2b:e5:13:5e:0d:2b:c1:c7:45:f8:b3:
a7:ad:da:dc:e8:aa:22:5a:37:e6:ce:75:8e:bc:e3:
1e:eb:95:db:be:14:dd:43:1b:51:e6:94:21:10:81:
1c:b5:e3:2d:3e:12:b6:78:14:d4:90:8a:06:32:7e:
ef:90:7b:e7:26:60:38:6c:52:04:bc:91:e1:3f:db:
8b:8a:05:39:ad:74:99:e1:80:ae:58:d6:4a:6d:7d:
64:a3:bc:16:b8:7c:d6:08:33:b8:23:56:35:75:18:
bb:57
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
40:fe:1b:d7:c1:67:bf:15:21:be:ac:0e:fb:32:a3:1e:58:e5:
c8:2a:3f:3a:21:87:23:9c:14:dc:05:39:fb:5f:f8:1e:f3:66:
98:54:48:1c:25:c1:b5:bc:1c:be:7d:d6:86:7d:09:ae:7c:40:
2d:cd:0b:5d:29:7f:67:ec:51:1b:c3:97:d3:a2:17:d4:96:04:
17:ba:aa:79:ff:0e:d0:53:2c:81:a3:8e:05:0b:a5:f5:12:0c:
f8:38:f1:fb:6e:bf:7b:1b:40:f0:dc:b1:5e:b1:a8:c8:fc:ec:
92:c5:fb:6b:76:ff:7c:ab:f5:ea:94:89:8a:fd:47:cf:c8:8a:
b6:f3:42:19:b9:b2:74:41:de:bf:66:7e:b3:e2:78:8e:e1:db:
ac:85:2b:ed:8d:c1:55:16:0f:15:8c:72:7b:0d:7e:31:ce:06:
ce:2e:d3:9f:77:60:22:4e:11:32:33:b6:28:d5:93:2f:c9:a5:
4c:f6:1f:4f:7d:e7:66:e0:74:14:c4:c8:de:c1:26:1e:56:db:
29:54:35:b9:3b:24:8b:5f:f5:81:af:30:27:f4:1f:99:a5:aa:
8d:f3:91:c4:4f:3e:3d:12:a9:a5:85:44:0b:17:19:2a:ac:ea:
50:3f:39:31:c5:ef:15:04:f7:bf:11:a3:57:af:8f:ce:8d:d1:
d7:5e:c4:31
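The complete key, CSR and signing sequence from this section, as an added example that is not the post's own set of commands. It runs against a throwaway CA created in a temporary directory as a stand-in for /etc/kubernetes/pki/ca.crt and ca.key, so it works on any machine with openssl; make_user_cert and cert_identity are names chosen for this example. It fills in the certificate signing request step that the post describes but does not show, and the second function makes the point that matters for the cluster: kube-apiserver reads the user name from the certificate's CN and the user's groups from its O fields, so whatever subject the cluster CA signs becomes a trusted identity, which is why the CA key deserves the same protection as admin.conf.

```shell
#!/bin/sh
# Added example, not the post's own commands. Reproduces the key -> CSR -> CA-signed
# certificate flow from the post against a throwaway CA created in DIR. On a real
# cluster the CA is the one kubeadm created (/etc/kubernetes/pki/ca.crt and ca.key);
# the CA made here is a constructed stand-in for it.

# make_user_cert DIR USER GROUP
# Produces DIR/USER.key, DIR/USER.csr and DIR/USER.crt with subject /CN=USER/O=GROUP.
# kube-apiserver takes the user name from CN and the group membership from O, so the
# values placed in the CSR are exactly the identity the cluster will trust.
make_user_cert() {
    dir=$1; user=$2; group=$3
    if [ ! -f "$dir/ca.crt" ]; then
        # constructed stand-in CA, in place of /etc/kubernetes/pki/ca.crt and ca.key
        (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null) || return 1
        openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=kubernetes" -days 365 \
            -out "$dir/ca.crt" 2>/dev/null || return 1
    fi
    # private key with mode 0600, as the post's (umask 077; openssl genrsa ...) does
    (umask 077; openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null) || return 1
    # certificate signing request: the step the post describes but does not show
    openssl req -new -key "$dir/$user.key" -subj "/CN=$user/O=$group" \
        -out "$dir/$user.csr" 2>/dev/null || return 1
    # sign the CSR with the CA: the same openssl x509 -req invocation the post uses
    openssl x509 -req -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$user.csr" -out "$dir/$user.crt" 2>/dev/null || return 1
}

# cert_identity CERT CA
# Prints "user=<CN> groups=<O,...>", the identity kube-apiserver derives from CERT,
# but only after CERT verifies against CA; a certificate from an unrelated CA fails.
cert_identity() {
    cert=$1; ca=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline)
    cn=$(printf '%s\n' "$subject" | sed -n 's/^ *CN=//p')
    o=$(printf '%s\n' "$subject" | sed -n 's/^ *O=//p' | paste -s -d , -)
    printf 'user=%s groups=%s\n' "$cn" "$o"
}

# Stand-alone run:
#   DIR=$(mktemp -d) && make_user_cert "$DIR" tom kubeusers && cert_identity "$DIR/tom.crt" "$DIR/ca.crt"
# prints: user=tom groups=kubeusers
```

The verification step in cert_identity is the same check the API server performs with the CA from certificate-authority-data: a client certificate is only meaningful when it chains to the cluster CA, and the 3655-day validity used in the post means a leaked tom.key stays usable for ten years unless the certificate is replaced, since Kubernetes has no built-in revocation for client certificates.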
- Generate the kubeconfig file: configure the cluster information, stored at /tmp/mykubeconfig
[root@k8s-master core]# kubectl config set-cluster kubernetes --server=https://k8s-master:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.
[root@k8s-master ~]# cat /tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster: # the cluster's authentication information
    certificate-authority-data: <base64 data omitted>
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: "" # the context information is empty
kind: Config
preferences: {}
users: null # no users yet
- Configure the cluster user tom
[root@k8s-master ~]# kubectl config set-credentials --help # a user can authenticate in several ways
...
Usage:
kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile]
[--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name]
[--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg]
[--exec-env=key=value] [options]
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true --kubeconfig=/tmp/mykubeconfig
User "tom" set.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: tom # the added user tom
  user:
    client-certificate-data: REDACTED # data hidden; this is the effect of --embed-certs=true
    client-key-data: REDACTED # data hidden
- Add a context that binds the cluster to the user
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes # the user is bound to the cluster through the context
current-context: ""
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Switch the context so that the authenticated user is tom
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes --kubeconfig=/tmp/mykubeconfig
Switched to context "tom@kubernetes"
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: tom@kubernetes # current user
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master usercerts]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
- The error above is an authorization problem: authentication has already succeeded, which is all this example set out to do. Authorization is covered in the next section.
Example 2: merging the certificate into the kubeconfig (the tom.crt certificate was created in Example 1)
- The cluster does not need to be created again; the default config file already contains it
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true
User "tom" set.
- Create the context in the default kubeconfig
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes # default context
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes # newly created context
current-context: kubernetes-admin@kubernetes # current context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom # newly created user
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Switch the current context to tom@kubernetes
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes
Switched to context "tom@kubernetes".
[root@k8s-master usercerts]# kubectl get pod # reports that the user has no permission
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"
- Use the previous context explicitly
[root@k8s-master usercerts]# kubectl get nodes --context=kubernetes-admin@kubernetes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready <none> 56d v1.19.9
k8s-node2 Ready <none> 56d v1.19.9
k8s-node3 Ready <none> 19d v1.19.9
[root@k8s-master usercerts]# kubectl config use-context kubernetes-admin@kubernetes # change the default context back
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master usercerts]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 56d v1.19.9
k8s-node1 Ready <none> 56d v1.19.9
k8s-node2 Ready <none> 56d v1.19.9
k8s-node3 Ready <none> 19d v1.19.9
- Delete the context and the user
[root@k8s-master usercerts]# kubectl config delete-context tom@kubernetes
[root@k8s-master usercerts]# kubectl config delete-user tom
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- Merge config files through the environment variable
[root@k8s-master usercerts]# export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- On top of the merge done through the environment variable, the --merge --flatten options flatten the merged view, collapsing duplicate entries, and can be used to write a new config file
[root@k8s-master usercerts]# kubectl config view --merge --flatten > /tmp/newkubeconfig
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/newkubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
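An added example, not code from the post or from kubectl, that models three things shown above: the clusters/contexts/users structure of a kubeconfig, the $KUBECONFIG loading rules printed by `kubectl config -h` (the first file to set a value or a named entry wins), and the merged view from `export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig`, in which the cluster named kubernetes keeps the first file's server address and both contexts appear. It works on already-parsed kubeconfig data as plain dicts (the shape a YAML parser returns) so it runs without extra libraries; the two sample configs are constructed to mirror the post's $HOME/.kube/config and /tmp/mykubeconfig, the base64 values are placeholders, and the function names are this example's own. check_kubeconfig adds the checks a reviewer of a merged file wants: dangling context references, a cluster with no CA or with TLS verification disabled, and a user entry with no credential.

```python
"""Added example (not from the original post): model kubeconfig merging and
lint the cluster/context/user bindings. Uses plain dicts instead of YAML."""
from copy import deepcopy

# Constructed stand-in for $HOME/.kube/config (the admin.conf kubeadm tells us to copy).
HOME_CONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"certificate-authority-data": "CA-BASE64-PLACEHOLDER",
                              "server": "https://192.168.4.170:6443"}}],
    "contexts": [{"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "current-context": "kubernetes-admin@kubernetes",
    "users": [{"name": "kubernetes-admin",
               "user": {"client-certificate-data": "ADMIN-CERT-BASE64-PLACEHOLDER",
                        "client-key-data": "ADMIN-KEY-BASE64-PLACEHOLDER"}}],
}

# Constructed stand-in for /tmp/mykubeconfig after "use-context tom@kubernetes".
MY_CONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"certificate-authority-data": "CA-BASE64-PLACEHOLDER",
                              "server": "https://k8s-master:6443"}}],
    "contexts": [{"name": "tom@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "tom"}}],
    "current-context": "tom@kubernetes",
    "users": [{"name": "tom",
               "user": {"client-certificate-data": "TOM-CERT-BASE64-PLACEHOLDER",
                        "client-key-data": "TOM-KEY-BASE64-PLACEHOLDER"}}],
}

NAMED_SECTIONS = ("clusters", "contexts", "users")


def merge_kubeconfigs(configs):
    """Merge configs in $KUBECONFIG order with kubectl's rule: the first file to set
    a value or a named entry wins; later files only contribute entries that are new."""
    merged = {"apiVersion": "v1", "kind": "Config", "preferences": {},
              "current-context": "", **{s: [] for s in NAMED_SECTIONS}}
    for cfg in configs:
        for section in NAMED_SECTIONS:
            known = {entry["name"] for entry in merged[section]}
            for entry in cfg.get(section) or []:
                if entry["name"] not in known:   # same name later: earlier file's entry is kept whole
                    merged[section].append(deepcopy(entry))
                    known.add(entry["name"])
        if not merged["current-context"] and cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]   # first file to set it wins
    return merged


def resolve_context(cfg, name=None):
    """Return (server, credential dict) for the named (or current) context: the
    cluster/user binding that a context entry expresses."""
    name = name or cfg.get("current-context")
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts") or []}
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters") or []}
    users = {u["name"]: u["user"] for u in cfg.get("users") or []}
    ctx = contexts[name]
    return clusters[ctx["cluster"]]["server"], users[ctx["user"]]


def check_kubeconfig(cfg):
    """Lint a kubeconfig for the mistakes that matter for authentication: dangling
    references, a cluster with no CA or with TLS verification switched off, and a
    user entry that carries no credential. Returns a list of problem strings."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters") or []}
    users = {u["name"]: u["user"] for u in cfg.get("users") or []}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts") or []}
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            problems.append(f"context {name}: unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            problems.append(f"context {name}: unknown user {ctx.get('user')!r}")
    for name, cl in clusters.items():
        if cl.get("insecure-skip-tls-verify"):
            problems.append(f"cluster {name}: insecure-skip-tls-verify disables server identity checks")
        elif not (cl.get("certificate-authority") or cl.get("certificate-authority-data")):
            problems.append(f"cluster {name}: no CA configured, the server certificate cannot be validated")
    for name, u in users.items():
        has_cert = (("client-certificate" in u or "client-certificate-data" in u)
                    and ("client-key" in u or "client-key-data" in u))
        has_other = (any(k in u for k in ("token", "tokenFile", "exec", "auth-provider"))
                     or ("username" in u and "password" in u))
        if not (has_cert or has_other):
            problems.append(f"user {name}: no client credential configured")
    current = cfg.get("current-context")
    if current and current not in contexts:
        problems.append(f"current-context {current!r} does not exist")
    return problems


if __name__ == "__main__":
    merged = merge_kubeconfigs([HOME_CONFIG, MY_CONFIG])
    print("current-context:", merged["current-context"])
    print("contexts:", [c["name"] for c in merged["contexts"]])
    print("problems:", check_kubeconfig(merged))
```

Swapping the order of the two files in the list flips the outcome: the cluster then keeps https://k8s-master:6443 and current-context becomes tom@kubernetes, which is exactly why the order of paths in $KUBECONFIG matters when a file from an untrusted source is appended to it.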
Posted in: kubernetes
2021-12-01