如何在Kubernetes集群中创建用户?
[英]How to create a user in a Kubernetes cluster?
问题描述
I'm trying to create a user in a Kubernetes cluster. 
我正在尝试在Kubernetes集群中创建用户。
I spinned up 2 droplets on DigitalOcean using a Terraform script of mine. 我使用我的Terraform脚本在DigitalOcean上旋转了2个水滴。
Then I logged in the master node droplet using ssh : 然后我使用ssh登录主节点ssh :
doctl compute ssh droplet1
Following this, I created a new cluster and a namespace in it: 在此之后,我在其中创建了一个新的集群和命名空间:
kubectl create namespace thalasoft
I created a user role in the role-deployment-manager.yml file: 我在role-deployment-manager.yml文件中创建了一个用户角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: thalasoft
name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
and executed the command: 并执行命令:
kubectl create -f role-deployment-manager.yml
I created a role grant in the rolebinding-deployment-manager.yml file: 我在rolebinding-deployment-manager.yml文件中创建了角色授权:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: deployment-manager-binding
namespace: thalasoft
subjects:
- kind: User
name: stephane
apiGroup: ""
roleRef:
kind: Role
name: deployment-manager
apiGroup: ""
and executed the command: kubectl create -f rolebinding-deployment-manager.yml 并执行命令:kubectl create -f rolebinding-deployment-manager.yml
Here is my terminal output: 这是我的终端输出:
Last login: Wed Dec 19 10:48:48 2018 from 90.191.151.182
root@droplet1:~# kubectl create namespace thalasoft
namespace/thalasoft created
root@droplet1:~# vi role-deployment-manager.yml
root@droplet1:~# kubectl create -f role-deployment-manager.yml
role.rbac.authorization.k8s.io/deployment-manager created
root@droplet1:~# vi rolebinding-deployment-manager.yml
root@droplet1:~# kubectl create -f rolebinding-deployment-manager.yml
rolebinding.rbac.authorization.k8s.io/deployment-manager-binding created
root@droplet1:~#
Now I'd like to first create a user in the cluster, and then configure the client kubectl with this user so as to operate from my laptop and avoid logging via ssh̀ to the droplet. 现在我想首先在集群中创建一个用户,然后使用该用户配置客户端kubectl ,以便从我的笔记本电脑进行操作,并避免通过ssh̀到kubectl 。
I know I can configure a user in the kubectl client: 我知道我可以在kubectl客户端中配置用户:
# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane
# Configure the client with a user credentials
cd;
kubectl config set-credentials stephane --client-certificate=.ssh/id_rsa.pub --client-key=.ssh/id_rsa
But this is only some client side configuration as I understand. 但据我所知,这只是一些客户端配置。
UPDATE: I could add a user credentials with a certificate signed by the Kubernetes CA, running the following commands on the droplet hosting the Kubernetes master node: 更新:我可以使用Kubernetes CA签名的证书添加用户凭据,在托管Kubernetes主节点的Droplet上运行以下命令:
# Create a private key
openssl genrsa -out .ssh/thalasoft.key 4096
# Create a certificate signing request
openssl req -new -key .ssh/thalasoft.key -out .ssh/thalasoft.csr -subj "/CN=stephane/O=thalasoft"
# Sign the certificate
export CA_LOCATION=/etc/kubernetes/pki/
openssl x509 -req -in .ssh/thalasoft.csr -CA $CA_LOCATION/ca.crt -CAkey $CA_LOCATION/ca.key -CAcreateserial -out .ssh/thalasoft.crt -days 1024
# Configure a cluster in the client
kubectl config set-cluster digital-ocean-cluster --server=https://${MASTER_IP}:6443 --insecure-skip-tls-verify=true
# Configure a user in the client
# Copy the key and the certificate to the client
scp -o "StrictHostKeyChecking no" root@165.227.171.72:.ssh/thalasoft.* .
# Configure the client with a user credentials
kubectl config set-credentials stephane --client-certificate=.ssh/thalasoft.crt --client-key=.ssh/thalasoft.key
# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane
1 个解决方案
解决方案1
3 已采纳 2018-12-19 13:03:22
But this is only some client side configuration as I understand.
What command I should use to create the user ?
Kubernetes doesn't provide user management. Kubernetes不提供用户管理。 This is handled through x509 certificates that can be signed by your cluster CA. 这是通过可由群集CA签名的x509证书来处理的。
First, you'll need to create a Key: 首先,您需要创建一个密钥:
openssl genrsa -out my-user.key 4096
Second, you'll need to create a signing request: 其次,您需要创建签名请求:
openssl req -new -key my-user.key -out my-user.csr -subj "/CN=my-user/O=my-organisation"
Third, sign the certificate request: 三,签署证书申请:
openssl x509 -req -in my-user.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out my-user.crt -days 500
ca.crt and ca.key is the same cert/key provided by kubeadm or within your master configuration. ca.crt和ca.key是kubeadm或主配置中提供的相同证书/密钥。
You can then give this signed certificate to your user, along with their key, and then can configure access with: 然后,您可以将此签名证书及其密钥提供给用户,然后可以使用以下命令配置访问权限:
kubectl config set-credentials my-user --client-certificate=my-user.crt --client-key=my-user.key
kubectl config set-context my-k8s-cluster --cluster=cluster-name --namespace=whatever --user=my-user
Bitnami provide a great resource that explains all of this: Bitnami提供了一个很好的资源来解释所有这些:
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.