[英]How to create a user in a Kubernetes cluster?
I'm trying to create a user in a Kubernetes cluster. 我正在尝试在Kubernetes集群中创建用户。
I spinned up 2 droplets on DigitalOcean using a Terraform script of mine. 我使用我的Terraform脚本在DigitalOcean上旋转了2个水滴。
Then I logged in the master node droplet using ssh
: 然后我使用
ssh
登录主节点ssh
:
doctl compute ssh droplet1
Following this, I created a new cluster and a namespace in it: 在此之后,我在其中创建了一个新的集群和命名空间:
kubectl create namespace thalasoft
I created a user role in the role-deployment-manager.yml
file: 我在
role-deployment-manager.yml
文件中创建了一个用户角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: thalasoft
name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
and executed the command: 并执行命令:
kubectl create -f role-deployment-manager.yml
I created a role grant in the rolebinding-deployment-manager.yml
file: 我在
rolebinding-deployment-manager.yml
文件中创建了角色授权:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: deployment-manager-binding
namespace: thalasoft
subjects:
- kind: User
name: stephane
apiGroup: ""
roleRef:
kind: Role
name: deployment-manager
apiGroup: ""
and executed the command: kubectl create -f rolebinding-deployment-manager.yml 并执行命令:kubectl create -f rolebinding-deployment-manager.yml
Here is my terminal output: 这是我的终端输出:
Last login: Wed Dec 19 10:48:48 2018 from 90.191.151.182
root@droplet1:~# kubectl create namespace thalasoft
namespace/thalasoft created
root@droplet1:~# vi role-deployment-manager.yml
root@droplet1:~# kubectl create -f role-deployment-manager.yml
role.rbac.authorization.k8s.io/deployment-manager created
root@droplet1:~# vi rolebinding-deployment-manager.yml
root@droplet1:~# kubectl create -f rolebinding-deployment-manager.yml
rolebinding.rbac.authorization.k8s.io/deployment-manager-binding created
root@droplet1:~#
Now I'd like to first create a user in the cluster, and then configure the client kubectl
with this user so as to operate from my laptop and avoid logging via ssh̀
to the droplet. 现在我想首先在集群中创建一个用户,然后使用该用户配置客户端
kubectl
,以便从我的笔记本电脑进行操作,并避免通过ssh̀
到kubectl
。
I know I can configure a user in the kubectl
client: 我知道我可以在
kubectl
客户端中配置用户:
# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane
# Configure the client with a user credentials
cd;
kubectl config set-credentials stephane --client-certificate=.ssh/id_rsa.pub --client-key=.ssh/id_rsa
But this is only some client side configuration as I understand. 但据我所知,这只是一些客户端配置。
UPDATE: I could add a user credentials with a certificate signed by the Kubernetes CA, running the following commands on the droplet hosting the Kubernetes master node: 更新:我可以使用Kubernetes CA签名的证书添加用户凭据,在托管Kubernetes主节点的Droplet上运行以下命令:
# Create a private key
openssl genrsa -out .ssh/thalasoft.key 4096
# Create a certificate signing request
openssl req -new -key .ssh/thalasoft.key -out .ssh/thalasoft.csr -subj "/CN=stephane/O=thalasoft"
# Sign the certificate
export CA_LOCATION=/etc/kubernetes/pki/
openssl x509 -req -in .ssh/thalasoft.csr -CA $CA_LOCATION/ca.crt -CAkey $CA_LOCATION/ca.key -CAcreateserial -out .ssh/thalasoft.crt -days 1024
# Configure a cluster in the client
kubectl config set-cluster digital-ocean-cluster --server=https://${MASTER_IP}:6443 --insecure-skip-tls-verify=true
# Configure a user in the client
# Copy the key and the certificate to the client
scp -o "StrictHostKeyChecking no" root@165.227.171.72:.ssh/thalasoft.* .
# Configure the client with a user credentials
kubectl config set-credentials stephane --client-certificate=.ssh/thalasoft.crt --client-key=.ssh/thalasoft.key
# Create a context, that is, a user against a namespace of a cluster, in the client configuration
kubectl config set-context digital-ocean-context --cluster=digital-ocean-cluster --namespace=digital-ocean-namespace --user=stephane
But this is only some client side configuration as I understand.
但据我所知,这只是一些客户端配置。
What command I should use to create the user ?
我应该用什么命令来创建用户?
Kubernetes doesn't provide user management. Kubernetes不提供用户管理。 This is handled through x509 certificates that can be signed by your cluster CA.
这是通过可由群集CA签名的x509证书来处理的。
First, you'll need to create a Key: 首先,您需要创建一个密钥:
openssl genrsa -out my-user.key 4096
Second, you'll need to create a signing request: 其次,您需要创建签名请求:
openssl req -new -key my-user.key -out my-user.csr -subj "/CN=my-user/O=my-organisation"
Third, sign the certificate request: 三,签署证书申请:
openssl x509 -req -in my-user.csr -CA CA_LOCATION/ca.crt -CAkey CA_LOCATION/ca.key -CAcreateserial -out my-user.crt -days 500
ca.crt
and ca.key
is the same cert/key provided by kubeadm
or within your master configuration. ca.crt
和ca.key
是kubeadm
或主配置中提供的相同证书/密钥。
You can then give this signed certificate to your user, along with their key, and then can configure access with: 然后,您可以将此签名证书及其密钥提供给用户,然后可以使用以下命令配置访问权限:
kubectl config set-credentials my-user --client-certificate=my-user.crt --client-key=my-user.key
kubectl config set-context my-k8s-cluster --cluster=cluster-name --namespace=whatever --user=my-user
Bitnami provide a great resource that explains all of this: Bitnami提供了一个很好的资源来解释所有这些:
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.