Published: 2023-02-02 00:05:54


Foreword: this article is hands-on. It covers:
a demo of API Server authentication with a token;
a demo of API Server authentication with a kubeconfig file;
a demo of creating a kubeconfig file.

Only someone who can "do their utmost and leave the rest to fate" can keep an even temper for good. ----- 《季羨林談人生》 (Ji Xianlin on Life)

API Server authentication management

In a Kubernetes cluster, every access to and change of a resource goes through the REST API of the Kubernetes API Server, so the key to cluster security is how authentication and authorization are done.

A simple demo: on the master node, the root user can query the API Server directly with kubectl and get cluster information, but when we log in as another user we do not have that ability. This is a Kubernetes authentication question.

The root user can access the cluster normally:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$kubectl get pods
NAME                                                  READY   STATUS        RESTARTS       AGE
liruilong-grafana-5955564c75-zpbjq                    3/3     Terminating   0              8h
liruilong-kube-prometheus-operator-5cb699b469-fbkw5   1/1     Terminating   0              8h
liruilong-prometheus-node-exporter-vm7s9              1/1     Terminating   2 (109m ago)   8h
prometheus-liruilong-kube-prometheus-prometheus-0     2/2     Terminating   0              8h
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$

Switching to the tom user, access fails: the error says the location of the cluster API cannot be found. Why is that?

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$su tom
[tom@vms81 k8s-helm-create]$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[tom@vms81 k8s-helm-create]$ exit
exit

To demonstrate authentication we need to install the kubectl client tool on a machine outside the cluster, so that it can talk to the cluster's entry point, the API Server.

┌──[root@liruilongs.github.io]-[~]
└─$ yum install -y kubectl-1.22.2-0 --disableexcludes=kubernetes

kubectl cluster-info shows the cluster's connection information:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$kubectl cluster-info
Kubernetes control plane is running at https://192.168.26.81:6443
CoreDNS is running at https://192.168.26.81:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://192.168.26.81:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$

A Kubernetes cluster offers three levels of client identity authentication:

HTTP Token authentication: a legitimate user is identified by a token.
HTTPS certificate authentication: mutual (two-way) digital certificate authentication, based on certificates signed by the CA root certificate.
HTTP Basic authentication: authentication by username + password; this applies only to versions before 1.19, later versions no longer support it.

Below we go through Token and SSL (certificate) authentication. Basic authentication is no longer supported in newer Kubernetes versions, so we do not cover it. We will also answer the question above about a regular user accessing the cluster.

HTTP Token authentication

HTTP Token authentication identifies the client with a token: a long, specially encoded string that is hard to forge.

Each token corresponds to a username and is stored in a file the API Server can read. When a client makes an API call it puts the token in the HTTP header, and the API Server can then tell legitimate users from illegitimate ones.

When the API server is started with the --token-auth-file=SOMEFILE option, it reads bearer tokens from that file. Currently, tokens last indefinitely, and the token list cannot be changed without restarting the API server. Below we demonstrate user authentication with a static token.

Generate a token with openssl:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$openssl rand -hex 10
4bf636c8214b7ff0a0fb

The token file is a CSV file with at least 3 columns: token, username, user UID. Any remaining columns are treated as optional group names. Note that the token file has to be placed under /etc/kubernetes/pki for this to work; presumably that is the default location tokens are read from (on a kubeadm cluster the kube-apiserver runs as a static pod, and /etc/kubernetes/pki is one of the host directories mounted into it, so a file elsewhere on the host is not visible to the server).

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$echo "4bf636c8214b7ff0a0fb,admin2,3" > /etc/kubernetes/pki/liruilong.csv
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$cat /etc/kubernetes/pki/liruilong.csv
4bf636c8214b7ff0a0fb,admin2,3
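The lookup the API server performs against a token file of this shape, written out as an added example (not code from the original post): it parses the CSV as described above, reports rows a reviewer should question, and resolves an Authorization header to a user. The sample file, the extra rows in it and the minimum-length threshold are constructed for this example.

```python
"""Static token file (--token-auth-file) parser and bearer-token lookup.

Added example, not part of the original post. Format, as the post describes:
CSV rows of  token,username,uid[,"group1,group2"]  where the optional fourth
column is a comma-separated, double-quoted group list.
"""
import csv
import hmac
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample file: the post's 20-hex-char token, a longer token with
# groups, and a deliberately short one for the checks below to catch.
SAMPLE_TOKEN_FILE = """\
4bf636c8214b7ff0a0fb,admin2,3
0f3b1c9d2e4a5b6c7d8e9f0a1b2c3d4e5f607182,deploy-bot,1001,"system:serviceaccounts,ci"
short,tester,42
"""

# Assumed review threshold (not from the post or Kubernetes): 32 hex chars is
# 128 bits of randomness; `openssl rand -hex 10` in the post yields 80 bits.
MIN_TOKEN_CHARS = 32


@dataclass
class TokenUser:
    name: str
    uid: str
    groups: List[str] = field(default_factory=list)


def parse_token_file(text: str) -> Tuple[Dict[str, TokenUser], List[str]]:
    """Parse the CSV into token -> user, returning findings for rows with too
    few columns, duplicate tokens (first row wins) and short tokens."""
    users: Dict[str, TokenUser] = {}
    findings: List[str] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3:
            findings.append(f"line {lineno}: expected at least 3 columns, got {len(row)}")
            continue
        token, name, uid = (col.strip() for col in row[:3])
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        if token in users:
            findings.append(f"line {lineno}: token already issued to {users[token].name!r}")
            continue
        if len(token) < MIN_TOKEN_CHARS:
            findings.append(f"line {lineno}: token for {name!r} is only {len(token)} chars")
        users[token] = TokenUser(name, uid, groups)
    return users, findings


def authenticate(users: Dict[str, TokenUser], authorization: Optional[str]) -> Optional[TokenUser]:
    """Resolve an HTTP Authorization header to a user; None means 401 Unauthorized.
    Tokens are compared with hmac.compare_digest to avoid timing differences."""
    if not authorization:
        return None
    scheme, _, presented = authorization.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return None
    for token, user in users.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return user
    return None


if __name__ == "__main__":
    table, problems = parse_token_file(SAMPLE_TOKEN_FILE)
    for problem in problems:
        print("finding:", problem)
    print(authenticate(table, "Bearer 4bf636c8214b7ff0a0fb"))  # admin2; RBAC then decides (403 in the post)
    print(authenticate(table, "Bearer 4bf636c8214b7ff0a0f"))   # None; 401 Unauthorized, as the post shows
```

Authentication only maps a token to an identity; whether admin2 may list pods is the separate authorization step that produces the Forbidden error later in the post.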

Add the kube-apiserver startup parameter with sed: - --token-auth-file=/etc/kubernetes/pki/liruilong.csv

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$sed '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/liruilong.csv' /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 command
    - command:
    - kube-apiserver
    - --advertise-address=192.168.26.81
    - --allow-privileged=true
    - --token-auth-file=/etc/kubernetes/liruilong.csv
    - --authorization-mode=Node,RBAC
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$sed -i '17a \ \ \ \ - --token-auth-file=/etc/kubernetes/pki/liruilong.csv' /etc/kubernetes/manifests/kube-apiserver.yaml

Check the modified startup parameters:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$cat -n /etc/kubernetes/manifests/kube-apiserver.yaml | grep -A 5 command
    14	    - command:
    15	    - kube-apiserver
    16	    - --advertise-address=192.168.26.81
    17	    - --allow-privileged=true
    18	    - --token-auth-file=/etc/kubernetes/pki/liruilong.csv
    19	    - --authorization-mode=Node,RBAC
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$

Restart the kubelet service so the static pod picks up the new manifest:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$systemctl restart kubelet
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-helm-create]
└─$

Confirm the cluster is still reachable:

┌──[root@vms81.liruilongs.github.io]-[/etc/kubernetes/pki]
└─$kubectl get nodes
NAME                         STATUS     ROLES                  AGE   VERSION
vms81.liruilongs.github.io   Ready      control-plane,master   34d   v1.22.2
vms82.liruilongs.github.io   Ready      <none>                 34d   v1.22.2
vms83.liruilongs.github.io   NotReady   <none>                 34d   v1.22.2
┌──[root@vms81.liruilongs.github.io]-[/etc/kubernetes/pki]
└─$

Now query the cluster from the client machine outside the cluster. We are told that the user admin2 has no permission to access the resource: authentication succeeded, the user is simply not authorized.

┌──[root@liruilongs.github.io]-[~]
└─$ kubectl -s="https://192.168.26.81:6443" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0fb" get pods -n kube-system
Error from server (Forbidden): pods is forbidden: User "admin2" cannot list resource "pods" in API group "" in the namespace "kube-system"
┌──[root@liruilongs.github.io]-[~]
└─$

Here we alter the token string slightly so that it no longer matches an entry in the cluster's token file. The server responds that we are not authorized (Unauthorized), i.e. authentication itself failed.

┌──[root@liruilongs.github.io]-[~]
└─$ kubectl -s="https://192.168.26.81:6443" --insecure-skip-tls-verify=true --token="4bf636c8214b7ff0a0f" get pods -n kube-system
error: You must be logged in to the server (Unauthorized)

kubeconfig file authentication

Back to our earlier question: why can the root user read cluster information while the tom user cannot? This comes down to kubeconfig file authentication.

When the cluster was created with kubeadm, you may remember the file admin.conf shown below. This is the kubeconfig file that kubeadm generated for us.

┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$ll /etc/kubernetes/admin.conf
-rw------- 1 root root 5676 12月 13 02:13 /etc/kubernetes/admin.conf
┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$

Copy this file into the tom user's home directory and change its ownership:

┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$cp /etc/kubernetes/admin.conf ~tom/
┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$chown tom:tom ~tom/admin.conf

Now, by pointing kubectl at this file with --kubeconfig=admin.conf, tom can read cluster information:

[tom@vms81 home]$ cd tom/
[tom@vms81 ~]$ ls
admin.conf
[tom@vms81 ~]$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[tom@vms81 ~]$ kubectl get pods -A --kubeconfig=admin.conf
NAMESPACE       NAME                                        READY   STATUS    RESTARTS         AGE
ingress-nginx   ingress-nginx-controller-744d4fc6b7-t9n4l   1/1     Running   6 (8h ago)       44h
kube-system     calico-kube-controllers-78d6f96c7b-85rv9    1/1     Running   193              31d
kube-system     calico-node-6nfqv                           1/1     Running   254              34d
kube-system     calico-node-fv458                           0/1     Running   50               34d
kube-system     calico-node-h5lsq                           1/1     Running   94 (7h10m ago)   34d
kube-system     ..........................

So what exactly is a kubeconfig file? The official documentation describes it like this:

Use kubeconfig files to organize information about clusters, users, namespaces, and authentication mechanisms. The kubectl command-line tool uses kubeconfig files to find the information it needs to choose a cluster and communicate with the API server of a cluster.

In other words, kubectl uses the kubeconfig to communicate with the cluster's API server, much as the token did above; the HTTPS certificate authentication we are about to discuss lives in this file.

By default, kubectl looks for a file named config in the $HOME/.kube directory.

┌──[root@vms81.liruilongs.github.io]-[~]
└─$ls ~/.kube/config
/root/.kube/config
┌──[root@vms81.liruilongs.github.io]-[~]
└─$ll ~/.kube/config
-rw------- 1 root root 5663 1月 16 02:33 /root/.kube/config

After copying the kubeconfig file into $HOME/.kube and renaming it to config, tom can still access the cluster:

[tom@vms81 ~]$ ls
admin.conf
[tom@vms81 ~]$ cp admin.conf .kube/config
[tom@vms81 ~]$ kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS         AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   193              31d
calico-node-6nfqv                          1/1     Running   254              34d
calico-node-fv458                          0/1     Running   50               34d
calico-node-h5lsq                          1/1     Running   94 (7h13m ago)   34d
.......

Another kubeconfig file can also be selected by setting the KUBECONFIG environment variable or by passing the --kubeconfig flag.

[tom@vms81 ~]$ export KUBECONFIG=admin.conf
[tom@vms81 ~]$ kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS         AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   193              31d
calico-node-6nfqv                          1/1     Running   254              34d
calico-node-fv458                          0/1     Running   50               34d
calico-node-h5lsq                          1/1     Running   94 (7h11m ago)   34d
..............

When nothing is set, tom has no kubeconfig file, hence no credentials, and cannot access the cluster:

[tom@vms81 ~]$ unset KUBECONFIG
[tom@vms81 ~]$ kubectl get pods -n kube-system
The connection to the server localhost:8080 was refused - did you specify the right host or port?

View the configuration stored in the kubeconfig file:

┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.26.81:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: liruilong-rbac-create
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
┌──[root@vms81.liruilongs.github.io]-[~/.kube]
└─$

So to access cluster information from a client machine, all we need is to copy this kubeconfig file onto it.

Creating a kubeconfig file

A kubeconfig file consists of the following parts:

Cluster information: the cluster CA certificate and the cluster address.
Context information: all contexts and the current context.
User information: the user's CA-issued certificate and the user's private key.

To create a kubeconfig file we need a private key and a certificate issued by the cluster CA. We cannot produce the certificate (the public half) directly from the private key; instead we use the private key to generate a certificate signing request (the application form), submit that request to the CA (the authority), and the CA issues the certificate (the ID card) once it has approved the request.

Environment preparation

┌──[root@vms81.liruilongs.github.io]-[~/ansible]
└─$kubectl create ns liruilong-rbac-create
namespace/liruilong-rbac-create created
┌──[root@vms81.liruilongs.github.io]-[~/ansible]
└─$mkdir k8s-rbac-create;cd k8s-rbac-create
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl config set-context $(kubectl config current-context) --namespace=liruilong-rbac-create
Context "kubernetes-admin@kubernetes" modified.
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$

Requesting a certificate

Generate a 2048-bit private key file, liruilong.key:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$openssl genrsa -out liruilong.key 2048
Generating RSA private key, 2048 bit long modulus
....................+++
...........................................................................................................+++
e is 65537 (0x10001)

View the private key file:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$cat liruilong.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAt9OBnwaA3VdFfjdiurJPtcaiXOGPc1AWFmrlgocq4vT5WZgq
................................................................
LHd0n1yCKpwbYMGghF4iGmEGIIdsCVZP+EV6lduPKjqEm9kjuLROKzRZHFoGyASO
Krb3VR4CKHvnZAPVctv7Pu+4JgMliJHl8GVYhqM5UykbLRMdNHSNIQ==
-----END RSA PRIVATE KEY-----
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$

Use the private key liruilong.key we just generated to create the certificate signing request file liruilong.csr. The CN value here, liruilong, is the user we will authorize later.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$openssl req -new -key liruilong.key -out liruilong.csr -subj "/CN=liruilong/O=cka2020"
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$ls
liruilong.csr  liruilong.key

Base64-encode the certificate signing request file:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$cat liruilong.csr | base64 |tr -d "\n"
LS0tLS1CRUdJTiBDRVJUSUZJ...............

Write the YAML for the CertificateSigningRequest object: cat csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: liruilong
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: LS0tLS1CRUdJTiBDRVJUSUZJ...............
  usages:
  - client auth

The request field holds the base64-encoded CSR file.

Submit the certificate request

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl apply -f csr.yaml
certificatesigningrequest.certificates.k8s.io/liruilong created

View the submitted certificate signing request:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl get csr
NAME        AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
liruilong   15s   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Pending

Approve the certificate:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl certificate approve liruilong
certificatesigningrequest.certificates.k8s.io/liruilong approved

View the approved certificate:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl get csr/liruilong -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"liruilong"},"spec":{"request":"...............","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2022-01-16T15:25:24Z"
  name: liruilong
  resourceVersion: "1185668"
  uid: 51837659-7214-4dec-bcd4-b7a9129ee2bb
spec:
  groups:
  - system:masters
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2F6Q0NBVk1DQVFBd0pqRVNNQkFHQTFVRUF3d0piR2x5ZFdsc2IyNW5NUkF3RGdZRFZRUUtEQWRqYTJFeQpNREl3TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpCnVySlB0Y2FpWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1IKb1Eybk83K3FnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VgphZTIwcXFBRXpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvCnN4UkFFNXlrWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTkKSE5NWTkweUhYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUNwptSzhKeHdJREFRQUJvQUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUFwa09aUUNTTGxGYWJTVk9zNmtzL1ZyCmd3b3FTdjFOM1YzUC84SmNzR1pFUTc4TkpJb2R0REExS3EwN25DWjJWUktselZDN1kyMCszZUVzTXZNWnFMc1MKbUtaS0w2SFE3N2RHa1liUjhzKzRMaFo4YXR6cXVMSnlqZUZKODQ2N1ZrUXF5T1R6by9wZ3E4YWJJY01XNzlKMgoxWEkybi92RWlIMEgvWU9DaWExVHRqTnpSWGtlL2hPQTZ4Y29CcVRpdWtkUHBqZDJSaWFTRUNUS1h4ZGNOS0xLCmZVbFhkb2s5UkVkQ2V3bU9ISUdvVG9qUGRWdWlPdkYzZkFqUXZNNDJ3UjJDdklHMWs1YUQzdWVlbzcwd0pnUlQKYzhZNnUwY2padEI5ZW5xUStmRFFqdUUyZElrMDJLbm5HQVppK0wxUnRnSnA2Tm1udEg5WUc3RlBLSXYrakFZPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDekNDQWZPZ0F3SUJBZ0lRUC9aR05rUjdzVy9sdHhkQTNGQjBoekFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURFeE5qRTFNakV3TWxvWERUSXpNREV4TmpFMQpNakV3TWxvd0pqRVFNQTRHQTFVRUNoTUhZMnRoTWpBeU1ERVNNQkFHQTFVRUF4TUpiR2x5ZFdsc2IyNW5NSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpdXJKUHRjYWkKWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1JvUTJuTzcrcQpnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VmFlMjBxcUFFCnpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvc3hSQUU1eWsKWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTlITk1ZOTB5SApYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUN21LOEp4d0lECkFRQUJvMFl3UkRBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWQKSXdRWU1CYUFGR0RjS1N1dVY1TTV5Wk5CR1AxLzZoN0xZNytlTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCagpOelREMmZ5bTc3bXQ4dzlacXRZN3NQelhmNHJQTXpWUzVqV3NzenpidlhEUzhXcFNMWklIYkQ3VU9vYlYxcFYzClYzRW02RXlpWUEvbjhMYTFRMnZra0EyUDk1d3JqWlBuemZIeUhWVFpCTUY4YU1MSHVpVHZ5WlVVV0JYMTg1UFAKQ2MxRncwanNmVThJMDBzbUNOeURBZjVMejFjRUVrNWlGYUswMDJRblUyNk5lcDF3U3BMcVZWWVptSW9UVU9DOApCNzNpU3J6Y0wyVmdBejRCaUQxdUVlUkFMM20zRTB2VVpsQjduKzF1MllrNDFCajdGYnpWR2w1dFpYT3hDMVhxCjJVc0hSbmkzY1VYZ203QlloZDU3aTFHclRRRFJpckRwVFV1RDB3ZlFYTjZLdEx1TmVDYUc0alc4ZTl4QkQrTjIKOFE4Z25UZjdPSEI3VWZkUzVnMWQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  conditions:
  - lastTransitionTime: "2022-01-16T15:26:02Z"
    lastUpdateTime: "2022-01-16T15:26:01Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved

Export the certificate file:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl get csr liruilong -o jsonpath='{.status.certificate}'| base64 -d > liruilong.crt

給用戶授權(quán),這里給 liruilong 一個(gè)集群角色 cluster-role(類似于root一樣的角色),這樣 liruilong 具有管理員權(quán)限

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl create clusterrolebinding test --clusterrole=cluster-admin --user=liruilong
clusterrolebinding.rbac.authorization.k8s.io/test created
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$

Creating the kubeconfig file

Copy the CA certificate:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$ls
csr.yaml        # CertificateSigningRequest YAML
liruilong.crt   # public key (certificate file)
liruilong.csr   # certificate signing request file
liruilong.key   # private key
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$ls /etc/kubernetes/pki/
apiserver.crt              apiserver.key                 ca.crt   front-proxy-ca.crt      front-proxy-client.key  sa.pub
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key   front-proxy-ca.key      liruilong.csv
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd     front-proxy-client.crt  sa.key
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$cp /etc/kubernetes/pki/ca.crt .

Set the cluster field, which holds the cluster name, the server address and the cluster CA certificate:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl config --kubeconfig=kc1 set-cluster cluster1 --server=https://192.168.26.81:6443 --certificate-authority=ca.crt --embed-certs=true
Cluster "cluster1" set.

Create a context, context1, for the cluster above:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl config --kubeconfig=kc1 set-context context1 --cluster=cluster1 --namespace=default --user=liruilong
Context "context1" created.

--embed-certs=true means the certificate contents are written into this kubeconfig file rather than referenced by path. Now set the user field, which holds the username, the user certificate and the user private key:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl config --kubeconfig=kc1 set-credentials liruilong --client-certificate=liruilong.crt --client-key=liruilong.key --embed-certs=true
User "liruilong" set.

View the kubeconfig file we created:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$cat kc1
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1USXhNakUyTURBME1sb1hEVE14TVRJeE1ERTJNREEwTWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkdkCisrWnhFRDJRQlR2Rm5ycDRLNFBrd2lsYXUrNjdXNTVobVdwc09KSHF6ckVoWUREY3l4ZTU2Z1VJVDFCUTFwbU0KcGFrM0V4L0JZRStPeHY4ZmxtellGbzRObDZXQjl4VXovTW5HQi96dHZsTGpaVEVHZy9SVlNIZTJweCs2MUlSMQo2Mkh2OEpJbkNDUFhXN0pmR3VXNDdKTXFUNTUrZUNuR00vMCtGdnI2QUJnT2YwNjBSSFFuaVlzeGtpSVJmcjExClVmcnlPK0RFTGJmWjFWeDhnbi9tcGZEZ044cFgrVk9FNFdHSDVLejMyNDJtWGJnL3A0emd3N2NSalpSWUtnVlUKK2VNeVIyK3pwaTBhWW95L2hLYmg4RGRUZ3FZeERDMzR6NHFoQ3RGQnVia1hmb3Ftc3FGNXpQUm1ZS051RUgzVAo2c1FNSFl4emZXRkZvSGQ2Y0JNQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZHRGNLU3V1VjVNNXlaTkJHUDEvNmg3TFk3K2VNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRVE0SUJhM0hBTFB4OUVGWnoyZQpoSXZkcmw1U0xlanppMzkraTdheC8xb01SUGZacElwTzZ2dWlVdHExVTQ2V0RscTd4TlFhbVVQSFJSY1RrZHZhCkxkUzM5Y1UrVzk5K3lDdXdqL1ZrdzdZUkpIY0p1WCtxT1NTcGVzb3lrOU16NmZxNytJUU9lcVRTbGpWWDJDS2sKUFZxd3FVUFNNbHFNOURMa0JmNzZXYVlyWUxCc01EdzNRZ3N1VTdMWmg5bE5TYVduSzFoR0JKTnRndjAxdS9MWAo0TnhKY3pFbzBOZGF1OEJSdUlMZHR1dTFDdEFhT21CQ2ZjeTBoZHkzVTdnQXh5blR6YU1zSFFTamIza0JDMkY5CkpWSnJNN1FULytoMStsOFhJQ3ZLVzlNM1FlR0diYm13Z1lLYnMvekswWmc1TE5sLzFJVThaTUpPREhTVVBlckQKU09ZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.26.81:6443
  name: cluster1
contexts:
- context:
    cluster: cluster1
    namespace: default
    user: liruilong
  name: context1
current-context: ""
kind: Config
preferences: {}
users:
- name: liruilong
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURDekNDQWZPZ0F3SUJBZ0lRUC9aR05rUjdzVy9sdHhkQTNGQjBoekFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl5TURFeE5qRTFNakV3TWxvWERUSXpNREV4TmpFMQpNakV3TWxvd0pqRVFNQTRHQTFVRUNoTUhZMnRoTWpBeU1ERVNNQkFHQTFVRUF4TUpiR2x5ZFdsc2IyNW5NSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0OU9CbndhQTNWZEZmamRpdXJKUHRjYWkKWE9HUGMxQVdGbXJsZ29jcTR2VDVXWmdxd1g5T0RvSnpDREJZZVFJQ3h0Wm5uUk9XY1B2dVB6K1JvUTJuTzcrcQpnNUNjZzlWZmVOWFRwUDB0VXZsQ21ZVVg2dkRDdlgxUDR3VnNFdXNydlZBdkF4NmdqZTZzNW94VmFlMjBxcUFFCnpTUXJhczhPeldsZ1Frd0xjNU5MZ2k3bWlpNHNzaVpQRXU1ZFZIRWs5dHdCeUZTV0dsanJETkhvc3hSQUU1eWsKWjBnODBWSzN1U1JNNmFHSEJ0QmVpbysxa2d0U0xDMlVScy9QWUwwRGNSQm9zUUx0c3JublFSMTlITk1ZOTB5SApYN3Jta3ZqcHdOdkRZWjNIWUVvbGJQZThWZjhBTFpsbDVBTnJ5SUJqbXNrY01QM2lRMzdxWGZUN21LOEp4d0lECkFRQUJvMFl3UkRBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWQKSXdRWU1CYUFGR0RjS1N1dVY1TTV5Wk5CR1AxLzZoN0xZNytlTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCagpOelREMmZ5bTc3bXQ4dzlacXRZN3NQelhmNHJQTXpWUzVqV3NzenpidlhEUzhXcFNMWklIYkQ3VU9vYlYxcFYzClYzRW02RXlpWUEvbjhMYTFRMnZra0EyUDk1d3JqWlBuemZIeUhWVFpCTUY4YU1MSHVpVHZ5WlVVV0JYMTg1UFAKQ2MxRncwanNmVThJMDBzbUNOeURBZjVMejFjRUVrNWlGYUswMDJRblUyNk5lcDF3U3BMcVZWWVptSW9UVU9DOApCNzNpU3J6Y0wyVmdBejRCaUQxdUVlUkFMM20zRTB2VVpsQjduKzF1MllrNDFCajdGYnpWR2w1dFpYT3hDMVhxCjJVc0hSbmkzY1VYZ203QlloZDU3aTFHclRRRFJpckRwVFV1RDB3ZlFYTjZLdEx1TmVDYUc0alc4ZTl4QkQrTjIKOFE4Z25UZjdPSEI3VWZkUzVnMWQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: ...............
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$

Set the kubeconfig file's current context to the context created earlier:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$sed 's#current-context: ""#current-context: "context1"#' kc1 | grep current-context
current-context: "context1"
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$sed -i 's#current-context: ""#current-context: "context1"#' kc1
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$cat kc1 | grep current-context
current-context: "context1"
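What the three kubectl config set-* steps and the sed fix-up above produce, as an added example in Python (not the post's code): it builds the same clusters/contexts/users structure with --embed-certs style base64 fields, then lints it for the problems that make kubectl fail (the empty current-context the post had to patch, dangling references) or weaken TLS. The PEM byte strings are constructed placeholders standing in for ca.crt, liruilong.crt and liruilong.key, not real certificates.

```python
"""Build and lint a kubeconfig with the structure the post assembles by hand.

Added example, not part of the original post. The CA, client certificate and
key are constructed placeholder bytes, not real PEM material.
"""
import base64
import json
from typing import Any, Dict, List

CA_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA-CERT\n-----END CERTIFICATE-----\n"
CLIENT_CRT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT-CERT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----\n"


def embed(pem: bytes) -> str:
    """--embed-certs=true stores file contents base64-encoded in the *-data fields."""
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(cluster: str, server: str, ca_pem: bytes, user: str, crt_pem: bytes,
                     key_pem: bytes, context: str, namespace: str = "default") -> Dict[str, Any]:
    """Equivalent of set-cluster, set-credentials and set-context on an empty file.
    current-context is left empty, exactly as kubectl left it in the post."""
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": embed(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": embed(crt_pem), "client-key-data": embed(key_pem)}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": "",
    }


def lint_kubeconfig(cfg: Dict[str, Any]) -> List[str]:
    """Findings worth checking before the file is copied to a client machine: empty or
    dangling current-context, contexts naming undefined clusters or users, non-https
    servers, and server certificate verification switched off or impossible."""
    findings: List[str] = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    current = cfg.get("current-context", "")
    if not current:
        findings.append("current-context is empty; kubectl needs --context or a sed fix-up")
    elif current not in contexts:
        findings.append(f"current-context {current!r} is not a defined context")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name!r} references undefined cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            findings.append(f"context {name!r} references undefined user {ctx.get('user')!r}")
    for name, cl in clusters.items():
        if not str(cl.get("server", "")).startswith("https://"):
            findings.append(f"cluster {name!r} server is not https")
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name!r} disables server certificate verification")
        elif not (cl.get("certificate-authority") or cl.get("certificate-authority-data")):
            findings.append(f"cluster {name!r} has no CA to verify the server with")
    return findings


if __name__ == "__main__":
    kc1 = build_kubeconfig("cluster1", "https://192.168.26.81:6443", CA_PEM,
                           "liruilong", CLIENT_CRT_PEM, CLIENT_KEY_PEM, "context1")
    print(lint_kubeconfig(kc1))        # empty current-context, as in the post before the sed step
    kc1["current-context"] = "context1"
    print(lint_kubeconfig(kc1))        # []
    print(json.dumps(kc1, indent=2))   # JSON is a YAML subset, so kubectl --kubeconfig loads it
```

The same linter run over the token demo's settings would flag --insecure-skip-tls-verify=true: embedding ca.crt in the kubeconfig, as done here, is what lets the client verify it is talking to the real API server.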

The kubeconfig file is now complete; next we verify it.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl auth can-i list pods --as liruilong   # check whether liruilong may list pods in the current namespace
yes
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$kubectl auth can-i list pods -n kube-system --as liruilong   # check whether liruilong may list pods in the kube-system namespace
yes
┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$

Copy the kubeconfig (with its embedded certificates) to the client machine:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/k8s-rbac-create]
└─$scp kc1 root@192.168.26.55:~

On the client machine, test access with the kubeconfig specified explicitly:

┌──[root@liruilongs.github.io]-[~]
└─$ kubectl --kubeconfig=kc1 get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS        AGE
calico-kube-controllers-78d6f96c7b-85rv9   1/1     Running   194 (14h ago)   33d
calico-node-6nfqv                          0/1     Running   255 (14h ago)   35d
calico-node-fv458                          0/1     Running   50              35d
calico-node-h5lsq                          1/1     Running   94 (38h ago)    35d
............
┌──[root@liruilongs.github.io]-[~]
└─$

With that, a kubeconfig file has been created from scratch and verified from a client machine.
