1 安装cfssl
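# Install the cfssl toolchain used in section 2 to sign the read-only client certificate.
#
# Security notes for this step:
#  - R1.2 is a 2016 release.  Prefer the current release from the cloudflare/cfssl
#    GitHub releases page and pin it via CFSSL_VERSION.
#  - The downloads are not integrity-checked here.  Compare the SHA-256 sums printed
#    at the end against the checksums published with the release before trusting
#    the binaries with the cluster CA key.
#  - /nfs/k8s-backup is an NFS export; the private key generated in section 2.2 is
#    written into this same directory.  Generate key material on local disk with
#    restrictive permissions and copy only the certificate / kubeconfig out.
set -euo pipefail

CFSSL_VERSION="R1.2"
CFSSL_BASE_URL="https://pkg.cfssl.org/${CFSSL_VERSION}"
WORK_DIR="/nfs/k8s-backup/readonly"

mkdir -p "${WORK_DIR}"
cd "${WORK_DIR}"

for tool in cfssl cfssljson cfssl-certinfo; do
  # -O writes straight to the final name, replacing the wget + mv pair.
  wget -O "${tool}" "${CFSSL_BASE_URL}/${tool}_linux-amd64"
  # Mark only the three downloaded binaries executable.  The original
  # "chmod +x *" also touched every other file in the directory, including
  # any key material placed here later.
  chmod 0755 "${tool}"
done

# Print digests for manual comparison with the upstream-published checksums.
sha256sum cfssl cfssljson cfssl-certinfo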
2 签发客户端证书
根据 CA 证书和私钥签发用户证书。kubeadm 安装的集群默认把 CA 证书和私钥存放在 /etc/kubernetes/pki 目录下。注意：用集群 CA 私钥签出的证书在到期之前 API Server 会一直信任（kube-apiserver 不支持 CRL 吊销），所以证书有效期应尽量短，而且 ca.key 只应保留在 master 节点上，不要复制到共享目录。
2.1 准备客户端密钥证书配置信息
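# CSR for the read-only user.  "CN" becomes the Kubernetes username and every
# "O" entry becomes a group name; the RBAC binding in section 4.2 targets the
# group "develop:readonly".  "hosts" is empty on purpose: this is a client
# certificate, not a server certificate, so it needs no SANs.
cat << 'EOF' > readonly.json
{
  "CN": "readonly",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "HangZhou",
      "O": "develop:readonly",
      "OU": "develop"
    }
  ]
}
EOF

# Signing profile.  Only "client auth" is needed to authenticate to the API
# server; the original profile also carried "server auth", which would let
# this certificate be presented as a TLS server.  Least privilege: drop it.
# Keep the lifetime short (2160h = 90 days): certificates signed by the
# cluster CA cannot be revoked, because kube-apiserver does not consult CRLs,
# so expiry is the only thing that stops a leaked key.
cat << 'EOF' > ca-config-readonly.json
{
  "signing": {
    "default": {
      "expiry": "2160h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ],
        "expiry": "2160h"
      }
    }
  }
}
EOF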
2.2 生成只读用户证书
# Sign the CSR with the kubeadm cluster CA.  NOTE(review): anything signed by
# ca.key is accepted by the API server until it expires -- kube-apiserver does
# not check CRLs -- so a leaked readonly-key.pem can only be neutralised by the
# 2160h expiry or by rotating the cluster CA.  Keep ca.key on the master only.
# ./cfssl gencert --ca /etc/kubernetes/pki/ca.crt --ca-key /etc/kubernetes/pki/ca.key --config ca-config-readonly.json --profile=kubernetes readonly.json |./cfssljson --bare readonly
2020/03/08 11:17:57 [INFO] generate received request
2020/03/08 11:17:57 [INFO] received CSR
2020/03/08 11:17:57 [INFO] generating key: rsa-2048
2020/03/08 11:17:57 [INFO] encoded CSR
2020/03/08 11:17:57 [INFO] signed certificate with serial number 144939808458130834730761969493502017713428328313
# The "hosts" warning below is expected and harmless for a client certificate:
# SANs only matter for server certificates, and the CSR left "hosts" empty.
2020/03/08 11:17:57 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master01 readonly]# ll
总用量 18832
-rw-r--r-- 1 root root 386 3月 8 11:17 ca-config-readonly.json
-rwxr-xr-x 1 root root 10376657 3月 30 2016 cfssl
-rwxr-xr-x 1 root root 6595195 3月 30 2016 cfssl-certinfo
-rwxr-xr-x 1 root root 2277873 3月 30 2016 cfssljson
-rw-r--r-- 1 root root 1021 3月 8 11:17 readonly.csr
-rw-r--r-- 1 root root 237 3月 8 11:17 readonly.json
# readonly-key.pem is created 0600 (good), but this directory lives under
# /nfs/k8s-backup, an NFS export: anyone who can read the share holds the
# user's credential.  Generate on local disk, or move the key out afterwards.
-rw------- 1 root root 1679 3月 8 11:17 readonly-key.pem
-rw-r--r-- 1 root root 1257 3月 8 11:17 readonly.pem
[root@master01 readonly]#
3 生成Kubernetes只读配置文件
3.1 初始化配置
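# Build readonly.kubeconfig in one pass.  Sections 3.2-3.5 below repeat the
# same four steps one at a time and show how the file grows after each.
set -euo pipefail

KUBE_API_SERVER="https://192.168.19.20:6443"
KUBECONFIG_OUT="readonly.kubeconfig"
CA_CERT="/etc/kubernetes/pki/ca.crt"

# The kubeconfig will contain the user's private key once --embed-certs runs,
# so make sure it is created owner-only regardless of the caller's umask
# (this directory is on a shared NFS export).
umask 077

# Cluster entry: API server address plus the CA the client verifies it with.
kubectl config set-cluster kubernetes \
  --server="${KUBE_API_SERVER}" \
  --certificate-authority="${CA_CERT}" \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_OUT}"

# User entry: the client certificate and key signed in section 2.2.
# --embed-certs inlines both, so from here on the kubeconfig IS the
# credential: hand it over through a trusted channel and keep it 0600.
# The original also passed --certificate-authority here; that appears to be
# a global kubectl flag rather than a set-credentials option and is not
# stored in the user entry (the CA is attached to the cluster entry above),
# so it is dropped.
kubectl config set-credentials develop-readonly \
  --client-certificate=readonly.pem \
  --client-key=readonly-key.pem \
  --embed-certs=true \
  --kubeconfig="${KUBECONFIG_OUT}"

# Context: pairs the cluster entry with the user entry.
kubectl config set-context default-system \
  --cluster=kubernetes \
  --user=develop-readonly \
  --kubeconfig="${KUBECONFIG_OUT}"

kubectl config use-context default-system --kubeconfig="${KUBECONFIG_OUT}"

# Confirm the mode is still 0600 before distributing the file.
ls -l "${KUBECONFIG_OUT}"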
3.2 设置集群参数
# Step 1: cluster entry.  --embed-certs copies ca.crt into the kubeconfig so
# the file is self-contained.  The listing below shows it is created 0600;
# keep it that way, the next step embeds the user's private key into it.
kubectl config set-cluster kubernetes --server=${KUBE_API_SERVER} \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--kubeconfig=readonly.kubeconfig
# ls -l readonly.kubeconfig
-rw------- 1 root root 1571 3月 8 11:20 readonly.kubeconfig
3.3 设置客户端认证参数
# Step 2: user entry.  With --embed-certs the client certificate AND the
# private key are inlined (the file grows from 1571 to 5567 bytes below), so
# from here on readonly.kubeconfig is the credential itself: distribute it
# over a trusted channel, never commit it, and keep the 0600 mode.
# NOTE(review): --certificate-authority here appears to be a global kubectl
# flag rather than a set-credentials option; the CA was already attached to
# the cluster entry in 3.2, so this flag is redundant on this command.
kubectl config set-credentials develop-readonly \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--client-key=readonly-key.pem \
--client-certificate=readonly.pem \
--kubeconfig=readonly.kubeconfig
# ls -l readonly.kubeconfig
-rw------- 1 root root 5567 3月 8 11:23 readonly.kubeconfig
3.4 设置上下文参数
# Step 3: context entry, pairing the cluster entry from 3.2 with the user
# entry from 3.3.  No namespace is set, so kubectl defaults to "default";
# the ClusterRoleBinding in section 4.2 grants access in every namespace.
kubectl config set-context default-system --cluster=kubernetes \
--user=develop-readonly \
--kubeconfig=readonly.kubeconfig
# ls -l readonly.kubeconfig
-rw------- 1 root root 5647 3月 8 11:27 readonly.kubeconfig
3.5 设置默认上下文
# Step 4: make default-system the current context so the file works with
# plain "kubectl --kubeconfig=readonly.kubeconfig ...".  Verify the mode is
# still 0600 before handing the file to the developer.
kubectl config use-context default-system --kubeconfig=readonly.kubeconfig
# ls -l readonly.kubeconfig
-rw------- 1 root root 5659 3月 8 11:28 readonly.kubeconfig
可以看到上面每个操作之后 readonly.kubeconfig 的文件大小都在变化，查看文件内容也会发现每一步都写入了不同的信息。注意 --embed-certs=true 会把客户端私钥直接写进这个文件，因此该文件本身就是凭据，要保持 0600 权限并通过可信渠道分发。
- cluster: 集群信息，包含 API Server 地址与用于校验它的 CA 证书
- user: 用户信息，即客户端证书与私钥；真正的用户名和组来自证书里的 CN 和 O 字段，kubeconfig 里的 user 名字只是给人看的标识
- context: 维护一个三元组：namespace、cluster 与 user
4 创建角色
4.1 创建cluster-readonly角色
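# ClusterRole for the "develop:readonly" group.
#
# The original rule set was not read-only:
#  - it granted "create" on pods and on pods/exec, pods/attach, pods/portforward
#    and pods/proxy, i.e. running commands in any container in the cluster and
#    creating pods;
#  - it granted read access to every Secret, including service-account tokens,
#    which is a direct privilege-escalation path;
#  - it granted services/proxy, which reaches any in-cluster service through
#    the API server.
# Those grants are removed here.  Give them out separately, with a namespaced
# Role, only where a developer genuinely needs them.  The built-in "view"
# ClusterRole draws the same line (no secrets, no exec/proxy subresources).
cat << 'EOF' > readonly-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is deprecated and removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: cluster-readonly
rules:
- apiGroups:
  - ""
  resources:             # pods: read-only, including logs and status
  - pods
  - pods/log
  - pods/status
  verbs:                 # no "create": exec/attach/portforward are not read-only
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:             # secrets and services/proxy intentionally omitted (see header)
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - namespaces/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps                 # daemonsets/replicasets added: they moved out of "extensions" in 1.16
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io    # ingresses live here on current clusters
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions           # kept for clusters older than 1.16
  resources:
  - daemonsets
  - deployments
  - ingresses
  - replicasets
  verbs:
  - get
  - list
  - watch
EOF
kubectl apply -f readonly-rbac.yaml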
- apiGroups: 资源对象所属的 apiGroups,可以通过kubectl api-versions查看
- resources: 资源对象, 可以通过kubectl api-resources查看
- verbs: 对资源对象所具备的权限
注意：上面原始的 ClusterRole 里已经包含了 pods、pods/exec、pods/attach、pods/portforward 的 create 权限，这并不是"只读"——能 exec 进任意容器，就能读到容器里挂载的 Secret 和 ServiceAccount token，再加上对所有 Secret 的 get/list，相当于可以接管整个集群。如果开发者确实需要命令行终端，应在对应的命名空间里用单独的 Role 授予 pods/exec 的 get、create 权限，而不是放进集群级的只读角色。
4.2 绑定用户角色
创建一个 ClusterRoleBinding，把 cluster-readonly 角色绑定到组 develop:readonly 上。这个组名来自客户端证书的 O 字段（见 2.1 节），API Server 会把证书里的 O 映射为用户所属的组，因此以后任何用同一个 O 签出的证书都会自动获得这个绑定。ClusterRoleBinding 在所有命名空间生效；若只想开放部分命名空间，应改用 RoleBinding。
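# Bind the role to the group, not to an individual user.  The "O" field of
# the client certificate ("develop:readonly", section 2.1) is what the API
# server maps to the group name, so every further certificate issued with
# the same "O" inherits this binding -- issue such certificates deliberately.
# A ClusterRoleBinding applies in every namespace; switch to a RoleBinding
# if developers should only see a subset of namespaces.
cat << 'EOF' > clusterroleing.yaml
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 is deprecated and removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: develop:readonly
EOF
kubectl apply -f clusterroleing.yaml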