X509认证
1.创建用户的私钥
# 创建放用户证书的目录
root@k8s-master01:~# cd /etc/kubernetes
root@k8s-master01:/etc/kubernetes# mkdir usercerts
root@k8s-master01:/etc/kubernetes# cd usercerts/
# 创建一个私钥;放在子shell中先设置umask 077,保证生成的私钥文件只有属主可读写
root@k8s-master01:/etc/kubernetes/usercerts# (umask 077; openssl genrsa -out darius.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
.....................+++++
e is 65537 (0x010001)
2.基于私钥创建一个证书签署请求,此签署请求需要被k8s的CA所签署
# 生成证书签署请求。需要注意:k8s会把证书中的CN作为用户名、O作为组名使用,后续RBAC授权也基于这两个字段
root@k8s-master01:/etc/kubernetes/usercerts# openssl req -new -key darius.key -out darius.csr -subj "/CN=darius/O=kubeusers"
root@k8s-master01:/etc/kubernetes/usercerts# ls
darius.csr darius.key
3.将用户的证书签署请求,使用k8s的CA签署成证书
# 签署时需要指定k8s CA的证书、CA的私钥,以及CA自己维护的序列号(-CAcreateserial会在序列号文件不存在时自动创建)。-days 决定证书有效期,k8s不支持吊销客户端证书,因此有效期不宜设置过长。
root@k8s-master01:/etc/kubernetes/usercerts# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in darius.csr -out darius.crt
Signature ok
subject=CN = darius, O = kubeusers
Getting CA Private Key
# 可以使用以下命令查看证书的详细信息
root@k8s-master01:/etc/kubernetes/usercerts# openssl x509 -in darius.crt -text -noout
自制kubeconfig文件尝试认证到k8s
1.设定集群信息
# 设定集群信息:指定集群名字、集群API服务器地址、k8s的CA证书(--embed-certs会把CA证书内容直接嵌入),最后指定要生成的kubeconfig文件。
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-cluster kubernetes --server=https://kube-api:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.
# 查看kubeconfig内信息
root@k8s-master01:/etc/kubernetes/usercerts# cat /tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://kube-api:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
2.设定用户信息
# 设定用户信息时需要指定用户名;此处使用x509认证,所以还需要指定用户的证书和私钥。--embed-certs=true表示把证书和私钥的内容直接嵌入kubeconfig文件,因此生成的kubeconfig本身就是用户凭据,需要限制文件权限、妥善保管。最后指定kubeconfig文件路径。
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-credentials darius --client-certificate=darius.crt --client-key=darius.key --embed-certs=true --kubeconfig=/tmp/mykubeconfig
User "darius" set.
# 查看kubeconfig文件
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: darius
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
3.设定用户和集群的关联关系
# 设定context(用户与集群的关联关系)的名称,指定用户、指定集群、指定kubeconfig文件
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-context 'darius@kubernetes' --user=darius --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "darius@kubernetes" created.
# 查看kubeconfig信息
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts:
- context: # context信息被建立
cluster: kubernetes
user: darius
name: darius@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: darius
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
4.设定当前使用的context
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config use-context darius@kubernetes --kubeconfig=/tmp/mykubeconfig
Switched to context "darius@kubernetes".
# 查看kubeconfig信息
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: darius
name: darius@kubernetes
current-context: darius@kubernetes # 当前使用的为darius@kubernetes
kind: Config
preferences: {}
users:
- name: darius
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
5.kubeconfig文件已经创建完毕,尝试使用此文件进行认证
root@k8s-master01:/etc/kubernetes/usercerts# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "darius" cannot list resource "nodes" in API group "" at the cluster scope
# 认证已经没有问题:API服务器已识别出用户"darius",返回Forbidden是因为该用户尚未通过RBAC(RoleBinding/ClusterRoleBinding)获得权限,属于授权而非认证失败。