k8s 创建普通用户访问dashboard

签发用户证书

创建私钥

# (umask 077; openssl genrsa -out user1.key 2048)

创建CSR文件

下面的脚本展示了如何生成 PKI 私钥和 CSR。 设置 CSR 的 CN 和 O 属性很重要。CN 是用户名，O 是该用户归属的组。

# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=developers"

获取CSR文件base64编码

# cat user1.csr | base64 | tr -d "\n"

LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FqQ0NBVklDQVFBd0pURU9NQXdHQTFVRUF3d0ZkWE5sY2pFeEV6QVJCZ05WQkFvTUNtUmxkbVZzYjNCbApjbk13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzNGZkdGRm9hWnRxVFVnQUxiCmdZSjJBNU9ncmRHczJhK0FHWTl6NzNRcU1lczg2dUg5dForcTJiSk44TXZRYXlPUk9IVnJBQ3J2STBJQkxoK3IKbENESllRVms3YytkL0JaTWhDa3M2em5RU0ZMQndzdGJNRkIySVY5OXdXNzUwUlVMcnRYREUzTk8vRzdnWmpxaQpjWFdheERJYmw1Vjk4ZS92M2NGWk9aOXc5MnRSeDZJNUJQWUEwSlFiYTQ2QkllOTBFdmYzL1VMamJSS1lXTm1OCkZudnYwOXlqR21pU2M5OEpDRGtHTXptY0NRWjd5U1lRdzdFK3JVRVdjblM5clNQaURyMGJ0eWVhQU9YVjNxNkIKdHpmbW15T2NTWjVMKzVsV1NCTllyY2Q4TTVudXp1R204UjBqV3E1UWlDRlpmN3YzVzFDeVpGR0grYk5WUDkxYQpnTUx2QWdNQkFBR2dBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBYlMrbkJlaWVFK2o1bmF6YnNyWDZYVXpzCjMvZkpCOTN0MjVxcWE4bk94bWIyeUFMQjFkb090R1pndUt1Wi8zbE1DZk9Yd1RWTGN6WjVEbjJoY05Qa0ErbmsKUjF2bzNqZ0VuVGQ3ZTdaS1FhQkg2Z092Z2xPM01oWVhiK0xSUGFDUVJwRGs2NEdCL1dFYkpQK1RodzhSZVJheApmS3dlS3BDcXc5cDkySm9LQXRHYVgzVEdqR2ZJSHduNjhvcngxTzRQc0NkSnV6NElRNHpyLytJZkY0bE8welN6CjFCQjdGakhmemVmZ1B2M25pQjRDL2U0VDZTU21WbkEwaE4rYWZYd3FKbEtYV0pmeGJaaS9EQWN4SFQ1WXU3SC8KT0RwMlI5clR2bUJudHJVOFZJcHVlZkUvOFhCbWV4b01UelpwRFBmK1hQa0h3eXhSbDhwTFkzWVZ4NnU3NXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K

user1-csr.yaml

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user1
  namespace: demoapp
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2FqQ0NBVklDQVFBd0pURU9NQXdHQTFVRUF3d0ZkWE5sY2pFeEV6QVJCZ05WQkFvTUNtUmxkbVZzYjNCbApjbk13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzNGZkdGRm9hWnRxVFVnQUxiCmdZSjJBNU9ncmRHczJhK0FHWTl6NzNRcU1lczg2dUg5dForcTJiSk44TXZRYXlPUk9IVnJBQ3J2STBJQkxoK3IKbENESllRVms3YytkL0JaTWhDa3M2em5RU0ZMQndzdGJNRkIySVY5OXdXNzUwUlVMcnRYREUzTk8vRzdnWmpxaQpjWFdheERJYmw1Vjk4ZS92M2NGWk9aOXc5MnRSeDZJNUJQWUEwSlFiYTQ2QkllOTBFdmYzL1VMamJSS1lXTm1OCkZudnYwOXlqR21pU2M5OEpDRGtHTXptY0NRWjd5U1lRdzdFK3JVRVdjblM5clNQaURyMGJ0eWVhQU9YVjNxNkIKdHpmbW15T2NTWjVMKzVsV1NCTllyY2Q4TTVudXp1R204UjBqV3E1UWlDRlpmN3YzVzFDeVpGR0grYk5WUDkxYQpnTUx2QWdNQkFBR2dBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBYlMrbkJlaWVFK2o1bmF6YnNyWDZYVXpzCjMvZkpCOTN0MjVxcWE4bk94bWIyeUFMQjFkb090R1pndUt1Wi8zbE1DZk9Yd1RWTGN6WjVEbjJoY05Qa0ErbmsKUjF2bzNqZ0VuVGQ3ZTdaS1FhQkg2Z092Z2xPM01oWVhiK0xSUGFDUVJwRGs2NEdCL1dFYkpQK1RodzhSZVJheApmS3dlS3BDcXc5cDkySm9LQXRHYVgzVEdqR2ZJSHduNjhvcngxTzRQc0NkSnV6NElRNHpyLytJZkY0bE8welN6CjFCQjdGakhmemVmZ1B2M25pQjRDL2U0VDZTU21WbkEwaE4rYWZYd3FKbEtYV0pmeGJaaS9EQWN4SFQ1WXU3SC8KT0RwMlI5clR2bUJudHJVOFZJcHVlZkUvOFhCbWV4b01UelpwRFBmK1hQa0h3eXhSbDhwTFkzWVZ4NnU3NXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 8640000  # 100天
  usages:
  - client auth

创建csr资源

# kubectl apply -f user1-csr.yaml

certificatesigningrequest.certificates.k8s.io/user1 created

查看CSR

# kubectl get csr -n demoapp

NAME    AGE   SIGNERNAME                            REQUESTOR   REQUESTEDDURATION   CONDITION
user1   63s   kubernetes.io/kube-apiserver-client   admin       100d                Pending

批准 CSR

# kubectl certificate approve user1 -n demoapp

certificatesigningrequest.certificates.k8s.io/user1 approved

查看CSR状态

# kubectl get csr -n demoapp

NAME    AGE    SIGNERNAME                            REQUESTOR   REQUESTEDDURATION   CONDITION
user1   2m9s   kubernetes.io/kube-apiserver-client   admin       100d                Approved,Issued

获取证书

# kubectl get csr user1 -o jsonpath='{.status.certificate}'| base64 -d > user1.crt

验证证书 

# openssl x509 -in user1.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:3b:4a:8c:e1:69:51:12:64:15:69:7a:a9:bd:b0:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = HangZhou, L = XS, O = k8s, OU = System, CN = kubernetes
        Validity
            Not Before: Aug  4 07:05:54 2023 GMT
            Not After : Nov 12 07:05:54 2023 GMT
        Subject: O = developers, CN = user1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:15:f1:85:16:86:99:b6:a4:d4:80:02:db:81:
                    82:76:03:93:a0:ad:d1:ac:d9:af:80:19:8f:73:ef:
                    74:2a:31:eb:3c:ea:e1:fd:b5:9f:aa:d9:b2:4d:f0:
                    cb:d0:6b:23:91:38:75:6b:00:2a:ef:23:42:01:2e:
                    1f:ab:94:20:c9:61:05:64:ed:cf:9d:fc:16:4c:84:
                    29:2c:eb:39:d0:48:52:c1:c2:cb:5b:30:50:76:21:
                    5f:7d:c1:6e:f9:d1:15:0b:ae:d5:c3:13:73:4e:fc:
                    6e:e0:66:3a:a2:71:75:9a:c4:32:1b:97:95:7d:f1:
                    ef:ef:dd:c1:59:39:9f:70:f7:6b:51:c7:a2:39:04:
                    f6:00:d0:94:1b:6b:8e:81:21:ef:74:12:f7:f7:fd:
                    42:e3:6d:12:98:58:d9:8d:16:7b:ef:d3:dc:a3:1a:
                    68:92:73:df:09:08:39:06:33:39:9c:09:06:7b:c9:
                    26:10:c3:b1:3e:ad:41:16:72:74:bd:ad:23:e2:0e:
                    bd:1b:b7:27:9a:00:e5:d5:de:ae:81:b7:37:e6:9b:
                    23:9c:49:9e:4b:fb:99:56:48:13:58:ad:c7:7c:33:
                    99:ee:ce:e1:a6:f1:1d:23:5a:ae:50:88:21:59:7f:
                    bb:f7:5b:50:b2:64:51:87:f9:b3:55:3f:dd:5a:80:
                    c2:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                90:4F:95:52:FF:B2:B1:F7:04:60:1B:D8:21:EA:8F:F6:E6:39:CD:2B
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        36:53:c9:fa:ad:06:0a:65:fd:c8:17:6a:f9:f3:ca:c5:a5:7e:
        d9:e1:5c:8d:60:5d:e9:47:ce:f7:fd:68:2f:66:10:79:74:68:
        5f:e6:07:52:01:71:49:d8:5c:28:f7:e2:0c:1b:32:f3:f9:fa:
        d4:8a:e0:95:cd:f6:7d:4d:9b:a1:f3:da:fd:76:51:f5:15:25:
        2d:68:bd:3c:c2:fc:67:03:c6:db:b5:13:3b:6b:a2:56:7b:c8:
        85:eb:da:37:99:a3:10:5f:7e:10:7d:74:e7:6a:b9:c0:ca:fa:
        49:8a:d6:24:c9:1f:21:2d:f7:f9:c3:ca:9d:e5:0e:d7:08:bf:
        d8:83:08:b8:b9:fd:97:cc:47:13:e2:ab:27:94:2d:2b:a5:61:
        bf:7c:cd:de:eb:80:e0:a3:9e:90:4e:c1:67:ee:41:c7:a9:b6:
        64:19:97:b2:c5:c7:71:fb:aa:b6:75:ba:a6:22:16:76:9b:74:
        64:1b:e0:a4:cb:bd:9e:c8:f7:44:c1:e0:28:90:79:64:d1:21:
        8c:d6:51:4a:9f:ad:49:d6:5b:4c:e5:ad:71:cf:6b:83:1e:ad:
        d4:93:35:d2:2e:67:e4:c8:d2:38:81:9f:01:2a:bb:c3:62:01:
        c4:1f:8c:78:bc:63:e5:4f:4d:f9:2d:2e:33:b2:7c:d5:89:00:
        cc:6d:63:85

创建用户

demoapp-ns.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: demoapp

serviceaccount-user1.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: user1
  namespace: demoapp

创建user1资源

# kubectl apply -f demoapp-ns.yaml -f serviceaccount-user1.yaml

namespace/demoapp created
serviceaccount/user1 created

查看user1资源

# kubectl get serviceaccount -n demoapp

NAME      SECRETS   AGE
default   0         54s
user1     0         54s

创建role

user1-role.yaml

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demoapp
  name: user1-role
rules:
- apiGroups: ["*"] # "" 表示核心群组
  resources: ["pods", "services", "pods/log"]
  verbs: ["get", "watch", "list"]

创建role资源

# kubectl apply -f user1-role.yaml

role.rbac.authorization.k8s.io/user1-role created

查看role资源

# kubectl get role -n demoapp

NAME         CREATED AT
user1-role   2023-08-04T07:34:14Z

查看role规则

# kubectl describe role user1-role -n demoapp

Name:         user1-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  pods.*/log  []                 []              [get watch list]
  pods.*      []                 []              [get watch list]
  services.*  []                 []              [get watch list]

角色绑定

role-bind-user1.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-bing-user1
  namespace: demoapp
subjects:
- kind: ServiceAccount
  name: user1 
  namespace: demoapp
roleRef:
  kind: Role        
  name: user1-role  
  apiGroup: rbac.authorization.k8s.io

创建rolebinging资源

# kubectl apply -f role-bind-user1.yaml

rolebinding.rbac.authorization.k8s.io/role-bing-user1 created

查看RoleBinding资源

# kubectl get rolebinding -n demoapp

NAME              ROLE              AGE
role-bing-user1   Role/user1-role   82s

查看RoleBinding规则

# kubectl describe rolebinding/role-bing-user1 -n demoapp

Name:         role-bing-user1
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  user1-role
Subjects:
  Kind            Name   Namespace
  ----            ----   ---------
  ServiceAccount  user1

为user1手动创建长期 API 令牌

user1-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: user1-secret
  namespace: demoapp
  annotations:
    kubernetes.io/service-account.name: user1
type: kubernetes.io/service-account-token

创建secret资源

# kubectl apply -f user1-secret.yaml

secret/user1-secret created

查看token

# kubectl get secret user1-secret -n demoapp -o jsonpath={".data.token"} | base64 -d

eyJhbGciOiJSUzI1NiIsImtpZCI6IklkYWRmQU53aV8yYlU4amdheGY0aXhseVNDMDhOZFg3SElVdjNFbHowaFEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vYXBwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InVzZXIxLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ1c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjY2ZDgwMjQxLTM0MzEtNDIzNS1hNjE4LTRhYjM4MWNkZjE2NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZW1vYXBwOnVzZXIxIn0.e_afkGL9vVAcsHnMF4SzN00iqHCMy6iHJkwRmthz9q6YC0zCGs6ltmvhmy5GqS7yTSIYy_RROVT12PTaq2WqIgoZV-ZT14oDQbc9gs9l9ssssyRtXyj9lglb4SADBxYv5cxBIFW-BodpsnG8J8j-QqbmCUViXe5EJky5pi4xVmS7ezzRmdcYUfjE0Xzq6c3gib4nU9KutvgqOG8zve35cRQ4Ca6jedFj23Yb9n7q_x8Ozpt9JfU9XopinjqS8M4uSHYy7BmTY9UgZnEA6xUOmG-TIAJZyEeBLaGHiBS7Lo2aA0uU_zj224efU7QoliyL8nBBLYynvLEtRRnV1g5QTg

创建kubeconfig

添加集群信息

# kubectl config set-cluster developer --embed-certs=true --certificate-authority=/etc/kubernetes/ssl/ca.pem --server="https://127.0.0.1:6443" --kubeconfig=$HOME/.kube/kube-user1.config

Cluster "developer" set.

添加用户信息

# kubectl config set-credentials user1 --embed-certs=true --client-certificate=user1.crt --client-key=user1.key --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IklkYWRmQU53aV8yYlU4amdheGY0aXhseVNDMDhOZFg3SElVdjNFbHowaFEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vYXBwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InVzZXIxLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ1c2VyMSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjY2ZDgwMjQxLTM0MzEtNDIzNS1hNjE4LTRhYjM4MWNkZjE2NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZW1vYXBwOnVzZXIxIn0.e_afkGL9vVAcsHnMF4SzN00iqHCMy6iHJkwRmthz9q6YC0zCGs6ltmvhmy5GqS7yTSIYy_RROVT12PTaq2WqIgoZV-ZT14oDQbc9gs9l9ssssyRtXyj9lglb4SADBxYv5cxBIFW-BodpsnG8J8j-QqbmCUViXe5EJky5pi4xVmS7ezzRmdcYUfjE0Xzq6c3gib4nU9KutvgqOG8zve35cRQ4Ca6jedFj23Yb9n7q_x8Ozpt9JfU9XopinjqS8M4uSHYy7BmTY9UgZnEA6xUOmG-TIAJZyEeBLaGHiBS7Lo2aA0uU_zj224efU7QoliyL8nBBLYynvLEtRRnV1g5QTg --kubeconfig=$HOME/.kube/kube-user1.config

User "user1" set.

添加上下文信息

# kubectl config set-context user1 --cluster=developer --namespace=demoapp --user=user1 --kubeconfig=$HOME/.kube/kube-user1.config

Context "user1" created.

查看当前上下文

# kubectl config get-contexts --kubeconfig=$HOME/.kube/kube-user1.config

CURRENT   NAME    CLUSTER     AUTHINFO   NAMESPACE
          user1   developer   user1      demoapp

切换当前上下文

# kubectl config use-context user1  --kubeconfig=$HOME/.kube/kube-user1.config

Switched to context "user1".

查看kubeconfig文件

# kubectl config view --kubeconfig=$HOME/.kube/kube-user1.config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://127.0.0.1:6443
  name: developer
contexts:
- context:
    cluster: developer
    namespace: demoapp
    user: user1
  name: user1
current-context: user1
kind: Config
preferences: {}
users:
- name: user1
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: REDACTED

登录dashboard

验证权限

验证deployments权限

添加deployment权限

user1-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demoapp
  name: user1-role
rules:
- apiGroups: ["*"] # "" 表示核心群组
  resources: ["pods", "services", "pods/log","deployments"]   # deployments
  verbs: ["get", "watch", "list"]

更新权限

# kubectl apply -f user1-role.yaml

role.rbac.authorization.k8s.io/user1-role configured

再次验证deployments权限