Contents
1. Creating a user
  1.1 Creating the certificate
  1.2 Creating the user
  1.3 Allowing the user to log in
  1.4 Switching user
  1.5 Deleting the user
2. RBAC

1. Creating a user
1.1 Creating the certificate
Enter the certificate directory
# cd /etc/kubernetes/pki
Create the key
# openssl genrsa -out user1.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................
........
e is 65537 (0x10001)
Create the CSR
# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"
Check the result
# ll
total 72
-rw-r--r-- 1 root root 1310 Jun 12 14:52 apiserver.crt
-rw-r--r-- 1 root root 1155 Jun 12 14:52 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jun 12 14:52 apiserver.key
-rw-r--r-- 1 root root 1164 Jun 12 14:52 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Jun 12 14:52 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Jun 12 14:52 ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 ca.key
-rw-r--r-- 1 root root 17 Oct 10 18:07 ca.srl
drwxr-xr-x 2 root root 4096 Jun 12 14:52 etcd
-rw-r--r-- 1 root root 1115 Jun 12 14:52 front-proxy-ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jun 12 14:52 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 front-proxy-client.key
-rw------- 1 root root 1679 Jun 12 14:52 sa.key
-rw------- 1 root root 451 Jun 12 14:52 sa.pub
-rw-r--r-- 1 root root 883 Oct 10 18:27 user1.csr
-rw-r--r-- 1 root root 1679 Oct 10 18:26 user1.key
Fix the permissions
# chmod 600 user1.key
Sign with the cluster CA
# openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 1095
Signature ok
subject=/CN=user1
Getting CA Private Key
View the issued certificate
# openssl x509 -in user1.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fc:aa:fd:55:13:43:c3:62
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Oct 10 10:30:34 2023 GMT
            Not After : Oct  9 10:30:34 2026 GMT
        Subject: CN = user1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:c0:f2:4c:35:42:32:97:12:0f:c1:c2:0f:16:
                    ... (omitted for brevity)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         8d:92:df:d1:53:cf:0c:e6:97:10:cc:53:37:16:01:0c:69:c3:
         ... (omitted for brevity)
1.2 Creating the user
# kubectl config set-credentials user1 --client-certificate=./user1.crt --client-key=./user1.key --embed-certs=true
User "user1" set.
1.3 Allowing the user to log in
# kubectl config set-context user1@kubernetes --cluster=kubernetes --user=user1
Context "user1@kubernetes" created.
View the cluster configuration
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://master01:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: user1
  name: user1@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
- name: user1
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
user1 now exists and can log in.
1.4 Switching user
# kubectl config use-context user1@kubernetes
Switched to context "user1@kubernetes".
At this point the user has no permissions at all; RBAC still has to be configured.
# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"
1.5 Deleting the user
# kubectl config delete-context user1@kubernetes
deleted context user1@kubernetes from /root/.kube/config
# kubectl config unset users.user1
Property "users.user1" unset.

2. RBAC
Allow user1 to view pod logs
# cat user1_pod_get.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-log-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]   # allows user1 to get and list Pods and their logs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-log-reader-binding
  namespace: default
subjects:
- kind: User
  name: user1   # the user name created above
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
Switch back to user1 and pods and their logs can now be viewed
# kubectl get pod -n default
# kubectl logs -f pod/free-study-questionnaire-5c7f8c878d-859wl
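The certificate steps in section 1.1 and the RBAC subject in section 2 are tied together by the certificate's subject: the API server takes the CN as the user name and each O as a group, and it only accepts certificates signed by the cluster CA. The script below is an added example, not part of the original post: it builds a throw-away CA standing in for /etc/kubernetes/pki/ca.crt (constructed for the demo), issues a user certificate the way the post does, and goes beyond the post by also setting an O so the certificate carries a group. It assumes the openssl CLI is installed; the names user1, dev-team and rogue are demo values.

```shell
#!/bin/sh
# Added example, not from the original post. The CA below is constructed for the
# demo and stands in for the cluster CA; only the openssl CLI is assumed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Demo CA: the cluster CA is the only issuer the API server trusts for client certs.
make_demo_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=kubernetes" \
    -days 365 -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client certificate. The CN becomes the RBAC user name and each O becomes
# a group, so a RoleBinding can target either. $1 = user name, $2 = group.
issue_user_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  chmod 600 "$WORK/$1.key"                      # key stays owner-readable only
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1/O=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1095 -out "$WORK/$1.crt" 2>/dev/null
}

# Checks worth running before binding a Role to the identity.
cert_chains_to_ca() {  # true only if the cert was signed by the (demo) cluster CA
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
subject_field() {      # $1 = cert name, $2 = attribute (CN or O)
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | grep "^$2=" | cut -d= -f2
}
key_is_private() {     # mode must be 0600, as in the post's chmod step
  [ "$(ls -l "$WORK/$1.key" | cut -c1-10)" = "-rw-------" ]
}

make_demo_ca
issue_user_cert user1 dev-team
# A self-signed cert that merely claims CN=user1; the chain check must reject it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -subj "/CN=user1" -days 1 -out "$WORK/rogue.crt" 2>/dev/null

echo "user=$(subject_field user1 CN) group=$(subject_field user1 O)"
cert_chains_to_ca user1 && echo "user1.crt: signed by cluster CA"
cert_chains_to_ca rogue || echo "rogue.crt: rejected (not signed by cluster CA)"
```

On a live cluster, `kubectl auth can-i list pods --as=user1 -n default` confirms what the Role and RoleBinding actually grant before switching to the new context.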