标签:oca ext use inux Kubernete profile creat 成功 cfssl
k8s没有用户管理组件,通过提取client传递过来的证书中的CN为用户名,O字段为组名https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
cp cfssl_linux-amd64 /usr/local/bin/cfssl
cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*cat <<EOF>> ceph.json
{
"CN": "ceph", # 用户
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shanghai",
"L": "shanghai",
"O": "k8s", #组
"OU": "System"
}
]
}
EOFcfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes ./ceph.json | cfssljson -bare ceph
cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key ./ceph.json | cfssljson -bare ceph到此已经为ceph用户生成了证书
这里将将cla***ole的admin作rolebinding绑定至ceph,这个命令需要在能管理k8s的用户下执行
kubectl create rolebinding ceph-admin-binding --clusterrole=admin --user=ceph --namespace=cephcentos7中的curl 7.29.0 似乎不能将ceph.pem的公有证书提交到api,造成api认为是匿名访问,curl 7.64.0可以正常访问api
curl -X GET --cert ceph.pem --key ceph-key.pem --cacert cacrt https://192.168.254.99:6444/api/v1/namespaces/ceph/podsexport KUBE_APISERVER=https://192.168.254.99:6444
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=ceph.kubeconfigkubectl config set-credentials ceph --client-certificate=ceph.pem --client-key=ceph-key.pem --embed-certs=true --kubeconfig=ceph.kubeconfigkubectl config set-context ceph \ #这个是上下文名称,可随意取
--cluster=kubernetes --user=ceph --namespace=ceph --kubeconfig=ceph.kubeconfigkubectl config use-context ceph --kubeconfig=ceph.kubeconfigkubectl --kubeconfig=ceph.kubeconfig get pod也可以复制到.kube中使用
cp ceph.kubeconfig ~/.kube/config标签:oca ext use inux Kubernete profile creat 成功 cfssl
原文地址:https://blog.51cto.com/penguintux/2535461
