X509认证

1.创建出用户的私钥

# 创建一个存放用户证书的目录
root@k8s-master01:/etc/kubernetes# mkdir usercerts
root@k8s-master01:/etc/kubernetes# cd usercerts/

# 创建一个私钥
root@k8s-master01:/etc/kubernetes/usercerts# (umask 077; openssl genrsa -out masuri.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
.....................+++++
e is 65537 (0x010001)

2.基于私钥创建一个证书签署请求,此签署请求需要被k8s的CA所签署

# 生成证书签署请求,需要注意此处CN将会被做为用户名,O将会被作为组名使用
root@k8s-master01:/etc/kubernetes/usercerts# openssl req -new -key masuri.key -out masuri.csr -subj "/CN=masuri/O=kubeusers"
root@k8s-master01:/etc/kubernetes/usercerts# ls
masuri.csr masuri.key

3.将用户的证书签署请求,使用k8s的CA签署成证书

# 签署时需要指定k8s CA的证书、CA的私钥,以及CA自己维护的序列号。注意 -days 3655 约为十年,而 Kubernetes 本身不支持吊销已签发的客户端证书,实际使用时应把用户证书的有效期设得尽量短。
root@k8s-master01:/etc/kubernetes/usercerts# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in masuri.csr -out masuri.crt
Signature ok
subject=CN = masuri, O = kubeusers
Getting CA Private Key

# 可以使用以下命令查看证书的详细信息
root@k8s-master01:/etc/kubernetes/usercerts# openssl x509 -in masuri.crt -text -noout

自制kubeconfig文件尝试认证到k8s

1.设定集群信息

# 设定集群信息,需要指定集群名字,指定集群服务器地址,指定k8s的ca证书,最后指定生成的kubeconfig文件。
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-cluster kubernetes --server=https://kube-api:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.

# 查看kubeconfig内信息
root@k8s-master01:/etc/kubernetes/usercerts# cat /tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://kube-api:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

2.设定用户信息

# 设定用户信息时需要指定用户名,此处使用的是x509认证,所以还需要指定用户的证书和用户的私钥;embed-certs表示是否将用户的证书和私钥内容嵌入kubeconfig文件(嵌入后该文件本身就是完整凭据,需按私钥的标准妥善保护),最后指定kubeconfig文件路径
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-credentials masuri --client-certificate=masuri.crt --client-key=masuri.key --embed-certs=true --kubeconfig=/tmp/mykubeconfig
User "masuri" set.

# 查看kubeconfig文件
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: masuri
user:
client-certificate-data: REDACTED
client-key-data: REDACTED

3.设定用户和集群的关联关系

# 设定关联关系的名称,指定用户,指定集群,指定kubeconfig文件
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config set-context 'masuri@kubernetes' --user=masuri --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "masuri@kubernetes" created.

# 查看kubeconfig信息
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts:
- context: # context信息被建立
cluster: kubernetes
user: masuri
name: masuri@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: masuri
user:
client-certificate-data: REDACTED
client-key-data: REDACTED

4.设定当前使用的context

root@k8s-master01:/etc/kubernetes/usercerts# kubectl config use-context masuri@kubernetes --kubeconfig=/tmp/mykubeconfig
Switched to context "masuri@kubernetes".

# 查看kubeconfig信息
root@k8s-master01:/etc/kubernetes/usercerts# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://kube-api:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: masuri
name: masuri@kubernetes
current-context: masuri@kubernetes # 当前使用的为masuri@kubernetes
kind: Config
preferences: {}
users:
- name: masuri
user:
client-certificate-data: REDACTED
client-key-data: REDACTED

5.kubeconfig文件已经创建完毕,尝试使用此文件进行认证

root@k8s-master01:/etc/kubernetes/usercerts# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "masuri" cannot list resource "nodes" in API group "" at the cluster scope

# 认证已经没有问题(Forbidden 表示请求已通过认证、但被授权阶段拒绝),报错是因为该用户尚未通过 RBAC 被授予相应权限导致的。