# 1. k8s authentication

## 1.2 Two kinds of account

1. user accounts
2. an account that pods use to access the apiServer (service account)

`kubectl config view` shows the configuration file /root/.kube/config (the authentication information):

```
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.56.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```

The file has four kinds of entries: `users`, the list of user objects; `clusters`, the list of clusters; `contexts`, the mapping between users and clusters; and `current-context`, which specifies which cluster is currently being connected to.

# 2. Creating a serviceAccount

**1. Sign the serviceAccount certificate with the k8s CA certificate**

```
# Generate the private key (2048-bit RSA; 1024-bit keys are too weak for client authentication)
openssl genrsa -out tuna.key 2048
# Create a certificate signing request with CN=tuna (the CN becomes the user name)
openssl req -new -key tuna.key -out tuna.csr -subj "/CN=tuna"
# Sign the request with the cluster CA; the certificate is valid for 365 days
openssl x509 -req -in tuna.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out tuna.crt -days 365
```

**2. Add the user tuna to the config**

```
[root@master serviceAccount]# kubectl config set-credentials tuna --client-certificate=./tuna.crt --embed-certs=true --client-key=./tuna.key
User "tuna" set.
[root@master serviceAccount]# kubectl config view
apiVersion: v1
clusters:
...
- name: tuna
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```

**3. Use a context to bind the user to the cluster**

```
[root@master serviceAccount]# kubectl config set-context tuna@kubernates --cluster=kubernates --user=tuna
Context "tuna@kubernates" created.
[root@master serviceAccount]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.56.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernates
    user: tuna
  name: tuna@kubernates
```

**4. Operate k8s as tuna**

> Switch the current user to tuna

```
[root@master serviceAccount]# kubectl config use-context tuna@kubernates
Switched to context "tuna@kubernates".
```

```
[root@master serviceAccount]# kubectl get pods
error: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
```
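The `kubectl get pods` error above is what kubectl reports when the current context points at a cluster name that is not defined: step 3 wrote `kubernates`, while the only entry under `clusters` is `kubernetes`. The following added example (not from the original post) checks a kubeconfig for such dangling references; the function names and the sample, shaped like `kubectl config view -o json` output, are constructed for illustration.

```python
import difflib
import json

# Constructed sample in the shape of `kubectl config view -o json` after step 3;
# the new context carries the cluster name exactly as typed on the page.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"server": "https://192.168.56.10:6443"}}],
    "users": [{"name": "kubernetes-admin", "user": {}},
              {"name": "tuna", "user": {}}],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "tuna@kubernates",
         "context": {"cluster": "kubernates", "user": "tuna"}}],
    "current-context": "tuna@kubernates",
})


def _names(cfg, key):
    # Tolerate a missing or null list.
    return sorted(item["name"] for item in cfg.get(key) or [])


def _check(ctx_name, kind, ref, defined):
    """Return one finding if `ref` is not a defined name, else nothing."""
    if ref in defined:
        return []
    hint = difflib.get_close_matches(ref or "", defined, n=1)
    suffix = f" (closest defined name: {hint[0]!r})" if hint else ""
    return [f"context {ctx_name!r}: {kind} {ref!r} is not defined{suffix}"]


def lint_kubeconfig(text):
    """List dangling cluster/user/context references in a JSON kubeconfig."""
    cfg = json.loads(text)
    clusters, users = _names(cfg, "clusters"), _names(cfg, "users")
    contexts = {c["name"]: c.get("context") or {} for c in cfg.get("contexts") or []}
    findings = []
    for name in sorted(contexts):
        findings += _check(name, "cluster", contexts[name].get("cluster"), clusters)
        findings += _check(name, "user", contexts[name].get("user"), users)
    current = cfg.get("current-context") or ""
    if current not in contexts:
        findings.append(f"current-context {current!r} is not a defined context")
    elif any(f.startswith(f"context {current!r}:") for f in findings):
        findings.append(f"current-context {current!r} has a dangling reference")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_kubeconfig(SAMPLE_KUBECONFIG)) or "no dangling references")
```

Running it on a real file means passing the text of `kubectl config view -o json`; that output shows embedded certificate and key data as `DATA+OMITTED` / `REDACTED`, so no key material is read.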