Lens client user authorization

1. Download Lens

https://k8slens.dev/

2. Cluster-side steps

Set the variable used by the following commands (the username):

```bash
NAME=fld
```

1). Create the user's private key

```bash
openssl genrsa -out ${NAME}.key 2048
```

2). Create the certificate signing request (CN is the username, O is the group name)

```bash
# Change the CN value (the username) as needed
openssl req -new -key ${NAME}.key -out ${NAME}.csr -subj "/CN=fld/O=view"
```

3). Issue the user certificate (requires the Kubernetes cluster's CA certificate and private key)
Certificate location: /etc/kubernetes/pki/

```bash
openssl x509 -req -in ${NAME}.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ${NAME}.crt -days 3650
```

4). Create a Kubernetes user that authenticates with the certificate generated in the previous step

```bash
kubectl config set-credentials fld --client-certificate=fld.crt --client-key=fld.key
```

5). Generate the user's context in the kubeconfig file

```bash
kubectl config set-context fld --cluster=kubernetes --namespace=beta-fld --user=fld
```
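Steps 1) to 5) as one script, added here as an example and not part of the original post. It adds two checks the post does not show: that the issued certificate really carries the CN (user) and O (group) that were requested, and that it chains to the cluster CA in /etc/kubernetes/pki. It assumes openssl and kubectl are on PATH; the LENS_ISSUE_RUN guard and the function names are my own convention.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: steps 1-5 above as one script,
# plus two checks the post omits: that the issued certificate carries the
# CN (user) and O (group) we asked for, and that it chains to the cluster CA.
# Assumes openssl and kubectl are on PATH and the CA lives where the post says.
set -eu

NAME="${1:-fld}"                              # username -> certificate CN
GROUP="${2:-view}"                            # group name -> certificate O
NAMESPACE="${3:-beta-fld}"                    # default namespace for the context
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"     # cluster CA cert and key (path from the post)
DAYS="${DAYS:-3650}"                          # validity used by the post; shorter is safer

# csr_subject NAME GROUP -> the -subj string for the CSR step
csr_subject() { printf '/CN=%s/O=%s' "$1" "$2"; }

# subject_has SUBJECT_LINE ATTR VALUE -> success if the subject contains ATTR=VALUE.
# Handles both "subject=CN = fld, O = view" (OpenSSL 1.1+) and the older
# "subject= /CN=fld/O=view" layout, and rejects prefixes such as CN=fldx.
subject_has() {
  printf '%s\n' "$1" | grep -Eq "(^|[/, =])$2 ?= ?$3([/,]|\$)"
}

# issue_user_cert NAME GROUP: steps 1-3 (private key, CSR, cert signed by the cluster CA)
issue_user_cert() {
  name="$1"; group="$2"
  openssl genrsa -out "${name}.key" 2048
  openssl req -new -key "${name}.key" -out "${name}.csr" -subj "$(csr_subject "$name" "$group")"
  openssl x509 -req -in "${name}.csr" -CA "${PKI_DIR}/ca.crt" -CAkey "${PKI_DIR}/ca.key" \
    -CAcreateserial -out "${name}.crt" -days "$DAYS"
}

# verify_user_cert NAME GROUP: fail unless the subject and the CA chain are what we expect
verify_user_cert() {
  name="$1"; group="$2"
  subject="$(openssl x509 -in "${name}.crt" -noout -subject)"
  if ! subject_has "$subject" CN "$name" || ! subject_has "$subject" O "$group"; then
    echo "unexpected subject in ${name}.crt: $subject" >&2
    return 1
  fi
  openssl verify -CAfile "${PKI_DIR}/ca.crt" "${name}.crt" >/dev/null
}

# register_user NAME NAMESPACE: steps 4-5 (credentials and context in the current kubeconfig)
register_user() {
  name="$1"; ns="$2"
  kubectl config set-credentials "$name" --client-certificate="${name}.crt" --client-key="${name}.key"
  kubectl config set-context "$name" --cluster=kubernetes --namespace="$ns" --user="$name"
}

# Guard (my own convention) so the functions can be sourced or tested without touching the CA.
if [ "${LENS_ISSUE_RUN:-0}" = "1" ]; then
  issue_user_cert "$NAME" "$GROUP"
  verify_user_cert "$NAME" "$GROUP"
  register_user "$NAME" "$NAMESPACE"
  echo "issued ${NAME}.crt (CN=${NAME}, O=${GROUP}) and added context ${NAME}"
fi
```

Run it on the control plane as `LENS_ISSUE_RUN=1 ./issue-user.sh fld view beta-fld`. Two design points: the subject check matters because the API server takes the username and group names from CN and O, so a typo in the -subj string silently produces a user that no binding matches (or, worse, one that matches a group it should not); and because kube-apiserver does not check certificate revocation, a 3650-day certificate can only be cut off by rotating the CA or by removing its bindings, so pick a shorter DAYS value where you can. If the kubeconfig is going to be copied to the Lens workstation, `kubectl config set-credentials --embed-certs=true` inlines the files as client-certificate-data and client-key-data, which is what section 3 below does by hand.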

6). Create the Kubernetes cluster roles (ClusterRole)
lens-apps-clusterrole.yaml

```yaml
# Lens permissions for the www namespace
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-apps-cluserrole
rules:
  - apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
      - pods/status
      - replicasets
      - deployments
      - deployments/scale
      - statefulsets
      - services
      - ingresses
      - endpoints
      - persistentvolumeclaims
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "*"
    resources:
      - pods/exec
    verbs:
      - create
---
# beta permissions
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-apps-cluserrole-beta
rules:
  - apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
      - pods/status
      - replicasets
      - deployments
      - deployments/scale
      - statefulsets
      - services
      - ingresses
      - endpoints
      - persistentvolumeclaims
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "*"
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
      - delete
      - deletecollection
```

Monitoring authorization
lens-monitor-rbac.yaml

```yaml
# Lens monitoring authorization
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # the RBAC v1beta1 API was removed in Kubernetes 1.22
metadata:
  name: lens-read-metrics
  namespace: monitoring
rules:
  - apiGroups:
      - '*'
    resources:
      - services/proxy
    verbs:
      - '*'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-read-metrics
  namespace: monitoring
subjects:
  - kind: Group
    name: view
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: leaders
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: lens-read-metrics
```

Cluster-wide authorization
overall-rbac.yaml

```yaml
# Cluster-wide authorization
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: overall-cluserrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/status
      - pods/status
      # - namespaces
      - events
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: overall-cluserrolebinding
subjects:
  - kind: Group
    name: view
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: leaders
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: overall-cluserrole
  apiGroup: rbac.authorization.k8s.io
```
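Once the manifests are applied, the quickest way to confirm the bindings do what you intend is to ask the API server directly while impersonating the user and group taken from the certificate subject. The script below is an added example, not part of the original post. Its expectation table covers only the two bindings the post actually creates (overall-cluserrolebinding cluster-wide and lens-read-metrics in the monitoring namespace); the lens-apps-cluserrole* roles are defined above but never bound on this page, so add rows for them once you bind them. It assumes kubectl is on PATH with an admin context that is allowed to impersonate; the KUBECTL variable, the LENS_CHECK_RUN guard and the function names are my own convention.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: after applying the manifests
# above, confirm what the certificate user can and cannot do by asking the API
# server directly, impersonating the CN (user) and O (group) from the cert.
# Assumes kubectl is on PATH with an admin context that may impersonate.
set -eu

LENS_USER="${LENS_USER:-fld}"     # user name from the post
LENS_GROUP="${LENS_GROUP:-view}"  # group name from the post
KUBECTL="${KUBECTL:-kubectl}"     # swap in a stub command for offline testing

# Expected outcomes, derived only from the two bindings the manifests above
# create (overall-cluserrolebinding cluster-wide, lens-read-metrics in
# "monitoring"). Format: namespace verb resource expected; "-" = cluster scope.
# Extend this once you bind lens-apps-cluserrole* in your application namespaces.
EXPECTED_ACCESS='
- list nodes yes
- get nodes/status yes
monitoring get services/proxy yes
- delete nodes no
- get secrets no
kube-system delete pods no
monitoring create pods/exec no
'

# can_i NS VERB RESOURCE -> prints yes or no (kubectl exits 1 on "no", so we
# keep the printed word and ignore the exit status)
can_i() {
  ns="$1"; verb="$2"; res="$3"
  if [ "$ns" != "-" ]; then set -- -n "$ns"; else set --; fi
  "$KUBECTL" auth can-i "$verb" "$res" --as="$LENS_USER" --as-group="$LENS_GROUP" "$@" 2>/dev/null || true
}

# check_access -> prints one line per check; exit status = number of mismatches
check_access() {
  mismatches=0
  while read -r ns verb res expected; do
    [ -n "$ns" ] || continue
    actual="$(can_i "$ns" "$verb" "$res")"
    if [ "$actual" = "$expected" ]; then
      printf 'ok   %-12s %-7s %-16s %s\n' "$ns" "$verb" "$res" "$actual"
    else
      printf 'FAIL %-12s %-7s %-16s expected=%s got=%s\n' "$ns" "$verb" "$res" "$expected" "$actual"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$EXPECTED_ACCESS
EOF
  return "$mismatches"
}

# Guard (my own convention) so the functions can be sourced or tested without a cluster.
if [ "${LENS_CHECK_RUN:-0}" = "1" ]; then
  check_access
fi
```

Run it as `LENS_CHECK_RUN=1 ./check-access.sh`; a non-zero exit means at least one row disagreed with the live cluster. The "no" rows are the ones worth keeping as the roles grow: `pods/exec` with `create` is interactive access to every container a binding covers, so bind lens-apps-cluserrole and lens-apps-cluserrole-beta with a namespaced RoleBinding (for example in beta-fld, the namespace the context in step 5 points at) rather than a ClusterRoleBinding, and re-run the checks against a namespace that should stay out of reach.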

3. Client-side steps

Download the kubeconfig file and base64-encode the crt and key files; the user entry initially references them by path:

```yaml
- name: fld
  user:
    client-certificate: /root/fld/fld.crt
    client-key: /root/fld/fld.key
```

Encoding command

```bash
cat /root/fld/fld.crt | base64 --wrap=0
# Edit the user entry: change client-certificate to client-certificate-data and paste the
# encoded output; do the same for fld.key, using client-key-data
```

4. Import the kubeconfig file into Lens

References

https://www.codenong.com/jsc88deebed840/
https://blog.csdn.net/javahuazaili/article/details/114108918