Lens client user authorization

1. Download Lens

https://k8slens.dev/

2. Operations on the cluster side

Set a variable holding the user name

NAME=fld

1). Create the user's certificate private key

openssl genrsa -out ${NAME}.key 2048

2). Create the certificate signing request (CN is the user name, O is the group name)

# CN must be the user name and O the group name; the RBAC bindings below grant rights to the group "view"
openssl req -new -key ${NAME}.key -out ${NAME}.csr -subj "/CN=${NAME}/O=view"

3). Create the user certificate (requires the k8s cluster's CA certificate and private key)
CA certificate and key location: /etc/kubernetes/pki/

openssl x509 -req -in ${NAME}.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ${NAME}.crt -days 3650

4). Create a k8s user that authenticates with the certificate generated in the previous step

kubectl config set-credentials fld --client-certificate=fld.crt --client-key=fld.key

5). Generate the user's context in the kubeconfig file

kubectl config set-context fld --cluster=kubernetes --namespace=beta-fld --user=fld

6). Create the k8s cluster roles (ClusterRole)
lens-apps-clusterrole.yaml

# Lens permissions for the www namespace
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-apps-cluserrole
rules:
  - apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
      - pods/status
      - replicasets
      - deployments
      - deployments/scale
      - statefulsets
      - services
      - ingresses
      - endpoints
      - persistentvolumeclaims
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "*"
    resources:
      - pods/exec
    verbs:
      - create
---
# Permissions for the beta namespace
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-apps-cluserrole-beta
rules:
  - apiGroups:
      - "*"
    resources:
      - pods
      - pods/log
      - pods/status
      - replicasets
      - deployments
      - deployments/scale
      - statefulsets
      - services
      - ingresses
      - endpoints
      - persistentvolumeclaims
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "*"
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
      - delete
      - deletecollection
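
The two ClusterRoles above are never bound on this page; a ClusterRole by itself grants nothing. The usual pattern, and the one the comments ("www", "beta") imply, is a namespaced RoleBinding that references the ClusterRole, which confines its rules to that one namespace. The following is an added example (not from the original page or from Lens) that renders those bindings for group "view" and, where kubectl is available, applies them and checks effective access by impersonating the certificate identity CN=fld/O=view. The namespace "beta-fld" and group "view" come from the page; the binding names and the www/beta-fld pairing are this example's assumptions.

```shell
#!/bin/sh
# Added example: bind the page's ClusterRoles per namespace and verify access.
# Assumptions: group "view" and namespace "beta-fld" (from the page); the
# binding name pattern "<clusterrole>-<group>" is this example's choice.

# Render a RoleBinding that grants CLUSTERROLE to GROUP inside NAMESPACE only.
render_rolebinding() {
  namespace=$1; clusterrole=$2; group=$3
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${clusterrole}-${group}
  namespace: ${namespace}
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${clusterrole}
EOF
}

# Build one manifest with both bindings: read-only role in www, delete-capable role in beta-fld.
build_manifest() {
  render_rolebinding www lens-apps-cluserrole view
  printf '%s\n' '---'
  render_rolebinding beta-fld lens-apps-cluserrole-beta view
}

# Count RoleBinding documents in a rendered manifest (sanity check before apply).
count_bindings() {
  printf '%s\n' "$1" | grep -c '^kind: RoleBinding'
}

# Ask the API server what the cert identity can do, without using the cert:
# --as/--as-group impersonate CN=user, O=group. Exit status 0 means "yes".
verify_access() {
  user=$1; group=$2; namespace=$3; verb=$4; resource=$5
  kubectl auth can-i "$verb" "$resource" -n "$namespace" --as="$user" --as-group="$group"
}

if command -v kubectl >/dev/null 2>&1; then
  build_manifest | kubectl apply -f -
  verify_access fld view beta-fld delete pods || :     # expected: yes (beta role has delete)
  verify_access fld view www delete pods || :          # expected: no  (www role is read-only)
  verify_access fld view kube-system get pods || :     # expected: no  (no binding there)
fi
```

The impersonation checks are the important part: they confirm that the delete permission stays inside beta-fld and that namespaces without a binding remain invisible to the Lens user, which is exactly what the namespaced RoleBinding is meant to guarantee.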

Monitoring authorization
lens-monitor-rbac.yaml

# Lens monitoring authorization
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been GA since 1.8
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-read-metrics
  namespace: monitoring
rules:
- apiGroups:
  - '*'
  resources:
  - services/proxy
  # '*' lets the holder send any verb through the proxy to any Service in the
  # monitoring namespace; Lens only reads metrics, so "get" is the tighter choice
  verbs:
  - '*'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lens-read-metrics
  namespace: monitoring
subjects:
- kind: Group
  name: view
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: leaders
  apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: lens-read-metrics

Cluster-wide authorization
overall-rbac.yaml

# Cluster-wide read access needed by the Lens cluster overview
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: overall-cluserrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/status
      - pods/status
      # - namespaces
      - events
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: overall-cluserrolebinding
subjects:
- kind: Group
  name: view
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: leaders
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: overall-cluserrole
  apiGroup: rbac.authorization.k8s.io

3. Client-side operations

Download the config file; its user entry references the crt and key by path, so both files must be base64-encoded and embedded

- name: fld
  user:
    client-certificate: /root/fld/fld.crt
    client-key: /root/fld/fld.key

Encoding command

cat /root/fld/fld.crt | base64 --wrap=0

# Edit the entry
Change client-certificate to client-certificate-data and paste the base64 output as its value; do the same for the key (client-key becomes client-key-data)
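
The manual edit above is easy to get wrong (line-wrapped base64, a pasted key that does not match the certificate). The following is an added example, not from the original page or from Lens, that performs the same conversion in a function and verifies that each embedded value decodes back to the original file. The user name "fld" and the paths /root/fld/fld.crt and /root/fld/fld.key are the page's; the placeholder PEM files written at the end are constructed so the functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: embed client cert/key into a kubeconfig user entry as base64
# (client-certificate-data / client-key-data) and verify the round trip.

# Single-line base64 without relying on GNU-only --wrap=0 or BSD -b 0.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Print the kubeconfig "users" entry with both files embedded.
# Fails (status 1) if either file is unreadable, instead of emitting an empty value.
inline_user_entry() {
  name=$1; crt=$2; key=$3
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "cannot read $crt or $key" >&2
    return 1
  fi
  printf '%s\n' \
    "- name: $name" \
    "  user:" \
    "    client-certificate-data: $(b64_oneline "$crt")" \
    "    client-key-data: $(b64_oneline "$key")"
}

# Check that FIELD in ENTRY decodes byte-for-byte to ORIGINAL. A mismatch here
# shows up in Lens as a generic TLS handshake failure, so catch it now.
roundtrip_ok() {
  entry=$1; field=$2; original=$3
  data=$(printf '%s\n' "$entry" | sed -n "s/^ *${field}: //p")
  [ -n "$data" ] && printf '%s' "$data" | base64 -d | cmp -s - "$original"
}

# Constructed demo input: placeholder PEM-like files standing in for the real
# /root/fld/fld.crt and /root/fld/fld.key (this is not a real certificate or key).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CERT' '-----END CERTIFICATE-----' > "$demo_dir/fld.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'DEMO-KEY' '-----END RSA PRIVATE KEY-----' > "$demo_dir/fld.key"

DEMO_ENTRY=$(inline_user_entry fld "$demo_dir/fld.crt" "$demo_dir/fld.key")
printf '%s\n' "$DEMO_ENTRY"
```

In practice the same result can be produced in one step with kubectl's own flattening, `kubectl config view --minify --flatten --context=fld`, which inlines every file reference of the selected context; the functions above are useful when the kubeconfig is assembled by hand, as on this page.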

4. Import the config file into Lens
