lens客户端用户授权
1. lens载
2. 在集群端操作
设置变量值
- 01
NAME=fld
1). 创建用户证书私钥
- 01
openssl genrsa -out ${NAME}.key 2048
2). 创建用户证书请求(CN为用户名,O为组名)
- 01
- 02
# 需要修改CN的值(用户名)
openssl req -new -key ${NAME}.key -out ${NAME}.csr -subj "/CN=fld/O=view"
3). 创建用户证书(需要k8s集群的ca证书和私钥)
证书存放路径:/etc/kubernetes/pki/
- 01
openssl x509 -req -in ${NAME}.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ${NAME}.crt -days 3650
4). 创建一个k8s用户,使用上一步生成的证书认证登陆
- 01
kubectl config set-credentials fld --client-certificate=fld.crt --client-key=fld.key
5). config文件生成用户配置
- 01
kubectl config set-context fld --cluster=kubernetes --namespace=beta-fld --user=fld
6). 创建k8s集群角色(cluserrole)
lens-apps-clusterrole.yaml
- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
# lens namespace www权限
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: lens-apps-cluserrole
rules:
- apiGroups:
- "*"
resources:
- pods
- pods/log
- pods/status
- replicasets
- deployments
- deployments/scale
- statefulsets
- services
- ingresses
- endpoints
- persistentvolumeclaims
- events
verbs:
- get
- list
- watch
- apiGroups:
- "*"
resources:
- pods/exec
verbs:
- create
# beta 权限
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: lens-apps-cluserrole-beta
rules:
- apiGroups:
- "*"
resources:
- pods
- pods/log
- pods/status
- replicasets
- deployments
- deployments/scale
- statefulsets
- services
- ingresses
- endpoints
- persistentvolumeclaims
- events
verbs:
- get
- list
- watch
- apiGroups:
- "*"
resources:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
- delete
- deletecollection
monitoring授权
lens-monitor-rbac.yaml
- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
# lens监控授权
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: lens-read-metrics
namespace: monitoring
rules:
- apiGroups:
- '*'
resources:
- services/proxy
verbs:
- '*'
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: lens-read-metrics
namespace: monitoring
subjects:
- kind: Group
name: view
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: leaders
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: lens-read-metrics
全局授权
overall-rbac.yaml
- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
# 全局授权
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: overall-cluserrole
rules:
- apiGroups:
- ""
resources:
- nodes
- nodes/status
- pods/status
# - namespaces
- events
verbs:
- get
- list
- watch
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: overall-cluserrolebinding
subjects:
- kind: Group
name: view
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: leaders
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: overall-cluserrole
apiGroup: rbac.authorization.k8s.io
3. 客户端操作
下载config文件,将crt,key文件解码
- 01
- 02
- 03
- 04
- name: fld
user:
client-certificate: /root/fld/fld.crt
client-key: /root/fld/fld.key
解码命令
- 01
- 02
- 03
- 04
cat /root/fld/fld.crt | base64 --wrap=0
# 修改内容
client-certificate 改为 client-certificate-data
4. lens导入config文件
参考文献
https://www.codenong.com/jsc88deebed840/
https://blog.csdn.net/javahuazaili/article/details/114108918