Today let's talk about Kubernetes 1.19.0: security management

Once Kubernetes is installed, logging in to the master node already gives you sufficient privileges.

What if you want to run commands and view the cluster state from a worker node?

Copy the admin.conf file over to the worker node.

If you want to type commands directly without passing the config file every time, set the KUBECONFIG environment variable:
[root@vms62 ~]# kubectl --kubeconfig=kcfile get nodes
NAME    STATUS   ROLES    AGE   VERSION
vms61   Ready    master   45d   v1.19.0
vms62   Ready    <none>   45d   v1.19.0
vms63   Ready    <none>   45d   v1.19.0
[root@vms62 ~]# export KUBECONFIG=./kcfile
[root@vms62 ~]# kubectl get nodes
NAME    STATUS   ROLES    AGE   VERSION
vms61   Ready    master   45d   v1.19.0
vms62   Ready    <none>   45d   v1.19.0
vms63   Ready    <none>   45d   v1.19.0
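The two invocations above show kubectl's loading order: an explicit --kubeconfig flag wins, otherwise the KUBECONFIG variable is used, otherwise ~/.kube/config. kubeadm's admin.conf carries a client certificate in the system:masters group, so the copy on the worker is cluster-admin for anyone who can read it. The following Go program is an added example (not from the post) that resolves the path list the way kubectl does (KUBECONFIG may list several files separated by ":" on Linux, which kubectl merges) and checks that a copied kubeconfig is not readable by group or others; the function names are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// KubeconfigPaths applies kubectl's precedence: an explicit --kubeconfig value
// wins; otherwise $KUBECONFIG, which may name several files separated by the
// OS path-list separator (":" on Linux) that kubectl merges in order; otherwise
// the default ~/.kube/config.
func KubeconfigPaths(flagValue, envValue, home string) []string {
	if flagValue != "" {
		return []string{flagValue}
	}
	if envValue != "" {
		var paths []string
		// filepath.SplitList splits on os.PathListSeparator and drops nothing,
		// so skip empty entries such as a trailing ":".
		for _, p := range filepath.SplitList(envValue) {
			if p != "" {
				paths = append(paths, p)
			}
		}
		return paths
	}
	return []string{filepath.Join(home, ".kube", "config")}
}

// CheckPrivate returns an error when a kubeconfig file grants any group/other
// permission bits. A copied admin.conf embeds a cluster-admin certificate and
// private key, so mode 0600 is the expected state after the copy.
func CheckPrivate(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if mode := info.Mode().Perm(); mode&0o077 != 0 {
		return fmt.Errorf("%s is mode %04o; expected 0600 (no group/other access)", path, mode)
	}
	return nil
}

func main() {
	home, _ := os.UserHomeDir()
	for _, p := range KubeconfigPaths("", os.Getenv("KUBECONFIG"), home) {
		if err := CheckPrivate(p); err != nil {
			fmt.Println("warning:", err)
		} else {
			fmt.Println("ok:", p)
		}
	}
}
```

Run it on the worker after copying admin.conf: with `export KUBECONFIG=./kcfile` it reports the copied file, and a `chmod 600 kcfile` clears the warning.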

How do you request a certificate?

In the subject /CN=john/O=cka2020, CN=john is the user the certificate will authenticate as and O=cka2020 is the group that user is placed in.
[root@vms61 xx]# openssl genrsa -out john.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.+++
e is 65537 (0x10001)
[root@vms61 xx]# ls
john.key
[root@vms61 xx]# openssl req -new -key john.key -out john.csr -subj "/CN=john/O=cka2020"
[root@vms61 xx]# ls
john.csr  john.key

Base64-encode john.csr (as a single line):
[root@vms61 xx]# cat john.csr | base64 |tr -d "\n"

Write the CertificateSigningRequest manifest, pasting the base64 string into spec.request:
[root@vms61 xx]# cat csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  groups:
  - system:authenticated
  request: <base64 string from the previous step, elided here>
  usages:
  - client auth

Submit the certificate request, then approve it:
[root@vms61 xx]# kubectl apply -f csr.yaml 
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/john created
[root@vms61 xx]# kubectl get csr
NAME   AGE   SIGNERNAME                     REQUESTOR          CONDITION
john   27s   kubernetes.io/legacy-unknown   kubernetes-admin   Pending
[root@vms61 xx]# kubectl get csr
NAME   AGE   SIGNERNAME                     REQUESTOR          CONDITION
john   37s   kubernetes.io/legacy-unknown   kubernetes-admin   Pending
[root@vms61 xx]# kubectl certificate approve john
certificatesigningrequest.certificates.k8s.io/john approved
[root@vms61 xx]# kubectl get csr
NAME   AGE   SIGNERNAME                     REQUESTOR          CONDITION
john   94s   kubernetes.io/legacy-unknown   kubernetes-admin   Approved,Issued

Once a request has been approved, Kubernetes currently offers no way to revoke the issued certificate.

Retrieve the issued certificate:
[root@vms61 xx]# kubectl get csr john -o jsonpath="{.status.certificate}" | base64 -d > john.crt
[root@vms61 xx]# cat john.crt
-----BEGIN CERTIFICATE-----
<PEM certificate body elided here>
-----END CERTIFICATE-----
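The whole procedure above (key and CSR with /CN=john/O=cka2020, base64 into spec.request, approve, decode status.certificate) as an added Go example; this is not code from the post. It uses the certificates.k8s.io/v1 API that the deprecation warning points to, which requires a signerName (kubernetes.io/kube-apiserver-client is the signer for user client certificates and is never auto-approved, so the manual approve step remains) and omits spec.groups, which the API server fills in from the submitting identity anyway. Because approval cannot be undone, InspectRequest decodes a submitted spec.request and shows the CN and O it would assert before the approve step. Function names are my own; the user and group values are the post's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// NewClientCSR generates a 2048-bit RSA key and a PEM CSR whose subject is
// /CN=<user>/O=<groups>, the subject the post builds with `openssl req -subj`.
// The key PEM is returned only so the caller can store it (mode 0600); it is
// never part of the CSR object sent to the cluster.
func NewClientCSR(user string, groups []string) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: user, Organization: groups}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// CSRManifest renders the certificates.k8s.io/v1 CertificateSigningRequest.
// spec.request is the single-line base64 of the PEM, exactly what the post's
// `base64 | tr -d "\n"` prints.
func CSRManifest(name string, csrPEM []byte) string {
	return fmt.Sprintf("apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n  name: %s\nspec:\n  request: %s\n  signerName: kubernetes.io/kube-apiserver-client\n  usages:\n  - client auth\n",
		name, base64.StdEncoding.EncodeToString(csrPEM))
}

// RequestFromManifest pulls the spec.request value out of a rendered manifest
// (a minimal line scan for this example; use a YAML library for real objects).
func RequestFromManifest(manifest string) string {
	for _, line := range strings.Split(manifest, "\n") {
		if strings.HasPrefix(line, "  request: ") {
			return strings.TrimPrefix(line, "  request: ")
		}
	}
	return ""
}

// decodeB64PEM reverses the base64-of-PEM encoding shared by spec.request and
// status.certificate and checks that the PEM block is of the expected type.
func decodeB64PEM(b64, wantType string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != wantType {
		return nil, errors.New("expected a PEM " + wantType + " block")
	}
	return block.Bytes, nil
}

// InspectRequest parses a submitted spec.request, verifies the CSR's own
// signature, and returns the user (CN) and groups (O) the certificate would
// assert, so an approver can check them before `kubectl certificate approve`.
func InspectRequest(b64 string) (user string, groups []string, err error) {
	der, err := decodeB64PEM(b64, "CERTIFICATE REQUEST")
	if err != nil {
		return "", nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, err
	}
	return csr.Subject.CommonName, csr.Subject.Organization, nil
}

// ParseIssuedCert decodes status.certificate (the value the post pipes through
// `base64 -d`) so its subject and NotAfter can be checked before use.
func ParseIssuedCert(b64 string) (*x509.Certificate, error) {
	der, err := decodeB64PEM(b64, "CERTIFICATE")
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	_, csrPEM, err := NewClientCSR("john", []string{"cka2020"})
	if err != nil {
		panic(err)
	}
	manifest := CSRManifest("john", csrPEM)
	user, groups, err := InspectRequest(RequestFromManifest(manifest))
	if err != nil {
		panic(err)
	}
	fmt.Printf("request would issue a client cert for user %q in groups %v\n", user, groups)
	fmt.Print(manifest) // pipe into `kubectl apply -f -`, then approve as in the post
}
```

On a live cluster, feed the printed manifest to `kubectl apply -f -`, run InspectRequest on `kubectl get csr john -o jsonpath='{.spec.request}'` before approving, and pass `{.status.certificate}` to ParseIssuedCert afterwards; the certificate only authenticates john, and what john may do is still decided by RBAC bindings for the user or the cka2020 group.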
