# 系统环境 - 部署方式：二进制 - Docker 版本：19.03.8 - kubernetes 版本：1.18.4 二进制部署k8s集群后，如果其它节点或机器需要kubectl管理集群，需要相应的config文件，二进制部署会默认生成，二进制需要手动生成 # 创建 admin 证书 ```bash [root@k8s01 ssl]# cat admin-csr.json { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "System" } ] } ``` - 后续 kube-apiserver 使用 RBAC 对客户端(如 kubelet、kube-proxy、Pod)请求进行授权； - kube-apiserver 预定义了一些 RBAC 使用的 RoleBindings，如 cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定，该 Role 授予了调用kube-apiserver 的所有 API的权限； - O 指定该证书的 Group 为 system:masters，kubelet 使用该证书访问 kube-apiserver 时 ，由于证书被 CA 签名，所以认证通过，同时由于证书用户组为经过预授权的 system:masters，所以被授予访问所有 API 的权限； 注意：这个admin 证书，是将来生成管理员用的kube config 配置文件用的，现在我们一般建议使用RBAC 来对kubernetes 进行角色权限控制， kubernetes 将证书中的CN 字段 作为User， O 字段作为 Group（具体参考 [Kubernetes中的用户与身份认证授权中](https://jimmysong.io/kubernetes-handbook/guide/authentication.html) X509 Client Certs 一段） # 生成admin证书和私钥 ```bash [root@k8s01 ssl]# cfssl gencert -ca=./ca.pem -ca-key=./ca-key.pem -config=./ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin 2021/01/12 17:30:08 [INFO] generate received request 2021/01/12 17:30:08 [INFO] received CSR 2021/01/12 17:30:08 [INFO] generating key: rsa-2048 2021/01/12 17:30:09 [INFO] encoded CSR 2021/01/12 17:30:09 [INFO] signed certificate with serial number 231444717985151863143351072550771542586366536821 2021/01/12 17:30:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). [root@k8s01 ssl]# ls admin* admin.csr admin-csr.json admin-key.pem admin.kubeconfig admin.pem ``` # 生成admin证书和私钥 ``` [root@k8s01 ssl]# cfssl gencert -ca=./ca.pem -ca-key=./ca-key.pem -config=./ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin 2021/01/12 17:30:08 [INFO] generate received request 2021/01/12 17:30:08 [INFO] received CSR 2021/01/12 17:30:08 [INFO] generating key: rsa-2048 2021/01/12 17:30:09 [INFO] encoded CSR 2021/01/12 17:30:09 [INFO] signed certificate with serial number 231444717985151863143351072550771542586366536821 2021/01/12 17:30:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). [root@k8s01 ssl]# ls admin* admin.csr admin-csr.json admin-key.pem admin.kubeconfig admin.pem ``` 将生成的admin.kubeconfig拷贝相应机器的/root/.kube下，并改名config即可kubectl管理集群 在执行完上述操作后我们可以通过命令: kubectl get clusterrolebinding cluster-admin -o yaml ,查看到 clusterrolebinding cluster-admin 的 subjects 的 kind 是 Group，name 是 system:masters， roleRef 对象是 ClusterRole cluster-admin，意思是凡是 system:masters Group 的 user 或者 serviceAccount 都拥有 cluster-admin 的角色，因此我们在使用 kubectl 命令时候，才拥有整个集群的管理权限 ```bash [root@k8s01 ssl]# kubectl get clusterrolebinding cluster-admin -oyaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: "2020-12-29T09:53:06Z" labels: kubernetes.io/bootstrapping: rbac-defaults managedFields: - apiVersion: rbac.authorization.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:rbac.authorization.kubernetes.io/autoupdate: {} f:labels: .: {} f:kubernetes.io/bootstrapping: {} f:roleRef: f:apiGroup: {} f:kind: {} f:name: {} f:subjects: {} manager: kube-apiserver operation: Update time: "2020-12-29T09:53:06Z" name: cluster-admin resourceVersion: "97" selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin uid: 6583f1fe-950b-4c62-a845-a2c655e3bb05 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters ```