# Environment
- Deployment method: binary
- Docker version: 19.03.8
- Kubernetes version: 1.18.4

After a Kubernetes cluster has been deployed from binaries, any other node or machine that should manage the cluster with kubectl needs a matching kubeconfig file. A kubeadm deployment generates one by default (/etc/kubernetes/admin.conf); a binary deployment does not, so it has to be generated by hand.
# Create the admin certificate
```bash
[root@k8s01 ssl]# cat admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
```
- kube-apiserver later authorizes client requests (from kubelet, kube-proxy, Pods, and kubectl users alike) with RBAC;
- kube-apiserver ships with predefined RBAC bindings. The ClusterRoleBinding cluster-admin binds the group system:masters to the ClusterRole cluster-admin, which grants every API call on kube-apiserver;
- O sets the certificate's group to system:masters. When kubectl presents this certificate to kube-apiserver, authentication succeeds because the certificate is signed by the cluster CA, and because the certificate's group is the pre-authorized system:masters, the request is granted access to all APIs.

Note: this admin certificate is what the administrator's kubeconfig file is built from later. The general recommendation today is to control permissions in Kubernetes through RBAC: Kubernetes takes the certificate's CN field as the User and its O field as the Group (see the "X509 Client Certs" section of [Kubernetes中的用户与身份认证授权中](https://jimmysong.io/kubernetes-handbook/guide/authentication.html)). Two caveats follow from that. kube-apiserver treats system:masters as a built-in superuser group, so a certificate carrying it is all-powerful regardless of which RBAC bindings exist, and kube-apiserver does not check certificate revocation, so admin.pem and admin-key.pem stay valid until they expire. Keep them off shared machines, and give day-to-day operators certificates with a different O that is bound to a narrower role.
# Generate the admin certificate and private key
```bash
[root@k8s01 ssl]# cfssl gencert -ca=./ca.pem -ca-key=./ca-key.pem -config=./ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2021/01/12 17:30:08 [INFO] generate received request
2021/01/12 17:30:08 [INFO] received CSR
2021/01/12 17:30:08 [INFO] generating key: rsa-2048
2021/01/12 17:30:09 [INFO] encoded CSR
2021/01/12 17:30:09 [INFO] signed certificate with serial number 231444717985151863143351072550771542586366536821
2021/01/12 17:30:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s01 ssl]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.kubeconfig admin.pem
```
Copy the generated admin.kubeconfig to /root/.kube/ on each machine that should manage the cluster and rename it config; kubectl picks it up from there. The file embeds the admin private key, so keep it at mode 0600 and treat it like the key itself.
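The file listing above already shows admin.kubeconfig, but the step that produces it is not on the page. The script below is an added example, not the original post's code: it assembles admin.kubeconfig from the cfssl output (ca.pem, admin.pem, admin-key.pem) with the certificates embedded, which is what the usual `kubectl config ... --embed-certs=true` sequence quoted in the comments also produces, and it adds the two checks worth having: refuse to write the file if any input is missing, and create it mode 0600 from the start. The apiserver address https://192.168.1.10:6443 and the names kubernetes and admin are assumptions; the `user` name in the kubeconfig is only a local label, the identity kube-apiserver sees comes from the certificate's CN and O.

```bash
#!/usr/bin/env bash
# Added example: build admin.kubeconfig from the cfssl output.
# Writing the YAML directly is equivalent to (all names below are assumptions):
#   kubectl config set-cluster kubernetes --certificate-authority=ca.pem \
#       --embed-certs=true --server=https://192.168.1.10:6443 --kubeconfig=admin.kubeconfig
#   kubectl config set-credentials admin --client-certificate=admin.pem \
#       --client-key=admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig
#   kubectl config set-context kubernetes --cluster=kubernetes --user=admin \
#       --kubeconfig=admin.kubeconfig
#   kubectl config use-context kubernetes --kubeconfig=admin.kubeconfig
set -eu

# base64 on a single line, the form --embed-certs stores in the file
b64() { base64 < "$1" | tr -d '\n'; }

# make_kubeconfig <server-url> <ca.pem> <client.pem> <client-key.pem> <out>
make_kubeconfig() {
  local server="$1" ca="$2" cert="$3" key="$4" out="$5" f
  # every input must exist and be non-empty; a kubeconfig with an empty
  # client-key-data field is useless and easy to overlook
  for f in "$ca" "$cert" "$key"; do
    [ -s "$f" ] || { echo "make_kubeconfig: missing or empty: $f" >&2; return 1; }
  done
  # the file embeds the admin private key: remove any old copy and create the
  # new one with mode 0600 (umask is changed only inside the subshell)
  (
    umask 077
    rm -f "$out"
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: ${server}
    certificate-authority-data: $(b64 "$ca")
users:
- name: admin
  user:
    client-certificate-data: $(b64 "$cert")
    client-key-data: $(b64 "$key")
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: admin
current-context: kubernetes
EOF
  )
}

# kubeconfig_field <kubeconfig> <field>   e.g. client-certificate-data
# prints the decoded PEM so you can confirm the embedded material is what
# you meant to ship (compare against the original file, or feed it to openssl)
kubeconfig_field() {
  sed -n "s/^ *$2: //p" "$1" | base64 -d
}

# file_mode <path>   prints the permission string, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

# usage:
#   make_kubeconfig https://192.168.1.10:6443 ca.pem admin.pem admin-key.pem admin.kubeconfig
```

Once the file is on the target machine, `openssl x509 -in admin.pem -noout -subject` should show CN=admin and O=system:masters, and `kubectl --kubeconfig admin.kubeconfig auth can-i '*' '*'` should answer yes; if it answers no or fails to connect, check the server address and that ca.pem is the CA that signed the apiserver's serving certificate.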
After the steps above, `kubectl get clusterrolebinding cluster-admin -o yaml` shows that the binding's subject has kind Group and name system:masters, and that its roleRef is the ClusterRole cluster-admin. In other words, every user or service account in the system:masters group holds the cluster-admin role, which is why kubectl with this kubeconfig has administrative rights over the whole cluster:
```bash
[root@k8s01 ssl]# kubectl get clusterrolebinding cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-12-29T09:53:06Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
        f:labels:
          .: {}
          f:kubernetes.io/bootstrapping: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kube-apiserver
    operation: Update
    time: "2020-12-29T09:53:06Z"
  name: cluster-admin
  resourceVersion: "97"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 6583f1fe-950b-4c62-a845-a2c655e3bb05
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
```

Creating a kubeconfig file for a binary-deployed k8s cluster