X.509 certificate authentication
Client configuration file kubeconfig
I. Create a custom account authenticated with an SSL/TLS certificate:
1. Generate the private key. This is done as root on the master node; the file is placed in the dedicated directory /etc/kubernetes/pki:
# cd /etc/kubernetes/pki
# (umask 077;openssl genrsa -out sonfer.key 2048)
2. Create a certificate signing request. The CN value in the -subj option is used by kubeconfig as the username, and the O value is recognised as the user group:
# openssl req -new -key sonfer.key -out sonfer.csr -subj "/CN=sonfer"
(or, to also place the user in a group, CN and O as separate components:)
# openssl req -new -key sonfer.key -out sonfer.csr -subj "/CN=sonfer/O=kubernetes"
3. Sign the request with the CA that kubeadm generated when the cluster was installed. Here the validity is set to 36500 days:
# openssl x509 -req -in sonfer.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sonfer.crt -days 36500
4. Inspect the certificate (optional):
# openssl x509 -in sonfer.crt -text -noout
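The same issuance steps scripted as an added example (not from these notes), with a short validity plus checks that the signed certificate chains to the CA, carries the expected CN (user) and O (group), and sits next to a 0600 private key. It assumes only the openssl CLI and uses a constructed throwaway CA in place of the cluster's /etc/kubernetes/pki/ca.crt and ca.key.

```shell
#!/bin/sh
# Added example, not part of the original notes: repeats the issuance steps
# above with a short validity, then checks what the API server will see.
# Needs only the openssl CLI. The CA is a constructed stand-in for the
# kubeadm ca.crt/ca.key in /etc/kubernetes/pki.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # stand-in for /etc/kubernetes/pki
# Constructed throwaway CA; a real cluster uses its own existing CA.
make_test_ca() {
    (umask 077; openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$WORKDIR/ca.key" -days 30 \
        -subj "/CN=kubernetes" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# issue_client_cert NAME GROUP DAYS: key (mode 0600), CSR and signed cert.
issue_client_cert() {
    (umask 077; openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null)
    # CN is the Kubernetes username, O the group; they are separate RDNs.
    openssl req -new -key "$WORKDIR/$1.key" -subj "/CN=$1/O=$2" \
        -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days "$3" \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# cert_identity NAME: prints "<user> <group>" as the API server maps them.
cert_identity() {
    subj=$(openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253)
    cn=$(printf '%s' "$subj" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p')
    o=$(printf '%s' "$subj" | sed -n 's/.*O *= *\([^,]*\).*/\1/p')
    printf '%s %s\n' "$cn" "$o"
}

# cert_chains_to_ca NAME: succeeds only if the cert was signed by our CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# cert_expires_within NAME DAYS: true if the cert expires inside DAYS.
# Kubernetes cannot revoke client certs, so validity is the only built-in
# limit on a leaked key; the 36500 days used above is effectively forever.
cert_expires_within() {
    ! openssl x509 -in "$WORKDIR/$1.crt" -noout -checkend $(($2 * 86400)) >/dev/null
}
# key_mode NAME: permission string of the private key, expected -rw-------.
key_mode() { ls -l "$WORKDIR/$1.key" | cut -c1-10; }

make_test_ca; issue_client_cert sonfer kubernetes 365; cert_identity sonfer
```

Run it as is to issue a 365-day certificate for sonfer in group kubernetes; set WORKDIR to reuse an existing directory.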
Relationship between users, Roles and RoleBindings: a RoleBinding binds a user to a Role.
II. Using the certificate in another user's config
1. Copy the certificate into the user's home directory and set ownership
# cp -ap /root/.kube /home/sonfer
# chown sonfer. /home/sonfer/.kube -R
# cp -a /etc/kubernetes/pki/sonfer.* /home/sonfer/.kube/
2. Configure the client certificate and key. The credential name must match the name used when the certificate was created.
# kubectl config set-credentials sonfer --client-certificate=/home/sonfer/.kube/sonfer.crt --client-key=/home/sonfer/.kube/sonfer.key
3. Configure the context
# kubectl config set-context sonfer@kubernetes --cluster=kubernetes --user=sonfer
4. Switch to sonfer to access the cluster:
kubectl config use-context sonfer@kubernetes
5. At this point the user has no permission to access the cluster:
[sonfer@k8s001 .kube]$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "sonfer" cannot list resource "pods" in...
6. Create a Role
# kubectl create role pod-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-daemo.yaml
# kubectl apply -f role-daemo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader # name of the Role; used when binding
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
7. Bind the user to the Role
# kubectl create rolebinding sonfer-read-pods --role=pod-reader --user=sonfer -o yaml --dry-run >rolebinding-daemo.yaml
# kubectl apply -f rolebinding-daemo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sonfer-read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader # which Role to bind to
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sonfer # which user: sonfer
8. List the pods again
[sonfer@k8s001 .kube]$ kubectl get pods
NAME                        READY   STATUS             RESTARTS   AGE
activity-5f8948dcd9-ghmcf   0/1     CrashLoopBackOff   289        29h
activity-5f8948dcd9-z7nvx   0/1     CrashLoopBackOff   294        29h
myapp-0                     1/1     Running            6          6d21h
myapp-1                     1/1     Running            5          6d21h
myapp-2                     1/1     Running            5          6d21h