22. Kubernetes (k8s) notes: Authentication, Authorization and Admission Control (2): User Account authentication

User Account authentication
The kubeconfig file
As mentioned earlier, all communication with the Kubernetes API server goes over HTTPS, and every request has to be authenticated. Take a plain command such as

[root@k8s-master ~]# kubectl get pod

Even this request has to pass HTTPS authentication, and the API server keeps no session state: every request must carry its own credentials (for a User Account, normally a client certificate and key). Supplying all of that by hand on every invocation would be impractical, so kubectl reads a kubeconfig file that bundles the API server endpoint, the CA to trust and the user's credentials, and attaches them to each request automatically.
kubeconfig file: three search locations, in priority order
1. A file passed explicitly with --kubeconfig (highest priority; only that file is used)
2. The $KUBECONFIG environment variable (a colon-separated list of files, which are merged)
3. $HOME/.kube/config in the user's home directory (the default when neither of the above is set)
kubeconfig file:
It gathers the user name, credentials and cluster details into a single file used to authenticate to the API server; one file can hold m clusters and n sets of credentials.

  • The kubectl options show that a client certificate and key can be passed directly on the command line
[root@k8s-master kubernetes]# kubectl options
The following options can be passed to any command:
      --add-dir-header=false: If true, adds the file directory to the header of the log messages
      --alsologtostderr=false: log to standard error as well as files
      --as='': Username to impersonate for the operation
      --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir='/root/.kube/cache': Default cache directory
      --certificate-authority='': Path to a cert file for the certificate authority
      --client-certificate='': Path to a client certificate file for TLS    # client certificate
      --client-key='': Path to a client key file for TLS    # client private key
      --cluster='': The name of the kubeconfig cluster to use
      --context='': The name of the kubeconfig context to use
      --insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      ...
Note the last flag: --insecure-skip-tls-verify turns off verification of the API server's certificate, so the client certificate and any token would be presented to whoever answers on port 6443. Leave it at its default of false outside a throwaway lab.

kubeconfig file
  • It holds roughly four kinds of information, and one file can store m clusters and n sets of credentials:
  • clusters: the Kubernetes clusters to access (API server address and the CA that signed the server certificate)
  • contexts: the concrete combinations of cluster and user (optionally with a namespace) used to reach a cluster
  • current-context: the context used by default
  • users: the credentials for each user, i.e. the user name plus its certificate and key (or token)
The kubeconfig files created by default
[root@k8s-master core]# cd /etc/kubernetes/
[root@k8s-master kubernetes]# ll    # config files present after a kubeadm install
total 32
-rw------- 1 root root 5565 Jun 29 01:42 admin.conf               # cluster administrator credentials
-rw------- 1 root root 5601 Jun 29 01:42 controller-manager.conf  # kube-controller-manager credentials
-rw------- 1 root root 1933 Jun 29 01:43 kubelet.conf
drwx------ 2 root root  113 Jun 29 01:42 manifests
drwxr-xr-x 3 root root 4096 Jun 29 01:42 pki
-rw------- 1 root root 5541 Jun 29 01:42 scheduler.conf           # kube-scheduler credentials
[root@k8s-master kubernetes]# cat admin.conf
apiVersion: v1
clusters:                                      # cluster details
- cluster:
    certificate-authority-data: <base64 omitted>   # the CA certificate that signed the API server's certificate
    server: https://192.168.4.170:6443
  name: kubernetes                             # cluster name
contexts:                                      # a context ties a cluster to a user; they are not one-to-one, one user can manage several clusters
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes   # the cluster/user pair currently in use
kind: Config
preferences: {}
users:
- name: kubernetes-admin                       # user details
  user:                                        # client certificate and private key, base64-encoded
    client-certificate-data: <base64 omitted>
    client-key-data: <base64 omitted>
All four files are mode 0600 and owned by root for a reason: each embeds a private key, and admin.conf in particular is a complete cluster-admin credential. Keep that permission on any copy you make of it.

Three ways to point kubectl at a kubeconfig file
  • Method 1: pass the file explicitly
[root@k8s-master ~]# kubectl --kubeconfig=/etc/kubernetes/admin.conf get pod    # explicit path; this is also the file kubeadm init tells us to copy into the home directory
NAME                                 READY   STATUS    RESTARTS   AGE
centos-deployment-66d8cd5f8b-9x47c   1/1     Running   1          44h
demodb-0                             1/1     Running   0          21h
demodb-1                             1/1     Running   0          19h

  • Method 2: the KUBECONFIG environment variable
[root@k8s-master ~]# export KUBECONFIG=/etc/kubernetes/admin.conf    # set through the environment
[root@k8s-master ~]# echo $KUBECONFIG
/etc/kubernetes/admin.conf

  • Method 3: copy the file into the home directory
  • This is what kubeadm init prints at the end of cluster initialization:
To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.4.170:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:d31662998938389c1f9e432a0c7bcef7d05678b42c2f5fd67213ed228f356db2

Common commands for inspecting a kubeconfig file
[root@k8s-master ~]# kubectl config -h
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file

  • Show the default (merged) kubeconfig
[root@k8s-master ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    server: ""
  name: /etc/kubernetes/admin.conf
- cluster:
    server: ""
  name: etc/kubernetes/admin.conf
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
kubectl config view masks certificate and key material as DATA+OMITTED and REDACTED; the actual bytes are only shown with --raw. The two cluster entries with an empty server are stale entries in this particular file (nothing references them) and can be dropped with kubectl config delete-cluster.

  • Show the contexts defined in a specific kubeconfig file
[root@k8s-master ~]# kubectl config get-contexts --kubeconfig=/etc/kubernetes/scheduler.conf
CURRENT   NAME                               CLUSTER      AUTHINFO                NAMESPACE
*         system:kube-scheduler@kubernetes   kubernetes   system:kube-scheduler

Example 1: create a kubeconfig for a new account with an openssl-issued certificate
  1. Create a private key
    We use openssl and X.509 certificates, which support mutual (client and server) authentication; the client certificate is signed by the cluster's own CA.
  2. The component directory contains a single ca.crt: all components are issued by the CA the API server trusts, so a key of our own can only authenticate to the API server if its certificate is signed by that same CA. Note that ca.key, the CA's private key, is also here: whoever can read it can mint a certificate for any user name, admin included, so it must never leave the control plane.
[root@k8s-master pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub

  • Create the private key
[root@k8s-master kubernetes]# mkdir usercerts
[root@k8s-master kubernetes]# cd usercerts/
[root@k8s-master usercerts]# (umask 077; openssl genrsa -out tom.key 2048)    # umask 077 in a subshell so the key file is created readable by its owner only
Generating RSA private key, 2048 bit long modulus
...............................................................+++
.......................+++
e is 65537 (0x10001)
[root@k8s-master usercerts]# ls
tom.key

  • Next, the certificate. A self-signed certificate made from this key would not work, because the API server only trusts certificates signed by its CA. Instead we create a certificate signing request (CSR) and have the cluster CA sign it. The request tom.csr is produced from tom.key with openssl req -new, using the subject /CN=tom/O=kubeusers shown in the signing output below: Kubernetes takes the CN as the user name and each O as a group, so this certificate will identify user tom in group kubeusers.
  • Common openssl x509 options
    -days            validity period in days
    -CA              the CA certificate to sign with
    -CAkey           the CA's private key
    -CAcreateserial  let openssl create the CA serial-number file if it does not exist yet
    -in              the file to sign (the CSR)
    -out             output file
[root@k8s-master usercerts]# openssl x509 -req -days 3655 -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -in tom.csr -out tom.crt
Signature ok
subject=/CN=tom/O=kubeusers
Getting CA Private Key
[root@k8s-master usercerts]# openssl x509 -in tom.crt -text -noout    # show the certificate details
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: bc:c3:53:df:96:10:ec:ed
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Aug 24 00:35:05 2021 GMT
            Not After : Aug 27 00:35:05 2031 GMT
        Subject: CN=tom, O=kubeusers
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:c9:3d:ac:3a:b3:9d:38:58:f1:d9:c6:21:c5:
                    d5:57:d1:a5:5d:0a:92:a1:88:3e:3c:2d:8d:2d:20:
                    b1:a4:d1:07:03:7e:72:48:dd:d9:7e:4b:b6:fc:35:
                    46:b9:60:82:c2:36:30:7d:04:8c:83:b5:7c:8a:b1:
                    20:7d:f4:b3:5c:29:f4:e0:2b:67:96:5d:b8:a6:ba:
                    4a:0c:7e:4f:6b:34:82:5b:7d:1a:8c:26:ed:91:dd:
                    62:9f:37:68:70:14:a4:cf:ea:b0:51:b3:56:9e:d6:
                    1d:64:32:66:8c:c1:9e:40:4b:20:1c:0a:8b:2c:c8:
                    94:be:10:95:29:7f:8b:6e:a1:03:32:11:31:de:c6:
                    d1:8c:64:a8:43:4b:0b:ad:ff:64:e1:17:4d:55:fe:
                    04:9f:a5:59:2b:e5:13:5e:0d:2b:c1:c7:45:f8:b3:
                    a7:ad:da:dc:e8:aa:22:5a:37:e6:ce:75:8e:bc:e3:
                    1e:eb:95:db:be:14:dd:43:1b:51:e6:94:21:10:81:
                    1c:b5:e3:2d:3e:12:b6:78:14:d4:90:8a:06:32:7e:
                    ef:90:7b:e7:26:60:38:6c:52:04:bc:91:e1:3f:db:
                    8b:8a:05:39:ad:74:99:e1:80:ae:58:d6:4a:6d:7d:
                    64:a3:bc:16:b8:7c:d6:08:33:b8:23:56:35:75:18:
                    bb:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         40:fe:1b:d7:c1:67:bf:15:21:be:ac:0e:fb:32:a3:1e:58:e5:
         c8:2a:3f:3a:21:87:23:9c:14:dc:05:39:fb:5f:f8:1e:f3:66:
         98:54:48:1c:25:c1:b5:bc:1c:be:7d:d6:86:7d:09:ae:7c:40:
         2d:cd:0b:5d:29:7f:67:ec:51:1b:c3:97:d3:a2:17:d4:96:04:
         17:ba:aa:79:ff:0e:d0:53:2c:81:a3:8e:05:0b:a5:f5:12:0c:
         f8:38:f1:fb:6e:bf:7b:1b:40:f0:dc:b1:5e:b1:a8:c8:fc:ec:
         92:c5:fb:6b:76:ff:7c:ab:f5:ea:94:89:8a:fd:47:cf:c8:8a:
         b6:f3:42:19:b9:b2:74:41:de:bf:66:7e:b3:e2:78:8e:e1:db:
         ac:85:2b:ed:8d:c1:55:16:0f:15:8c:72:7b:0d:7e:31:ce:06:
         ce:2e:d3:9f:77:60:22:4e:11:32:33:b6:28:d5:93:2f:c9:a5:
         4c:f6:1f:4f:7d:e7:66:e0:74:14:c4:c8:de:c1:26:1e:56:db:
         29:54:35:b9:3b:24:8b:5f:f5:81:af:30:27:f4:1f:99:a5:aa:
         8d:f3:91:c4:4f:3e:3d:12:a9:a5:85:44:0b:17:19:2a:ac:ea:
         50:3f:39:31:c5:ef:15:04:f7:bf:11:a3:57:af:8f:ce:8d:d1:
         d7:5e:c4:31
Two things are worth noticing in this certificate. It is Version 1 with no extensions, because no -extfile was passed to openssl x509; the API server accepts it, but a certificate restricted to client authentication (extendedKeyUsage clientAuth) is the norm. And it is valid for ten years: Kubernetes has no certificate revocation, so a leaked tom.crt and tom.key remain usable until they expire or the cluster CA is replaced. Prefer short lifetimes for user certificates.

    3. Generate the kubeconfig: add the cluster details, writing to /tmp/mykubeconfig
[root@k8s-master core]# kubectl config set-cluster kubernetes --server=https://k8s-master:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/mykubeconfig
Cluster "kubernetes" set.
[root@k8s-master ~]# cat /tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:                                  # cluster details: the CA used to verify the API server
    certificate-authority-data: <base64 omitted>
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""                         # no context yet
kind: Config
preferences: {}
users: null                                 # no users yet

    4. Add the cluster user tom
[root@k8s-master ~]# kubectl config set-credentials --help    # a user can authenticate in several ways
...
Usage:
  kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name] [--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg] [--exec-env=key=value] [options]
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true --kubeconfig=/tmp/mykubeconfig
User "tom" set.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: tom                                 # user tom added
  user:
    client-certificate-data: REDACTED       # masked by kubectl config view; --embed-certs=true is what copied the file contents (base64) into the kubeconfig instead of the paths ./tom.crt and ./tom.key
    client-key-data: REDACTED
With --embed-certs=true the kubeconfig is self-contained and can be handed to the user as a single file; without it the file only records the paths ./tom.crt and ./tom.key, which then have to travel with it. Either way the file holds the private key and should stay mode 0600.

    5. Add a context that binds the cluster and the user
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes --kubeconfig=/tmp/mykubeconfig
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes                      # user and cluster bound through the context
current-context: ""
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

    6. Switch context so that requests authenticate as tom
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes --kubeconfig=/tmp/mykubeconfig
Switched to context "tom@kubernetes".
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/mykubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s-master:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: tom@kubernetes             # current user
kind: Config
preferences: {}
users:
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@k8s-master usercerts]# kubectl get nodes --kubeconfig=/tmp/mykubeconfig
Error from server (Forbidden): nodes is forbidden: User "tom" cannot list resource "nodes" in API group "" at the cluster scope
  • This error is an authorization failure, not an authentication failure: the API server accepted the certificate and identified the caller as User "tom" (the name comes from the certificate's CN), and only then refused the request because tom has no RBAC permissions. That is exactly what this example set out to demonstrate; authorization is covered in the next part.
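The whole of Example 1 as one script, as an added example rather than the notes' own commands: it issues the user certificate with openssl (including the CSR step), writes the same self-contained kubeconfig that the kubectl config set-cluster/set-credentials/set-context calls with --embed-certs produce, and then runs the two checks a reviewer would want on the result: that the file is private, and what subject and remaining validity the embedded certificate has. It assumes openssl and base64 are on the path. The throwaway CA built by make_demo_ca stands in for /etc/kubernetes/pki/ca.crt and ca.key, the server https://k8s-master:6443 and the user tom in group kubeusers are reused from the notes as placeholders, and the function names are this example's own, not kubectl's.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. A throwaway CA replaces the cluster CA
# so the script runs offline; to issue a real credential, copy the cluster's ca.crt and
# ca.key into the working directory instead of calling make_demo_ca.
set -eu

b64file() { base64 < "$1" | tr -d '\n'; }   # single-line base64, as kubeconfig expects

# Demo CA only: self-signed CA:TRUE certificate, with an explicit config so the script
# does not depend on the system openssl.cnf.
make_demo_ca() {
    local dir=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = kubernetes' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate for user $2 in group $3, valid $4 days, signed by the CA in $1.
# CN becomes the Kubernetes user name and O the group. Unlike the notes' ten-year v1 cert,
# this one carries v3 extensions limiting it to client authentication and a short lifetime,
# which matters because Kubernetes cannot revoke a certificate once issued.
issue_user_cert() {
    local dir=$1 user=$2 group=$3 days=$4
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\nO = %s\n' \
        "$user" "$group" > "$dir/$user-req.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = clientAuth' > "$dir/client-ext.cnf"
    (umask 077; openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$user.key" -config "$dir/$user-req.cnf" \
        -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days "$days" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client-ext.cnf" -in "$dir/$user.csr" -out "$dir/$user.crt" 2>/dev/null
}

# Write a self-contained kubeconfig (what set-cluster/set-credentials/set-context with
# --embed-certs plus use-context produce). Args: out server ca.crt user user.crt user.key
write_kubeconfig() {
    local out=$1 server=$2 ca=$3 user=$4 crt=$5 key=$6
    (umask 077; cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $(b64file "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64file "$crt")
    client-key-data: $(b64file "$key")
contexts:
- name: $user@kubernetes
  context:
    cluster: kubernetes
    user: $user
current-context: $user@kubernetes
EOF
    )
}

# Check 1: the file must not be readable by group or others (it contains a private key).
kubeconfig_is_private() {
    local mode; mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Check 2: decode the embedded client certificate, print subject and expiry, and fail if
# it expires within $2 seconds (openssl -checkend). Flags both stale and absurdly long certs.
kubeconfig_client_cert_ok() {
    local cfg=$1 min_seconds=$2 tmp rc=0
    tmp=$(mktemp)
    sed -n 's/^ *client-certificate-data: //p' "$cfg" | base64 -d > "$tmp"
    openssl x509 -in "$tmp" -noout -subject -enddate
    openssl x509 -in "$tmp" -noout -checkend "$min_seconds" >/dev/null || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Walk-through: CA, user tom in group kubeusers for 30 days, kubeconfig, then the checks.
WORK=$(mktemp -d)
make_demo_ca "$WORK"
issue_user_cert "$WORK" tom kubeusers 30
openssl verify -CAfile "$WORK/ca.crt" "$WORK/tom.crt"          # "<dir>/tom.crt: OK"
write_kubeconfig "$WORK/tom.kubeconfig" https://k8s-master:6443 \
    "$WORK/ca.crt" tom "$WORK/tom.crt" "$WORK/tom.key"
kubeconfig_is_private "$WORK/tom.kubeconfig" && echo "permissions OK"
kubeconfig_client_cert_ok "$WORK/tom.kubeconfig" $((7 * 24 * 3600)) && echo "certificate OK"
```

The kubeconfig written here is byte-for-byte the same shape as the one kubectl builds in steps 3 to 6, so it can be tried against a real cluster with kubectl get nodes --kubeconfig=<file> and will produce the same Forbidden error until RBAC grants tom something. The two checks are the ones to run on any kubeconfig handed to you: a 0644 file or a certificate with years of validity left is a credential that cannot be taken back.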

Example 2: merging the certificate into the default kubeconfig (tom.crt was created in Example 1)
  • The cluster does not have to be added again; the default kubeconfig already contains it
[root@k8s-master usercerts]# kubectl config set-credentials tom --client-certificate=./tom.crt --client-key=./tom.key --embed-certs=true
User "tom" set.

  • Create the context in the default kubeconfig
[root@k8s-master usercerts]# kubectl config set-context "tom@kubernetes" --user=tom --cluster=kubernetes
Context "tom@kubernetes" created.
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes         # default context
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes                      # newly created context
current-context: kubernetes-admin@kubernetes   # current context
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom                                 # newly added user
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

  • Switch the current context to tom@kubernetes
[root@k8s-master usercerts]# kubectl config use-context tom@kubernetes
Switched to context "tom@kubernetes".
[root@k8s-master usercerts]# kubectl get pod    # no permission yet
Error from server (Forbidden): pods is forbidden: User "tom" cannot list resource "pods" in API group "" in the namespace "default"

  • Use a different context for a single command with --context
[root@k8s-master usercerts]# kubectl get nodes --context=kubernetes-admin@kubernetes
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   19d   v1.19.9
[root@k8s-master usercerts]# kubectl config use-context kubernetes-admin@kubernetes    # change the default context back
Switched to context "kubernetes-admin@kubernetes".
[root@k8s-master usercerts]# kubectl get node
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    master   56d   v1.19.9
k8s-node1    Ready    <none>   56d   v1.19.9
k8s-node2    Ready    <none>   56d   v1.19.9
k8s-node3    Ready    <none>   19d   v1.19.9

  • Delete the context and the user again
[root@k8s-master usercerts]# kubectl config delete-context tom@kubernetes
[root@k8s-master usercerts]# kubectl config delete-user tom
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

  • Merge kubeconfig files through the KUBECONFIG environment variable (a colon-separated list)
[root@k8s-master usercerts]# export KUBECONFIG=$HOME/.kube/config:/tmp/mykubeconfig
[root@k8s-master usercerts]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

  • Building on the merge through the environment variable, kubectl config view --merge --flatten writes the merged result out as one self-contained file: --merge (on by default) combines the files listed in $KUBECONFIG, and --flatten inlines any certificate files referenced by path and, unlike a plain view, emits the real certificate and key data rather than REDACTED placeholders, which is what makes the output usable as a kubeconfig.
[root@k8s-master usercerts]# kubectl config view --merge --flatten > /tmp/newkubeconfig
[root@k8s-master usercerts]# kubectl config view --kubeconfig=/tmp/newkubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.4.170:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
- context:
    cluster: kubernetes
    user: tom
  name: tom@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: tom
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Because /tmp/newkubeconfig now holds both the admin's and tom's private keys in the clear (base64 is an encoding, not encryption), write it with a restrictive umask or chmod 600 it immediately, and do not leave a file like this lying in a world-readable /tmp.
