当前位置: 首页 > news >正文

kubernetes pod日志查看用户创建

目录

1.创建用户

1.1证书创建

1.2创建用户

1.3允许用户登陆

1.4切换用户

1.5删除用户

2.RBAC


1.创建用户

1.1证书创建

进入证书目录
# cd /etc/kubernetes/pki创建key
# openssl genrsa -out user1.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
........+++
e is 65537 (0x10001)创建csr
# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"查看创建结果
# ll
total 72
-rw-r--r-- 1 root root 1310 Jun 12 14:52 apiserver.crt
-rw-r--r-- 1 root root 1155 Jun 12 14:52 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jun 12 14:52 apiserver.key
-rw-r--r-- 1 root root 1164 Jun 12 14:52 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Jun 12 14:52 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Jun 12 14:52 ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 ca.key
-rw-r--r-- 1 root root   17 Oct 10 18:07 ca.srl
drwxr-xr-x 2 root root 4096 Jun 12 14:52 etcd
-rw-r--r-- 1 root root 1115 Jun 12 14:52 front-proxy-ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jun 12 14:52 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 front-proxy-client.key
-rw------- 1 root root 1679 Jun 12 14:52 sa.key
-rw------- 1 root root  451 Jun 12 14:52 sa.pub
-rw-r--r-- 1 root root  883 Oct 10 18:27 user1.csr
-rw-r--r-- 1 root root 1679 Oct 10 18:26 user1.key修改权限
# chmod 600 user1.key

使用集群证书签发

# openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 1095Signature ok
subject=/CN=user1
Getting CA Private Key

查看签发的证书

# openssl x509 -in user1.crt -text -nooutCertificate:Data:Version: 1 (0x0)Serial Number:fc:aa:fd:55:13:43:c3:62Signature Algorithm: sha256WithRSAEncryptionIssuer: CN=kubernetesValidityNot Before: Oct 10 10:30:34 2023 GMTNot After : Oct  9 10:30:34 2026 GMTSubject: CN=user1Subject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:d8:c0:f2:4c:35:42:32:97:12:0f:c1:c2:0f:16:........篇幅省略Exponent: 65537 (0x10001)Signature Algorithm: sha256WithRSAEncryption8d:92:df:d1:53:cf:0c:e6:97:10:cc:53:37:16:01:0c:69:c3:......篇幅省略

1.2创建用户

# kubectl config set-credentials user1 --client-certificate=./user1.crt --client-key=./user1.key --embed-certs=trueUser "user1" set.

1.3允许用户登陆

# kubectl config set-context user1@kubernetes --cluster=kubernetes --user=user1Context "user1@kubernetes" created.

查看集群信息

# kubectl config viewapiVersion: v1
clusters:
- cluster:certificate-authority-data: DATA+OMITTEDserver: https://master01:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: kubernetes-adminname: kubernetes-admin@kubernetes
- context:cluster: kubernetesuser: user1name: user1@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-adminuser:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED
- name: user1user:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED

可以看到user1已经存在并可以登陆

1.4切换用户

# kubectl config use-context user1@kubernetesSwitched to context "user1@kubernetes".

 但此时用户没有任何权限,需要配置rbac

# kubectl get podError from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"

1.5删除用户

# kubectl config delete-context user1@kubernetesdeleted context user1@kubernetes from /root/.kube/config# kubectl config unset users.user1Property "users.user1" unset.

2.RBAC

允许user1用户查看pod日志

# cat user1_pod_get.yamlapiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: defaultname: pod-log-reader
rules:
- apiGroups: [""]resources: ["pods", "pods/log"]verbs: ["get", "list"]  # 允许 "user1" 用户获取和列出 Pod 以及日志
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: pod-log-reader-bindingnamespace: default
subjects:
- kind: Username: user1  # 这里的 "user1" 是您之前创建的用户名称apiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: pod-log-readerapiGroup: rbac.authorization.k8s.io

再次使用user1用户就可以查看pod和日志了

# kubectl get pod -n default# kubectl logs -f pod/free-study-questionnaire-5c7f8c878d-859wl

http://www.lryc.cn/news/187687.html

相关文章:

  • HTML5+CSSday4综合案例二——banner效果
  • 关于红包雨功能的探索
  • 【已解决】Python打包文件执行报错:ModuleNotFoundError: No module named ‘pymssql‘
  • 华为云云耀云服务器L实例评测|测试CentOS的网络配置和访问控制
  • CSP模拟51联测13 B.狗
  • GEO生信数据挖掘(七)差异基因分析
  • JAVA-SpringBoot入门Demo用IDEA建立helloworld
  • Unity布料系统Cloth
  • 漏电继电器 LLJ-630F φ100 导轨安装 分体式结构 LLJ-630H(S) AC
  • 数据结构和算法(10):B-树
  • VR会议:远程带看功能,专为沉浸式云洽谈而生
  • 实验室管理系统LIMS
  • 开源ERP和CRM套件Dolibarr
  • 视频号双11激励政策,快来看一看
  • Maven最新版本安装及配置
  • 探索ClickHouse——使用MaterializedPostgreSQL同步PostgreSQL数据库
  • 《向量数据库指南》——向量数据库 有必要走向专业化吗?
  • 你必须知道的数据查询途径!!
  • 火焰原子吸收光谱法、容量法和电感耦合等离子体发射光谱法
  • 亚马逊云科技 2023 柏林峰会主题演讲总结
  • CentOS Stream9 安装远程桌面服务 Xrdp
  • 实施运维01
  • MySQL大表直接复制文件的copy方式
  • Redis-集群
  • 使用CrawlSpider爬取全站数据。
  • 【JUC】Java并发编程从挖坑到入土全解(4-一文讲通LockSupport与线程中断->长图预警)
  • Springboot学习笔记——3
  • jupyter 切换虚拟环境
  • 如何在Apache和Resin环境中实现HTTP到HTTPS的自动跳转:一次全面的探讨与实践
  • 安全防御—密码学