kubernetes pod日志查看用户创建
目录
1.创建用户
1.1证书创建
1.2创建用户
1.3允许用户登陆
1.4切换用户
1.5删除用户
2.RBAC
1.创建用户
1.1证书创建
进入证书目录
# cd /etc/kubernetes/pki创建key
# openssl genrsa -out user1.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
........+++
e is 65537 (0x10001)创建csr
# openssl req -new -key user1.key -out user1.csr -subj "/CN=user1"查看创建结果
# ll
total 72
-rw-r--r-- 1 root root 1310 Jun 12 14:52 apiserver.crt
-rw-r--r-- 1 root root 1155 Jun 12 14:52 apiserver-etcd-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 apiserver-etcd-client.key
-rw------- 1 root root 1679 Jun 12 14:52 apiserver.key
-rw-r--r-- 1 root root 1164 Jun 12 14:52 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 Jun 12 14:52 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Jun 12 14:52 ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 ca.key
-rw-r--r-- 1 root root 17 Oct 10 18:07 ca.srl
drwxr-xr-x 2 root root 4096 Jun 12 14:52 etcd
-rw-r--r-- 1 root root 1115 Jun 12 14:52 front-proxy-ca.crt
-rw------- 1 root root 1675 Jun 12 14:52 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Jun 12 14:52 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 12 14:52 front-proxy-client.key
-rw------- 1 root root 1679 Jun 12 14:52 sa.key
-rw------- 1 root root 451 Jun 12 14:52 sa.pub
-rw-r--r-- 1 root root 883 Oct 10 18:27 user1.csr
-rw-r--r-- 1 root root 1679 Oct 10 18:26 user1.key修改权限
# chmod 600 user1.key
使用集群证书签发
# openssl x509 -req -in user1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user1.crt -days 1095Signature ok
subject=/CN=user1
Getting CA Private Key
查看签发的证书
# openssl x509 -in user1.crt -text -nooutCertificate:Data:Version: 1 (0x0)Serial Number:fc:aa:fd:55:13:43:c3:62Signature Algorithm: sha256WithRSAEncryptionIssuer: CN=kubernetesValidityNot Before: Oct 10 10:30:34 2023 GMTNot After : Oct 9 10:30:34 2026 GMTSubject: CN=user1Subject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:d8:c0:f2:4c:35:42:32:97:12:0f:c1:c2:0f:16:........篇幅省略Exponent: 65537 (0x10001)Signature Algorithm: sha256WithRSAEncryption8d:92:df:d1:53:cf:0c:e6:97:10:cc:53:37:16:01:0c:69:c3:......篇幅省略
1.2创建用户
# kubectl config set-credentials user1 --client-certificate=./user1.crt --client-key=./user1.key --embed-certs=trueUser "user1" set.
1.3允许用户登陆
# kubectl config set-context user1@kubernetes --cluster=kubernetes --user=user1Context "user1@kubernetes" created.
查看集群信息
# kubectl config viewapiVersion: v1
clusters:
- cluster:certificate-authority-data: DATA+OMITTEDserver: https://master01:6443name: kubernetes
contexts:
- context:cluster: kubernetesuser: kubernetes-adminname: kubernetes-admin@kubernetes
- context:cluster: kubernetesuser: user1name: user1@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-adminuser:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED
- name: user1user:client-certificate-data: DATA+OMITTEDclient-key-data: DATA+OMITTED
可以看到user1已经存在并可以登陆
1.4切换用户
# kubectl config use-context user1@kubernetesSwitched to context "user1@kubernetes".
但此时用户没有任何权限,需要配置rbac
# kubectl get podError from server (Forbidden): pods is forbidden: User "user1" cannot list resource "pods" in API group "" in the namespace "default"
1.5删除用户
# kubectl config delete-context user1@kubernetesdeleted context user1@kubernetes from /root/.kube/config# kubectl config unset users.user1Property "users.user1" unset.
2.RBAC
允许user1用户查看pod日志
# cat user1_pod_get.yamlapiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:namespace: defaultname: pod-log-reader
rules:
- apiGroups: [""]resources: ["pods", "pods/log"]verbs: ["get", "list"] # 允许 "user1" 用户获取和列出 Pod 以及日志
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: pod-log-reader-bindingnamespace: default
subjects:
- kind: Username: user1 # 这里的 "user1" 是您之前创建的用户名称apiGroup: rbac.authorization.k8s.io
roleRef:kind: Rolename: pod-log-readerapiGroup: rbac.authorization.k8s.io
再次使用user1用户就可以查看pod和日志了
# kubectl get pod -n default# kubectl logs -f pod/free-study-questionnaire-5c7f8c878d-859wl