Background:

Here’s the thing: the service runs on a Kubernetes cluster (Tencent Cloud TKE 1.20.6). Logs are collected into an Elasticsearch cluster and Tencent’s CLS log service. The colleagues find that route inconvenient and want to see the console output. They were assigned a server (a node added to the cluster, but with a taint) so they can test things out. Now I want them to be able to view the logs on the console through this worker node. Simply copying the config file from /root/.kube/ on the master node would give far too much access! So let’s go over the kubeconfig configuration file and the Role/RoleBinding again. Note: the namespace is official. The goal is to grant only the permissions to list pods and read their logs in that namespace; other namespaces must not be visible.

Kubernetes kubeconfig

1. Create user credentials

Prerequisite: OpenSSL is installed (installation steps omitted here……)

1. Create a user certificate private key

The user is named after me, and the private key is zhangpeng.key:

openssl genrsa -out zhangpeng.key 2048

2. Create a certificate signature request file

Create a certificate signing request file, zhangpeng.csr, using the private key we just created. Be sure to specify the user name and group in the -subj argument (CN is the user name, O is the group):

openssl req -new -key zhangpeng.key -out zhangpeng.csr -subj "/CN=zhangpeng/O=layabox"

You may get an error here (the original screenshot, not reproduced, was taken in a different environment rather than from the command above). The fix is as follows:

cd /root
openssl rand -writerand .rnd


Then run the command again:

openssl req -new -key zhangpeng.key -out zhangpeng.csr -subj "/CN=zhangpeng/O=layabox"

3. Generate the final certificate file

Find the Kubernetes cluster’s CA. If the cluster was installed with kubeadm, the CA certificate is under /etc/kubernetes/pki/; if you set the cluster up from binaries, it is in whatever directory you specified for the CA when building the cluster. We use the ca.crt and ca.key files in that directory to sign the certificate request above. In my case it is a Tencent Cloud TKE cluster, where the certificates are server.crt and server.key in /etc/kubernetes. These two files are used to generate the certificate as follows:

root@ap-shanghai-k8s-master-1:~/ap-shanghai# openssl x509 -req -in zhangpeng.csr -CA /etc/kubernetes/ca.crt -CAkey /etc/kubernetes/ca.key -CAcreateserial -out zhangpeng.crt -days 3650
Signature ok
subject=CN = zhangpeng, O = layabox
Getting CA Private Key


Check that the certificate file has been generated in the current directory.

4. Create credentials and context in kubernetes cluster

Create new user credentials

root@ap-shanghai-k8s-master-1:~/ap-shanghai# kubectl config set-credentials zhangpeng --client-certificate=zhangpeng.crt --client-key=zhangpeng.key
User "zhangpeng" set.

Set the Context for the user:

root@ap-shanghai-k8s-master-1:~/ap-shanghai# kubectl config set-context zhangpeng-context --cluster=kubernetes --namespace=official --user=zhangpeng
Context "zhangpeng-context" created.

At this point, zhangpeng’s configuration has been created. Using this context with kubectl should now fail, because we haven’t granted this user any permissions yet:

$ kubectl get pods --context=zhangpeng-context -n official
Error from server (Forbidden): pods is forbidden: User "zhangpeng" cannot list resource "pods" in API group "" in the namespace "official"

2. Create a role

cat role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: official
  name: official-log-role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
kubectl apply -f role.yaml

Reference: kubernetes.io/docs/ref… (the RBAC documentation)

3. Create role permission binding

cat rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ap-shanghai-rolebinding
  namespace: official
subjects:
- kind: User
  name: zhangpeng                     # must match the CN in the client certificate
  apiGroup: rbac.authorization.k8s.io # the API server defaults an empty value to this
roleRef:
  kind: Role
  name: official-log-role
  apiGroup: rbac.authorization.k8s.io # the API server defaults an empty value to this

kubectl apply -f rolebinding.yaml

4. Test

root@ap-shanghai-k8s-master-1:~/ap-shanghai# kubectl get pods --context=zhangpeng-context
The connection to the server localhost:8080 was refused - did you specify the right host or port?

Why the error? In /root/.kube/config the default TKE cluster is named local, but in step 1.2.4 (the set-context command) I used --cluster=kubernetes. Change the cluster in the config file directly to local. It is also important to confirm the cluster name before performing step 1.2.4; don’t copy the command blindly!

Retest:

kubectl get pods --context=zhangpeng-context

Since these pods are serving production traffic, I will create a new nginx pod and test on it whether the user can delete and edit pods:

kubectl run nginx --image=nginx -n official
$ kubectl delete pods nginx --context=zhangpeng-context
Error from server (Forbidden): pods "nginx" is forbidden: User "zhangpeng" cannot delete resource "pods" in API group "" in the namespace "official"
$ kubectl edit pods nginx --context=zhangpeng-context
error: pods "nginx" could not be patched: pods "nginx" is forbidden: User "zhangpeng" cannot patch resource "pods" in API group "" in the namespace "official"
You can run `kubectl replace -f /tmp/kubectl-edit-kp0az.yaml` to try this update again.

Then copy the config file to the user’s laptop as /root/.kube/config. I did this by deleting the original cluster’s default user and context entries from it and setting the default context (current-context) to the newly created zhangpeng-context. Of course, also remember to copy the client-certificate and client-key files to the corresponding directory (you can also put them elsewhere and then adjust the paths in the config file). Try switching to another namespace: basically achieved my personal goal. RBAC and security context also need a thorough review!
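As an added example (not code from the original post), here is a shell helper for the last step: it writes the restricted user’s kubeconfig as one self-contained file with the CA and client certificate/key embedded, containing only zhangpeng-context as current-context, and reads the cluster name and server URL from the admin kubeconfig instead of hard-coding them (the "kubernetes" vs "local" slip from the Test section). The file paths, server URL and admin kubeconfig layout are assumptions; verify_access needs kubectl against the real cluster.

```shell
# Added example, not from the original post: build a standalone kubeconfig for the
# restricted user with CA and client cert/key embedded (one file to copy, no admin
# entries to strip out), taking the cluster name from the admin kubeconfig instead
# of hard-coding it. File paths, server URL and cluster name are assumptions.

# Print the first KEY (name or server) found in the clusters section of a kubeconfig.
kubeconfig_cluster_field() {   # kubeconfig_cluster_field FILE KEY
    awk -v k="$2:" '/^clusters:/{f=1;next} f&&/^[^ -]/{f=0} f&&NF>1&&$(NF-1)==k{print $NF;exit}' "$1"
}

# Base64-encode a file on one line (works with both GNU and BSD base64).
b64file() { base64 < "$1" | tr -d '\n'; }

# build_kubeconfig OUT CLUSTER SERVER CA_CRT USER_CRT USER_KEY USER NAMESPACE
# The only context in the file is the restricted user's, and it is the current-context.
build_kubeconfig() {
    local out=$1 cluster=$2 server=$3 ca=$4 crt=$5 key=$6 user=$7 ns=$8
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64file "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64file "$crt")
    client-key-data: $(b64file "$key")
contexts:
- name: ${user}-context
  context:
    cluster: $cluster
    user: $user
    namespace: $ns
current-context: ${user}-context
EOF
    chmod 600 "$out"   # the file carries a private key
}

# Check the effective permissions on a real cluster (needs kubectl; not run offline).
verify_access() {   # verify_access KUBECONFIG NAMESPACE
    for q in "list pods" "get pods/log" "delete pods"; do   # expect: yes, yes, no
        echo "$q in $2: $(KUBECONFIG=$1 kubectl auth can-i $q -n "$2")"
    done
    echo "list pods in kube-system: $(KUBECONFIG=$1 kubectl auth can-i list pods -n kube-system)"   # expect: no
}
```

Typical use on the master: `cluster=$(kubeconfig_cluster_field /root/.kube/config name); server=$(kubeconfig_cluster_field /root/.kube/config server); build_kubeconfig zhangpeng.conf "$cluster" "$server" /etc/kubernetes/ca.crt zhangpeng.crt zhangpeng.key zhangpeng official`, then hand only zhangpeng.conf to the user.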