K3s - create user with client certificate


Question

I've tried to create user accounts with a client certificate.

I followed two tutorials but got stuck with both options on an error with the message

https://medium.com/better-programming/k8s-tips-give-access-to-your-clusterwith-a-client-certificate-dfb3b71a76fe

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

I set the right user, server and the right context. I set the namespace but still the same error.

> kubectl get pods
You must be logged in to the server (Unauthorized) 

Has someone already experienced something similar? Or does someone know what I'm doing wrong?

My k3s cluster version is 1.15.4.

Recommended answer

I finally found my answer in this ticket.

https://github.com/rancher/k3s/issues/684

The user huapox posted the following code:

[root@(⎈ |default:default) sec-rbac]$ cat t2.sh
# Run with bash (the mkdir below relies on brace expansion).
ws=/opt/sec-rbac        # working directory
day=3650                # certificate lifetime in days

clus_name="t1.k3s"
clus_ns="default"
user="koper"
#clus_url="https://10.200.100.183:7442"
clus_url="https://server:6443"  ##
# Directory holding client-ca.{crt,key} and server-ca.crt
# (on a K3s server these live under /var/lib/rancher/k3s/server/tls)
ca_path="$ws/server/tls"
# Drop stale serial files so -CAcreateserial starts clean
rm -f "$ca_path"/*-ca.srl

ctx=gen && mkdir -p "$ws/$ctx"/{kube,keys} && cd "$ws/$ctx"
#############
# The user certificate is signed by the client CA
ca1=client-ca
generate="keys/u-$user"
echo -e "\033[32m#>>GEN-KEY\033[0m"
#openssl genrsa -out "$generate.key" 2048
openssl ecparam -name prime256v1 -genkey -noout -out "$generate.key"
# Kubernetes takes the user name from CN and the group(s) from O
openssl req -new -key "$generate.key" -out "$generate.csr" -subj "/CN=${user}@${clus_name}/O=key-gen"
openssl x509 -req -in "$generate.csr" -CA "$ca_path/$ca1.crt" -CAkey "$ca_path/$ca1.key" -CAcreateserial -out "$generate.crt" -days "$day"

#-----------
#generate=$ca_path/client-admin  ##test
# The kubeconfig trusts the server CA to verify the API server
ca2=server-ca
embed=false             # false: kubeconfig references the cert/key files by path
ctx2="$user@$clus_name"
config="kube/$user.kubeconfig"
echo -e "\033[32m#>>KUBE-CONFIG\033[0m"
kubectl --kubeconfig="$config" config set-cluster "$clus_name" --embed-certs="$embed" --server="$clus_url" --certificate-authority="$ca_path/$ca2.crt"
kubectl --kubeconfig="$config" config set-credentials "$user" --embed-certs="$embed" --client-certificate="$generate.crt" --client-key="$generate.key"
kubectl --kubeconfig="$config" config set-context "$ctx2" --cluster="$clus_name" --namespace="$clus_ns" --user="$user"
kubectl --kubeconfig="$config" config use-context "$ctx2"
# Smoke test: authentication with the new certificate
kubectl --kubeconfig="$config" --context="$ctx2" get pods

Big thanks to huapox.
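The script above signs the user certificate with client-ca and gives kubectl server-ca as the cluster's certificate authority, so a useful check when kubectl reports Unauthorized is which CA actually issued the client certificate. The following is an added example, not code from the original post or from huapox: it builds two throwaway CAs in a temporary directory as stand-ins for the K3s ones, and all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. The CAs are constructed stand-ins, not real K3s CA material.
set -e

# make_ca DIR NAME: self-signed EC CA written to DIR/NAME.key and DIR/NAME.crt
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -x509 -new -key "$1/$2.key" -subj "/CN=$2" -days 1 \
    -out "$1/$2.crt" 2>/dev/null
}

# issue_user_cert DIR CA USER: client certificate DIR/u-USER.crt signed by CA
issue_user_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/u-$3.key"
  openssl req -new -key "$1/u-$3.key" -subj "/CN=$3/O=key-gen" -out "$1/u-$3.csr"
  openssl x509 -req -in "$1/u-$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/u-$3.crt" 2>/dev/null
}

# signed_by CA_CERT CERT: succeeds only if CERT chains to CA_CERT
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# which_ca DIR CERT: prints client-ca, server-ca or unknown
which_ca() {
  if signed_by "$1/client-ca.crt" "$2"; then echo client-ca
  elif signed_by "$1/server-ca.crt" "$2"; then echo server-ca
  else echo unknown
  fi
}

# cert_identity CERT: subject line; Kubernetes reads user from CN, groups from O
cert_identity() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

demo() {
  d=$(mktemp -d)
  make_ca "$d" client-ca
  make_ca "$d" server-ca
  issue_user_cert "$d" client-ca koper     # signed as in the script above
  issue_user_cert "$d" server-ca wrongca   # signed by the other CA
  for u in koper wrongca; do
    echo "$u: issued by $(which_ca "$d" "$d/u-$u.crt"), $(cert_identity "$d/u-$u.crt")"
  done
  rm -rf "$d"
}
demo
```

Against a real cluster, `signed_by` would be pointed at the `client-ca.crt` in the server's TLS directory and at the certificate referenced by the kubeconfig.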
