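If you want to authenticate with a config (kubeconfig) file instead of pasting a token, you need to create that config file.
You still need to create the serviceaccount and bind it with a rolebinding or clusterrole binding, and the config file must contain the decoded token from before. In other words, config-file authentication is built on top of token authentication: the token has to exist first. Login is then completed by submitting the config file.
1, Configure the config file
Generate the kubeconfig. Work in /etc/kubernetes/pki/ and use the Kubernetes CA certificate for authenticating the cluster. The result is saved to /root/linuxea-default-admin.conf.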
[root@linuxea pki]# kubectl config set-cluster kuberntes --certificate-authority=./ca.crt --server="https://10.10.240.161:6443" --embed-certs=true --kubeconfig=/root/linuxea-default-admin.conf
Cluster "kuberntes" set.
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kuberntes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
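2, Configure credentials
Credentials can use either a certificate or a token; here a token is used.
- Use the token from the earlier kube-system secret dashboard-admin-token-vc7cv to create the credentials. The value is decoded with base64 -d.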
[root@linuxea ~]# kubectl get secret -n kube-system dashboard-admin-token-vc7cv -o jsonpath={.data.token} |base64 -d
Generate the credentials, including the token generated earlier.
- The name dashboard-admin-token is not the user name used for login; the serviceaccount name dashboard-admin is the name that actually authenticates to the API server.
[root@linuxea pki]# kubectl config set-credentials dashboard-admin-token --token=$(kubectl get secret -n kube-system dashboard-admin-token-vc7cv -o jsonpath={.data.token} |base64 -d) --kubeconfig=/root/linuxea-default-admin.conf
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kuberntes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.qcPhHAkyW0k5gdkkDaTD-DVxRcrZ5Ml_Kcxw0mZIYlJWME_1Wu1_i4B9jE1RcwKDZHV0ND8jpN91oUg1Ac8O6X8VwsfpFw1HzcBv7Te46L4_Z2NjIBuf6cPngkHx1Ija08_BLUd--i3E9cJrTsrqaZojr1JO4ZTHifU7K6cKpGUmbvbYjkIASzj8onT2988znkjp13bvdx7YF3hrKMg4jeDFbR-yMPEwXadgiY0IHArekzLuL37KiRVGgEubuqZFy7fkBPiSQGWc9ecl5dwhmhfofHm7WuKlf4Lvwyz3ivGqPFuoKk0AMmAME3ULOO7INaTlRQkSGJs-bdWl7y-eIg
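3, Configure context
Configure the context: specify the cluster with --cluster=kuberntes and assign the dashboard-admin-token user, writing to the /root/linuxea-default-admin.conf config file. The --cluster value must match the name given to set-cluster exactly; the cluster was created as kuberntes, while the command below passes kubernetes, so the resulting context refers to a cluster entry that is not in the file.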
[root@linuxea pki]# kubectl config set-context dashboard-admin-token@kubernetes --cluster=kubernetes --user=dashboard-admin-token --kubeconfig=/root/linuxea-default-admin.conf
Context "dashboard-admin-token@kubernetes" created.
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kuberntes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin-token
  name: dashboard-admin-token@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.qcPhHAkyW0k5gdkkDaTD-DVxRcrZ5Ml_Kcxw0mZIYlJWME_1Wu1_i4B9jE1RcwKDZHV0ND8jpN91oUg1Ac8O6X8VwsfpFw1HzcBv7Te46L4_Z2NjIBuf6cPngkHx1Ija08_BLUd--i3E9cJrTsrqaZojr1JO4ZTHifU7K6cKpGUmbvbYjkIASzj8onT2988znkjp13bvdx7YF3hrKMg4jeDFbR-yMPEwXadgiY0IHArekzLuL37KiRVGgEubuqZFy7fkBPiSQGWc9ecl5dwhmhfofHm7WuKlf4Lvwyz3ivGqPFuoKk0AMmAME3ULOO7INaTlRQkSGJs-bdWl7y-eIg
4, Configure use-context
Set dashboard-admin-token@kubernetes as the current context, and therefore the active user, in /root/linuxea-default-admin.conf.
[root@linuxea pki]# kubectl config use-context dashboard-admin-token@kubernetes --kubeconfig=/root/linuxea-default-admin.conf
Switched to context "dashboard-admin-token@kubernetes".
[root@linuxea pki]# kubectl config view --kubeconfig=/root/linuxea-default-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.240.161:6443
  name: kuberntes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin-token
  name: dashboard-admin-token@kubernetes
current-context: dashboard-admin-token@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-admin-token
  user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdmM3Y3YiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZGZlNWNkYWYtYzlmMy0xMWU4LWE4YWItODg4ODJmYmQxMDI4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.qcPhHAkyW0k5gdkkDaTD-DVxRcrZ5Ml_Kcxw0mZIYlJWME_1Wu1_i4B9jE1RcwKDZHV0ND8jpN91oUg1Ac8O6X8VwsfpFw1HzcBv7Te46L4_Z2NjIBuf6cPngkHx1Ija08_BLUd--i3E9cJrTsrqaZojr1JO4ZTHifU7K6cKpGUmbvbYjkIASzj8onT2988znkjp13bvdx7YF3hrKMg4jeDFbR-yMPEwXadgiY0IHArekzLuL37KiRVGgEubuqZFy7fkBPiSQGWc9ecl5dwhmhfofHm7WuKlf4Lvwyz3ivGqPFuoKk0AMmAME3ULOO7INaTlRQkSGJs-bdWl7y-eIg
Then copy /root/linuxea-default-admin.conf to the host that needs to log in, and the file can be used to log in.
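The following offline check is an added example, not part of the original article. It decodes the token's sub claim to show which identity the API server actually sees (the point made in step 2), and it lists contexts that reference a cluster name with no matching cluster entry, as with kuberntes versus kubernetes in step 3. The function names, the sample token and the sample kubeconfig are constructed for illustration.

```shell
# Print the decoded JSON payload (second segment) of a JWT bearer token.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#seg} % 4 )) in                             # restore stripped padding
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}
# Print the "sub" claim: the identity the API server authenticates.
jwt_sub() {
  jwt_payload "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}
# Print every cluster name that a context references but no cluster entry defines.
undefined_clusters() {
  awk '
    /^[A-Za-z-]+:/                             { section = $1 }
    section == "clusters:" && $1 == "name:"    { defined[$2] = 1 }
    section == "contexts:" && $1 == "cluster:" { wanted[$2] = 1 }
    END { for (c in wanted) if (!(c in defined)) print c }
  ' "$1"
}
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed sample token (dummy signature), shaped like a service account token.
HDR=$(printf '%s' '{"alg":"RS256"}' | b64url)
PAY=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:dashboard-admin"}' | b64url)
SAMPLE_TOKEN="$HDR.$PAY.constructed-signature"

# Constructed sample kubeconfig reproducing the names used in the steps above.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<EOF
clusters:
- cluster:
    server: https://10.10.240.161:6443
  name: kuberntes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin-token
  name: dashboard-admin-token@kubernetes
current-context: dashboard-admin-token@kubernetes
users:
- name: dashboard-admin-token
  user:
    token: $SAMPLE_TOKEN
EOF

echo "authenticated identity: $(jwt_sub "$SAMPLE_TOKEN")"
echo "undefined cluster(s) referenced by contexts: $(undefined_clusters "$SAMPLE_CFG")"
```

Pass the real token and /root/linuxea-default-admin.conf to the same functions before copying the file to another host. The file carries the bearer token in clear text, so keep it readable only by its owner (chmod 600).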