
[CKA] User Role Binding


[Problem]

Cluster : kubectl config use-context k8s

 

TASK:

Create the kubeconfig named ckauser.

- username : ckauser

- certificate location : /data/cka/ckauser.csr, /data/cka/ckauser.key

- context-name : ckauser

kubernetes cluster must be operated with the privileges of the ckauser account.

 

Create a role named pod-role that can create, delete, watch, list, get pods.

Create the following rolebinding.

- name : pod-rolebinding

- role : pod-role

- user: ckauser

 

[Preparation]

1. Generate the key file and the CSR file

# mkdir -p /data/cka/
# openssl genrsa -out /data/cka/ckauser.key 2048
# openssl req -new -key /data/cka/ckauser.key -subj "/CN=ckauser" -out /data/cka/ckauser.csr

 

The other subject fields (country, organization, and so on) do not need real personal information, so when openssl prompts for them they can be left at their defaults by pressing Enter. The CN, however, must be ckauser: the API server takes the user name from the client certificate's Common Name, and the RoleBinding subject created below is matched against that name.

2. Create the CertificateSigningRequest

The CSR content has to be supplied base64-encoded, so print it with the following command and copy the output:

# cat /data/cka/ckauser.csr | base64 | tr -d "\n"

 

Create the CertificateSigningRequest and submit it to the Kubernetes cluster with kubectl:

# cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ckauser
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNOEpDVXpUaWMxck90VTJCcjA1ZHNDVTFjek0vdWt6YmtqdURVRGQKaUs4dVRlSWxvM1dvL3lSeVQ2ZGx0SWhrZmNxMUNTaXA5THBJYUdIRVI4YXJZN1R2OWtiZzFMc1Z6K1VWN1VoSApwdHVueFNaWnRSZG90MkpQSU1OVjl6aWNJWEtJNW41eVNsVzUwN1B1VUl3UEY0MjAvVkRJSHhQYW5aMEdYNDVWClhYODkwM2NNY3FzVjVQcjlRS1JQYTMwZDVPKzMvQzBCT2Mvd3J4VkM5S1VlNldGNGRMczhkdmtMZktDVk1TS3gKQnduTU5OUTJQc1F2VHlaQzV6a056bmlzOWJ1Z25Xa29aT3N6S0N0QStDS1owVEh0SUg0YlZOK29HVGR2TUltZQo0RENFakxUZ3h3UjVzRjZKZmREMTBqa3hGVWhmdGZIL2YwRjRJOENUM2ZsRW5Vc0NBd0VBQWFBQU1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUJZc25MVG5jZkNFald0MkcvRVlGcXFldWNWby9qeEtVZmlYQ25RZzQ2R1lieUEKVTRPTTRCT3UvTFAxd1ZuL0trd2d2QVhLNENZY20xVzFOVWljVmQwUzhMazFEWUJTZDRXSUVBdFprVzJSUWJjQgpHNUZVYnJIbFJzelkwUHg1Z1pUcmp4cE5BWlk2RDBad0U5WUtTMW9Bc0pSUmxhVVo3dFJTa3RDUlAvWkNnek9jCkUwbW5BczRwWU93YzlTUlhCSzFkTWExRnAvM0EzNGpneTRlYnl4VlpPZDdvMk9ZMWRnZ1N3QytpbGdDUFdIRm4Kck1IYXpxRlNpS0lCMWlGRTREb21rL25OcC9hT2QxdVRpNU1LUmNPMkQzcHF2RXo4SDMrY0taNHpnSEtVSTdyVwpLVEF1QVpBVGJ2M0dySzBCeUpoUjZzNC95bXNMUHF3OGdvRTRsNlhOCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF

 

Approve the CertificateSigningRequest:

# kubectl get csr
NAME      AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
ckauser   9s    kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Pending

# kubectl certificate approve ckauser
certificatesigningrequest.certificates.k8s.io/ckauser approved
# kubectl get csr
NAME      AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
ckauser   27s   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Approved,Issued
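The preparation steps above, as an added example that is not part of the original post: a small POSIX shell script that generates the key and CSR with the Common Name set to the intended username, checks the CN before anything is submitted (the API server derives the user name from it, so an empty or wrong CN produces a certificate that does not map to ckauser), renders the CertificateSigningRequest manifest from the base64-encoded CSR, and collects the submit, approve and fetch commands in one function. The function names and the temporary directory are this example's own; openssl is required, and kubectl with cluster access only for submit_and_fetch_cert.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a client key and CSR
# whose CN is the Kubernetes username, verifies the CN before submission, and
# renders the CertificateSigningRequest manifest. Requires openssl; kubectl
# and cluster access are needed only by submit_and_fetch_cert.
set -eu

# Generate a 2048-bit RSA key and a CSR whose subject CN is the username.
# kube-apiserver uses the certificate CN as the user name, so this is the
# field that the RoleBinding subject is matched against.
gen_user_csr() {
  user="$1"; dir="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user.key" -subj "/CN=$user" \
    -out "$dir/$user.csr" 2>/dev/null
  printf '%s\n' "$dir/$user.csr"
}

# Print the CN from a CSR's subject (empty if none). Check this before
# submitting: a CSR made by pressing Enter through every prompt has no CN.
csr_subject_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Render the CertificateSigningRequest manifest with the base64-encoded CSR.
render_csr_manifest() {
  user="$1"; csr="$2"
  req=$(base64 < "$csr" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $user
spec:
  request: $req
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Cluster-side steps (need kubectl and a cluster; not run by the demo):
# submit, approve, and pull the issued certificate out of .status.certificate.
# The kubeconfig must reference this .crt file, not the .csr.
submit_and_fetch_cert() {
  user="$1"; dir="$2"
  render_csr_manifest "$user" "$dir/$user.csr" | kubectl apply -f -
  kubectl certificate approve "$user"
  kubectl get csr "$user" -o jsonpath='{.status.certificate}' \
    | base64 -d > "$dir/$user.crt"
  openssl x509 -noout -subject -in "$dir/$user.crt"
}

# Stand-alone run: generate into a constructed temp dir, check the CN, and
# print the manifest that would be applied.
demo() {
  dir=$(mktemp -d)
  csr=$(gen_user_csr ckauser "$dir")
  cn=$(csr_subject_cn "$csr")
  [ "$cn" = "ckauser" ] || { echo "CN mismatch: '$cn'" >&2; return 1; }
  render_csr_manifest ckauser "$csr"
  rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh make-user-csr.sh demo` to see the manifest; in a real setup call `gen_user_csr ckauser /data/cka` and then `submit_and_fetch_cert ckauser /data/cka` from a context that is allowed to approve CSRs (the admin context).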

 

[Solution]

Search keyword: csr

https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

 


 

Create the role and rolebinding with the following commands.

Create the role:

# kubectl create role pod-role --verb=create,delete,watch,list,get --resource=pods
role.rbac.authorization.k8s.io/pod-role created

# kubectl get role pod-role 
NAME       CREATED AT
pod-role   2023-04-29T10:24:45Z

# kubectl describe role pod-role 
Name:         pod-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [create delete watch list get]

 

Create the rolebinding:

# kubectl create rolebinding pod-rolebinding --role=pod-role --user=ckauser
rolebinding.rbac.authorization.k8s.io/pod-rolebinding created

# kubectl get rolebinding pod-rolebinding
NAME              ROLE            AGE
pod-rolebinding   Role/pod-role   17s

# kubectl describe rolebinding pod-rolebinding
Name:         pod-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-role
Subjects:
  Kind  Name     Namespace
  ----  ----     ---------
  User  ckauser

 

Create the context

The client certificate for the kubeconfig is the signed certificate the cluster issued into the CSR's status.certificate, not the .csr file itself, so extract it first and then register the credentials:

# kubectl get csr ckauser -o jsonpath='{.status.certificate}' | base64 -d > /data/cka/ckauser.crt
# kubectl config set-credentials ckauser --client-key=/data/cka/ckauser.key --client-certificate=/data/cka/ckauser.crt --embed-certs=true
User "ckauser" set.

# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: ckauser
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

# kubectl config set-context ckauser --cluster=kubernetes --user=ckauser
Context "ckauser" created.

# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.100.0.104:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: ckauser
  name: ckauser
- context:
    cluster: kubernetes
    namespace: ingress-nginx
    user: kubernetes-admin
  name: ingress-admin@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: ckauser
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

 

Test

Switch to the ckauser context and check that the pod operations granted by pod-role work, while an action outside the role (listing services, for example) is rejected with a Forbidden error:

# kubectl config use-context ckauser
# kubectl run testpod --image=nginx
# kubectl get pods testpod
# kubectl get svc
# kubectl delete pod testpod

Switch back to the admin context when done:

# kubectl config use-context kubernetes-admin@kubernetes
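The role, rolebinding and test steps above, as an added example (not the post's own commands): the declarative Role and RoleBinding equivalent of the two kubectl create commands, plus a check that impersonates ckauser with kubectl auth can-i and compares the answers against an expected allow/deny table, so that both missing and excess permissions are flagged rather than only the happy path. The namespace default, the expected-access table and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): declarative pod-role /
# pod-rolebinding manifests and a least-privilege check via impersonation.
# Assumes kubectl with an identity allowed to impersonate users (the admin
# context); namespace "default" is assumed.
set -u

# Render the Role and RoleBinding that the two `kubectl create` commands
# produce, so they can be reviewed and version-controlled.
render_rbac_manifests() {
  user="$1"; ns="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-role
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "watch", "list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-rolebinding
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $user
EOF
}

# Expected access matrix for pod-role: "verb resource expected" (constructed).
# The last three rows are deliberately outside the role and must be denied.
EXPECTED='
create pods yes
delete pods yes
watch pods yes
list pods yes
get pods yes
update pods no
get services no
list nodes no
'

# Ask the API server, as the user, whether each action is allowed and report
# every mismatch. Returns non-zero if the effective permissions differ from
# the table in either direction (too little or too much).
verify_rbac() {
  user="$1"; ns="$2"; failures=0
  while read -r verb resource expected; do
    [ -n "$verb" ] || continue
    # can-i prints "yes" or "no" (sometimes "no - reason"); keep the first word
    got=$(kubectl auth can-i "$verb" "$resource" --as="$user" -n "$ns" 2>/dev/null \
      | awk '{print $1; exit}')
    if [ "$got" != "$expected" ]; then
      echo "MISMATCH: $user $verb $resource: expected=$expected got=${got:-<error>}" >&2
      failures=$((failures + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  [ "$failures" -eq 0 ]
}

# Stand-alone use: `render` prints manifests for `kubectl apply -f -`,
# `verify` runs the impersonation check against the current context.
case "${1:-}" in
  render) render_rbac_manifests ckauser default ;;
  verify) verify_rbac ckauser default && echo "pod-role permissions match" ;;
esac
```

Run `sh rbac-check.sh verify` from the kubernetes-admin@kubernetes context (impersonation requires the caller to have the impersonate permission); it exits non-zero and lists the offending rows if ckauser can do anything beyond the five pod verbs or lacks any of them.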

 

 

[References]

- YouTube: 따배씨

