Help documentation
Variables to use
The variables used in this document are defined as follows:
$ export MASTER_IP=XX.XX.XX.XX    # replace with the Kubernetes master VIP
$ export KUBE_APISERVER="https://${MASTER_IP}:6443"
Create a kubectl config file
$ # set cluster parameters
$ kubectl config set-cluster kubernetes \
    --insecure-skip-tls-verify=true \
    --server=${KUBE_APISERVER}
$ # set client authentication parameters
$ kubectl config set-credentials crd-admin \
    --token=7176d48e4e66ddb3557a82f2dd316a93
$ # set context parameters
$ kubectl config set-context kubernetes \
    --cluster=kubernetes \
    --user=crd-admin \
    --namespace=crd
$ # set the default context
$ kubectl config use-context kubernetes

Note that --insecure-skip-tls-verify=true turns off verification of the API server's certificate, so anyone who can interpose on the connection can present their own certificate and capture the bearer token. Outside a throwaway lab, pass the cluster CA to set-cluster with --certificate-authority (optionally together with --embed-certs=true) instead of skipping verification.
Kube-apiserver settings
Add the token to the kube-apiserver static token file
$ cat > /etc/kubernetes/pki/token_auth_file <<EOF
7176d48e4e66ddb3557a82f2dd316a93,crd-admin,1
EOF
The first column is the token generated above; it must match the token in the kubeconfig.
The second column is the user name; it must match the user in the kubeconfig.
The third column is the user's UID. An optional fourth column lists the user's groups, comma-separated and enclosed in double quotes.
The file holds bearer tokens in plaintext, so keep it readable by root only (for example chmod 600).
Add the kube-apiserver startup parameter --token-auth-file=/etc/kubernetes/pki/token_auth_file
Notes
kube-apiserver must be restarted. The token file is read once at startup, so adding or revoking a token also requires a restart; static tokens have no expiry until they are removed from the file.
Client certificate authentication and token authentication can be enabled at the same time. kube-apiserver chains all enabled authenticators and the first one that succeeds wins, so on releases that still had the static password file (--basic-auth-file, removed in Kubernetes 1.19) it could be enabled alongside the token file as well.
Configuring client RBAC
To restrict what the crd-admin user can do, use RBAC to confine the user to the crd namespace:
$ kubectl create -f crd-rbac.yaml
This gives crd-admin the permissions of the built-in admin ClusterRole, but only inside the crd namespace: a RoleBinding scopes the referenced ClusterRole to the binding's own namespace, so requests against other namespaces or cluster-scoped resources are denied. Until the binding exists, the token authenticates the user but authorizes nothing.
Contents of crd-rbac.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crdadmin-admin-binding
  namespace: crd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: crd-admin
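The kubeconfig, token-file and RBAC steps above, pulled together as an added example that is not code from the original article. It generates a random token, emits a token_auth_file entry in the token,user,uid[,"groups"] format, checks a token file for malformed or duplicated entries, and writes a kubeconfig that pins the cluster CA instead of using --insecure-skip-tls-verify=true. The CA file path, the sample server address and the verify_rbac checks (which need a live cluster and are not run by the script) are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this page, not code from the original article.
# Assumptions: a cluster CA PEM file is available to embed, and kubectl
# can reach the cluster when verify_rbac is called by hand.
set -eu

# Generate a random 32-hex-character bearer token (16 bytes from /dev/urandom),
# the same shape as the token used on the page.
gen_token() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Emit one line in the --token-auth-file format: token,user,uid[,"group1,group2"]
token_line() {
  tl_token=$1; tl_user=$2; tl_uid=$3; tl_groups=${4:-}
  if [ -n "$tl_groups" ]; then
    printf '%s,%s,%s,"%s"\n' "$tl_token" "$tl_user" "$tl_uid" "$tl_groups"
  else
    printf '%s,%s,%s\n' "$tl_token" "$tl_user" "$tl_uid"
  fi
}

# Validate a token file before restarting kube-apiserver: every non-blank line
# needs at least three fields (token, user, uid), none of them empty, and no
# token may appear twice, because a duplicated token makes the token-to-user
# mapping ambiguous. Exit status 0 = file is well formed.
check_token_file() {
  awk -F, '
    /^[[:space:]]*$/ { next }
    NF < 3 || $1 == "" || $2 == "" || $3 == "" {
      printf "bad entry on line %d: %s\n", NR, $0; bad = 1; next
    }
    seen[$1]++ { printf "duplicate token on line %d\n", NR; bad = 1 }
    END { exit bad }
  ' "$1"
}

# Write a kubeconfig that verifies the API server certificate against the
# cluster CA (certificate-authority-data) rather than skipping verification.
# $1 server URL, $2 CA PEM file, $3 user, $4 token, $5 default namespace
write_kubeconfig() {
  ca_b64=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $1
    certificate-authority-data: $ca_b64
users:
- name: $3
  user:
    token: $4
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: $3
    namespace: $5
current-context: kubernetes
EOF
}

# After crd-rbac.yaml is applied, confirm the binding from the client side.
# Needs a live cluster, so it is only defined here, not called. $1 kubeconfig path.
verify_rbac() {
  kubectl --kubeconfig="$1" auth can-i create pods -n crd                   # expect "yes"
  kubectl --kubeconfig="$1" auth can-i create pods -n kube-system || true   # expect "no"
  kubectl --kubeconfig="$1" auth can-i list nodes || true                   # expect "no"
}

# Demo with a constructed entry; user crd-admin and UID 1 follow the page.
TOKEN=$(gen_token)
token_line "$TOKEN" crd-admin 1
```

check_token_file is worth running every time the file is edited, because kube-apiserver only reads it at startup and a malformed entry is discovered only when the restarted server rejects logins.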