
k8s普通账号建立

本文将创建一个普通用户devuser(名称可自定义),使其只能管理demo空间。注意:下文示例命令实际授权的是default命名空间,使用时请把--namespace替换为要授权的命名空间。

1 下载证书生成软件

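# Download the cfssl certificate tooling (release R1.2, as pinned in the URLs)
# and install it into /usr/local/bin.
#
# NOTE: these binaries are installed as root and are later handed the cluster
# CA private key. Before the mv step, compare each file's sha256sum with the
# checksum published by the cfssl project for this release.
cd /root
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
  mv "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  # The original text read "chmod  x": the "+" was lost, so the mode change
  # never took effect as written.
  chmod +x "/usr/local/bin/${tool}"
done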

2 生成集群证书config文件

2.1 创建devuser-csr.json

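# Create the working directory and write the certificate signing request.
# The file is written to /root/devuser because the signing step reads
# /root/devuser/devuser-csr.json.
#
# For Kubernetes client-certificate authentication the subject matters:
#   CN -> the user name seen by the API server ("devuser")
#   O  -> the group the user belongs to ("k8s")
# RBAC bindings match on these values, so never put a privileged group such as
# system:masters in "O" for an ordinary account.
mkdir -p /root/devuser
cat > /root/devuser/devuser-csr.json <<'EOF'
{
  "CN": "devuser",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangZhou",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF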

2.2 生成证书和密钥

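# Directory holding the cluster CA certificate and private key (ca.crt, ca.key).
cd /etc/kubernetes/pki

# Sign the devuser CSR with the cluster CA and split the JSON result into files.
# NOTE(review): no -config file is passed, so the "kubernetes" profile is not
# defined anywhere on this page; presumably cfssl falls back to its default
# signing settings. Check the resulting validity period and usages with
#   cfssl-certinfo -cert devuser.pem
# Kubernetes does not check revocation for client certificates: once signed,
# the certificate authenticates as devuser until it expires, so keep the
# lifetime short and rely on removing the RoleBinding to cut off access.
cfssl gencert -ca=ca.crt -ca-key=ca.key -profile=kubernetes \
  /root/devuser/devuser-csr.json | cfssljson -bare devuser

# After the command above, /etc/kubernetes/pki contains three new files:
# devuser.csr, devuser-key.pem and devuser.pem.
# devuser-key.pem is the user's private key and now sits next to ca.key;
# move it out of the CA directory once the kubeconfig has been built.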

输出内容:

2022/01/03 16:27:01 [INFO] generate received request
2022/01/03 16:27:01 [INFO] received CSR
2022/01/03 16:27:01 [INFO] generating key: rsa-2048
2022/01/03 16:27:01 [INFO] encoded CSR
2022/01/03 16:27:01 [INFO] signed certificate with serial number 183318846060115252175414421649635047300497396132
2022/01/03 16:27:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

2.3 生成kubeconfig文件

2.3.1 设置集群参数

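# Write the cluster entry into devuser.kubeconfig. --embed-certs=true stores
# the CA certificate inside the file so it does not depend on the path
# /etc/kubernetes/pki/ca.crt existing on the client.
# The leading "> " on the original continuation lines was the shell's
# continuation prompt; pasted literally it would act as an output redirection.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.3.81:6443 \
  --kubeconfig=devuser.kubeconfig

# Output: Cluster "kubernetes" set.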

2.3.2 设置客户端认证参数

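# Add the devuser credentials to devuser.kubeconfig.
# --embed-certs=true copies both the certificate and the PRIVATE KEY into the
# file (base64-encoded, not encrypted), so from here on devuser.kubeconfig is
# itself a login credential and must be handled like a private key.
# The "> " continuation prompts from the original terminal paste are removed;
# pasted literally they would act as output redirections.
kubectl config set-credentials devuser \
  --client-key=devuser-key.pem \
  --client-certificate=devuser.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig

# Output: User "devuser" set.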

2.3.3 设置上下文参数

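# Create a context named "kubernetes" that pairs the cluster entry with the
# devuser credentials inside devuser.kubeconfig.
# The "> " continuation prompts from the original terminal paste are removed;
# pasted literally they would act as output redirections.
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devuser \
  --kubeconfig=devuser.kubeconfig

# Output: Context "kubernetes" created.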

2.3.4 设置当前使用配置

# Make "kubernetes" the current context in devuser.kubeconfig, so the file can
# be used without passing --context.
kubectl config \
  --kubeconfig=devuser.kubeconfig \
  use-context kubernetes
# Output: Switched to context "kubernetes".

2.3.5 rbac授权

# Authorize devuser in the default namespace only: a RoleBinding limits the
# referenced ClusterRole to the namespace the binding lives in.
# The built-in "admin" ClusterRole gives read/write access to most resources in
# that namespace, including Secrets, and allows creating Roles and RoleBindings
# there. If the account only needs day-to-day work, bind the built-in "edit"
# or "view" role, or a custom Role, instead.
kubectl create rolebinding devuser-admin-binding \
  --namespace=default \
  --user=devuser \
  --clusterrole=admin

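备注:--clusterrole=admin 也可以换成自行创建的角色。内置的admin角色在该命名空间内可以读写大多数资源(包括Secret),还能创建Role和RoleBinding;如果只需要日常操作权限,建议改用内置的edit或view角色,或自定义权限更小的Role。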

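2.3.6 查看生成的kubeconfig文件

注意:client-key-data 是base64编码(并非加密)的客户端私钥,拿到这个文件就等于拿到devuser的登录凭据。不要把完整的kubeconfig贴到博客、工单或代码仓库中。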

cat devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1ERXhPREEyTXpVd05Wb1hEVE15TURFeE5qQTJNelV3TlZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTWdqCjh5MUlVWDl5U2ZKRzRtSEswSjc0aEJxQnN0T0hKejVxeXhsTEQ5eUZRN3dXRlFMNUp4cnp5eVRmQWNzN1FYeTYKOFdpQXJMK0hmY3dJRkVseklLYVZRZnRZemxxb1REeE1RRnI5YnN4VUN6ZldXZHhrWlRKaTQ3VDZ5dExFd1RWUwpNVUh2QVlMWnNzUVBhSEN3MTZTTCtGVHR6aHVUNUVVNkJvdWNONEZpbEN3VGlVTnlRNFNQYUxFN2o3dGc0ajdDCmZ1QkZwUXpOWnhZUHFIRTFWYXhsVVFoV2IrT0s4QTVTVmJVcCtablBiaEZTRHUxWHFpd29YK1gzNXZKazAveW8KMmpzenllSW9abFJwVTRKbnZWT0Y3NlJ4L0VZUHJqYlRpTkZJd1JiU3k2Tm1DL0hiNU4zUDZFSGo4UDBEejNUWAptVlBRbFlXQVBrWXZMbjAzaVA4Q0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNU3Q3ZGU4bHdiZEoxSjQvOElBYktmSXgyVm1NQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCdGJTUHdvNE5QbjllekQwbE45cytaYVBreHVNMG5NTmJKUVd6aHdZaW9SVXBqcGVCTQpZMVdKTC9ZaHlzN2l4cU5kb0RUeFJxWnYrUHpiaUw0cHUzV0c1WHgwTmJvVE5BQ2w0Tno3dTRGMVpMWHpucmExCnN1aXh6b2s3T25aejFrSGpMUFNLL29wcjZLbER3M3pnRys4dkd5RURKYitiREhjVDVsdW5pQkQySkRzekJYb3MKemtXeXMzaWlMRTFCSnU3MUVPcnhkZDVQVVVPWEJoWXZkYW5FcWpDQVY4ckdWMVN0VTBuUjFOeDltR2taTDhaQgpWZDZhZDNSVjRJQ3lnUDRodDZ0T3FnNnRUMCtLUHArMlJaLzk2a0pYNUxRdUhwSFNucTdvVU1vZml1dFRSeVFYClBqZkZJdGFvWHRiQXNmVGtuaXBZS281MHM2ZDlJQmZFaFN4YwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://192.168.3.81:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: devuser
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: devuser
  user:
    client-certificate-data: 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
    client-key-data: <已省略:base64编码的devuser客户端私钥;私钥属于凭据,不应出现在公开文档中>

3 客户端登录

安装客户端:

# Install the kubectl client on the client machine, pinned to version 1.18.6.
# NOTE(review): presumably chosen to match the cluster's version; confirm
# against the API server before pinning.
yum -y install kubectl-1.18.6

客户端创建config目录

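# Create the kubeconfig directory on the client. -p makes the step repeatable
# if the directory already exists; mode 700 keeps the credential file that is
# copied here readable by root only.
mkdir -p /root/.kube
chmod 700 /root/.kube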

在master上把前面生成的devuser.kubeconfig拷贝到客户端,保存为/root/.kube/config(在执行前面kubectl config命令的目录下运行):

# Copy the kubeconfig from the master to the client as root's default config.
# The file embeds devuser's private key: transfer it only over an
# authenticated channel such as this scp, and keep it mode 600 on the client.
scp devuser.kubeconfig \
  root@192.168.3.84:/root/.kube/config

查看集群的命名空间default情况:

[root@k8s21-worker02 .kube]# kubectl get pod -n default
NAME                           READY   STATUS             RESTARTS   AGE
busybox0403-5b4f44676f-jcbhp   0/1     CrashLoopBackOff   422        37h
busybox0403-648c58cd59-5wqp6   0/1     CrashLoopBackOff   443        37h
legacy-app                     2/2     Running            3          29h
nginx0329-6f68f5ffd4-vdpxn     1/1     Running            1          6d4h
nginx0403-7d458bd795-d49zb     1/1     Running            1          38h
nginx0403-7d458bd795-hl94g     1/1     Running            0          38h
nginx0403-7d458bd795-p5fr6     1/1     Running            0          38h
nginx0403-7d458bd795-qbf8j     1/1     Running            0          38h
nginx0403-7d458bd795-qg56z     1/1     Running            0          38h

查看集群的命名空间kube-system情况:

# kubectl get pod -n kube-system
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "kube-system"

可见devuser在kube-system命名空间没有权限,说明RoleBinding只在default命名空间内生效。也可以用 kubectl auth can-i 逐项确认该用户的权限范围。

4 多命名空间授权

k8s服务端增加以下:

# Grant devuser the same "admin" ClusterRole in a second namespace (demo2).
# Each namespace needs its own RoleBinding; access stays limited to the
# namespaces that have one.
# NOTE(review): assumes the demo2 namespace already exists on the cluster.
kubectl create rolebinding devuser-admin-binding2 \
  --namespace=demo2 \
  --user=devuser \
  --clusterrole=admin
