Client kubeconfig generated from the k3s server CA cannot access the cluster

Environment information:
K3s version: v1.19.3+k3s3

Node CPU architecture, OS and version: 4.18.10-1.el7.elrepo.x86_64 #1 SMP Wed Sep 26 16:20:39 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

Cluster configuration: 2 servers, 20 agents

Problem description:
I want to generate a client kubeconfig from the k3s server CA. Does k3s support this?

Steps to reproduce:

  • Command used to install K3s:

Create the private key

openssl genrsa -out ops-user.key 2048

Create a CSR (certificate signing request) file

openssl req -new -key ops-user.key -subj "/CN=ops-user/O=ops" -out ops-user.csr

Generate the user certificate with openssl

openssl x509 -req -in ops-user.csr \
  -CA /var/lib/rancher/k3s/server/tls/server-ca.crt \
  -CAkey /var/lib/rancher/k3s/server/tls/server-ca.key \
  -CAcreateserial \
  -out ops-user.crt -days 3650

Set the cluster parameters

export KUBE_APISERVER="https://192.168.100.100:6443"
kubectl config set-cluster kubernets \
  --certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt \
  --server=${KUBE_APISERVER} \
  --embed-certs=true \
  --kubeconfig=ops-user.yaml

Set the client authentication parameters

kubectl config set-credentials ops-user \
  --client-certificate=ops-user.crt \
  --client-key=ops-user.key \
  --embed-certs=true \
  --kubeconfig=ops-user.yaml

Set the context parameters

kubectl config set-context kubernets \
  --cluster=kubernets \
  --user=ops-user \
  --kubeconfig=ops-user.yaml

Select the context

kubectl config use-context kubernets --kubeconfig=ops-user.yaml

User authorization rules (RBAC)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ops-user
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ops-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ops-user
subjects:

Apply the authorization config file

kubectl apply -f k8s_create_kubeconfig_ClusterRoleUser.yaml

Expected result:
The cluster can be accessed

Actual result:
error: You must be logged in to the server (Unauthorized)

Additional context / logs:

Logs