当使用kubeadm工具搭建一个k8s集群之后,会自动的创建一个admin.conf文件。
同时,会建议将这个文件拷贝到$HOME/.kube/config,kubectl会使用这个配置文件来访问k8s集群,也可以说是访问apiserver。
那么,在admin.conf中,到底设置的是哪个用户呢?
下面,我们就来看下。
1、首先,获取admin中的客户端证书信息
[root@nccztsjb-node-23 .kube]# cd $HOME/.kube [root@nccztsjb-node-23 .kube]# cat config apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1ESXlOekEzTXpFeE5sb1hEVE16TURJeU5EQTNNekV4Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTUZoClNxaXNMalFIS29MMDlCWlJtUG12bkgwbzcwZWlmOXpZTCtROXlNUzlVODNwRXQ5dk93VnhvWk1JOWdqSEhxMnAKZjNlYk8xaktYVEhscnpmQ3VTL1pMSW1yRjF6ZElIV0NJb281dlRPbWxSbjNlQlNBNGZiUnhXQVBtTlZLc2txKwpxRmJ0NmhXM0pqaXFSZGdzSGd2ZnZGU0szZktmMmdRdjNpUDljb2p1NG5lNHRYWHUyVUIxSFZGY2l4UUxHK3NGCmNUektCU2RSSFJncXhiMUJWWEJXT2pmdjVqUGo4WFhxWEdFbVdLZ0czV0FQVkRQSjZqUWFQZ1VsWWNURmhpOTMKZHZwSTduanhxaXhCdm1XZEV4ZXorcVRJa0Z0N1p5bUpjdUVuWlNmK2E3UFZwWENhc2tiVUJnRmxkVHp5eVFUKwpwVnlZR1gzc3pOUGRJQndWNjdzQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZGT1QyTzhvYlJXdWFrRHIxck1mZklqK0NGcVZNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQnRld3lIaitYaGZmUElIQ2p4YwpockpkcFNIdTJZbElsL3BhOFFGTHdyZUtQZHpzYXNYUElhUUJyU2FsNUQ0TTlQVVFwSk9XMzhpQjBqUnpXZU9FCmJWN25jNnhTOVZJWThSSEdmSytDWGlqbGowYWFFNHFERm9oWUZQeCtHVlV6SG1YdUp6bXlGSnhPYVc2VG9XSkIKYXE0OFY1YktBSzBHaTJnUlA5Q053d01DQTBBeFV2Y25HUHJWVjNDckNnMFhxcElQc2dyTWdkUFpwbllkdUk3RApydnZXZkFvZU9QL2w0SzJrSkw5QWJTMG91Z0F0cy9GTFB1dEhRbFNLWDZ2T0FtUWtVNzFtbXBuNDkzUEt0ckNjCllHamFxQjZnbFpzVGI0emovdlBDMUJIbTM2S2JUeHptckRVWXd2Z2oxQWhOSmtuNDE5MlFRRExwTzMzdGFaTkUKdFZJPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== server: https://172.20.58.83:6443 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJYlU0Q2orYkRzSEV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpBeU1qY3dOek14TVRaYUZ3MHlOREF5TWpjd056TXhNVGxhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXZIQmk2WEJ4WTBKVUNvdFoKYStlSHU2T3VSYlhIZGZVclRUS1RWaXFkU1IzYzZFdmprTUo0SityeThwbFdRVHduUldoQlNIM0k5MXorUlpldQo1MW5naFQ4R0dmMXBuRlg3ODZyRnl4UmF1SUVmWXozVWhnNEVlS1VxZkFFWjFXSkhEUDlWTjhxem01SmpuZDF0ClJ5MGI5TENqOFVLYUkrbnVieXhwOXl0VVA3TTZsRW83VUNieEc5S3FUSUlTWU14LzdQeGpWUmFGRlk4VjIvK2wKeUpQa25KUVNON3prK01PU29QWTAvWU8xajRnY3I2eDc5MDdYL1dGdHR6OGs2NDR0UkZXYm54Wk5JZWpqdEdjZAp3MXNZYm4zNmFVZ2kxRS9udDdUQm5LOVlBUE5IcGFLU0tYcG0yM1hVcC91ZmwzUjFUS0dQSnRHczZJaEZHRmJEClpNRkZMUUlEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JSVGs5anZLRzBWcm1wQTY5YXpIM3lJL2doYQpsVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBbXQ0eVBuQ0d2ZUVnZE5XRFFqZ0pja3pKVkhneGhYaUxoUlJyClVFcDd1Z2ZoVFJoSmxnTHlPajJvb0wrMnpKOFFvdC8zaG9xNzFGTXlFcnFubEdUZitKay9IdUlwUkNIM2JlWmwKWmpvZkY0QW5RbU5LL2NjS2VVZGFERFBHeHFPaWFDME15MWN0cDZ6VnltUXkvSklScmlMUEFrYjhSekREN2ZDVQo5QzhFS0I3dEFlTThaZ2ZBZmhxUHVPcEttRXkySU81V042SE51UWRsenNpN0F3UEdhcVNxclNwaW9wV2NQaUxqCm1GMXV6cWQ2d08xTHQzTi9kZENKejFhSWMzL0VoNE1qTmpiTmRzbFJTK3p4Q2U2SnFIU0ppeXZFS2hPZTFyN1UKakhLa3Zxanh2enBvT2N2OTNSZ3NIM3orcmN0REx6YVV6MlJNQ1hZRG1NQVQzOFRqR2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdkhCaTZYQnhZMEpVQ290WmErZUh1Nk91UmJYSGRmVXJUVEtUVmlxZFNSM2M2RXZqCmtNSjRKK3J5OHBsV1FUd25SV2hCU0gzSTkxeitSWmV1NTFuZ2hUOEdHZjFwbkZYNzg2ckZ5eFJhdUlFZll6M1UKaGc0RWVLVXFmQUVaMVdKSERQOVZOOHF6bTVKam5kMXRSeTBiOUxDajhVS2FJK251Ynl4cDl5dFVQN002bEVvNwpVQ2J4RzlLcVRJSVNZTXgvN1B4alZSYUZGWThWMi8rbHlKUGtuSlFTTjd6aytNT1NvUFkwL1lPMWo0Z2NyNng3CjkwN1gvV0Z0dHo4azY0NHRSRldibnhaTkllamp0R2NkdzFzWWJuMzZhVWdpMUUvbnQ3VEJuSzlZQVBOSHBhS1MKS1hwbTIzWFVwL3VmbDNSMVRLR1BKdEdzNkloRkdGYkRaTUZGTFFJREFRQUJBb0lCQVFDaXVPWWhNWEVveHJFdAovZEYxUlpWSGFudm1SS2YrYTMwK0I0dUZuL3o4azZZY2p0UHZRSTlqNFJaMGVnY3JCQmZoYnJyWkw0Mm9WZ3hZCjZqZ21IYzJ0SXBSUlF5eTh6TjlxTmpEaFFpMXBJRStMY213Z2F1QmZramtTcGh5NTBFa01wenplbGRMdFo4ZFEKSGxMc1lMN0FXUHpwTEp0UW9nUzh5ZnlqYlM0dVprcWwyZTF1MVl0MnpHUUp2WWEzT1piR3I3RXNGaWp4U3J5Sgo5QmNLbDcxT0hOaUJ3ZTlpRFYzNXplbWRFb0prSVd2Q2hlcDc4QVEvKzFuTGRZSmNCYWVldHkyYjhFWWx2c01BClFENnMwR3hZUms2TWNiQTJTT2ZydXVad3pKaFlhdnpEWEVOM1Nnc0Z5MFlZdW95YXJ1SlZGVlUzRDBWaEgzVnUKTk1hcWxwZDlBb0dCQU5iTktxNjZDTGpNbHNJbFpBUmNCNVJzV3VkQzVzL3dBdW94Nlp1V2Jna2VlaXdKRXV2YgpNOEZ4NTFHTWk2ZFFKaUg0aHJYRHRtRE50OE1yUDR4bzR4LzlIMVAvd2txZWkwaDQzeXFyQzVORHpCdWl4OGVqCkdDSno0bjlHdDc3UFpSRlhxaXlyNVFsNVEvNS9tRndxY3crclhsRjJlMHhmNGZFRjFzeW9qbDdiQW9HQkFPQ1UKMElJZXVvcnMrRmJ6bFRQUmY0aVYwa2ZVYnlaaStWWnVaVEp5bXNndy9PZXg1eTlTS3NIQ0FEMUhVeWNqUGlLcQozMFpuVEJib1RTZ1RXKzBoTU12TmpxUVJ0ZXFxUHV0L2VsUmZoMUphK0xJbHUvRVNCeENYcEtKUlA3MHRuVEJQCkw5K3Z4MXQrVkdXVXFoMG4zSExoSm1ONDJZRE1YMGVGWDdoK2laYVhBb0dBUElzSGhNZ2F2VHV0SW51M2ZTTVQKWDlwS3BQUk9hajJVRkw2TXdiWGN2ZVZCT2pnMGhSWDd1SUtLV0luc3N2UDhTNGJwTVVKQW5YaGVXenhOWlI0TApKbkVKNjNzaklEVWZ2UVdVb1Vva3NSVmk2a2N2V0MyNEY3M2lFVTIxYktxNEtmTXptL08zVXJ4RFZmQlEyV2w5CmxPVVFhSldrbXhwTGJNdmdoejdiSWhFQ2dZQUJwN2Nkcm1KTGtkR0d1b2JYK2V4SnNtajVWSXg1S1BPVGVuN08KYjEvS3ArbkZQMTluenVBM3kxazdHbUozZ0YvOTIycUgxMDBOUWlzSFo1VWUyMGJEeWNFS1hvTUx0ck4rQXRPQQorYTlDb1I4Q0dSc1lmTHlHbDhlRDFydDBobmlKR1p4TnRycnVackR5aXJUeVFBLzAzTW51bzc1ZW42TDRJUGlDCm9KUWRBd0tCZ1FEU2pVTWNhWE1KVW5BMWlsdHdCcXJtckttZGlIa1dPY25jVG9IVDVyWDAzcjRZU2krREdRZlkKRDRBTGlEVDBRNVNqSGJGRGxqcTdFNWhHR1RhUEFQS3VNbGdBME05L1VQSXRma2RNZGwvRkVPTW9PYTFQT055WQozLyswUzFtOXJmVHcrUzZScVAwUElKVlY4dVlPT3FyWXJUQjloMHp6NDRHNjdCS0Q4b2U5R0E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
2、获取client-certificate-data的部分
[root@nccztsjb-node-23 .kube]# cat config | grep client-certificate-data | awk -F ":" '{print $2}' | tr -d " " LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJYlU0Q2orYkRzSEV3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TXpBeU1qY3dOek14TVRaYUZ3MHlOREF5TWpjd056TXhNVGxhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXZIQmk2WEJ4WTBKVUNvdFoKYStlSHU2T3VSYlhIZGZVclRUS1RWaXFkU1IzYzZFdmprTUo0SityeThwbFdRVHduUldoQlNIM0k5MXorUlpldQo1MW5naFQ4R0dmMXBuRlg3ODZyRnl4UmF1SUVmWXozVWhnNEVlS1VxZkFFWjFXSkhEUDlWTjhxem01SmpuZDF0ClJ5MGI5TENqOFVLYUkrbnVieXhwOXl0VVA3TTZsRW83VUNieEc5S3FUSUlTWU14LzdQeGpWUmFGRlk4VjIvK2wKeUpQa25KUVNON3prK01PU29QWTAvWU8xajRnY3I2eDc5MDdYL1dGdHR6OGs2NDR0UkZXYm54Wk5JZWpqdEdjZAp3MXNZYm4zNmFVZ2kxRS9udDdUQm5LOVlBUE5IcGFLU0tYcG0yM1hVcC91ZmwzUjFUS0dQSnRHczZJaEZHRmJEClpNRkZMUUlEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JSVGs5anZLRzBWcm1wQTY5YXpIM3lJL2doYQpsVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBbXQ0eVBuQ0d2ZUVnZE5XRFFqZ0pja3pKVkhneGhYaUxoUlJyClVFcDd1Z2ZoVFJoSmxnTHlPajJvb0wrMnpKOFFvdC8zaG9xNzFGTXlFcnFubEdUZitKay9IdUlwUkNIM2JlWmwKWmpvZkY0QW5RbU5LL2NjS2VVZGFERFBHeHFPaWFDME15MWN0cDZ6VnltUXkvSklScmlMUEFrYjhSekREN2ZDVQo5QzhFS0I3dEFlTThaZ2ZBZmhxUHVPcEttRXkySU81V042SE51UWRsenNpN0F3UEdhcVNxclNwaW9wV2NQaUxqCm1GMXV6cWQ2d08xTHQzTi9kZENKejFhSWMzL0VoNE1qTmpiTmRzbFJTK3p4Q2U2SnFIU0ppeXZFS2hPZTFyN1UKakhLa3Zxanh2enBvT2N2OTNSZ3NIM3orcmN0REx6YVV6MlJNQ1hZRG1NQVQzOFRqR2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
保存在config文件中的值,是经过base64加密的
进行解密,就是原始的证书的值
[root@nccztsjb-node-23 .kube]# cat config | grep client-certificate-data | awk -F ":" '{print $2}' | tr -d " " | base64 -d -----BEGIN CERTIFICATE----- MIIDITCCAgmgAwIBAgIIbU4Cj+bDsHEwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE AxMKa3ViZXJuZXRlczAeFw0yMzAyMjcwNzMxMTZaFw0yNDAyMjcwNzMxMTlaMDQx FzAVBgNVBAoTDnN5c3RlbTptYXN0ZXJzMRkwFwYDVQQDExBrdWJlcm5ldGVzLWFk bWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvHBi6XBxY0JUCotZ a+eHu6OuRbXHdfUrTTKTViqdSR3c6EvjkMJ4J+ry8plWQTwnRWhBSH3I91z+RZeu 51nghT8GGf1pnFX786rFyxRauIEfYz3Uhg4EeKUqfAEZ1WJHDP9VN8qzm5Jjnd1t Ry0b9LCj8UKaI+nubyxp9ytUP7M6lEo7UCbxG9KqTIISYMx/7PxjVRaFFY8V2/+l yJPknJQSN7zk+MOSoPY0/YO1j4gcr6x7907X/WFttz8k644tRFWbnxZNIejjtGcd w1sYbn36aUgi1E/nt7TBnK9YAPNHpaKSKXpm23XUp/ufl3R1TKGPJtGs6IhFGFbD ZMFFLQIDAQABo1YwVDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH AwIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRTk9jvKG0VrmpA69azH3yI/gha lTANBgkqhkiG9w0BAQsFAAOCAQEAmt4yPnCGveEgdNWDQjgJckzJVHgxhXiLhRRr UEp7ugfhTRhJlgLyOj2ooL+2zJ8Qot/3hoq71FMyErqnlGTf+Jk/HuIpRCH3beZl ZjofF4AnQmNK/ccKeUdaDDPGxqOiaC0My1ctp6zVymQy/JIRriLPAkb8RzDD7fCU 9C8EKB7tAeM8ZgfAfhqPuOpKmEy2IO5WN6HNuQdlzsi7AwPGaqSqrSpiopWcPiLj mF1uzqd6wO1Lt3N/ddCJz1aIc3/Eh4MjNjbNdslRS+zxCe6JqHSJiyvEKhOe1r7U jHKkvqjxvzpoOcv93RgsH3z+rctDLzaUz2RMCXYDmMAT38TjGg== -----END CERTIFICATE----- [root@nccztsjb-node-23 .kube]
3、通过openssl工具,查看这个证书的内容
[root@nccztsjb-node-23 .kube]# cat config | grep client-certificate-data | awk -F ":" '{print $2}' | tr -d " " | base64 -d > admin.crt [root@nccztsjb-node-23 .kube]# [root@nccztsjb-node-23 .kube]# openssl x509 -in admin.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 7876235615392739441 (0x6d4e028fe6c3b071) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=kubernetes Validity Not Before: Feb 27 07:31:16 2023 GMT Not After : Feb 27 07:31:19 2024 GMT Subject: O=system:masters, CN=kubernetes-admin Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bc:70:62:e9:70:71:63:42:54:0a:8b:59:6b:e7: 87:bb:a3:ae:45:b5:c7:75:f5:2b:4d:32:93:56:2a: 9d:49:1d:dc:e8:4b:e3:90:c2:78:27:ea:f2:f2:99: 56:41:3c:27:45:68:41:48:7d:c8:f7:5c:fe:45:97: ae:e7:59:e0:85:3f:06:19:fd:69:9c:55:fb:f3:aa: c5:cb:14:5a:b8:81:1f:63:3d:d4:86:0e:04:78:a5: 2a:7c:01:19:d5:62:47:0c:ff:55:37:ca:b3:9b:92: 63:9d:dd:6d:47:2d:1b:f4:b0:a3:f1:42:9a:23:e9: ee:6f:2c:69:f7:2b:54:3f:b3:3a:94:4a:3b:50:26: f1:1b:d2:aa:4c:82:12:60:cc:7f:ec:fc:63:55:16: 85:15:8f:15:db:ff:a5:c8:93:e4:9c:94:12:37:bc: e4:f8:c3:92:a0:f6:34:fd:83:b5:8f:88:1c:af:ac: 7b:f7:4e:d7:fd:61:6d:b7:3f:24:eb:8e:2d:44:55: 9b:9f:16:4d:21:e8:e3:b4:67:1d:c3:5b:18:6e:7d: fa:69:48:22:d4:4f:e7:b7:b4:c1:9c:af:58:00:f3: 47:a5:a2:92:29:7a:66:db:75:d4:a7:fb:9f:97:74: 75:4c:a1:8f:26:d1:ac:e8:88:45:18:56:c3:64:c1: 45:2d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:53:93:D8:EF:28:6D:15:AE:6A:40:EB:D6:B3:1F:7C:88:FE:08:5A:95 Signature Algorithm: sha256WithRSAEncryption 9a:de:32:3e:70:86:bd:e1:20:74:d5:83:42:38:09:72:4c:c9: 54:78:31:85:78:8b:85:14:6b:50:4a:7b:ba:07:e1:4d:18:49: 96:02:f2:3a:3d:a8:a0:bf:b6:cc:9f:10:a2:df:f7:86:8a:bb: d4:53:32:12:ba:a7:94:64:df:f8:99:3f:1e:e2:29:44:21:f7: 6d:e6:65:66:3a:1f:17:80:27:42:63:4a:fd:c7:0a:79:47:5a: 0c:33:c6:c6:a3:a2:68:2d:0c:cb:57:2d:a7:ac:d5:ca:64:32: fc:92:11:ae:22:cf:02:46:fc:47:30:c3:ed:f0:94:f4:2f:04: 28:1e:ed:01:e3:3c:66:07:c0:7e:1a:8f:b8:ea:4a:98:4c:b6: 20:ee:56:37:a1:cd:b9:07:65:ce:c8:bb:03:03:c6:6a:a4:aa: ad:2a:62:a2:95:9c:3e:22:e3:98:5d:6e:ce:a7:7a:c0:ed:4b: b7:73:7f:75:d0:89:cf:56:88:73:7f:c4:87:83:23:36:36:cd: 76:c9:51:4b:ec:f1:09:ee:89:a8:74:89:8b:2b:c4:2a:13:9e: d6:be:d4:8c:72:a4:be:a8:f1:bf:3a:68:39:cb:fd:dd:18:2c: 1f:7c:fe:ad:cb:43:2f:36:94:cf:64:4c:09:76:03:98:c0:13: df:c4:e3:1a [root@nccztsjb-node-23 .kube]#
通过上面的输出,可以知道:
Subject: O=system:masters, CN=kubernetes-admin
证书的用户是kubernetes-admin
所在的用户组是system:masters
system:masters是超级用户组,可以绕过授权层。