Table of contents
- Preface
- k8s v1.24 and above
  - [Create the ServiceAccount](#创建 ServiceAccount)
  - [Create the Role and RoleBinding](#创建Role 和 RoleBinding)
  - [Create a long-lived token Secret](#长期 token Secret创建)
  - [Extract the token and CA](#提取 token 和 CA)
  - [Generate the kubeconfig](#生成 kubeconfig)
  - Verify
- k8s versions below v1.24
  - [Create the RBAC (SA + Role + RoleBinding)](#创建 RBAC(SA + Role + RoleBinding))
  - Generate the kubeconfig file
Preface
Creating a kubeconfig scoped to a single namespace is a security measure. Developers sometimes ask for the admin kubeconfig so they can automate pod management, but handing out administrator privileges is a large risk (developers have already broken the k8s cluster a few times), so it is better to create a kubeconfig limited to one namespace: it can only operate on resources in that fixed namespace, and k8s has a mature privilege-escalation prevention mechanism, so other namespaces are out of reach.
Note: the creation procedure differs before and after version 1.24.
k8s v1.24 and above
Create the ServiceAccount
```bash
kubectl create serviceaccount monitoring-user -n monitoring
```
Create the Role and RoleBinding
```bash
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-user-role
  namespace: monitoring # the namespace the role is confined to
rules:
- apiGroups: ["*"]  # all API groups
  resources: ["*"]  # all resources
  verbs: ["*"]      # all verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-user-binding
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: monitoring-user
  namespace: monitoring
roleRef:
  kind: Role
  name: monitoring-user-role
  apiGroup: rbac.authorization.k8s.io
EOF
```
Create a long-lived token Secret
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-user-token
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: monitoring-user
type: kubernetes.io/service-account-token
EOF
```
Extract the token and CA
```bash
TOKEN=$(kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
APISERVER=https://192.168.10.11:6443
```
Generate the kubeconfig
```bash
kubectl config set-cluster k8s-cluster \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --server=${APISERVER} \
  --kubeconfig=monitoring-user.kubeconfig
kubectl config set-credentials monitoring-user \
  --token=${TOKEN} \
  --kubeconfig=monitoring-user.kubeconfig
kubectl config set-context monitoring-user@k8s-cluster \
  --cluster=k8s-cluster \
  --user=monitoring-user \
  --namespace=monitoring \
  --kubeconfig=monitoring-user.kubeconfig
kubectl config use-context monitoring-user@k8s-cluster --kubeconfig=monitoring-user.kubeconfig
```
Verify
```bash
# lists the pods in the monitoring namespace
kubectl --kubeconfig=monitoring-user.kubeconfig get pods
```

```bash
# denied: the Role is confined to the monitoring namespace
kubectl --kubeconfig=monitoring-user.kubeconfig get pods -A
```
k8s versions below v1.24
Compared with v1.24 and above, versions below v1.24 do not require the Secret to be created by hand; it is generated automatically.
Create the RBAC (SA + Role + RoleBinding)
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-admin
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-full
  namespace: monitoring
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-admin-binding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-full
subjects:
- kind: ServiceAccount
  name: monitoring-admin
  namespace: monitoring
EOF
```
Generate the kubeconfig file
```bash
NAMESPACE="monitoring"
SA="monitoring-admin"
APISERVER="https://192.168.10.11:6443"
OUTPUT="monitoring.kubeconfig"
# 1.23 generated the Secret automatically; read it directly
SECRET=$(kubectl get sa ${SA} -n ${NAMESPACE} -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt
kubectl config set-cluster monitoring-cluster \
  --server=${APISERVER} \
  --certificate-authority=/tmp/ca.crt \
  --embed-certs=true \
  --kubeconfig=${OUTPUT}
kubectl config set-credentials ${SA} \
  --token=${TOKEN} \
  --kubeconfig=${OUTPUT}
kubectl config set-context monitoring-context \
  --cluster=monitoring-cluster \
  --namespace=${NAMESPACE} \
  --user=${SA} \
  --kubeconfig=${OUTPUT}
kubectl config use-context monitoring-context --kubeconfig=${OUTPUT}
```
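Both kubeconfig procedures above (v1.24+ and pre-1.24) end in the same file layout. The added shell example below is not part of the original post: it writes that file by hand so the embedded CA and token are visible, checks offline that the result pins a single namespace, and adds a live scope check with `kubectl auth can-i`. The function names and the sample CA/token used for testing are constructed for this example.

```shell
# Added example (not from the original post): write the namespace-scoped kubeconfig
# by hand, the same file `kubectl config set-*` builds above, so the embedded
# CA/token layout is visible, then check that it pins one namespace. Function
# names and the sample CA/token are constructed for this demo.
set -eu

# Same result as set-cluster/set-credentials/set-context/use-context.
# Args: cluster server ca_file token namespace user out_file
build_kubeconfig() {
  cluster=$1; server=$2; ca_file=$3; token=$4; ns=$5; user=$6; out=$7
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')   # what --embed-certs=true does
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${user}
  user:
    token: ${token}
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
    namespace: ${ns}
current-context: ${user}@${cluster}
EOF
  chmod 600 "$out"   # the file is a bearer credential; keep it owner-only
}

# Offline checks: one cluster/user/context, namespace pinned, CA embedded.
check_kubeconfig() {
  f=$1; ns=$2
  [ "$(grep -c '^- name: ' "$f")" -eq 3 ] || return 1
  grep -q "^    namespace: ${ns}\$" "$f" || return 1
  grep -q '^    certificate-authority-data: ' "$f" || return 1
}

# Live check (needs kubectl): allowed in its own namespace, denied elsewhere.
verify_scope() {
  kc=$1; ns=$2
  [ "$(kubectl --kubeconfig="$kc" auth can-i get pods -n "$ns" || true)" = yes ] || return 1
  [ "$(kubectl --kubeconfig="$kc" auth can-i get pods -n kube-system || true)" = no ] || return 1
  [ "$(kubectl --kubeconfig="$kc" auth can-i list namespaces || true)" = no ] || return 1
}
```

Call `build_kubeconfig` with the `TOKEN`, `ca.crt` and `APISERVER` obtained in the steps above, run `check_kubeconfig` on the output, and run `verify_scope` against the cluster before handing the file to a developer.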