Contents
- Preface
- k8s v1.24 and above
  - Create the ServiceAccount
  - Create the Role and RoleBinding
  - Create a long-lived token Secret
  - Extract the token and CA
  - Generate the kubeconfig
  - Verify
- k8s below v1.24
  - Create the RBAC objects (SA + Role + RoleBinding)
  - Generate the kubeconfig file
Preface
Creating a kubeconfig scoped to a single namespace is a security measure. Developers sometimes ask for the admin kubeconfig so they can automate pod management, but handing out administrator privileges is a large risk (developers have already crashed our k8s clusters a few times). It is better to create a kubeconfig limited to a specific namespace: it can only operate on resources in that namespace, and k8s has solid protection against privilege escalation, so other namespaces stay out of reach.
Note: the procedure differs before and after version 1.24.
k8s v1.24 and above
Create the ServiceAccount
```shell
kubectl create serviceaccount monitoring-user -n monitoring
```
Create the Role and RoleBinding
```shell
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-user-role
  namespace: monitoring   # the namespace this Role is confined to
rules:
- apiGroups: ["*"]   # all API groups
  resources: ["*"]   # all resources
  verbs: ["*"]       # all verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-user-binding
  namespace: monitoring
subjects:
- kind: ServiceAccount
  name: monitoring-user
  namespace: monitoring
roleRef:
  kind: Role
  name: monitoring-user-role
  apiGroup: rbac.authorization.k8s.io
EOF
```
Create a long-lived token Secret
```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-user-token
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: monitoring-user
type: kubernetes.io/service-account-token
EOF
```
Extract the token and CA
```shell
# The token controller fills the Secret in asynchronously; if TOKEN comes back empty, wait a moment and re-run
TOKEN=$(kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret monitoring-user-token -n monitoring -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
APISERVER=https://192.168.10.11:6443
```
Generate the kubeconfig
```shell
kubectl config set-cluster k8s-cluster \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --server=${APISERVER} \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config set-credentials monitoring-user \
  --token=${TOKEN} \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config set-context monitoring-user@k8s-cluster \
  --cluster=k8s-cluster \
  --user=monitoring-user \
  --namespace=monitoring \
  --kubeconfig=monitoring-user.kubeconfig

kubectl config use-context monitoring-user@k8s-cluster --kubeconfig=monitoring-user.kubeconfig
```
Verify
```shell
# Should succeed: the context defaults to the monitoring namespace
kubectl --kubeconfig=monitoring-user.kubeconfig get pods
# Should be denied (Forbidden): the Role is namespaced, so listing pods across all namespaces is not allowed
kubectl --kubeconfig=monitoring-user.kubeconfig get pods -A
```
k8s below v1.24
The difference for k8s below v1.24 compared with the procedure above is that the Secret does not need to be created by hand; it is generated automatically.
Create the RBAC objects (SA + Role + RoleBinding)
```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-admin
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: monitoring-full
  namespace: monitoring
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: monitoring-admin-binding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-full
subjects:
- kind: ServiceAccount
  name: monitoring-admin
  namespace: monitoring
EOF
```
Generate the kubeconfig file
```shell
NAMESPACE="monitoring"
SA="monitoring-admin"
APISERVER="https://192.168.10.11:6443"
OUTPUT="monitoring.kubeconfig"

# 1.23 creates the token Secret automatically, so read its name straight from the ServiceAccount
SECRET=$(kubectl get sa ${SA} -n ${NAMESPACE} -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d)
kubectl get secret ${SECRET} -n ${NAMESPACE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt

kubectl config set-cluster monitoring-cluster \
  --server=${APISERVER} \
  --certificate-authority=/tmp/ca.crt \
  --embed-certs=true \
  --kubeconfig=${OUTPUT}
kubectl config set-credentials ${SA} \
  --token=${TOKEN} \
  --kubeconfig=${OUTPUT}
kubectl config set-context monitoring-context \
  --cluster=monitoring-cluster \
  --namespace=${NAMESPACE} \
  --user=${SA} \
  --kubeconfig=${OUTPUT}
kubectl config use-context monitoring-context --kubeconfig=${OUTPUT}
```
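Both procedures above (v1.24 and above, and below v1.24) end with a kubeconfig file that is handed to a developer. As an added example, not code from the post, here is an offline check to run on that file before handing it over: it confirms that the current context pins the intended namespace, that the cluster entry uses https with the CA embedded and TLS verification left on, that the user authenticates with a bearer token rather than a client certificate, and that the token was minted for the intended ServiceAccount (Kubernetes service-account JWTs carry a `sub` claim of the form `system:serviceaccount:<namespace>:<name>`). It assumes the kubeconfig is exported as JSON with `kubectl config view --raw -o json`; the script name `check_kubeconfig.py` and the sample kubeconfigs and tokens are constructed for the example.

```python
"""Offline check of a namespace-scoped kubeconfig (added example, not the post's code).
Usage: kubectl --kubeconfig=monitoring-user.kubeconfig config view --raw -o json \
         | python3 check_kubeconfig.py monitoring monitoring-user
"""
import base64
import copy
import json
import sys


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Return a JWT's payload without verifying the signature (the API server does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def _by_name(items: list) -> dict:
    return {item["name"]: item for item in items}


def check_kubeconfig(cfg: dict, namespace: str, sa_name: str) -> list:
    """Return a list of problems; an empty list means the file is scoped as intended."""
    problems = []
    contexts = _by_name(cfg.get("contexts", []))
    clusters = _by_name(cfg.get("clusters", []))
    users = _by_name(cfg.get("users", []))

    ctx_entry = contexts.get(cfg.get("current-context"))
    if ctx_entry is None:
        return ["current-context is missing or not defined"]
    ctx = ctx_entry["context"]

    # 1. the context must pin the namespace, so a bare `kubectl get pods` lands there
    if ctx.get("namespace") != namespace:
        problems.append(f"context namespace is {ctx.get('namespace')!r}, expected {namespace!r}")

    # 2. cluster entry: https, CA embedded, TLS verification not disabled
    cluster = clusters.get(ctx.get("cluster"), {}).get("cluster", {})
    if not str(cluster.get("server", "")).startswith("https://"):
        problems.append("cluster server is not https")
    if cluster.get("insecure-skip-tls-verify"):
        problems.append("insecure-skip-tls-verify is set")
    if not cluster.get("certificate-authority-data"):
        problems.append("CA is not embedded (certificate-authority-data missing)")

    # 3. user entry: a bearer token only, never an admin client certificate
    user = users.get(ctx.get("user"), {}).get("user", {})
    if "client-certificate-data" in user or "client-certificate" in user:
        problems.append("user carries a client certificate; expected a ServiceAccount token")
    token = user.get("token")
    if not token:
        problems.append("user has no token")
        return problems

    # 4. the token's subject must be the intended ServiceAccount
    try:
        sub = jwt_claims(token).get("sub", "")
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    if sub != expected:
        problems.append(f"token subject is {sub!r}, expected {expected!r}")
    return problems


def _sample_jwt(claims: dict) -> str:
    # Constructed, unsigned JWT for the samples below; a real one is signed by the API server
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.signature"


# Constructed sample mirroring what the `kubectl config set-*` commands above write
SAMPLE_GOOD = {
    "current-context": "monitoring-user@k8s-cluster",
    "clusters": [{"name": "k8s-cluster", "cluster": {
        "server": "https://192.168.10.11:6443",
        "certificate-authority-data": "LS0tLS1CRUdJTi...placeholder"}}],
    "users": [{"name": "monitoring-user", "user": {
        "token": _sample_jwt({"sub": "system:serviceaccount:monitoring:monitoring-user"})}}],
    "contexts": [{"name": "monitoring-user@k8s-cluster", "context": {
        "cluster": "k8s-cluster", "user": "monitoring-user", "namespace": "monitoring"}}],
}

# Same file, but the token was minted for a different ServiceAccount (constructed)
SAMPLE_WRONG_SA = copy.deepcopy(SAMPLE_GOOD)
SAMPLE_WRONG_SA["users"][0]["user"]["token"] = _sample_jwt(
    {"sub": "system:serviceaccount:kube-system:default"})

if __name__ == "__main__":
    issues = check_kubeconfig(json.load(sys.stdin), sys.argv[1], sys.argv[2])
    for problem in issues:
        print("PROBLEM:", problem)
    sys.exit(1 if issues else 0)
```

This is a static check of the file's contents only; the `get pods -A` command in the Verify step above remains the live test that the API server actually denies access outside the namespace.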