rbac 和 kubeconfig 汇总篇
配置 rbac
-
定义 clusterrole & clusterrolebinding
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: common-node-clusterrole rules: - apiGroups: - "" resources: - nodes verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: common-node-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: common-node-clusterrole subjects: - kind: ServiceAccount name: test namespace: test
-
shell 脚本交互式生成 kubeconfig 文件
#!/bin/bash # 获取用户输入 read -p "请输入要创建的Namespace名称: " namespace read -p "请输入要创建的ServiceAccount名称: " sa_name read -p "请输入要创建的SecretName名称: " secret_name read -p "请输入要生成的Config文件名称: " config_file_name read -p "请输入Kubernetes集群API服务器地址: " api_server # 创建Namespace kubectl create namespace $namespace # 创建ServiceAccount kubectl create serviceaccount $sa_name -n $namespace # 创建Secret cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret type: kubernetes.io/service-account-token metadata: name: $secret_name namespace: $namespace annotations: kubernetes.io/service-account.name: $sa_name EOF # 创建Role cat <<EOF | kubectl apply -f - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: $namespace name: $sa_name-role rules: - apiGroups: ["*"] resources: ["*"] # 根据需要修改资源类型 verbs: ["get", "list", "watch", "create", "update", "delete"] EOF # 创建RoleBinding cat <<EOF | kubectl apply -f - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: $sa_name-binding namespace: $namespace subjects: - kind: ServiceAccount name: $sa_name namespace: $namespace roleRef: kind: Role name: $sa_name-role apiGroup: rbac.authorization.k8s.io EOF # 创建 ClusterRole # 仅第一执行脚本时需要,clusterrole 不需要多次创建 #cat <<EOF | kubectl apply -f - #apiVersion: rbac.authorization.k8s.io/v1 #kind: ClusterRole #metadata: # name: common-node-clusterrole #rules: #- apiGroups: # - "" # resources: # - nodes # verbs: # - get # - list # - watch #EOF # 创建Clusterrolebinding,使 ns 有查看 node 权限 cat <<EOF | kubectl apply -f - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: common-node-clusterrolebinding-$namespace roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: common-node-clusterrole subjects: - kind: ServiceAccount name: $sa_name namespace: $namespace EOF # 获取 ServiceAccount 的 Token #secret_name=$(kubectl get serviceaccount $sa_name -n $namespace -o jsonpath='{.secrets[0].name}') token=$(kubectl get secret $secret_name -n $namespace -o jsonpath='{.data.token}' | base64 --decode) # 生成Config文件 cat <<EOF > $config_file_name apiVersion: v1 kind: Config clusters: - name: $namespace-cluster cluster: server: "https://$api_server:6443" certificate-authority-data: "$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')" contexts: - name: $namespace-context context: cluster: $namespace-cluster namespace: $namespace user: $sa_name current-context: $namespace-context users: - name: $sa_name user: token: $token EOF echo "RBAC 和 Config 文件创建成功!" # 这部分按需原则即可,要求免密 ssh 192.168.0.110 "mkdir -p /home/$namespace/.kube/" scp $config_file_name 192.168.0.110:/home/$namespace/.kube/ ssh 192.168.0.110 "chmod 755 /home/$namespace/.kube/$config_file_name && cp /home/$namespace/.kube/$config_file_name /home/$namespace/.kube/config" ssh 192.168.0.110 "cp /opt/scripts/.bashrc /home/$namespace/" echo "KubeConfig 远程 copy 完成,请用普通用户登录 centos 执行: kubectl get pod "
合并多个 kubeconfig 文件
-
kubeconfig
# first kubeconfig file apiVersion: v1 clusters: - cluster: certificate-authority-data: "" server: https://192.168.0.196:6443 name: 196cluster contexts: - context: cluster: 196cluster user: 196cluster name: 196cluster current-context: 196cluster kind: Config preferences: {} users: - name: 196global user: client-certificate-data: "" client-key-data: "" # second kubeconfig file apiVersion: v1 clusters: - cluster: certificate-authority-data: "" server: https://192.168.0.255:6443 name: 255cluster contexts: - context: cluster: 255cluster user: 255cluster name: 255cluster current-context: 255cluster kind: Config preferences: {} users: - name: 255cluster user: client-certificate-data: "" client-key-data: ""
-
合并
- 定义 KUBECONFIG 变量,该变量值是 config 文件的路径列表,这里过滤掉了 config.swp 文件
export KUBECONFIG=$HOME/.kube/config:$(find $HOME/.kube -type f -maxdepth 1 | grep config | grep -v '\.config\.swp' | tr '\n' ':') kubectl config view --flatten > .kube/config echo $KUBECONFIG /Users/kingskye/.kube/config:/Users/kingskye/.kube/255-config:/Users/kingskye/.kube/196-config:
- 合并
- 结果
mawb:~ kingskye$ kubectl config get-clusters NAME 196cluster 255cluster mawb:~ kingskye$ kubectl config get-contexts CURRENT NAME CLUSTER AUTHINFO NAMESPACE * 196cluster 196cluster 196cluster 255cluster 255cluster 255cluster