The goal is to generate a kubeconfig file that can only operate on the demo namespace.
Preparing the RBAC resources
Create the ServiceAccount
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-account
  namespace: demo
```
Secret
Since Kubernetes 1.24, the token Secret for a ServiceAccount is no longer created automatically:
```shell
# kubectl -n demo get secret
No resources found in demo namespace.
```
So we have to create it ourselves (older Kubernetes versions did this for us).
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: demo-account-secret
  namespace: demo
  annotations:
    kubernetes.io/service-account.name: "demo-account"
type: kubernetes.io/service-account-token
```
Once this Secret exists, the token controller fills it with the token for the annotated ServiceAccount.

The data section now contains both ca.crt and token.
This token is what goes into the kubeconfig file later.
Create the Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: demo-role
  namespace: demo
rules:
- apiGroups: [""]
  resources: ["services", "configmaps", "secrets", "pods"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
```
These are the usual verbs on frequently used resources. Note that the rule set still includes get/list on secrets (the holder can read every Secret in demo, including this token Secret) and create on pods (a Pod can be started with any other ServiceAccount in the namespace mounted, inheriting its permissions); drop whatever the account does not actually need.
RoleBinding
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-rolebinding
  namespace: demo
subjects:
- kind: ServiceAccount
  name: demo-account
  namespace: demo
roleRef:
  kind: Role
  name: demo-role
  apiGroup: rbac.authorization.k8s.io
```
Create the kubeconfig file
I have written about the kubeconfig file format before.
Start by copying the cluster's default kubeconfig file:
```shell
cp ~/.kube/config ~/.kube/demo.config
```
Then replace the users section. Remove the original admin user and its client certificate (anyone holding the file would otherwise still have full access), base64-decode the token from the Secret above (the value under data is base64-encoded; kubeconfig expects the raw JWT), and put the decoded token into the user entry as shown below.
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <unchanged from the default kubeconfig>
    server: <unchanged from the default kubeconfig>
  name: demo-cluster            # rename to something related to the workload
users:
- name: demo                    # your user name
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IklaWG5QekZrSzM4cXkyZ2NPRFRxX3hxYUVuZ01vaTZ1NFZOZUxtUVBSeVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlbW8tYWNjb3VudC1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVtby1hY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMWQwYmY1M2EtOTUwNS00N2E3LWE5OTItYjA4YzdiMTc2Yjc2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86ZGVtby1hY2NvdW50In0.tsH_CoGD_p7Rn1MMwEJrW-PEdUYh7H6KnS6QXxQzl4DMN3wWBA_jeiuir-4I0WhTjS5TQ_0OMtRtsaWcvL1XuvencUtAZFygqpsA20AHLeEsyFAvwmb_2GeInV8a-BFchcQUp8IcHEv2GXEdP5BGlK6zfroEK1cfPbaM-ITV82HFmVjn8eCynq0EON5EZATz4WO7ewnX2mEg7mh_aPWiW7_StjzZrPtvbbkA8ef1fpf67Ou9wym70TkEmovgYcTfBecY-OHrCkSuSStQilSQ5wi0rbsPDH-v8Z2SckXrCqO9kmqDBk-2d_65BK5oM0aTD7VFlxeWvRXXx_NjBCNh6A
contexts:
- context:
    cluster: demo-cluster       # must match the cluster name above
    namespace: demo             # your namespace
    user: demo                  # must match the user name above
  name: demo-context            # rename to something related to the workload
```
Merge the kubeconfig files
```shell
export KUBECONFIG=/root/.kube/config:/root/.kube/demo.config
```
After that, kubectl config view shows the merged kubeconfig with both contexts.

Test it
```shell
kubectl --context demo-context get pod
```
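To make the copy-and-edit steps above repeatable, here is an added example (written for this page, not part of the original post) that builds demo.config directly from the Secret's ca.crt and token with kubectl and plain shell, so the admin user's client certificate never lands in the file, and then uses kubectl auth can-i to confirm the token works in demo and is denied in default, cluster-wide and on nodes. It assumes kubectl is on PATH with an admin context; the output path, the `build` argument and the function names are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a standalone kubeconfig for the
# demo ServiceAccount from its token Secret instead of copying the admin kubeconfig,
# then verify that the token is confined to the namespace.
# Assumed: kubectl is on PATH and the current context has admin rights.
set -eu

# Decode one base64 value the way `kubectl get secret -o jsonpath` returns it.
decode_b64() {
  printf '%s' "$1" | base64 -d
}

# Render a kubeconfig from its parts. Pure text, no cluster access needed.
#   $1 API server URL   $2 CA bundle, still base64 (kubeconfig stores it that way)
#   $3 decoded bearer token   $4 namespace   $5 name used for user/cluster/context
render_kubeconfig() {
  server="$1"; ca_b64="$2"; token="$3"; ns="$4"; name="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${name}-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${name}
  user:
    token: ${token}
contexts:
- name: ${name}-context
  context:
    cluster: ${name}-cluster
    namespace: ${ns}
    user: ${name}
current-context: ${name}-context
EOF
}

# Read server, CA and token from the live cluster and write the file with 0600 perms.
#   $1 namespace   $2 token Secret name   $3 output path
build_from_cluster() {
  ns="$1"; secret="$2"; out="$3"
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca_b64=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.ca\.crt}')
  token=$(decode_b64 "$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}')")
  render_kubeconfig "$server" "$ca_b64" "$token" "$ns" "$ns" > "$out"
  chmod 600 "$out"
}

# Positive and negative checks. `kubectl auth can-i -q` exits 0 for "yes" and 1 for "no".
#   $1 kubeconfig path   $2 namespace the token is supposed to be limited to
verify_scope() {
  cfg="$1"; ns="$2"
  # must be allowed inside the namespace (set -e aborts if this says "no")
  kubectl --kubeconfig "$cfg" auth can-i list pods -n "$ns" -q
  # must be denied: other namespaces and cluster-scoped resources
  # ($check is intentionally unquoted so it splits into separate arguments)
  for check in "list pods -n default" "list nodes" "list secrets --all-namespaces"; do
    if kubectl --kubeconfig "$cfg" auth can-i $check -q; then
      echo "FAIL: token is allowed to: $check" >&2
      return 1
    fi
  done
  # full rule dump for a manual review of what the Role really grants
  kubectl --kubeconfig "$cfg" auth can-i --list -n "$ns"
}

# Run only when invoked as `./demo-kubeconfig.sh build`; otherwise just define functions.
if [ "${1:-}" = "build" ]; then
  build_from_cluster demo demo-account-secret "$HOME/.kube/demo.config"
  verify_scope "$HOME/.kube/demo.config" demo
fi
```

Because the file is built from scratch rather than copied, it contains exactly one user and one context, and the verify_scope step fails loudly if the Role or RoleBinding is misapplied (for example bound at cluster scope by mistake).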

You can also switch contexts with the kubectx tool recommended earlier.
