生成特定权限和配额的kubeconfig

1. 步骤

注:所有步骤的一键生成脚本可以在generate_kubeconfig.sh下载

  • 找到一台可以访问集群apiserver并且对集群有admin操作权限的机器,以下的操作是直接在master节点上进行的。

  • 创建namespace,并在该namespace时创建一个service account

    # kubectl create namespace test-user-ns
namespace/test-user-ns created
# cat service_account.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-user
# kubectl create -f ./service_account.yaml -n test-user-ns
serviceaccount/test-user created

  • 获取该service account对应的secret

    # kubectl describe serviceAccounts test-user -n test-user-ns
Name:                test-user
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   test-user-token-5q46v
Tokens:              test-user-token-5q46v
Events:              <none>

  • 获取secret对应的token

    # kubectl describe secret test-user-token-5q46v -n test-user-ns

  • 获取集群信息,并存到cluster-cert.txt文件里。

    # kubectl config view --flatten --minify > cluster-cert.txt

  • 用以上信息按照下面的格式生成kubeconfig

    apiVersion: v1
kind: Config
users:
- name: test-user
  user:
    token: {TOKEN content of the service account}  
clusters:
- cluster:
    certificate-authority-data: {certificate-authority-data from cluster-cert.txt}
    server: https://{YOUR_SERVER_IP}:6443
  name: {YOUR_CLUSTER_NAME}
contexts:
- context:
    cluster: {YOUR_CLUSTER_NAME}
    user: test-user
  name: test-user-context
current-context: test-user-context

  • 权限控制

    创建一个新的namepsace和role,并通过rbac控制上面生成的service account只能访问该namespace里的资源。

    # cat role.yaml 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-user-role
  namespace: test-user-ns # Should be namespace you are granting access to
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-user-rolebinding
  namespace: test-user-ns # Should be namespace you are granting access to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-user-role # Should match name of Role
subjects:
- namespace: test-user-ns
  kind: ServiceAccount
  name: test-user # Should match service account name, above
# kubectl create -f ./role.yaml 
role.rbac.authorization.k8s.io/test-user-role created
rolebinding.rbac.authorization.k8s.io/test-user-rolebinding created

  • 为新建的namespace设置quota

    # cat quota.yaml 
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: quota
  spec:
    hard:
      cpu: "20"    # CPU
      memory: 10Gi  # 内存
      pods: "50"  # pod数
# kubectl create -f ./quota.yaml -n test-user-ns
resourcequota/quota created

2. 参考资料

Previous生产力小工具Next社区贡献

Last updated