生成特定权限和配额的kubeconfig
1. 步骤
注:所有步骤的一键生成脚本可以在generate_kubeconfig.sh下载。
找到一台可以访问集群apiserver并且对集群有admin操作权限的机器,以下的操作是直接在master节点上进行的。
创建namespace,并在该namespace时创建一个service account
# kubectl create namespace test-user-ns namespace/test-user-ns created # cat service_account.yaml apiVersion: v1 kind: ServiceAccount metadata: name: test-user # kubectl create -f ./service_account.yaml -n test-user-ns serviceaccount/test-user created
获取该service account对应的secret
# kubectl describe serviceAccounts test-user -n test-user-ns Name: test-user Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: test-user-token-5q46v Tokens: test-user-token-5q46v Events: <none>
获取secret对应的token
# kubectl describe secret test-user-token-5q46v -n test-user-ns
获取集群信息,并存到cluster-cert.txt文件里。
# kubectl config view --flatten --minify > cluster-cert.txt
用以上信息按照下面的格式生成kubeconfig
apiVersion: v1 kind: Config users: - name: test-user user: token: {TOKEN content of the service account} clusters: - cluster: certificate-authority-data: {certificate-authority-data from cluster-cert.txt} server: https://{YOUR_SERVER_IP}:6443 name: {YOUR_CLUSTER_NAME} contexts: - context: cluster: {YOUR_CLUSTER_NAME} user: test-user name: test-user-context current-context: test-user-context
权限控制
创建一个新的namepsace和role,并通过rbac控制上面生成的service account只能访问该namespace里的资源。
# cat role.yaml --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: test-user-role namespace: test-user-ns # Should be namespace you are granting access to rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: test-user-rolebinding namespace: test-user-ns # Should be namespace you are granting access to roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: test-user-role # Should match name of Role subjects: - namespace: test-user-ns kind: ServiceAccount name: test-user # Should match service account name, above # kubectl create -f ./role.yaml role.rbac.authorization.k8s.io/test-user-role created rolebinding.rbac.authorization.k8s.io/test-user-rolebinding created
为新建的namespace设置quota
# cat quota.yaml apiVersion: v1 kind: List items: - apiVersion: v1 kind: ResourceQuota metadata: name: quota spec: hard: cpu: "20" # CPU memory: 10Gi # 内存 pods: "50" # pod数 # kubectl create -f ./quota.yaml -n test-user-ns resourcequota/quota created
2. 参考资料
Creating a kubeconfig file for a self-hosted Kubernetes cluster: http://docs.shippable.com/deploy/tutorial/create-kubeconfig-for-self-hosted-kubernetes-cluster/
Kubernetes: Creating Service Accounts and Kubeconfigs: https://docs.armory.io/spinnaker-install-admin-guides/manual-service-account/
Resource Quotas: https://kubernetes.io/docs/concepts/policy/resource-quotas/
Last updated
Was this helpful?