# Generating a kubeconfig with specific permissions and a quota

## 1. Steps

**Note: a one-shot script that performs all of the steps below can be downloaded from** [**generate\_kubeconfig.sh**](https://gist.github.com/hex108/12c8c104f17a5189e14da621147daf84)**.**

* Find a machine that can reach the cluster's apiserver and has admin rights on the cluster; the steps below were run directly on a master node.
* Create a namespace, and create a service account inside that namespace

  ```
  # kubectl create namespace test-user-ns
  namespace/test-user-ns created
  # cat service_account.yaml 
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: test-user
  # kubectl create -f ./service_account.yaml -n test-user-ns
  serviceaccount/test-user created
  ```
* Find the Secret that holds the service account's token

  ```
  # kubectl describe serviceAccounts test-user -n test-user-ns
  Name:                test-user
  Namespace:           test-user-ns
  Labels:              <none>
  Annotations:         <none>
  Image pull secrets:  <none>
  Mountable secrets:   test-user-token-5q46v
  Tokens:              test-user-token-5q46v
  Events:              <none>
  ```

  On Kubernetes 1.24 and later a service account no longer gets a long-lived token Secret created automatically, so `Tokens:` shows `<none>`. There you either create a Secret of type `kubernetes.io/service-account-token` annotated with `kubernetes.io/service-account.name: test-user` to obtain the same kind of non-expiring token, or issue a time-bound token with `kubectl create token test-user -n test-user-ns` and put that into the kubeconfig instead.
* Read the token out of that Secret

  ```
  # kubectl describe secret test-user-token-5q46v -n test-user-ns
  ```

  The `token:` line in the `describe` output is the decoded JWT, which is what goes into the kubeconfig; the `token` field shown by `kubectl get secret -o yaml` is base64-encoded and would have to be decoded first.
* Collect the cluster information and save it to cluster-cert.txt.

  ```
  # kubectl config view --flatten --minify > cluster-cert.txt
  ```

  `--flatten` inlines the admin's own `client-certificate-data` and `client-key-data` into this file as well. Copy only the `certificate-authority-data` and `server` values from the `clusters` section into the new kubeconfig, and delete cluster-cert.txt when you are done.
* Use the values collected above to build a kubeconfig in the following format

  ```
  apiVersion: v1
  kind: Config
  users:
  - name: test-user
    user:
      token: {TOKEN content of the service account}  
  clusters:
  - cluster:
      certificate-authority-data: {certificate-authority-data from cluster-cert.txt}
      server: https://{YOUR_SERVER_IP}:6443
    name: {YOUR_CLUSTER_NAME}
  contexts:
  - context:
      cluster: {YOUR_CLUSTER_NAME}
      user: test-user
    name: test-user-context
  current-context: test-user-context
  ```
* Access control

  Create a Role in the namespace and bind the service account created above to it, so that through RBAC the account can only access resources inside that namespace. Because a Role is namespaced, the binding grants nothing in other namespaces and nothing cluster-scoped (nodes, namespaces, ClusterRoles). The wildcard rules below grant every verb on every resource in test-user-ns, including reading its Secrets and creating Pods; narrow them if the user needs less. After binding, check the result from the new kubeconfig with `kubectl --kubeconfig=<new file> auth can-i get pods -n test-user-ns` (expect `yes`) and `kubectl --kubeconfig=<new file> auth can-i get secrets -n kube-system` (expect `no`).

  ```
  # cat role.yaml 
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: test-user-role
    namespace: test-user-ns # Should be namespace you are granting access to
  rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: test-user-rolebinding
    namespace: test-user-ns # Should be namespace you are granting access to
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: test-user-role # Should match name of Role
  subjects:
  - namespace: test-user-ns
    kind: ServiceAccount
    name: test-user # Should match service account name, above
  # kubectl create -f ./role.yaml 
  role.rbac.authorization.k8s.io/test-user-role created
  rolebinding.rbac.authorization.k8s.io/test-user-rolebinding created
  ```
* Set a quota on the new namespace

  In a ResourceQuota, `cpu` and `memory` under `hard` are shorthand for `requests.cpu` and `requests.memory`. Once such a quota exists, the apiserver rejects every new Pod in the namespace that does not declare requests for those resources, unless a LimitRange in the namespace supplies defaults.

  ```
  # cat quota.yaml 
  apiVersion: v1
  kind: List
  items:
  - apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: quota
    spec:
      hard:
        cpu: "20"     # total CPU requests
        memory: 10Gi  # total memory requests
        pods: "50"    # number of pods
  # kubectl create -f ./quota.yaml -n test-user-ns
  resourcequota/quota created
  ```
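The whole kubeconfig-assembly part of the procedure above, as an added shell example that is not the page's generate_kubeconfig.sh: it takes the token copied from the Secret and the cluster-cert.txt saved earlier, copies only the CA data, server address and cluster name out of the flattened admin view, writes the kubeconfig in the format shown above, and refuses to produce a file if the token or CA blob looks wrong or if the admin's key material leaked in. The function names, the sample view written by `make_sample_view` and the fake certificate inside it are constructed for illustration so the script runs without a cluster; on the master node use the real cluster-cert.txt instead.

```shell
#!/bin/sh
# Added example, not the page's generate_kubeconfig.sh: build the ServiceAccount
# kubeconfig from cluster-cert.txt plus the token copied from the Secret, and
# check the result before handing it out. Function names are our own.
set -eu

# Pull only the cluster block out of the flattened admin view. That file also
# carries the admin's client-certificate-data/client-key-data, which must not
# be copied into the user's kubeconfig.
cluster_name_from_view() {
  awk '/^clusters:/{c=1} /^contexts:/{c=0} c && /^  name: /{print $2; exit}' "$1"
}
server_from_view() {
  sed -n 's/^ *server: *//p' "$1" | head -n 1
}
ca_data_from_view() {
  sed -n 's/^ *certificate-authority-data: *//p' "$1" | head -n 1
}

# Render the kubeconfig in the layout shown above.
# $1 cluster name  $2 server URL  $3 base64 CA data  $4 SA token  $5 user name
render_kubeconfig() {
  cluster="$1"; server="$2"; ca="$3"; token="$4"; user="$5"
  # The token from `kubectl describe secret` is a bare JWT (three dot-separated
  # parts); the base64 blob from `kubectl get secret -o yaml` is not accepted.
  case "$token" in
    *.*.*) ;;
    *) echo "token does not look like a service account JWT" >&2; return 1 ;;
  esac
  # The CA value must decode to a PEM certificate; this catches a wrong field
  # (for example the admin's client cert) being pasted in by mistake.
  printf '%s' "$ca" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE' \
    || { echo "certificate-authority-data is not a PEM certificate" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Config
users:
- name: $user
  user:
    token: $token
clusters:
- cluster:
    certificate-authority-data: $ca
    server: $server
  name: $cluster
contexts:
- context:
    cluster: $cluster
    user: $user
  name: $user-context
current-context: $user-context
EOF
}

# Final check before distribution: exactly one credential (the bearer token)
# and none of the admin's certificate or key material.
kubeconfig_is_clean() {
  ! grep -q -e 'client-key-data' -e 'client-certificate-data' "$1" \
    && [ "$(grep -c '^    token: ' "$1")" -eq 1 ]
}

# $1 flattened view (cluster-cert.txt)  $2 SA token  $3 user name  $4 output path
build_sa_kubeconfig() {
  render_kubeconfig "$(cluster_name_from_view "$1")" "$(server_from_view "$1")" \
    "$(ca_data_from_view "$1")" "$2" "$3" > "$4"
  kubeconfig_is_clean "$4"
}

# Constructed stand-in for cluster-cert.txt (fake CA, fake admin credentials) so
# the script runs without a cluster. On the master node use the real file.
make_sample_view() {
  ca=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakecertbody' \
       '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $ca
    server: https://10.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: QURNSU5DRVJU
    client-key-data: QURNSU5LRVk=
EOF
}

# Usage on the real machine, with TOKEN pasted from `kubectl describe secret ...`:
#   build_sa_kubeconfig cluster-cert.txt "$TOKEN" test-user test-user.kubeconfig
```

`kubeconfig_is_clean` is the step worth keeping even if you build the file by hand: the flattened view and the new kubeconfig look alike, and the easiest mistake is to copy the admin's `users` entry along with the cluster block.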

## 2. References

* Creating a kubeconfig file for a self-hosted Kubernetes cluster: <http://docs.shippable.com/deploy/tutorial/create-kubeconfig-for-self-hosted-kubernetes-cluster/>
* Kubernetes: Creating Service Accounts and Kubeconfigs: <https://docs.armory.io/spinnaker-install-admin-guides/manual-service-account/>
* Resource Quotas: <https://kubernetes.io/docs/concepts/policy/resource-quotas/>


